Risk and Personnel Management Flashcards

1
Q
Which of the following is the weakest element in any security solution?
A. Software products
B. Internet connections
C. Security policies
D. Humans
A

D. Regardless of the specifics of a security solution, humans are the weakest element.

2
Q
When seeking to hire new employees, what is the first step?
A. Create a job description.
B. Set position classification.
C. Screen candidates.
D. Request resumes.
A

A. The first step in hiring new employees is to create a job description. Without a job description, there is no consensus on what type of individual needs to be found and hired.

3
Q

Which of the following is a primary purpose of an exit interview?
A. To return the exiting employee’s personal belongings
B. To review the nondisclosure agreement
C. To evaluate the exiting employee’s performance
D. To cancel the exiting employee’s network access accounts

A

B. The primary purpose of an exit interview is to review the nondisclosure agreement (NDA) and other liabilities and restrictions placed on the former employee based on the employment agreement and any other security-related documentation.

4
Q

When an employee is to be terminated, which of the following should be done?
A. Inform the employee a few hours before they are officially terminated.
B. Disable the employee’s network access just as they are informed of the termination.
C. Send out a broadcast email informing everyone that a specific employee is to be terminated.
D. Wait until you and the employee are the only people remaining in the building before announcing the termination.

A

B. You should remove or disable the employee’s network user account immediately before or at the same time they are informed of their termination.

5
Q
If an organization contracts with outside entities to provide key business functions or services, such as account or technical support, what is the process called that is used to ensure that these entities support sufficient security?
A. Asset identification
B. Third-party governance
C. Exit interview
D. Qualitative analysis
A

B. Third-party governance is the application of security oversight on third parties that your organization relies upon.

6
Q
A portion of the _________________ is the logical and practical investigation of business processes and organizational policies. This process/policy review ensures that the stated and implemented business tasks, systems, and methodologies are practical, efficient, cost-effective, but most of all (at least in relation to security governance) that they support security through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk.
A. Hybrid assessment
B. Risk aversion process
C. Countermeasure selection
D. Documentation review
A

D. A portion of the documentation review is the logical and practical investigation of business processes and organizational policies.

7
Q

Which of the following statements is not true?
A. IT security can provide protection only against logical or technical attacks.
B. The process by which the goals of risk management are achieved is known as risk analysis.
C. Risks to an IT infrastructure are all computer based.
D. An asset is anything used in a business process or task.

A

C. Risks to an IT infrastructure are not all computer based. In fact, many risks come from noncomputer sources. It is important to consider all possible risks when performing risk evaluation for an organization. If it fails to properly evaluate and respond to all forms of risk, a company remains vulnerable.

8
Q

Which of the following is not an element of the risk analysis process?
A. Analyzing an environment for risks
B. Creating a cost/benefit report for safeguards to present to upper management
C. Selecting appropriate safeguards and implementing them
D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage

A

C. Risk analysis includes analyzing an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management. Selecting safeguards is a task of upper management based on the results of risk analysis. It is a task that falls under risk management, but it is not part of the risk analysis process.

9
Q
Which of the following would generally not be considered an asset in a risk analysis?
A. A development process
B. An IT infrastructure
C. A proprietary system resource
D. Users’ personal files
A

D. The personal files of users are not usually considered assets of the organization and thus are not considered in a risk analysis.

10
Q
Which of the following represents accidental or intentional exploitations of vulnerabilities?
A. Threat events
B. Risks
C. Threat agents
D. Breaches
A

A. Threat events are accidental or intentional exploitations of vulnerabilities.

11
Q
When a safeguard or a countermeasure is not present or is not sufficient, what remains?
A. Vulnerability
B. Exposure
C. Risk
D. Penetration
A

A. A vulnerability is the absence or weakness of a safeguard or countermeasure.

12
Q

Which of the following is not a valid definition for risk?
A. An assessment of probability, possibility, or chance
B. Anything that removes a vulnerability or protects against one or more specific threats
C. Risk = threat * vulnerability
D. Every instance of exposure

A

B. Anything that removes a vulnerability or protects against one or more specific threats is considered a safeguard or a countermeasure, not a risk.

13
Q

When evaluating safeguards, what is the rule that should be followed in most cases?
A. The expected annual cost of asset loss should not exceed the annual costs of safeguards.
B. The annual costs of safeguards should equal the value of the asset.
C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.
D. The annual costs of safeguards should not exceed 10 percent of the security budget.

A

C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.

14
Q

How is single loss expectancy (SLE) calculated?
A. Threat + vulnerability
B. Asset value ($) * exposure factor
C. Annualized rate of occurrence * vulnerability
D. Annualized rate of occurrence * asset value * exposure factor

A

B. SLE is calculated using the formula SLE = asset value ($) * exposure factor (SLE = AV * EF).

15
Q

How is the value of a safeguard to a company calculated?
A. ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard
B. ALE before safeguard * ARO of safeguard
C. ALE after implementing safeguard – annual cost of safeguard – controls gap
D. Total risk – controls gap

A

A. The value of a safeguard to an organization is calculated by ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard [(ALE1 – ALE2) – ACS].

16
Q
What security control is directly focused on preventing collusion?
A. Principle of least privilege
B. Job descriptions
C. Separation of duties
D. Qualitative risk analysis
A

C. The likelihood that a co-worker will be willing to collaborate on an illegal or abusive scheme is reduced because of the higher risk of detection created by the combination of separation of duties, restricted job responsibilities, and job rotation.

17
Q
What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions?
A. Education
B. Awareness
C. Training
D. Termination
A

C. Training is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to groups of employees with similar job functions.

18
Q
Which of the following is not specifically or directly related to managing the security function of an organization?
A. Worker job satisfaction
B. Metrics
C. Information security strategies
D. Budget
A

A. Managing the security function often includes assessment of budget, metrics, resources, information security strategies, and assessing the completeness and effectiveness of the security program.

19
Q

While performing a risk analysis, you identify a threat of fire and a vulnerability because there are no fire extinguishers. Based on this information, which of the following is a possible risk?
A. Virus infection
B. Damage to equipment
C. System malfunction
D. Unauthorized access to confidential information

A

B. The threat of a fire and the vulnerability of a lack of fire extinguishers lead to the risk of damage to equipment.

20
Q
You’ve performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change?
A. Exposure factor
B. Single loss expectancy
C. Asset value
D. Annualized rate of occurrence
A

D. A countermeasure directly affects the annualized rate of occurrence, primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year.

21
Q

For information systems security, a penetration is defined as which of the following combinations?

a. Attack plus breach
b. Attack plus threat
c. Threat plus breach
d. Threat plus countermeasure

A

a. A penetration is the successful act of bypassing the security mechanisms of a computer system.

22
Q

Which of the following is not a basic objective of computer-based information systems security?

a. Protection of system assets from loss, damage, and misuse
b. Accuracy of data and reliability of application processes
c. Availability of information and application processes
d. Control of data analysis

A

d. The control of information protection, accuracy, availability, and dissemination, not the control of data analysis, is one of the basic objectives of computer-based information systems security.

23
Q

Which of the following is the primary purpose of a plan of action and milestones document?

a. To reduce or eliminate known vulnerabilities
b. To use findings from security control assessments
c. To apply findings from security impact analyses
d. To implement findings from continuous monitoring activities

A

a. The primary purpose of a plan of action and milestones (POA&M) document is to correct deficiencies and to reduce or eliminate known vulnerabilities. The POA&M document updates are based on findings from security control assessment, security impact analyses, and continuous monitoring activities.

24
Q

For information systems security, an exposure is defined as which of the following combinations?

a. Attack plus breach
b. Threat plus vulnerability
c. Threat plus attack
d. Attack plus vulnerability

A

d. An exposure is an instance of vulnerability in which losses may result from the occurrence of one or more attacks (i.e., attack plus vulnerability). An attack is an attempt to violate data security.

25
Q

For risk mitigation, which of the following technical security controls are pervasive and interrelated with other controls?

a. Supporting controls
b. Prevention controls
c. Detection controls
d. Recovery controls

A

a. From a risk mitigation viewpoint, technical security controls are divided into two categories: supporting controls and other controls (i.e., prevention, detection, and recovery controls).

26
Q

Information security must follow which of the following?

a. Top-down process
b. Bottom-up process
c. Top-down and bottom-up
d. Bottom-up first, top-down next

A

a. Information security must be a top-down process requiring a comprehensive security strategy explicitly linked to the organization’s business processes and strategy.

27
Q

Information security baselines for information assets vary depending on which of the following?

a. Availability and reliability
b. Sensitivity and criticality
c. Integrity and accountability
d. Assurance and nonrepudiation

A

b. Information security baselines vary depending on the sensitivity and criticality of the information asset, which is part of the confidentiality goal. The other three choices are not related to the confidentiality goal.

28
Q

Which of the following characteristics of information security are critical for electronic transactions?

a. Trust and accountability
b. Trust and usefulness
c. Usefulness and possession
d. Accountability and possession

A

a. Trust and accountability are critical and needed in electronic transactions to make the customer comfortable with transactions, whereas usefulness and possession are needed to address theft, deception, and fraud.

29
Q

From a corporate viewpoint, information integrity is most needed in which of the following?

a. Financial reporting
b. Inventory information
c. Trade secrets
d. Intellectual property

A

a. Corporate financial reporting requires integrity of information so that it is protected against unauthorized modification.

30
Q

Which of the following is the major purpose of self-assessment of information security for improving the security?

a. Establish future targets
b. Understand the current status
c. Find out the industry average
d. Analyze the current target

A

a. Information security self-assessment results can be used to establish targets for future development, based on where the organization wants to reach (major purpose) and how to improve security.

31
Q

What does risk analysis in the contingency planning process not include?

a. Prioritization of applications
b. Development of test procedures
c. Assessment of threat impact on the organization
d. Development of recovery scenarios

A

b. Test procedures are detailed instructions that usually are not considered during a risk analysis exercise.

32
Q

Which of the following is not a key activity that facilitates the integration of information security governance components?

a. Operational planning
b. Organizational structure
c. Roles and responsibilities
d. Enterprise architecture

A

a. The key activities that facilitate integration of information security governance components include strategic planning, organizational structure (design and development), roles and responsibilities, enterprise architecture, and security objectives.

33
Q

Which of the following is not an example of protected communications controls that are part of technical preventive controls?

a. Cryptographic technologies
b. Data encryption methods
c. Discretionary access controls
d. Escrowed encryption algorithms

A

c. Discretionary access controls (DAC) define access control security policy. The other choices are examples of protected communications controls, which ensure the integrity, availability, and confidentiality of sensitive information while it is in transit.

34
Q

For risk mitigation strategies, which of the following is not a proper and effective action to take when a determined attacker’s potential or actual cost is too great?

a. Apply security design principles.
b. Decrease an attacker’s motivation.
c. Implement security architectural design.
d. Establish nontechnical security controls.

A

b. Usually, protection mechanisms to deter a normal and casual attacker are applied to decrease an attacker’s motivation by increasing the attacker’s cost when the attacker’s cost is less than the potential gain for the attacker.

35
Q

Which of the following is not the major purpose of information system security plans?

a. Describe major application systems.
b. Define the security requirements.
c. Describe the security controls.
d. Delineate the roles and responsibilities.

A

a. The information security plan should reflect inputs from various managers with responsibilities concerning the system.

36
Q

The information system security plan is an important deliverable in which of the following processes?

a. Configuration management
b. System development life cycle
c. Network monitoring
d. Continuous assessment

A

b. The information system security plan is an important deliverable in the system development life cycle (SDLC) process.

37
Q

Which of the following approves the system security plan prior to the security certification and accreditation process?

a. Information system owner
b. Program manager
c. Information system security officer
d. Business owner

A

c. Prior to the security certification and accreditation process, the information system security officer (the authorizing official, independent from the system owner) typically approves the security plan.

38
Q

Which of the following is the key factor in the development of the security assessment and authorization policy?

a. Risk management
b. Continuous monitoring
c. Testing the system
d. Evaluating the system

A

a. An organization’s risk management strategy is the key factor in the development of the security assessment and authorization policy.

39
Q

For new information systems, which of the following can be interpreted as having budgetary authority and responsibility for developing and deploying the information systems?

a. Security control
b. Management control
c. Operational control
d. Technical control

A

b. For new information systems, management control can be interpreted as having budgetary or programmatic authority and responsibility for developing and deploying the information systems. For current systems in the inventory, management control can be interpreted as having budgetary or operational authority for the day-to-day operation and maintenance of the information systems.

40
Q

The effectiveness of security controls depends on which of the following?

1. System management
2. Legal issues
3. Quality assurance
4. Management controls

a. 1 only
b. 3 only
c. 4 only
d. 1, 2, 3, and 4

A

d. The effectiveness of security controls depends on such factors as system management, legal issues, quality assurance, internal controls, and management controls.

41
Q

For information risk assessment, which of the following can improve the ability to realistically assess threats?

a. Intrusion detection tools
b. Natural threat sources
c. Human threat sources
d. Environmental threat sources

A

a. Common threat sources collect data on security threats, which include natural threats, human threat sources, and environmental threat sources. In addition, intrusion detection tools collect data on security events, thereby improving the ability to realistically assess threats to information.

42
Q

Which of the following provides a 360-degree inspection of the system during the vulnerability identification of a system in the risk assessment process?

a. Automated vulnerability scanning tools
b. Security requirement checklist
c. Security advisories
d. Security test and evaluation

A

b. Developing a security requirements checklist, based on the security requirements specified for the system during the conceptual, design, and implementation phases of the system development life cycle (SDLC), can be used to provide a 360-degree inspection of the system.

43
Q

During the risk assessment process of a system, how is the level of risk to the system derived?

a. Multiplying the threat likelihood rating with the impact level
b. Subtracting the threat likelihood rating from the impact level
c. Adding the threat likelihood rating to the impact level
d. Dividing the threat likelihood rating by the impact level

A

a. When the ratings for threat likelihood (i.e., high, moderate, or low) and impact levels (i.e., high, moderate, or low) have been determined through appropriate analysis, the level of risk to the system and the organization can be derived by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact level.

44
Q

The effectiveness of recommended security controls is primarily related to which of the following?

a. System safety
b. System reliability
c. System complexity
d. System regulations

A

c. The effectiveness of recommended security controls is primarily related to system complexity and compatibility. The level and type of security controls should fit with the system complexity, meaning more controls are needed for complex systems and fewer controls are needed for simple systems.

45
Q

Risk mitigation does not strive to do which of the following?

a. Control identification
b. Control prioritization
c. Control evaluation
d. Control implementation

A

a. Risk mitigation strives to prioritize, evaluate, and implement the appropriate risk-reducing controls recommended from the risk assessment process. Control identification is performed in the risk assessment process, which comes before risk mitigation.