Info Gov

Question 0

What are the 5 classifications commonly used by the U.S. department of Defence?

Answer 0

Unclassified
Sensitive but Unclassified (SBU)
Confidential
Secret
Top Secret

Question 1

What is the opposite of CIA?

Answer 1

Disclosure
Alteration
Destruction

Question 2

Which classification level (US DoD) may often use the terms “for official use only” or “for internal use only”?

Answer 2

Unclassified

Question 3

What is the difference between unclassified and SBU? (US DoD)

Answer 3

SBU generally contains personal information ie medical records or disciplinary proceedings.

Question 4

What is the lowest level of classified government information? (US DoD)

Answer 4

Confidential

Question 5

What term is commonly used to collectively represent policies, procedures, guidelines and standards that help steer an organisations decisions and operations?

Answer 5

Governance

Question 6

What are the four main types of policies?

SARI

Answer 6

Senior Management
Regulatory
Advisory
Informative

Question 7

Which type of policy do most policies fall under?

SARI

Answer 7

Advisory

Question 8

Which type of identity management system facilitates authentication, non-repudiation and access control via digital certificates?

Answer 8

PKI

Question 9

Which 3 of the following 5 background checks would commonly be included as part of more extensive pre-employment screening?
Credit check
Drug test
Reference check
Special background investigation
Verification of personal/professional data in application

Answer 9

Credit check
Drug test
Special background investigations

Question 10

Who is ultimately responsible for an organisations information security? management or information security professional?

Answer 10

Management

Question 11

With regards information a system admin what commonly be known as what? Information owner or custodian?

Answer 11

Custodian

Question 12

Which term is used to ensure that not one individual has complete authority or control over a critical system or process and also reduces dependence on individuals, ie avoiding a single point of failure?

Answer 12

Separation of duties

Question 13

Which terms describes regularly transferring key personnel into different roles or positions in different parts of the organisation?

Answer 13

Job rotation

Question 14

What 3 things does the risk assessment triple consist of?

Answer 14

Quantities risk methodologies
Risk calculations
Safeguard selection criteria and objectives

Question 15

What 2 elements are multiplied to calculate a risk?

Answer 15

Threat x Vulnerability = Risk

Question 16

What 3 elements does the risk management triple consist of?

Answer 16

Threat
Vulnerability
Asset

Question 17

Risk management consists of 3 elements. What are they?

Answer 17

Identification
Analysis
Risk Treatment

Question 18

When does risk identification occur?

Answer 18

During a risk assessment

Question 19

What are the two methods used for determining the value of an asset?

Answer 19

Quantitive

Qualities

Question 20

Which method is related to cost? Quantitive or qualative?

Answer 20

Quantitive

Question 21

Which method is related to importance? Quantitive or qualative

Answer 21

Qualative

Question 22

What 3 basic elements are used to determine the value of an asset?

Answer 22

Initial and maintenance costs
Organisational (internal) value
Public value

Question 23

Which value (organisational or public) includes the cost of acquiring, creating or re-creatinine information, and the business impact or loss if the information is lost or compromised. It can also include liability costs, personal injury, death, etc?

Answer 23

Organisational

Question 24

Which value (organisational or public) includes loss of proprietary information or processes and business reputation?

Answer 24

Public

Question 25

What are the 4 basic steps in threat analysis?

Answer 25

1. Define the threat
2. Identify the consequences if threat occurs
3. Determine the probable frequency of threat event
4. Assess the probability of threat occurring

Question 26

What two types are threats generally categorised as?

Answer 26

Man made

Natural

Question 27

Which 4 steps are involved in risk analysis?

Answer 27

1. Identify assets to be protected including sensitivity, value, importance to the organisation.
2. Define specific threats including threat frequency and impact data
3. Calculate Annualised Loss Expectancy (ALE)
4. Select appropriate safeguards

Question 28

How is the annual loss expectancy calculated?

Answer 28

SLE x ARO = ALE

Single loss expectancy x annual rate of occurrence

Question 29

How is single loss expectancy (SLE) calculated?

Answer 29

Asset value x Exposure Factor

Question 30

What is a measure of the negative effect or impact that a realised threat or event would have on a specific asset, expressed as a percentage otherwise known as?

Answer 30

Exposure factor

Question 31

Which type of risk analysis would include the following advantages?
No complex calculations are required
Time and work effort involved is relatively low
Volume of input data required is relatively low

Answer 31

Qualative

Question 32

Which type of risk analysis would include the following advantages?
Financial costs are defined (cost-benefit analysis)
More concise, specific data supports analysis, ie fewer assumptions
Analysis and calculations can often be automated
Specific quantifiable results are easier to communicate

Answer 32

Quantitive

Question 33

Which type of risk analysis is scenario driven and doesn’t use numeric values?

Answer 33

Qualative

Question 34

Which type of risk analysis attempts to assign objective numeric values?

Answer 34

Quantitive

Question 35

Purely Quantitive risk analysis is generally not possible or practical? True or false?

Answer 35

True

Question 36

What are the 4 methods of risk treatment?

Answer 36

Risk reduction
Risk assignment (or transference)
Risk avoidance
Risk acceptance

Question 37

What is the calculation for cost benefit analysis?

Answer 37

ALE before safeguard - ALE after safeguard - cost of safeguard = value of safeguard

Question 38

What should be considered when calculating the cost of a safeguard?

Answer 38

Total cost of ownership (TCO)

Question 39

What 4 criteria should be considered when selecting a safeguard?

Answer 39

Cost effectiveness
Legal liability
Operational impact
Technical factors

Question 40

What are the 3 main components of an effective security awareness program?

Answer 40

General awareness program, formal training and education

Question 41

What 5 key factors are critical to a successful security awareness program?

Answer 41

Senior level management support
Demonstration that security supports business objectives
Demonstration that security affects all individuals and job functions
Take into account the target audience ie level of training
Action and follow up

Question 42

Which person directs, coordinates, plans and organises information security activities throughout the organisation?
Security officer
Information Systems Security professional
Security Administrator

Answer 42

Security Officer

Question 43

Who is responsible for drafting of policies, standards and supporting guidelines, procedures and baselines?
Security officer
Information Systems Security professional
Security Administrator

Answer 43

Information Systems Security Professional

Question 44

Who is responsible for designing security controls into information systems, testing the controls and implementing the systems in production?
Security officer
Information Systems Security professional
Security Administrator
Information Systems/Technology Professional

Answer 44

Information Systems/Technology Professional

Question 45

Who is responsible for managing user access requests and privileges?
Security officer
Information Systems Security professional
Security Administrator
Information Systems/Technology Professional

Answer 45

Security Administrator

Question 46

NIST SP 800-53 is mandatory for US federal agencies and their contractors. True or False?

Answer 46

True

Question 47

NIST SP 600-53 and ISO 27001 are examples of what?

Answer 47

Control frameworks

Question 48

Common organisations that develop standards?

Answer 48

National Institute of Standards and technology (NIST)
Institute of Electronics and Electrical Engineers (IEEE)
American National Standards Institure (ANSI)
National Security Agency (NSA)

Question 49

Guidelines are recommendations, best practices and templates documented in the frameworks created by other organisations such as:

Answer 49

• Control Objectives For Information and Related Technology (COBIT)
• the Capability Maturity Model (CMM)
• ISO 2700

Question 50

Which two governance Framework documents are best to keep as standalone?
procedures
guidelines
policies
standards
baselines

Answer 50

Standards and Policies

Question 51

How often should a policy be reviewed?

Answer 51

Annually

Question 52

The following are types of what?
Canada’s “Security of Information Act”
China’s Law on “Guarding State Secrets”
The UK’s “Official Secrets Act”

Answer 52

classification and categorisation systems.

Question 53

NIST Federal Information Processing Standard 199 and NIST special publication 800-60 “Guide for mapping types of information and information systems to security categories” are required to be followed by whom

Answer 53

The US Federal Government

Question 54

What are the 9 steps of the NIST Risk Methodology?

Answer 54

1. System Characterisation
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Liklihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Reccomendations
9. Results Documentation

Question 55

Which Framework/Methodology identifies 5 areas of internal control necessary to meet the Financial Reporting and disclosure objectives?

Answer 55

-COSO (The Committee of sponsoring organisations of the Treadway Commission)

Question 56

Which Framework/Methodology contains a set of best practices for IT core operational processes such as change, release and configuration management, incident and problem management, capacity and availability management and IT Financial Management. It’s primary contribution is showing how the controls can be implemented for the service management IT processes?

• ITIL (The IT Infrastructure Library)
• COBIT (Control Objectives for Information and Related Technology)

Answer 56

• ITIL (The IT Infrastructure Library)

Question 57

Which Framework/Methodology provides an overall structure for information technology control and includes control objectives. Also used to examine effectiveness, efficiency, compliance, confidentiality, etc. of high level control objectives.

• ITIL (The IT Infrastructure Library)
• COBIT (Control Objectives for Information and Related Technology)

Answer 57

• COBIT (Control Objectives for Information and Related Technology)

Question 58

What is ISO 17799:2005 standard?

Answer 58

contains 134 information security controls

Question 59

What is ISO/IEC 27000?

Answer 59

the information security management series

Question 60

What is ISO 27002:2005?

Answer 60

specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system

Question 61

name 8 types of risk methodologies?

Answer 61

• NIST SP 800-30, 800-39, 800-66 - Qualative, used by US federal government, plus regulated industries and health care. 9 stages
• CRAMM - staged discipline approach, both technical and non-technical. uses asset identification & valuation, threat and vulnerability assessment and countermeasure selection and recommendation
• Failure Modes and Effect Analysis - hardware/software analysis using Immediate level, intermediate level and system wide
• FRAP - uses a narrow risk assessment. allows for pre-screening to determine is risk analysis is needed
• OCTAVE - driven by operational risk and security practices. criteria is a set of principles, attributes and outputs
• Security Officers Management and Analysis Project (SOMAP) - open information security management project
• Spanning Tree Analysis - creates a tree of all possible threats to or faults in a system
• VAR (Value At Risk) - provides a summary of the worst loss due to a security breach over a target horizon

Question 62

In a quantitative risk methodology, the calculation ALE = SLE x ARO can be adjusted using which 2 estimates?

Answer 62

Local Annual Frequency Estimate (LAFE)

Standard Annual Frequency Estimate (SAFE)

Question 63

What are the 4 elements of a risk?

Answer 63

threat
vulnerability
likelihood
impact

Question 64

What is the calculation for risk?

Answer 64

likelihood x impact

Question 65

Which risk methodology uses likelihood?

Answer 65

Qualitative

Question 66

How can the likelihood be determined?

Answer 66

capabilities of the threat and the presence or absence of countermeasures

Question 67

In asset valuation, what is the consensus/modified Delphi method?

Answer 67

Participants in a valuation exercise are asked to comment anonymously about the task at hand. results collected and then discussed in public forum

Question 68

What is the difference between a tangible asset and a intangible asset?

Answer 68

Tangible is something physical, intangible is not.

Question 69

How is a tangible asset generally valued?

Answer 69

Original cost minus depreciation.

Question 70

What are 3 ways to determine tangible asset value?

Answer 70

• Original cost minus depreciation
• Actual market value through research
• cost of switching to a competing asset

Question 71

Intangible assets can be defined as what?

Answer 71

Definite - expiration date ,ie patent

Indefinite - no expiration date, ie brand

Question 72

How can an intangible asset value be calculated?

Answer 72

• cost to create and replace
• capitalisation of historic profits
• cost avoidance or savings

Question 73

Job descriptions should have some reference to information security responsibilities. True or False?

Answer 73

True

Question 74

Credit checks carried out as part of employment checks must be done in line with which pieces of legislation in the US?

Answer 74

Fair Credit Reporting Act (FCRA)

Equal Employment Opportunity Commission (EEOC)

Question 75

In the US the law “Americans with Disabilities Act” (ADA) may provide protection for which individuals in the event of drug screening as part of employment checks?

Answer 75

individuals undergoing drug rehabilitation

Question 76

What is a CIRT?

Answer 76

Computer Incident Response Team