Domain Review Flashcards
- When writing a corporate policy that explains the security objectives of confidentiality, integrity, and availability, what is the best definition of integrity?
a. To protect information assets from modification or destruction
b. To prevent unauthorized personnel and/or programs from accessing information assets
c. To protect information assets from unauthorized modification or destruction
d. To authorize personnel and/or programs to access information assets
Domain: Information Security & Risk Management
Best answer: A
“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.” (44 U.S.C. Section 3542)
- A good and effective information security policy should have all of the following characteristics except?
a. Delegation of roles and responsibilities
b. Explanation of management objectives that are aligned with business goals
c. Enumeration of short- and long-term goals
d. Definition of terms
Domain: Information Security & Risk Management
Best answer: C
An information security policy should:
- Explain laws, regulations, business needs, and management’s expectations (goals & objectives)
- Identify roles and delineate responsibilities
- “Users should only have access to information that enables them to perform their assigned job functions.” This is a practice of which security implementation principle?
a. Need to know
b. Least privilege
c. Separation of duties
d. Confidentiality
Domain: Information Security & Risk Management
Best answer: A
“Need to know” is where users should only have access to information that enables them to perform their assigned job functions.
“Least privilege” is where users should only have sufficient access privileges to allow them to perform their assigned work.
“Separation of duties” is where no single person should be responsible for carrying out a series of critical tasks from beginning to end; the tasks require more than one internal control to prevent fraud and errors.
- What type of information security requirement is designed to establish confidence that a control will perform as intended?
a. Functional requirements
b. Assurance requirements
c. Performance requirements
d. Operational requirements
Domain: Information Security & Risk Management
Best answer: B
A functional requirement describes the functionality or behavior that a system shall perform.
An assurance requirement measures the level of confidence that the security function will perform as intended.
- What type of security control is designed to preclude actions that violate policy or increase risks to information assets?
a. Directive
b. Preventive
c. Detective
d. Corrective
Domain: Information Security & Risk Management
Best answer: B
- Directive controls are intended to advise employees of the behavior expected of them during their interaction with or use of the organization’s information systems.
- Preventive controls are the physical, administrative, and technical measures intended to preclude actions violating policy or increasing risk to system resources.
- Detective controls involve the use of practices, processes, and tools that identify and possibly react to security violations.
- Corrective controls involve physical, administrative, and technical measures designed to react to detection of an incident in order to reduce or eliminate the opportunity for the unwanted event to recur.
- As a security professional, how would you explain the definition of a risk?
a. An entity that may act on a vulnerability
b. Any potential danger to information (/ system) life cycle
c. The likelihood of a threat source taking advantage of a vulnerability
d. An instance of being compromised by a threat source.
Domain: Information Security & Risk Management
Best answer: C
Risk is the likelihood of a threat source exploiting a vulnerability.
Vulnerability is a weakness or flaw that may provide a threat source an opportunity to exploit.
Threat is any potential danger to information (/ system) life cycle.
Risk = Threat × Vulnerability
- What is the process that determines what security controls are needed to adequately protect the information system that supports the operations and assets of an organization?
a. Risk management
b. Threat assessment
c. Vulnerability assessment
d. Security audit
Domain: Information Security & Risk Management
Best answer: A
Threat and vulnerability assessments are part of the risk management process.
Security audit determines whether the required controls have been implemented.
- In information security management, what is the primary responsibility of an information (/ data) owner?
a. Ensure accuracy of the data
b. Authorize user access and determine privileges
c. Back up data regularly
d. Determine the data sensitivity (/ classification) level
Domain: Information Security & Risk Management
Best answer: D
The owner of the information (/ data), who understands its value and potential impact, should determine its sensitivity.
- As the information security engineer estimating the annual budget for an information security program, what would be the appropriate amount you would recommend to protect an asset valued at $1 million from a threat that has an annualized rate of occurrence (ARO) of once every 5 years and an exposure factor (EF) of 30%?
a. $1,500
b. $60,000
c. $150,000
d. $300,000
Domain: Information Security & Risk Management
Best answer: B
SLE = Asset value × EF ($1,000,000 × 30% = $300,000)
ALE = ARO × SLE (1/5 × $300,000 = $60,000)
- In an enterprise, who is primarily responsible for determining the level of protection needed for information assets?
a. Senior management
b. Program manager
c. Auditor
d. Information systems security engineer
Domain: Information Security & Risk Management
Best answer: D
Security engineers or analysts determine the level of protection based on the risk assessment results.
- When using the quantitative risk assessment method, which of the following statements is incorrect?
a. Assessment & results are based substantially on independently objective processes & metrics. Thus, meaningful statistical analysis is supported.
b. A credible basis for cost/benefit assessment of risk mitigation measures is provided. Thus, information security budget decision-making is supported.
c. Risk assessment & results are essentially subjective in both process & metrics.
d. Calculations are complex.
Domain: Information Security & Risk Management
Best answer: C
The quantitative risk assessment method is not subjective. It requires that the value of information be expressed in monetary terms. Hence the calculations are complex and the assessment results are objective.
- What is the primary rationale for implementing security controls?
a. To eliminate risk and the potential for loss.
b. To eliminate risk and reduce the potential for loss.
c. To mitigate risk and reduce the potential for loss.
d. To mitigate risk and eliminate the potential for loss.
Domain: Information Security & Risk Management
Best answer: D
Risk can be accepted, mitigated, or transferred, but cannot be eliminated.
Implementing security controls can eliminate the potential for loss.
If a security control cannot fully eliminate the potential for loss, then the risk would have to be accepted.
- A disciplined approach to evaluating the level of conformance to the prescribed security requirements and the implemented security controls is called?
a. Certification
b. Accreditation
c. Risk management
d. Vulnerability assessment
Domain: Information Security & Risk Management
Best answer: A
Accreditation is the official management decision to operate the certified system. It is also a formal acceptance of responsibility for the security of the certified system.
Risk management is a process for managing risks to an acceptable level.
- Using the “reasonable and prudent person” concept, performing background investigations, interviewing references, and conducting counterintelligence and lifestyle polygraphs are what type of personnel security activities?
a. Due diligence
b. Due care
c. Due process
d. Management controls
Domain: Information Security & Risk Management
Best answer: B
Due care refers to the actions taken to minimize risks.
Due diligence refers to the continual actions an organization takes to protect against and minimize risks.
- Why is configuration management a key component of information security management?
a. Ensures the change does not affect the system accreditation.
b. Ensures the change is documented.
c. Ensures the change improves the security posture baseline.
d. Ensures the change does not adversely affect the security posture baseline.
Domain: Information Security & Risk Management
Best answer: D
Configuration management ensures the system configuration baseline is recorded and changes are documented, so associated risks may be assessed and actions can be taken.