Information Security Governance and Risk Management Flashcards

1
Q

What are 3 kinds of security policies

A

Organizational
Functional
System-specific

2
Q

Functional policy

A

Focuses on a specific security issue

3
Q

A standard

A

Specifies the technology or approach that must be used to control a security risk.

4
Q

A document from a medical research company specifies the use of multi-factor authentication with a combination of key cards and biometrics for protecting access to a database.
Which component of a policy framework does this document represent?

A

Standard

5
Q

A security procedure

A

Provides step-by-step instructions on how to comply with a security policy.

6
Q

A baseline

A

Describes minimum technical security standards that should be maintained consistently across an organization.

7
Q

A guideline

A

Recommendations that individuals can follow or use at their own discretion

8
Q

For an organization to adhere to legislative and regulatory compliance, its control frameworks need to be 5 things

A
Consistent
Measurable
Standardized
Comprehensive
Modular
9
Q

COSO - Committee of Sponsoring Organizations of the Treadway Commission

A

Formed to study and prevent fraud in financial reporting

10
Q

ITIL - IT Infrastructure Library

A

A set of 34 books written to improve IT service management.

11
Q

COBIT - Control Objectives for Information and related Technology.

A

34 high-level processes and 214 control objectives to support the processes. Examines the effectiveness of confidentiality, integrity, and availability.

12
Q

ISO 27000

A

Standards for information security management

Contains 134 detailed information security controls based on 11 different areas.

13
Q

ISO 27001

A

Can be tailored and applied to organizations of varying sizes.

14
Q

NIST SP 800-53

A

Has 300 controls across 17 families and three classes. Mandatory for US federal government agencies and contractors.

15
Q

COBIT divides into how many domains?

A
4
Planning and organization
acquisition and implementation
delivery and support
Monitoring
16
Q

CRAMM

A

Developed by CCTA in Britain for risk analysis. Incorporates securing IT hardware and software with physical and human resources.

17
Q

How many stages in the CRAMM methodology?

A

3
Identifying and valuing assets
assessing threats and vulnerability
Selecting and recommending countermeasures

18
Q

FMEA - failure modes and effects analysis methodology

A

Assesses risk by examining the effects at 3 different levels.

19
Q

FRAP - Facilitated risk analysis process

A

Qualitative risk analysis method that uses pre-screening to identify critical risk areas.

20
Q

8 NIST risk assessment methodology steps

A
characterize systems
identify threats
identify countermeasures
determine likelihood
determine impact
determine risk
recommend additional countermeasures
document results
21
Q

OCTAVE - Operationally critical threat asset and vulnerability evaluation

A

Uses a self-directed interdisciplinary team to analyze and evaluate security risks by reviewing operational risk and security practices.

22
Q

NIST

A

Qualitative risk assessment methodology established with healthcare in mind.

23
Q

PUSH

A
Service-based risk assessment solution with 4 phases
Preparation
Universe definition
Scoring
Hitting the mark
24
Q

SOMAP - Security Officers Management and Analysis Project

A

Swiss non-profit guide and risk assessment tool for open-source systems

25
Q

How many stages in SOMAP?

A
5
Risk treatment
Data collection
Threat analysis
vulnerability analysis
risk retention
26
Q

VAR - value at risk methodology

A

Theoretically based quantitative measure of information security risk.
Creates a summary of the worst loss due to a security breach and creates a workable balance between the cost of implementing controls and reducing risk.

27
Q

Number of stages in VAR - value at risk methodology

A
4
Mitigate risk
identify threats
estimate var
estimate likelihood
28
Q

Risk management definition

A

Comprises the tasks and activities associated with assessing, mitigating, and preventing potential threats to an organization.

29
Q

Why is risk management important?

A

Helps ensure legal compliance

Enables identification and protection of critical assets

30
Q

What are the two types of risk assessment?

A

qualitative

quantitative

31
Q

Risk Assessment step

Define System characterization

A

Set the scope of the assessment. Determine system and data criticality and sensitivity at this stage.

32
Q

Risk Assessment step

Define Threat identification

A

Identify anything that may harm an IT system and system information.

33
Q

Risk Assessment step

Define vulnerability identification

A

Review of system security procedures, design, implementation, or internal controls that may fail during an attack.

34
Q

Risk Assessment step

Define Control analysis

A

Review of current and planned countermeasures against a security requirements checklist.

35
Q

Risk Assessment step

Define Likelihood determination

A

Consider the capability and motivation of threat sources in relation to each vulnerability.

36
Q

Risk Assessment step

Define impact analysis

A

Quantify or rate potential losses of integrity, availability, or confidentiality of system data.

37
Q

Risk Assessment step

Define risk determination

A

Quantify the probability of attack, its impact, and the adequacy of current or planned controls.

38
Q

Risk Assessment step

Define control recommendations

A

Consider the effectiveness, performance impacts, safety, and reliability of control options.

39
Q

Risk Assessment step

Define results determination

A

Present threat and vulnerability pairings with associated cost-benefit data.

40
Q

4 types of risk responses

A

risk avoidance
risk transfer
risk mitigation
risk acceptance

41
Q

Risk transfer

A

Passing risk to a third party

42
Q

Which frameworks & methodologies are designed for performing risk assessments?

A

OCTAVE, CRAMM, VAR

43
Q

Which frameworks & methodologies are designed for implementing and auditing security controls?

A

COBIT, ITIL, COSO

44
Q

What 5 things should an information security officer be able to provide information about

A

each risk the organization is facing
likelihood and potential impact of a risk
costs and benefits of potential solutions
risk that will remain after a response is implemented
a time frame for responding to a risk

45
Q

6 Responsibilities of an information security officer

A

communicating risks to senior management
ensuring regulatory compliance
assisting auditors
overseeing development and delivery of a security awareness program
monitoring emerging threats and new technologies
evaluating security incidents and responses

46
Q

6 steps to reduce employee security policy violations

A
prepare accurate job descriptions
check references
conduct background checks
ask new employees to sign employment agreements
oversee how employees perform
control terminations
47
Q

When determining the value of an intangible asset, which is the best approach?
A. determine the physical storage costs and multiply the expected life of the company.
B. With the assistance of a finance or accounting professional, determine how much profit the asset has returned.
C. Review the depreciation of the intangible asset over the past three years.
D. Use the historical acquisition or development cost of the intangible asset.

A

B. With the assistance of a finance or accounting professional, determine how much profit the asset has returned.

48
Q

Qualitative risk assessment is described by which of the following?
A. Ease of implementation, and it can be completed by personnel with a limited understanding of the risk assessment process.
B. Can be completed by personnel with a limited understanding of the risk assessment process and uses detailed metrics used for calculation of risk.
C. Detailed metrics used for calculation of risk and ease of implementation.
D. Can be completed by personnel with a limited understanding of the risk assessment process and detailed metrics used for the calculation of risk.

A

A. Ease of implementation, and it can be completed by personnel with a limited understanding of the risk assessment process.

49
Q

Single loss expectancy (SLE) is calculated by using
A. asset value and annualized rate of occurrence.
B. asset value, local annual frequency estimate, and standard annual frequency estimate
C. asset value and exposure factor
D. local annual frequency estimate and annualized rate of occurrence.

A

C. asset value and exposure factor

50
Q

Consideration for which type of risk assessment to perform includes all of the following
A. culture of the organization, likelihood of exposure and budget
B. budget, capabilities of resources and likelihood of exposure
C. Capabilities of resources, likelihood of exposure and budget
D. Culture of the organization, budget, capabilities and resources

A

D. Culture of the organization, budget, capabilities and resources

51
Q

Security awareness training includes
A. Legislated security compliance objectives
B. Security roles and responsibilities for staff
C. The high-level outcome of vulnerability assessments
D. Specialized curriculum assignments, coursework and an accredited institution

A

B. Security roles and responsibilities for staff

52
Q

A signed user acknowledgement of the corporate security policy
A. Ensures that users have read the policy
B. Ensures that users understand the policy, as well as the consequences for not following the policy
C. Can be waived if the organization is satisfied that users have an adequate understanding of the policy
D. helps to protect the organization if a user’s behavior violates the policy.

A

D. helps to protect the organization if a user’s behavior violates the policy.

53
Q
Effective security management
A. Achieves security at the lowest cost
B. reduces risk to an acceptable level
C. prioritizes security for new products
D. installs patches in a timely manner
A

B. reduces risk to an acceptable level

54
Q

Availability makes information accessible by protecting it from:
A. Denial of service, fires, floods, hurricanes, and unauthorized transactions.
B. fires, floods, hurricanes, unauthorized transactions and unreadable backup tapes
C. unauthorized transactions, fires, floods, hurricanes and unreadable backup tapes
D. denial of services, fires, floods, hurricanes, and unreadable tapes.

A

D. denial of services, fires, floods, hurricanes, and unreadable tapes.

55
Q
To avoid bias, the security officer could report to any of the following
A. CEO, application development, or CFO
B. CIO, CFO, or application development
C. CFO, CEO, CIO
D. application development, CFO, CEO
A

C. CFO, CEO, CIO

56
Q

Tactical security plans are best used to
A. establish high-level security policies
B. enable enterprise/entity-wide security management
C. reduce downtime
D. deploy new security technology

A

D. deploy new security technology

57
Q
Who is accountable for implementing information security?
A. everyone
B. senior management
C. security officer
D. data owners
A

C. security officer

58
Q
Security is likely to be most expensive when addressed in which phase?
A. design
B. rapid prototyping
C. testing
D. implementation
A

D. implementation

59
Q

Information systems auditors help the organization
A. mitigate compliance issues
B. establish an effective control environment
C. identify control gaps
D. address information technology for financial statements.

A

C. identify control gaps

60
Q
Long duration security projects
A. provide greater organizational value
B. increase ROI
C. minimize risk
D. increase completion risk
A

D. increase completion risk

61
Q

Setting clear security roles has the following benefits
A. establishes personal accountability, reduces cross-training requirements and reduces departmental turf battles
B. enables continuous improvement, reduces cross-training requirements and reduces departmental turf battles
C. Establishes personal accountability, establishes continuous improvement and reduces turf battles
D. Reduces departmental turf battles, reduces cross-training requirements and establishes personal accountability.

A

C. Establishes personal accountability, establishes continuous improvement and reduces turf battles

62
Q

Well-written security program policies are best reviewed
A. at least annually or at pre-determined organization changes
B. after major project implementations
C. When applications or operating systems are updated
D. When procedures need to be modified.

A

A. at least annually or at pre-determined organization changes

63
Q
Orally obtaining a password from an employee is the result of 
A. social engineering
B. weak authentication controls
C. ticket granting server authorization
D. voice recognition software
A

A. social engineering

64
Q

A security policy which will remain relevant and meaningful over time includes the following:
A. Directive words such as shall, must, or will, technical specifications and is short in length
B. Defined policy development process, short in length and contains directive words such as shall, must, or will
C. Short in length, technical specifications and contains directive words such as shall, must or will
D. Directive words such as shall, must, or will, a defined policy development process, and is short in length

A

D. Directive words such as shall, must, or will, a defined policy development process, and is short in length

65
Q
The ability of one person in the finance department to add vendors to the vendor database and subsequently pay the vendors violates which concept?
A. a well formed transaction
B. separation of duties
C. least privilege
D. data sensitivity level
A

B. separation of duties

66
Q
Collusion is best mitigated through
A. Job rotation
B. Data classification
C. defining job sensitivity level
D. least privilege
A

A. Job rotation

67
Q
Data access decisions are best made by
A. user managers
B. data owners
C. senior management
D. application developers
A

B. data owners

68
Q

Which of the following best describes the relationship between CobiT and ITIL?
A. CobiT is a model for IT governance, whereas ITIL is a model for corporate governance.
B. CobiT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
C. CobiT defines IT goals, whereas ITIL provides the process level steps on how to achieve them.
D. CobiT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service level goals.

A

C. CobiT defines IT goals, whereas ITIL provides the process level steps on how to achieve them.

69
Q

What is a “safe harbor”?

A

A set of “good faith” conditions which, if met, may temporarily or indefinitely protect the organization from the penalties of a new law or regulation.

70
Q

What information security act must federal agencies adhere to?

A

FISMA - Federal Information Security Management Act

71
Q

What directive protects personal information in Europe?

A

European Data Protection Directive

72
Q

How often should security policies be reviewed?

A

Annually

73
Q
Jane has been charged with ensuring that clients' personal health information is adequately protected before it is exchanged with a new European partner. What data security requirements must she adhere to?
A. HIPAA
B. NIST SP 800-66
C. Safe Harbor
D. European Union Principles on Privacy
A

C. Safe Harbor

74
Q

Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this?
A. Committee of Sponsoring Organizations of the Treadway Commission
B. The Organization for Economic Co-operation and Development.
C. CobiT
D. International Organization for Standardization

A

B. The Organization for Economic Co-operation and Development.

75
Q
Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs.  What committee is he joining?
A. Security policy committee
B. Audit committee
C. risk management committee
D. Security steering committee
A

D. Security steering committee

76
Q

As head of sales, Jim is the information owner for the sales department. Which of the following is not Jim’s responsibility as information owner?
A. Assigning information classifications.
B. Dictating how data should be protected
C. Verifying the availability of data
D. Determining how long to retain data.

A

C. Verifying the availability of data

77
Q

Assigning data classification levels can help with all of the following except:
A. The grouping of classified information with hierarchical and restrictive security
B. Ensuring that nonsensitive data is not being protected by unnecessary controls
C. Extracting data from a database
D. Lowering the costs of protecting data

A

C. Extracting data from a database

78
Q

Which of the following is not included in a risk assessment?
A. Discontinuing activities that introduce risk
B. Identifying assets
C. Identifying threats
D. Analyzing risk in order of cost or criticality

A

A. Discontinuing activities that introduce risk

79
Q
Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company's email system.  What type of approach is her company taking to handle the risk posed by the system?
A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transference
A

A. Risk mitigation

80
Q

The integrity of data is not related to which of the following?
A. Unauthorized manipulation or changes to data
B. The modification of data without authorization
C. The intentional or accidental substitution of data
D. The extraction of data to share with unauthorized entities.

A

D. The extraction of data to share with unauthorized entities.

81
Q

There are several methods an intruder can use to gain access to a company’s assets. Which of the following best describes masquerading?
A. Changing an IP packet’s source address
B. Elevating privileges to gain access
C. An attempt to gain unauthorized access as another user.
D. Creating a new authorized user with hacking tools

A

C. An attempt to gain unauthorized access as another user.

82
Q

A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset?
A. The asset’s value in the external marketplace.
B. The level of insurance required to cover the asset.
C. The initial and outgoing costs of purchasing, licensing, and supporting the asset
D. The asset’s value to the organization’s production operations.

A

B. The level of insurance required to cover the asset.

83
Q

Jill is establishing a company-wide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database?
A. Increase the database’s security controls and provide more granularity
B. Implement access controls that display each user’s permissions each time they access the database.
C. Change the database’s classification label to higher security status.
D. Decrease the security so that all users can access the information as needed.

A

A. Increase the database’s security controls and provide more granularity

84
Q

As his company’s CISO, George needs to demonstrate to the board of directors the necessity of a strong risk management program. Which of the following should George use to calculate the company’s residual risk?
A. threats x vulnerability x asset value = residual risk
B. SLE x frequency - ALE which is equivalent to residual risk
C. (threats x vulnerability x asset value ) x control gap = residual risk
D. (total risk - asset value) x countermeasures = residual risk

A

C. (threats x vulnerability x asset value ) x control gap = residual risk

85
Q

Authorization creep is to access controls what scope creep is to software development. Which of the following is not true of authorization creep?
A. Users have a tendency to request additional permissions without asking for others to be taken away.
B. It is a violation of least privilege.
C. It enforces the “need to know” concept
D. It commonly occurs when users transfer to other departments.

A

C. It enforces the “need to know” concept

86
Q

For what purpose was the COSO framework developed?
A. To address fraudulent financial activities and reporting.
B. To help organizations install, implement, and maintain Cobit controls
C. To serve as a guideline for IT security auditors to use when verifying compliance.
D. To address regulatory requirements related to protecting private health information.

A

A. To address fraudulent financial activities and reporting.

87
Q

Susan, an attorney, has been hired to fill a new position at Widgets Inc. The position is chief privacy officer. What is the primary function of her new role?
A. Ensuring the protection of partner data
B. Ensuring the accuracy and protection of company financial information
C. Ensuring that security policies are defined and enforced.
D. Ensuring the protection of customer, company, and employee data

A

D. Ensuring the protection of customer, company, and employee data

88
Q
Jared plays a role in his company's classification system.  In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data.  He does not determine, maintain, or evaluate controls, so what is Jared's role?
A. Data owner
B. Data custodian
C. Data user
D. Information systems auditor
A

C. Data user

89
Q
Risk assessment has several different methodologies.  Which of the following official risk methodologies was not created for the purpose of analyzing security risks?
A. FRAP
B. OCTAVE
C. ANZ 4360
D. NIST SP 800-30
A

C. ANZ 4360

90
Q

Which of the following is not a characteristic of a company with a security governance program in place?
A. Board members are updated quarterly on the state of security.
B. All security activity takes place within the security department.
C. Security products, services, and consultants are deployed in an informed manner.
D. The organization has established metrics and goals for improving security.

A

B. All security activity takes place within the security department.

91
Q

Michael is charged with developing a classification program for his company. Which of the following should he do first?
A. Understand the different levels of protection that must be provided.
B. Specify data classification criteria
C. Identify the data custodians
D. Determine protection mechanisms for each classification level.

A

A. Understand the different levels of protection that must be provided.

92
Q

ISO/IEC 27000 is part of a growing family of ISO/IEC information security management systems standards. It comprises information security standards published jointly by the International Organization for Standardization and the International Electrotechnical Commission. Which of the following provides an incorrect mapping of the individual standards that make up this family of standards?
A. ISO/IEC 27002 code of practice for information security management
B. ISO/IEC 27003 guideline for ISMS implementation
C. ISO/IEC 27004 guideline for information security management measurement and metrics framework.
D. ISO/IEC 27005 guideline for bodies providing audit and certification of information security management systems.

A

D. ISO/IEC 27005 guideline for bodies providing audit and certification of information security management systems.

93
Q

CobiT defines

A

Goals for the controls that should be used to properly manage IT and ensure IT maps to business needs.
Addresses what is to be achieved.

94
Q

ITIL defines

A

General activities necessary to achieve goals.

Addresses how to achieve goals.

95
Q

Name the health care related risk assessment methodology

A

NIST SP 800-66

96
Q

Which information role is responsible for verifying data availability?

A

Information custodian

97
Q

What is the job of the information custodian?

A

Carry out the mandates of the information owner

98
Q

What is residual risk?

A

Risk left after countermeasures are implemented.

99
Q

What is the Chief privacy officer responsible for?

A

Ensuring the security of customer, company, and employee data.