IS3110 CHAP 10

Question 1

Critical business function (CBF)

Answer 1

Any function considered vital to an organization. If it fails, the organization will lose the ability to perform a critical operation necessary for the businesses mission.

Question 2

Critical success factor (CSF)

Answer 2

An element necessary for the success of an organization. This often contributes to CBFs.

Question 3

Defense in depth

Answer 3

A security principle used to provide multiple layers of controls. Even though one control may provide protection, additional controls are added to provide stronger protection. It is a strategy that ensures a risk is mitigated even if one control fails.

Question 4

E-Rate funding

Answer 4

A program in place that provides discounts to schools and libraries for Internet access. Any school or library that requests discounts under the program must comply with CIPA rules. CIPA mandates the filtering of Internet content for children under 17 years of age.

Question 5

Maximum acceptable outage (MAO)

Answer 5

The maximum amount of time a system or service can be down before affecting the mission. This directly affects the required recovery time. In other words, a system must be recoverable before this time is reached.

Question 6

Proxy server

Answer 6

A server used to accept requests from clients for Internet access, retrieve the Web pages, and serves them back to the client. It can filter requests so that clients cannot access Web pages. It can be used as a technology protection measures for CIPA.

Question 7

Return on investment (ROI)

Answer 7

A value that determines the monetary benefits of purchasing or improving a system. If the cost of a control is close to the annual projected benefits, this can be calculated to determine if the control will be valuable over the lifetime of the control.

Question 8

Service level agreement (SLA)

Answer 8

A document that identifies an expected level of performance. It can specify the minimum uptime or the maximum downtime. It is often written as a contract between a service provider and a customer. An SLA can identify monetary penalties if the terms aren’t met.

Question 9

Technology protection measure (TPM)

Answer 9

A requirement of CIPA. It will filter offensive content on school and library computers. This ensures that minors are not exposed to the offensive content. It can be disabled if an adult needs to use the computer.

Question 10

1. A ___ is used to identify the impact on an organization if a risk occurs.

Answer 10

Business impact analysis (BIA)

Question 11

2. MAO is the minimal acceptable outage that a system or service can have before affecting the mission.
   TRUE OR FALSE.

Answer 11

TRUE

Question 12

3. Your organization wants to have an agreement with a vendor for an expected level of performance for a service. You want to ensure that monetary penalties are assessed if the minimum uptime requirements are not met. What should you use?
4. MAO
5. BIA
6. SLA
7. IDS

Answer 12

SLA

Question 13

4. What can be used to help identify mission-critical systems?
5. Critical outage times
6. Critical business function
7. PCI DSS review
8. Disaster recovery plan

Answer 13

Critical business function

Question 14

5. What can be used to remind users of the contents of the AUP?
6. Logon banners
7. Posters
8. Emails
9. All the above

Answer 14

Logon banner
Posters
Emails
ALL

Question 15

6. Routers have ___ to control what traffic is allowed through them.

Answer 15

Access control lists (ACLs)

Question 16

7. Which of the strategies below can help to reduce security gaps even if a security control fails?
8. Access control
9. Critical business factor analysis
10. Defense in depth
11. Business impact analysis

Answer 16

Defense in depth

Question 17

8. How much can an organization be fined in a year for mistakes that result in noncompliance?
9. $100
10. $1,000
11. $25,000
12. $250,000

Answer 17

$25,000

Question 18

9. What determines if an organization is governed by FISMA?
10. If it is registered with the Securities and Exchange commission
11. If employees handle health-related information
12. If it receives E-Rate funding
13. If it is a federal agency

Answer 18

If it is a federal agency

Question 19

10. What determines if an organization is governed by HIPAA?
11. If it is registered with the Securities and Exchange commission
12. If employees handle health-related information
13. If it receives E-Rate funding
14. If it is a federal agency

Answer 19

If employees handle health-related information

Question 20

11. What determines if an organization is governed by SOX?
12. If it is registered with the Securities and Exchange commission
13. If employees handle health-related information
14. If it receives E-Rate funding
15. If it is a federal agency

Answer 20

If it is registered with the Securities and Exchange commission

Question 21

12. What determines if an organization is governed by CIPA?
13. If it is registered with the Securities and Exchange commission
14. If employees handle health-related information
15. If it receives E-Rate funding
16. If it is a federal agency

Answer 21

If it receives E-Rate funding

Question 22

13. You’ve performed a CBA on a prospective control. The CBA indicates the cost of the control is about the same as the projected benefits. What should you do?
14. Identify the ROI
15. Purchased the control
16. Cancel the purchase of the control
17. Redo the CBA

Answer 22

Identify the ROI

Question 23

14. Which of the following is a valid formula used to identify the projected benefits of a control?
15. Loss after control - loss before control
16. Loss before control - loss after control
17. Cost of control + losses
18. Cost of control /12

Answer 23

Loss before control - loss after control

Question 24

15. A CBA can be used to justify the purchase of a control.

TRUE OR FALSE

Answer 24

TRUE