Lecture 5

Question 1

______ ensures proper creation, implemenation and enforcement of a ecurity policy

Answer 1

security management planning

Question 2

A ____ plan is long-term and is stable. Should define the mission, long-term goal and vision.

Answer 2

Strategic

Question 3

A ____ plan is a midterm plan with more details on how to achieve the long-term goals.

Answer 3

Tactical

Question 4

The _____ plan is a short-term, highly detailed plan. Based more on day to day operations.

Answer 4

Operational

Question 5

A set of practices to support, define and direct the security efforts of an organization.

A: Security policy
B: Security plan
C: Security governance

Answer 5

C: Security governance

Question 6

Who is ultimately responsible for the security maintained by the organization? Usually sign off on policies.

Answer 6

Senior Manager

Question 7

Who is responsible for classifying information?

Answer 7

Data owner

Question 8

A(n) _____is responsible for testing and verifying that the security policy is properly implemented and the security solutions are adequate

Answer 8

auditor

Question 9

_____ is used by grouping security controls together by type or function in order to simplify security.

A. collecting
B. abstraction
c. grouping

Answer 9

b. Abstraction

Question 10

Data hiding is used for what?

Answer 10

Prevent data from being discovered or accessed by a subject

Question 11

______ is the art and science of hiding the meaning or intent of a communication from unintended recipients.

Answer 11

Encryption

Question 12

**
A control framework. A documented set of best IT security practices. It encourages mapping IT security ideals to business objectives.

Answer 12

CobiT

Control Objectives for Information and Related Technology

Question 13

_________ is using reasonable care to protect the interests of an organization.

Answer 13

Due care

Question 14

__________ is practicing the activities that maintain the due care effort.

Answer 14

Due diligence

Question 15

____ is information that can be traced back to a person and can be used to compromise their identity.

Answer 15

Personally identifiable information (PII)

Question 16

T/F: Privacy must be addressed in an organizational security policy.

Answer 16

True

Question 17

Match the type of documents to what they are.

1. Policy
2. Standards
3. Guidelines
4. Procedures

A. Recommendations/best practices
B. Specific mandatory controls
C. Step by step instructions
D. General management statements

Answer 17

1. Policy, D. General management
2. Standards, B. specific mandatory controls
3. Guidelines, A. Recommendations/best practices
4. Procedures, C. Step by step instructions

Question 18

A ___ defines the scope of security, assets to protect, security goals and practices, roles, responsibilities, risk levels. Mandatory to have.

Answer 18

security policy

Question 19

A ____ defines mandatory requirements for the use of hardware, software, technology, and security controls.

Answer 19

standard

Question 20

The minimum level of security that every system must meet is the ____.

Answer 20

baseline

Question 21

A _____ is a recommendation on how standards and baselines can be implemented.

Answer 21

guideline

Question 22

A ___ is a detailed step-by-step document to describe exact actions needed to do a specific security mechanism.

Answer 22

procedure

Question 23

The goal of _____ is to prevent any change from reducing or compromising security

Answer 23

change management

Question 24

Why would you use parallel run in change management?

Answer 24

The new and old system run in parallel so functionality can be verified before removing the old system

Question 25

What is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality?

A. Data roles
B. Data Security
C. Data Classification
D. None of the above

Answer 25

C. Data classification

Question 26

What is an asset?

Answer 26

Something in the environment that should be protected

Question 27

____ is the dollar value assigned to an asset based on actual cost and nonmonetary expenses to develop, and maintain it

Answer 27

asset valuation

Question 28

An event or situation that may cause an undesirable or unwanted outcome for an organization or for a specific asset

Answer 28

Threat

Question 29

A weakness in an asset or the absence or weakness of a safeguard or countermeasure

Answer 29

vulnerability

Question 30

Being susceptible to asset loss because of a threat

Answer 30

exposure

Question 31

The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset

Answer 31

risk

Question 32

Any mechanism that removes or reduces a vulnerability or protects against one or more specific threats

Answer 32

safeguard/countermeasure

Question 33

The occurrence of a security mechanism being bypassed or thwarted by a threat agent

Answer 33

breach

Question 34

Asset valuation is the ___ step of risk analysis?

Answer 34

1st

Question 35

The risk analysis that uses dollar figures and actual costs is what?

A. Qualitative
B. Quantitative

Answer 35

B. Quantitative

Question 36

The percentage of loss that an organization would experience if a specific asset were violated by a realized risk

Answer 36

Exposure Factor (EF) or loss potential

Question 37

The _________ is the cost associated witha single realized risk against a specific asset.

Answer 37

single loss expectancy (SLE)

Question 38

How do you calculate the SLE?

Answer 38

SLE = Asset Value * EF
(AV = $200,000 and EF = 45%, then SLE = $90,000)

Question 39

The expected frequency with which a specific threat or risk will occur

Answer 39

Annualized Rate of Occurrence (ARO)

Question 40

The possible yearly cost of all instances of a specific realized threat against a specific asset

Answer 40

Annualized Loss Expectancy (ALE)

Question 41

How do you calculate the annualized loss expectancy?

Answer 41

ALE = SLE * ARO

Question 42

Order the steps of the quantitative risk analysis.

A. Calculate the ALE (annualized loss expectancy)
B. List all possible threats for each asset
C. Perform threat analysis and find the ARO (Annual rate of occurance)
D. Inventory assets and assign value (AV)
E. Perform cost/benefit analysis to find the most appropriate response for each threat of an asset
F. Inventory countermeasures for each threat

Answer 42

D. Inventory assets and assign value (AV)
B. List all possible threats for each asset
C. Perform threat analysis and find the ARO (Annual rate of occurance)
A. Calculate the ALE (annualized loss expectancy)
F. Inventory countermeasures for each threat
E. Perform cost/benefit analysis to find the most appropriate response for each threat of an asset

Question 43

The Cost/benefit analysis has 4 steps. What are they?

Answer 43

1. Calculate the annual cost of safeguard (ACS)
2. Calculate post safeguard ALE (value of ARO and ALE changes when safeguard is applied)
3. Cost/benefit equation (ALE before safeguard - ALE afterguard) - ACS *If result is positive then it’s a viable choice
4. Select the countermeasure

Question 44

The risk analysis that is scenario based on how it would affect the organization. Based on a scale (Low - High) and uses judgement, intuition and experience instead of dollar amounts.

A. Qualitative
B. Quantitative

Answer 44

A. Qualitative

Question 45

You would use a risk-level matrix for what type of analysis?

Answer 45

Qualitative

Question 46

When you ____ risks, you use safeguards.

A. reject
B. accept
C. mitigate

Answer 46

C. mitigate

Question 47

When you ____ risk you outsource- such as insurance

A. reject
B. transfer
C. mitigate

Answer 47

B. transfer

Question 48

When you ____ risk, upper management signs documents to record it.

A. reject
B. accept
C. mitigate

Answer 48

B. accept

Question 49

Residual risk is what?

Answer 49

The risk that is left after implementing the control measures

Question 50

What is the weakest element in any security solution?

Answer 50

humans/people

Question 51

What does separation of duties mean?

Answer 51

It is the security concept that prescribes that critical work tasks are divided among several different people. It ensures that not one person has full control to violate security measures, and it protects against collusion.

Question 52

What is the concept of least privilege?

Answer 52

It is the concept that a person/subject has only the minimum access to perform their duties. It can include access to documents and access to specific systems and applications.

Question 53

What are 2 reasons would you implement job rotation?

Answer 53

knowledge redundancy
reduce risk of fraud or misuse of information
provide peer auditing
protect against collusion

Question 54

What is meant by screening a candidate for a position?

Answer 54

used based on the sensitivity & classification defined by the job description.

Question 55

A background check helps determine what?

Answer 55

That a candidate is trustworthy for a secured position

Question 56

Employment agreements includes all of the following except?

A. job description
B. NDA
C. security policy
D. NCA
E. procedures

Answer 56

E. procedures