Security and Risk Management Flashcards

1
Q

Which of the following best describes the relationship between COBIT and ITIL? A. COBIT is a model for IT governance, whereas ITIL is a model for corporate governance. B. COBIT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management. C. COBIT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them. D. COBIT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service-level goals.

A

C. The Control Objectives for Information and related Technology (COBIT) is a framework developed by ISACA (formerly the Information Systems Audit and Control Association) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure IT maps to business needs, not just security needs. The Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management. A customizable framework, ITIL provides the goals, the general activities necessary to achieve them, and the input and output values for each process required to meet them. In essence, COBIT addresses "what is to be achieved," and ITIL addresses "how to achieve it."

A is incorrect because, although COBIT can be used as a model for IT governance, ITIL is not a model for corporate governance. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is the model for corporate governance; COBIT was designed to align with it and can be thought of as a way to meet many of the COSO objectives from the IT perspective. To achieve many of the objectives addressed in COBIT, an organization can use ITIL, which provides process-level steps for achieving IT service management objectives.

B is incorrect because, as stated, COBIT is a model for IT governance, not corporate governance; COSO fills that role. The second half of the answer is correct: ITIL is a customizable framework, available as a series of books or online, for IT service management.

D is incorrect because COBIT defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs, not just IT security needs, while ITIL provides steps for achieving IT service management goals as they relate to business needs. ITIL was created because of the increased dependence on information technology to meet business needs.

2
Q

Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this? A. Committee of Sponsoring Organizations of the Treadway Commission B. The Organisation for Economic Co-operation and Development C. COBIT D. International Organization for Standardization

A

B. Almost every country has its own rules about what constitutes private data and how it should be protected. As the digital and information age arrived, these differing laws started to negatively affect business and international trade. The Organisation for Economic Co-operation and Development (OECD) therefore developed guidelines for its member countries so that data is properly protected and everyone follows the same rules.

A is incorrect because the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, which studies deceptive financial reports and the factors that lead to them. The acronym COSO also refers to its model for corporate governance, which addresses IT at a strategic level, company culture, financial accounting principles, and more.

C is incorrect because the Control Objectives for Information and related Technology (COBIT) is a framework, not an organization. It defines goals for the controls that should be used to properly manage IT and ensure that IT maps to business needs, and serves as an open reference framework for the control and security of sensitive data.

D is incorrect because the International Organization for Standardization (ISO) is an international standard-setting body made up of representatives from national standards organizations. Its objective is to establish global standards, and its work goes well beyond the privacy of data as it travels across international borders; some standards address quality control, others assurance and security.

3
Q

Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining? A. Security policy committee B. Audit committee C. Risk management committee D. Security steering committee

A

D. Steve is joining a security steering committee, which is responsible for making decisions on tactical and strategic security issues within the enterprise. The committee should consist of individuals from throughout the organization and meet at least quarterly. In addition to the responsibilities listed in the question, the security steering committee is responsible for establishing a clearly defined vision statement that works with and supports the organizational intent of the business. It should provide support for the goals of confidentiality, integrity, and availability as they pertain to the organization's business objectives. This vision statement should, in turn, be supported by a mission statement that provides support and definition to the processes that will apply to the organization and allow it to reach its business goals.

A is incorrect because a security policy committee is a committee chosen by senior management to produce security policies. Usually senior management has this responsibility unless it delegates it to a board or committee. Security policies dictate the role that security plays within the organization; they can be organizational, issue specific, or system specific. The steering committee does not directly create policies, but reviews and approves them if acceptable.

B is incorrect because the audit committee's goal is to provide independent and open communication among the board of directors, management, internal auditors, and external auditors. Its responsibilities include the company's system of internal controls, the engagement and performance of independent auditors, and the performance of the internal audit function. The audit committee reports its findings to the steering committee, but is not responsible for overseeing and approving any part of a security program.

C is incorrect because the purpose of a risk management committee is to understand the risks that the organization faces as a whole and work with senior management to reduce these risks to acceptable levels. This committee does not oversee the security program. The security steering committee usually reports its information security findings to the risk management committee, which must look at overall business risks, not just IT security risks.

4
Q

Which of the following is not included in a risk assessment? A. Discontinuing activities that introduce risk B. Identifying assets C. Identifying threats D. Analyzing risk in order of cost or criticality

A

A. Discontinuing activities that introduce risk is a way of responding to risk through avoidance. For example, there are many risks surrounding the use of instant messaging (IM) in the enterprise. If a company decides not to allow IM because there is not enough business need for it, prohibiting the service is risk avoidance. Risk assessment identifies and analyzes risk; selecting and implementing a response such as this belongs to the later risk treatment step, not to the assessment.

B is incorrect because identifying assets is part of a risk assessment, and the question asks what is not included. In order to determine the value of assets, those assets must first be identified. Asset identification and valuation are also important tasks of risk management.

C is incorrect because identifying threats is part of a risk assessment. Risk exists because of the possibility of a threat exploiting a vulnerability; if there were no threats, there would be no risk. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.

D is incorrect because analyzing risk in order of cost or criticality is part of the risk assessment process. A risk assessment researches and quantifies the risk a company faces. Dealing with risk must be done in a cost-effective manner, and knowing the severity of each risk allows the organization to determine how to address it effectively.

5
Q

The integrity of data is not related to which of the following? A. Unauthorized manipulation or changes to data B. The modification of data without authorization C. The intentional or accidental substitution of data D. The extraction of data to share with unauthorized entities

A

D. The extraction of data to share with unauthorized entities is a confidentiality issue, not an integrity issue. Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of secrecy should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination. Integrity, on the other hand, is the principle that signifies the data has not been changed or manipulated in an unauthorized manner.

A is incorrect because integrity is related to the unauthorized manipulation of or changes to data. Integrity is upheld when any unauthorized modification is prevented. Hardware, software, and communication mechanisms must work in concert to maintain and process data correctly and move data to intended destinations without unexpected alteration. The systems and network should be protected from outside interference and contamination.

B is incorrect because the modification of data without authorization is related to integrity. Integrity is about protecting data so that it cannot be changed by users or other systems that do not have the rights to do so.

C is incorrect because the intentional or accidental substitution of data is related to integrity. Along with the assurance that data is not modified by unauthorized entities, integrity is upheld when the accuracy and reliability of the information and systems are assured. An environment that enforces integrity prevents attackers, for example, from inserting a virus, logic bomb, or back door into a system that could corrupt or replace data. Users usually affect a system or its data's integrity by mistake (although internal users may also commit malicious deeds). For example, a user may insert incorrect values into a data processing application that ends up charging a customer $3,000 instead of $300.

6
Q

As his company’s CISO, George needs to demonstrate to the board of directors the necessity of a strong risk management program. Which of the following should George use to calculate the company’s residual risk? A. threats × vulnerability × asset value = residual risk B. SLE × frequency = ALE, which is equal to residual risk C. (threats × vulnerability × asset value) × controls gap = residual risk D. (total risk – asset value) × countermeasures = residual risk

A

C. Countermeasures are implemented to reduce overall risk to an acceptable level. However, no system or environment is 100 percent secure, and with every countermeasure some risk remains. The risk left over after countermeasures are implemented is called residual risk. It differs from total risk, which is the risk a company faces when it chooses not to implement any countermeasures. Total risk is calculated as threats × vulnerability × asset value = total risk, and residual risk as (threats × vulnerability × asset value) × controls gap = residual risk. The controls gap is the amount of protection the control cannot provide.

A is incorrect because threats × vulnerability × asset value does not equal residual risk; it is the equation for total risk, the risk a company faces in the absence of any security safeguards. Total risk is reduced by implementing safeguards and countermeasures, leaving the company with residual risk, the risk left over after safeguards are implemented.

B is incorrect because SLE × frequency is the equation for the annualized loss expectancy (ALE) resulting from a threat exploiting a vulnerability and its business impact. The frequency is the threat's annual rate of occurrence (ARO), and the single loss expectancy (SLE) is the asset value multiplied by the exposure factor, the fraction of the asset lost in one occurrence. ALE is not equal to residual risk; it indicates how much money a specific type of threat is likely to cost the company over the course of a year. Knowing the real possibility of a threat and how much monetary damage it can cause is important in determining how much should be spent to protect against it in the first place.

D is incorrect and is a distractor; no such formula is used in risk assessments. The actual equations are threats × vulnerability × asset value = total risk and (threats × vulnerability × asset value) × controls gap = residual risk.
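As an added worked example (this is not part of the original flashcard text), the following Python puts the formulas from this card into code and carries one threat through the whole chain: single loss expectancy (asset value × exposure factor), ALE = SLE × ARO, residual risk = total risk × controls gap, and the safeguard cost/benefit figure that decides whether a control is worth buying. The mapping of the card's "threats × vulnerability × asset value" product onto ARO, exposure factor and asset value is the usual way the product is made computable and is my assumption here; the two sample threats and their figures are constructed for illustration, not values from the book.

```python
"""Quantitative risk arithmetic: SLE, ALE, residual risk and safeguard value (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat acting on one asset (sample figures are constructed, not real)."""
    name: str
    asset_value: float      # AV: what the asset is worth, in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence, 0..1
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be within 0..1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: asset value and ARO cannot be negative")


def sle(t: Threat) -> float:
    """Single loss expectancy: AV x EF, the loss from one occurrence."""
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Annualized loss expectancy: SLE x ARO (the card's 'SLE x frequency').
    With no safeguard in place this is the total risk for the threat."""
    return sle(t) * t.aro


def residual_ale(t: Threat, controls_gap: float) -> float:
    """Residual risk: total risk x controls gap.

    controls_gap is the fraction of the loss the safeguard cannot prevent:
    1.0 means no control at all, and 0.0 would mean a perfect control,
    which the card points out never exists in practice."""
    if not 0.0 <= controls_gap <= 1.0:
        raise ValueError("controls gap must be within 0..1")
    return ale(t) * controls_gap


def safeguard_value(t: Threat, controls_gap: float, annual_cost: float) -> float:
    """Cost/benefit of a safeguard: ALE before - ALE after - annual cost of the safeguard.
    A positive value means the control removes more risk than it costs."""
    return ale(t) - residual_ale(t, controls_gap) - annual_cost


def ranked_by_ale(threats):
    """Threats ordered by annualized loss, highest first, for treatment planning."""
    return sorted(threats, key=ale, reverse=True)


# Constructed sample register (illustrative figures, not from the book).
MAIL_SERVER = Threat("internal mail server compromise",
                     asset_value=200_000, exposure_factor=0.5, aro=0.25)
WORKSTATION_VIRUS = Threat("virus on a user workstation",
                           asset_value=2_000, exposure_factor=0.5, aro=12)
SAMPLE_THREATS = [MAIL_SERVER, WORKSTATION_VIRUS]

# Proposed safeguards, keyed by threat: (controls gap that remains, annual cost).
SAMPLE_SAFEGUARDS = {
    MAIL_SERVER.name: (0.25, 10_000),        # hardened relay plus monitoring
    WORKSTATION_VIRUS.name: (0.125, 3_000),  # endpoint protection licences
}


if __name__ == "__main__":
    for t in ranked_by_ale(SAMPLE_THREATS):
        gap, cost = SAMPLE_SAFEGUARDS[t.name]
        print(f"{t.name}: SLE={sle(t):,.0f} ALE={ale(t):,.0f} "
              f"residual={residual_ale(t, gap):,.0f} "
              f"safeguard value={safeguard_value(t, gap, cost):,.0f}")
```

Two things the numbers make visible that the formulas alone do not: the frequent, low-value workstation infection carries almost half the annualized loss of the rare mail-server compromise, and a safeguard is only justified when the ALE it removes exceeds its own annual cost, which is why the controls gap (not the control's advertised effectiveness) is the figure to argue over in front of the board.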

7
Q

Capability Maturity Model Integration (CMMI) came from the software engineering world and is used within organizations to help lay out a pathway of how incremental improvement can take place. This model is used by organizations in self-assessment and to develop structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes. In the CMMI model graphic shown, what is the proper sequence of the levels? A. Initial, Defined, Managed, Quantitatively Managed, Optimizing B. Initial, Defined, Quantitatively Managed, Optimizing, Managed C. Defined, Managed, Quantitatively Managed, Optimizing D. Initial, Repeatable, Defined, Quantitatively Managed, Optimizing

A

D. Capability Maturity Model Integration (CMMI) is an organizational development model for process improvement developed at Carnegie Mellon University. While organizations know that they need to constantly make their security programs better, "better" is vague and hard to quantify. The only way to really improve is to know where you are starting from, where you need to go, and the steps in between; this is how the security industry uses the CMMI model. A security program starts at Level 1 and is chaotic in nature: processes are not predictable, and the security team is reactive to issues that arise rather than proactive.

A note on naming: the original Software CMM used the levels Initial, Repeatable, Defined, Managed, Optimizing, whereas CMMI renamed them Initial, Managed, Defined, Quantitatively Managed, Optimizing. Answer D uses the older "Repeatable" label for Level 2, but it is the only option that keeps the levels in the correct sequence (Level 2 before Defined, and Quantitatively Managed before Optimizing), which is why it is the keyed answer. When reading current CMMI material, expect Level 2 to be called Managed.

A is incorrect because it places Defined at Level 2; the actual second level is Managed (Repeatable in the older CMM). Carnegie Mellon has adapted the model for three main categories: product and service development (CMMI-DEV), service establishment and management (CMMI-SVC), and product and service acquisition (CMMI-ACQ). You do not need this level of detail for the exam, but you should understand that this is a flexible model that can be used in different situations, and that the Managed level is defined slightly differently depending on how the model is used. Different entities have also modified the basic CMMI model to map to organizational security programs; for example, ISACA has laid out a CMMI-style model showing how the ISO 27000 standards can be achieved and IT security governance practiced. The latest version of CMMI has included these security topics:

• OPSD Organizational Preparedness for Secure Development
• SMP Security Management in Projects
• SRTS Security Requirements and Technical Solution
• SVV Security Verification and Validation

B is incorrect because the Defined and Managed levels are out of order. It can be confusing at first why Managed (Level 2) comes before Defined (Level 3). Level 2 basically means that the organization is no longer practicing security by the seat of its pants: it is managing the processes rather than the processes managing the organization. An organization can only be considered to be at Level 3 once it has defined the many things that will be tracked. This is the first part of creating a meaningful metric system for process improvement and optimization, because defining things means putting useful data about the security program into formats that can be used in quantitative analysis.

C is incorrect because the order of levels is wrong and Initial is missing. The correct order is Initial, Managed, Defined, Quantitatively Managed, Optimizing. Organizations can only be assessed and assigned a level starting at Level 2; Level 1 basically means that there is no coherent structure. Level 2 means the program is being managed, Level 3 means things that can be counted have been defined, Level 4 means the organization is counting those things and using quantitative measures to grade its improvement, and Level 5 means the organization has control over the security program as a whole and is now focused on optimizing it. This is a process improvement model, and these levels are maturity levels: as the security program improves, it can be evaluated and achieve a higher maturity level.

8
Q

Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks? A. FAP B. OCTAVE C. AS/NZS 4360 D. NIST SP 800-30

A

C. Although AS/NZS 4360 can be used to analyze security risks, it was not created for that purpose. It takes a much broader approach to risk management than security-specific methodologies such as NIST SP 800-30 and OCTAVE, which focus on IT threats and information security risks. AS/NZS 4360 can be used to understand a company's financial, capital, human safety, and business decision risks.

A is incorrect because there is no formal FAP risk analysis approach; it is a distractor.

B is incorrect because OCTAVE focuses on IT threats and information security risks. OCTAVE is meant for situations where people manage and direct the risk evaluation for information security within their own organization; the organization's employees are given the authority to determine the best approach for evaluating security.

D is incorrect because NIST SP 800-30 is specific to IT threats and how they relate to information security risks. It focuses mainly on systems. Data is collected from network and security practice assessments and from people within the organization, and is then used as input to the risk analysis steps outlined in the 800-30 document.

9
Q

Which of the following is not a characteristic of a company with a security governance program in place? A. Board members are updated quarterly on the company’s state of security. B. All security activity takes place within the security department. C. Security products, services, and consultants are deployed in an informed manner. D. The organization has established metrics and goals for improving security.

A

B. If all security activity takes place within the security department, then security is working within a silo and is not integrated throughout the organization. In a company with a security governance program, security responsibilities permeate the entire organization, from executive management down the chain of command. A common scenario is executive management holding business unit managers responsible for carrying out risk management activities for their specific business units. In addition, employees are held accountable for any security breaches they participate in, either maliciously or accidentally.

A is incorrect because security governance is a set of responsibilities and practices exercised by the board and executive management of an organization with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the organization's resources are used responsibly. An organization with a security governance program in place has a board of directors that understands the importance of security and is aware of the organization's security performance and breaches.

C is incorrect because security governance is a coherent system of integrated security components that includes products, personnel, training, processes, and so on. Thus, an organization with a security governance program in place is likely to purchase and deploy security products, managed services, and consultants in an informed manner, and to review them constantly to ensure they are cost effective.

D is incorrect because security governance requires performance measurement and oversight mechanisms. An organization with a security governance program in place continually reviews its processes, including security, with the goal of continued improvement. On the other hand, an organization that lacks a security governance program is likely to march forward without analyzing its performance and therefore repeatedly makes similar mistakes.

10
Q

There are four ways of dealing with risk. In the graphic that follows, which method is missing and what is the purpose of this method? A. Risk transference. Share the risk with other entities. B. Risk reduction. Reduce the risk to an acceptable level. C. Risk rejection. Accept the current risk. D. Risk assignment. Assign risk to a specific owner.

A

A. Once a company knows the amount of total and residual risk it faces, it must decide how to handle it. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. Many types of insurance are available to companies to protect their assets. If a company decides the total or residual risk is too high to gamble with, it can purchase insurance, which transfers the risk to the insurance company.

B is incorrect because risk reduction is the same as risk mitigation, which is already listed in the graphic. In risk mitigation the risk is reduced to a level considered acceptable enough to continue conducting business; firewalls, training, and intrusion detection and prevention systems are types of risk mitigation.

C is incorrect because companies should never reject risk, which basically means that they refuse to deal with it. Risk commonly has a negative business impact, and if risk is not dealt with properly, the company could face the loss of production resources, legal liability issues, or damage to its reputation. It is important that identified risk be dealt with properly through transferring it, avoiding it, reducing it, or accepting it.

D is incorrect because, although someone can be delegated to deal with a specific risk, assignment is not one of the methods used to deal with risk. Even if a risk is assigned to a specific owner, that owner would still need to transfer, avoid, reduce, or accept it.

11
Q

The following graphic contains a commonly used risk management scorecard. Identify the proper quadrant and its description. A. Top-right quadrant is high impact, low probability. B. Top-left quadrant is high impact, medium probability. C. Bottom-left quadrant is low impact, high probability. D. Bottom-right quadrant is low impact, high probability.

A

D. The bottom-right quadrant contains low-impact, high-probability risks: there is a high chance that specific threats will exploit specific vulnerabilities, and although these risks are frequent, their business impact is low. Out of the four quadrants, the risks in this quadrant should be dealt with after the risks in the two high-impact quadrants above it. An example is a virus infecting a user workstation. Viruses are common, so the probability is high, but because this is a user workstation and not a production system, the impact is low.

A is incorrect because the top-right quadrant contains high-impact, high-probability risks. There is a high chance that specific threats will exploit specific vulnerabilities, and the business impact is high. Out of the four quadrants, the risks in this quadrant should be dealt with first. An example is an attacker compromising an internal mail server: if the proper countermeasures are not in place there is a high probability that this will occur, and since the whole company depends on this resource, the business impact is high.

B is incorrect because the top-left quadrant contains high-impact, low-probability risks. There is a low chance that specific threats will exploit specific vulnerabilities; these risks are infrequent, but when they do occur their business impact is high. They should be dealt with after the risks in the top-right quadrant. An example is an attacker compromising an internal DNS server. If an external-facing DNS server and a DMZ are in place, the probability of an attacker reaching the internal DNS server is low, but if it does happen the business impact is high because all systems depend on this resource.

C is incorrect because the bottom-left quadrant contains low-impact, low-probability risks. There is a low chance that specific threats will exploit specific vulnerabilities, these risks are infrequent, and their business impact is low. Out of the four quadrants, the risks in this quadrant should be dealt with after the risks in all three other quadrants. An example is a rarely used legacy file server failing and going offline: since few users depend on it, the business impact is low, and if the correct countermeasures are in place, the probability of the failure is low.

12
Q

What are the three types of policies that are missing from the following graphic? A. Regulatory, Informative, Advisory B. Regulatory, Mandatory, Advisory C. Regulatory, Informative, Public D. Regulatory, Informative, Internal Use

A

A. A Regulatory type of policy ensures that the organization is following standards set by specific industry regulations. It is very detailed and specific to a type of industry, and is used in financial institutions, healthcare facilities, public utilities, and other government-regulated industries. An Informative type of policy informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company. It could explain how the company interacts with partners, indicate the company's goals and mission, and provide a general reporting structure in different situations. An Advisory type of policy strongly advises employees as to which types of behaviors and activities should and should not take place within the organization, and outlines possible ramifications if employees do not comply. This policy type can be used, for example, to describe how to handle medical information, how to handle financial transactions, or how to process confidential information.

B is incorrect because Mandatory is not one of the policy type categories; this answer is a distractor.

C is incorrect because Public is not one of the policy type categories; this answer is a distractor.

D is incorrect because Internal Use is not one of the policy type categories; this answer is a distractor.

13
Q

List in the proper order from the table on the top of the next page the learning objectives that are missing and their proper definitions. A. Understanding, recognition and retention, skill B. Skill, recognition and retention, skill C. Recognition and retention, skill, understanding D. Skill, recognition and retention, understanding

A

C. The three missing results map to the three levels of security education in order: awareness produces recognition and retention, training produces skill, and education produces understanding. Awareness training and materials remind employees of their responsibilities pertaining to protecting company assets; the goal is that they recognize a security issue when they see one and retain what to do about it. Training provides the skills needed to carry out specific tasks and functions. Education provides understanding in the form of management skills and decision-making capabilities.

A is incorrect because the different types of training and education do not map to the listed results in that order. Companies today spend a lot of money on security devices and technologies, but commonly overlook the fact that individuals must be trained to use them. Without such training, the money invested toward reducing threats can be wasted, and the company is still insecure.

B is incorrect because the different types of training and education do not map to the listed results in that order. Different roles require different types of training or education, and a skilled staff is one of the most critical components of a company's security.

D is incorrect because the different types of training and education do not map to the listed results in that order. A security-awareness program is typically created for at least three types of audiences: management, staff, and technical employees. Each type of awareness training must be geared toward the individual audience to ensure each group understands its particular responsibilities, liabilities, and expectations.

14
Q

What type of risk analysis approach does the following graphic provide? A. Quantitative B. Qualitative C. Operationally Correct D. Operationally Critical

A

B. A qualitative risk analysis approach does not assign monetary values to components and losses. Instead, qualitative methods walk through different risk scenarios and rank the seriousness of the threats and the validity of the possible countermeasures based on opinion. Qualitative analysis techniques include judgment, best practices, intuition, and experience. This graphic shows a rating system, which qualitative risk analysis uses instead of percentages and monetary figures.

A is incorrect because a quantitative risk analysis attempts to assign percentages and monetary values to all elements of the risk analysis process. These elements may include safeguard costs, asset value, business impact, threat frequency, safeguard effectiveness, exploit probabilities, and so on. When all of these are quantified, the process is said to be quantitative. Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is quantified and entered into equations to determine total and residual risks.

C is incorrect because there is no formal Operationally Correct risk analysis approach; this is a distractor.

D is incorrect because there is no formal Operationally Critical risk analysis approach; this is a distractor.
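As an added example (not part of the original flashcard text), the following Python shows what the qualitative approach on this card, and the probability/impact scorecard from the earlier card on risk quadrants, look like as a small triage tool. There is no currency anywhere: each risk gets ordinal probability and impact ratings, is placed in one of the four scorecard quadrants, and the register is sorted into the treatment order the scorecard card describes (top-right first, then top-left, then bottom-right, then bottom-left). The 1..5 scale, the threshold that splits "high" from "low", the register entries and their ratings are my assumptions for illustration; the entries are constructed from the examples in the scorecard discussion plus one extra.

```python
"""Qualitative probability/impact scorecard and triage order (added example)."""
from dataclasses import dataclass

# Ordinal 1..5 scales; 3 and above counts as the "high" half of the 2x2 scorecard.
# The scale and the threshold are assumptions for this example.
HIGH = 3

# Treatment order from the scorecard discussion: high-impact quadrants first,
# the frequent-but-minor quadrant next, and the rare-and-minor quadrant last.
QUADRANT_PRIORITY = {
    "top-right": 1,     # high impact, high probability
    "top-left": 2,      # high impact, low probability
    "bottom-right": 3,  # low impact, high probability
    "bottom-left": 4,   # low impact, low probability
}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int  # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        for value in (self.probability, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: ratings must be within 1..5")


def quadrant(r: Risk) -> str:
    """Place a risk on the scorecard: impact picks the row, probability the column."""
    row = "top" if r.impact >= HIGH else "bottom"
    column = "right" if r.probability >= HIGH else "left"
    return f"{row}-{column}"


def score(r: Risk) -> int:
    """Ordinal rating used to order risks inside one quadrant; not a currency figure."""
    return r.probability * r.impact


def triage(register):
    """Return risks in the order they should be worked: quadrant priority first,
    then the higher rating within the quadrant, with name as a stable tie-break."""
    return sorted(register, key=lambda r: (QUADRANT_PRIORITY[quadrant(r)], -score(r), r.name))


# Constructed register: the four examples from the scorecard discussion plus one
# extra entry to show ordering inside a quadrant. Ratings are assumed.
SAMPLE_REGISTER = [
    Risk("legacy file server going offline", probability=1, impact=1),
    Risk("virus on a user workstation", probability=5, impact=2),
    Risk("internal DNS server compromise", probability=1, impact=5),
    Risk("phishing email reaching a user inbox", probability=5, impact=3),
    Risk("internal mail server compromise", probability=4, impact=5),
]


if __name__ == "__main__":
    for r in triage(SAMPLE_REGISTER):
        print(f"{quadrant(r):13} rating={score(r):2}  {r.name}")
```

The point worth noticing is that the quadrant, not the raw rating, drives the order: the workstation virus scores 10 and the internal DNS compromise only 5, yet the DNS risk is worked first because a rare event with severe impact outranks a frequent nuisance. That is the scorecard's judgement call, and the sort key makes it explicit rather than leaving it to whoever reads the matrix.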

15
Q

ISO/IEC 27000 is part of a growing family of ISO/IEC information security management systems (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards? A. ISO/IEC 27002: Code of practice for information security management B. ISO/IEC 27003: Guideline for ISMS implementation C. ISO/IEC 27004: Guideline for information security management measurement and metrics framework D. ISO/IEC 27005: Guideline for bodies providing audit and certification of information security management systems

A

D. The ISO/IEC 27005 standard is the guideline for information security risk management. ISO/IEC 27005 is an international standard for how risk management should be carried out in the framework of an ISMS. A is incorrect because ISO/IEC 27002 is the code of practice for information security management; thus, it has a correct mapping. ISO/IEC 27002 provides best practice recommendations and guidelines as they pertain to initiating, implementing, or maintaining an ISMS. B is incorrect because ISO/IEC 27003 is the guideline for ISMS implementation; thus, it has a correct mapping. It focuses on the critical aspects needed for successful design and implementation of an ISMS in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. C is incorrect because ISO/IEC 27004 is the guideline for information security management measurement and metrics framework; thus, it has a correct mapping. It provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an ISMS and controls or groups of controls, as specified in ISO/IEC 27001.

16
Q

Sam is the security manager of a company that makes most of its revenue from its intellectual property. Sam has implemented a process improvement program that has been certified by an outside entity. His company received a Level 2 during an appraisal process, and he is putting in steps to increase this to a Level 3. A year ago when Sam carried out a risk analysis, he determined that the company was at too much of a risk when it came to potentially losing trade secrets. The countermeasure his team implemented reduced this risk, and Sam determined that the annualized loss expectancy of the risk of a trade secret being stolen once in a hundred-year period is now $400. Which of the following is the criteria Sam’s company was most likely certified under? A. SABSA B. Capability Maturity Model Integration C. Information Technology Infrastructure Library D. Prince2

A

B. Capability Maturity Model Integration (CMMI) is a process improvement approach that is used to help organizations improve their performance. The CMMI model may also be used as a framework for appraising the process maturity of the organization. The levels used in CMMI are Level 1–Initial, Level 2–Managed, Level 3–Defined, Level 4–Quantitatively Managed, and Level 5–Optimizing. A is incorrect because Sherwood Applied Business Security Architecture (SABSA) is a model and methodology for the development of information security enterprise architectures. Since it is a framework, this means it provides a structure for individual architectures to be built from. Since it is a methodology also, this means it provides the processes to follow to build and maintain this architecture. C is incorrect because the Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management. ITIL was created because of the increased dependence on information technology to meet business needs. Although ITIL has a component that deals with security, its focus is more on internal service level agreements between the IT department and the “customers” it serves. The customers are usually internal departments. ITIL does not use the levels described in the scenario. D is incorrect because PRINCE2 (PRojects IN Controlled Environments) is a process-based method for effective project management. It is commonly used by the UK government and is not a topic covered by the CISSP exam.

17
Q

Sam is the security manager of a company that makes most of its revenue from its intellectual property. Sam has implemented a process improvement program that has been certified by an outside entity. His company received a Level 2 during an appraisal process, and he is putting in steps to increase this to a Level 3. A year ago when Sam carried out a risk analysis, he determined that the company was at too much of a risk when it came to potentially losing trade secrets. The countermeasure his team implemented reduced this risk, and Sam determined that the annualized loss expectancy of the risk of a trade secret being stolen once in a hundred-year period is now $400. What is the associated single loss expectancy value in this scenario? A. $65,000 B. $400,000 C. $40,000 D. $4,000

A

C. The formula to calculate the annualized loss expectancy (ALE) value is single loss expectancy (SLE) × annualized rate of occurrence (ARO). The formula to calculate the SLE is asset value × exposure factor. In this scenario, if the ALE of the risk of a trade secret being stolen once in a hundred-year period is $400, then you have to work backward to obtain the SLE value. If the ALE is $400 and the ARO is 0.01, then the SLE is $40,000. A is incorrect because the formula to obtain the SLE is asset value × exposure factor = SLE, and ALE is SLE × ARO = ALE. If the ALE of the risk of a trade secret being stolen once in a hundred-year period is $400, then you have to work backward to obtain the SLE value. If the ALE is $400 and the ARO is 0.01, then the resulting SLE value is $40,000. B is incorrect because the formula to obtain the SLE is asset value × exposure factor = SLE, and ALE is SLE × ARO = ALE. In this scenario, the risk of an asset being stolen once in a hundred-year period is calculated at the ALE being $400. If the ALE is $400 and the ARO is 0.01, then the resulting SLE value is $40,000. D is incorrect because the formula to obtain the SLE is asset value × exposure factor = SLE, and ALE is SLE × ARO = ALE. The goal of carrying out these calculations is to fully understand the criticality of specific risks and to know how much can be spent on implementing a countermeasure in a cost-effective manner.
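The following Python is an added worked example, not code from the flashcards or the book they are drawn from. It carries the card's two formulas (SLE = AV × EF, ALE = SLE × ARO) forward and backward, reproduces the card's $400 / once-per-hundred-years figures, and adds the standard safeguard cost/benefit check (ALE before − ALE after − annual safeguard cost) that the last sentence of the answer alludes to. The function names and the "before the countermeasure" figures used at the bottom are assumptions made for this example.

```python
"""Quantitative risk analysis helper (added example, not from the flashcards).

Formulas used by the card:
    SLE = asset value (AV) x exposure factor (EF)
    ALE = SLE x annualized rate of occurrence (ARO)
Worked backwards, as the card does:
    SLE = ALE / ARO
Safeguard cost/benefit (standard CISSP formula, not stated on the card):
    value of safeguard = ALE(before) - ALE(after) - annual cost of safeguard
All function names and the sample figures other than the card's $400 and
once-per-100-years are assumptions for this example.
"""

from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: AV x EF. EF is the fraction of the asset lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def sle_from_ale(annual_loss: float, aro: float) -> float:
    """Back out the SLE from a known ALE, as the card does: SLE = ALE / ARO."""
    if aro <= 0:
        raise ValueError("ARO must be positive to back out an SLE")
    return annual_loss / aro


def aro_from_period_years(years_between_events: float) -> float:
    """'Once in a hundred-year period' becomes ARO = 1 / 100 = 0.01."""
    if years_between_events <= 0:
        raise ValueError("period must be positive")
    return 1.0 / years_between_events


@dataclass(frozen=True)
class SafeguardAssessment:
    """Cost/benefit of one countermeasure, all figures in dollars per year."""
    ale_before: float
    ale_after: float
    annual_cost: float

    @property
    def value(self) -> float:
        """(ALE before) - (ALE after) - (annual safeguard cost)."""
        return self.ale_before - self.ale_after - self.annual_cost

    @property
    def cost_effective(self) -> bool:
        """A positive value means the safeguard saves more than it costs."""
        return self.value > 0


def card_example() -> dict:
    """The card's figures: ALE $400 at once per 100 years gives SLE $40,000."""
    aro = aro_from_period_years(100)
    single = sle_from_ale(400.0, aro)
    return {"aro": aro, "sle": single, "ale": ale(single, aro)}


if __name__ == "__main__":
    print(card_example())
    # Assumed figures: before the countermeasure the team expected a theft
    # once every 10 years with the same $40,000 SLE, and the safeguard costs
    # $2,500 per year to operate.
    before = ale(40_000.0, aro_from_period_years(10))
    after = ale(40_000.0, aro_from_period_years(100))
    assessment = SafeguardAssessment(before, after, 2_500.0)
    print(f"ALE before={before:,.0f} after={after:,.0f} "
          f"value={assessment.value:,.0f} "
          f"cost-effective={assessment.cost_effective}")
```

The back-solve in `sle_from_ale` refuses an ARO of zero, which is the case the card's arithmetic silently assumes away: an event with "no" expected occurrences has an ALE of $0 regardless of SLE, so the SLE cannot be recovered from it.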

18
Q

The NIST organization has defined best practices for creating continuity plans. Which of the following phases deals with identifying and prioritizing critical functions and systems? A. Identify preventive controls. B. Develop the continuity planning policy statement. C. Create contingency strategies. D. Conduct the business impact analysis.

A

D. Although no specific scientific equation must be followed to create continuity plans, certain best practices have proven themselves over time. The National Institute of Standards and Technology (NIST) is responsible for developing many of these best practices and documenting them so that they are easily available to all. NIST outlines seven steps in its Special Publication 800-34 Rev 1, “Contingency Planning Guide for Federal Information Systems”: develop the continuity planning policy statement; conduct the business impact analysis; identify preventive controls; create contingency strategies; develop an information system contingency plan; ensure plan testing, training, and exercises; and ensure plan maintenance. Conducting a business impact analysis involves identifying critical functions and systems and allowing the organization to prioritize them based on necessity. It also includes identifying vulnerabilities and threats and calculating risks. A is incorrect because identifying preventive controls must be done after critical functions and systems have been prioritized and their vulnerabilities, threats, and risks identified—which is all part of the business impact analysis. Conducting a business impact analysis is step two of creating a continuity plan, and identifying preventive controls is step three. B is incorrect because developing the continuity planning policy statement involves writing a policy that provides the guidance necessary to develop a business continuity plan and that assigns authority to the necessary roles to carry out these tasks. It is the first step in creating a business continuity plan and thus comes before identifying and prioritizing critical systems and functions, which is part of the business impact analysis. C is incorrect because creating contingency strategies involves formulating methods to ensure systems and critical functions can be brought online quickly.
Before this can be done, a business impact analysis must be carried out to determine which systems and functions are critical and should be given priority during recovery.

19
Q

As his company’s business continuity coordinator, Matthew is responsible for helping recruit members to the business continuity planning (BCP) committee. Which of the following does not correctly describe this effort? A. Committee members should be involved with the planning stages, as well as the testing and implementation stages. B. The smaller the team, the better to keep meetings under control. C. The business continuity coordinator should work with management to appoint committee members. D. The team should consist of people from different departments across the company.

A

B. The BCP committee should be as large as it needs to be in order to represent each department within the organization. The team must be composed of people who are familiar with the different departments within the company, because each department is unique in its functionality and has distinctive risks and threats. The best plan is developed when all issues and threats are brought to the table and discussed. This cannot be done effectively with a few people who are familiar with only a couple of departments. The committee should be made up of representatives from at least the following departments: business units, senior management, IT department, security department, communications department, and legal department. A is incorrect because it is true that committee members should be involved with the planning stages, as well as the testing and implementation stages. If Matthew, the BCP coordinator, is a good management leader, he will understand that it is best to make team members feel a sense of ownership pertaining to their tasks and roles. The people who develop the BCP should also be the ones who execute it. If you knew that in a time of crisis you would be expected to carry out some critical tasks, you might pay more attention during the planning and testing phases. C is incorrect because the BCP coordinator should work with management to appoint committee members. But management’s involvement does not stop there. The BCP team should work with management to develop the ultimate goals of the plan, identify the critical parts of the business that must be dealt with first during a disaster, and ascertain the priorities of departments and tasks. Management also needs to help direct the team on the scope of the project and the specific objectives. D is incorrect because it is true that the team should be composed of people from different departments across the company.
This is the only way the team will be able to consider the distinctive risks and threats that each department faces.

20
Q

A business impact analysis is considered a functional analysis. Which of the following is not carried out during a business impact analysis? A. A parallel or full-interruption test B. The application of a classification scheme based on criticality levels C. The gathering of information via interviews D. Documentation of business functions

A

A. A business impact analysis (BIA) is considered a functional analysis, in which a team collects data through interviews and documentary sources; documents business functions, activities, and transactions; develops a hierarchy of business functions; and finally applies a classification scheme to indicate each individual function’s criticality level. Parallel and full-interruption tests are not part of a BIA. These tests are carried out to ensure the continued validity of a business continuity plan, since environments continually change. A parallel test is done to ensure that specific systems can actually perform adequately at the alternate offsite facility, while a full-interruption test involves shutting down the original site and resuming operations and processing at the alternate site. B is incorrect because the application of a classification scheme based on criticality levels is carried out during a BIA. This is done by identifying the critical assets of the company and mapping them to the following characteristics: maximum tolerable downtime, operational disruption and productivity, financial considerations, regulatory responsibilities, and reputation. C is incorrect because the gathering of information during interviews is conducted during a BIA. The BCP committee will not truly understand all business processes, the steps that must take place, or the resources and supplies those processes require. So the committee must gather this information from the people who do know, which are department managers and specific employees throughout the organization. The committee must identify the individuals who will provide information and how that information will be collected (surveys, interviews, or workshops). D is incorrect because the BCP committee does document business functions as part of a BIA. Business activities and transactions must also be documented.
This information is obtained from the department managers and specific employees who are interviewed or surveyed. Once the information is documented, the BCP committee can conduct an analysis to determine which processes, devices, or operational activities are the most critical.

21
Q

Which of the following steps comes first in a business impact analysis? A. Calculate the risk for each different business function. B. Identify critical business functions. C. Create data-gathering techniques. D. Identify vulnerabilities and threats to business functions.

A

C. Of the steps listed, the first step in a business impact analysis (BIA) is creating data-gathering techniques. The BCP committee can use surveys, questionnaires, and interviews to gather information from key personnel about how different tasks get accomplished within the organization, whether it’s a process, transaction, or service, along with any relevant dependencies. Process flow diagrams should be built from this data, which will be used throughout the BIA and plan development stages. A is incorrect because calculating the risk of each business function occurs after business functions have been identified. And before that can happen, the BCP team must gather data from key personnel. To calculate the risk of each business function, qualitative and quantitative impact information should be gathered and properly analyzed and interpreted. Upon completion of the data analysis, it should be reviewed with the most knowledgeable people within the company to ensure that the findings are appropriate and describe the real risks and impacts the organization faces. This will help flush out any additional data points not originally obtained and will give a fuller understanding of all the possible business impacts. B is incorrect because identifying critical business functions takes place after the BCP committee has learned about the business functions that exist by interviewing and surveying key personnel. Upon completion of the data collection phase, the BCP committee conducts an analysis to establish which processes, devices, or operational activities are critical. If a system stands on its own, doesn’t affect other systems, and is of low criticality, then it can be classified as a tier-two or tier-three recovery step. This means these resources will not be dealt with during the recovery stages until the most critical (tier one) resources are up and running.
D is incorrect because identifying vulnerabilities and threats to business functions takes place toward the end of a business impact analysis. Of the steps listed in the answers, it is the last one. Threats can be manmade, natural, or technical. It is important to identify all possible threats and estimate the probability of them happening. Some issues may not immediately come to mind when developing these plans. These issues are often best addressed in a group with scenario-based exercises. This ensures that if a threat becomes a reality, the plan includes the ramifications on all business tasks, departments, and critical operations. The more issues that are thought of and planned for, the better prepared a company will be if and when these events occur.

22
Q

It is not unusual for business continuity plans to become out of date. Which of the following is not a reason why plans become outdated? A. Changes in hardware, software, and applications B. Infrastructure and environment changes C. Personnel turnover D. That the business continuity process is integrated into the change management process

A

D. Unfortunately, business continuity plans can become quickly out of date. An out-of-date BCP may provide a company with a false sense of security, which could be devastating if and when a disaster actually takes place. One of the simplest and most cost-effective and process-efficient ways to keep a plan up to date is to incorporate it within the change management process of the organization. When you think about it, it makes a lot of sense. Where do you document new applications, equipment, or services? Where do you document updates and patches? Your change management process should be updated to incorporate fields and triggers that alert the BCP team when a significant change will occur and should provide a means to update the recovery documentation. Other measures that can help ensure that the BCP remains current include the performance of regular drills that use the plan, including the plan’s maintenance in personnel evaluations, and making business continuity a part of every business decision. A is incorrect because changes in hardware, software, and applications occur frequently, and unless the BCP is part of the change management process, then these changes are unlikely to be included in the BCP. When changes to the environment take place, the BCP needs to be updated. If it is not updated after changes, it is out of date. B is incorrect because infrastructure and environment changes occur frequently. Just as with software, hardware, and application changes, unless the BCP is part of the change management process, infrastructure and environment changes are unlikely to make it into the BCP. C is incorrect because plans often become outdated as a result of personnel turnover. It is not unusual for a BCP to become abandoned when the person or people responsible for its maintenance leave the organization. These responsibilities must be reassigned.
To ensure this happens, maintenance responsibilities should be incorporated into job descriptions and properly monitored.

23
Q

Preplanned business continuity procedures provide organizations a number of benefits. Which of the following is not a capability enabled by business continuity planning? A. Resuming critical business functions B. Letting business partners know your company is unprepared C. Protecting lives and ensuring safety D. Ensuring survivability of the business

A

B. Preplanned business continuity procedures afford organizations a number of benefits. They allow an organization to provide an immediate and appropriate response to emergency situations, reduce business impact, and work with outside vendors during a recovery period—in addition to the other answer options listed earlier. The efforts in these areas should be communicated to business partners to let them know that the company is prepared in case a disaster takes place. A is incorrect because a business continuity plan allows an organization to resume critical business functions. As part of the BCP creation, the BCP team conducts a business impact analysis, which includes identifying the maximum tolerable downtime for critical resources. This effort helps the team prioritize recovery efforts so that the most critical resources can be recovered first. C is incorrect because a business continuity plan allows an organization to protect lives and ensure safety. People are a company’s most valuable asset; thus, human resources are a critical component to any recovery and continuity process and need to be fully thought out and integrated into the plan. When this is done, a business continuity plan helps a company protect its employees. D is incorrect because a preplanned business continuity plan allows a company to ensure the survivability of the business. A business continuity plan provides methods and procedures for dealing with longer-term outages and disasters. It includes getting critical systems to another environment while the original facility is being repaired and conducting business operations in a different mode until regular operations are back in place. In short, the business continuity plan deals with how business is conducted during the aftermath of an emergency.

24
Q

Management support is critical to the success of a business continuity plan. Which of the following is the most important to be provided to management to obtain their support? A. Business case B. Business impact analysis C. Risk analysis D. Threat report

A

A. The most critical part of establishing and maintaining a current continuity plan is management support. Management may need to be convinced of the necessity of such a plan. Therefore, a business case must be made to obtain this support. The business case may include current vulnerabilities, regulatory and legal obligations, the current status of recovery plans, and recommendations. Management is commonly most concerned with cost/benefit issues, so preliminary numbers can be gathered and potential losses estimated. The decision of how a company should recover is a business decision and should always be treated as such. B is incorrect because a business impact analysis (BIA) is conducted after the BCP team has obtained management’s support for their efforts. A BIA is performed to identify the areas that would suffer the greatest financial or operational loss in the event of a disaster or disruption. It identifies the company’s critical systems needed for survival and estimates the outage time that can be tolerated by the company as a result of a disaster or disruption. C is incorrect because a risk analysis is a method of identifying risks and assessing the possible damage that could be caused in order to justify security safeguards. In the context of BCP, risk analysis methodologies are used during a BIA to establish which processes, devices, or operational activities are critical and should therefore be recovered first. D is incorrect because threat report is a distracter answer. However, it is critical that management understand what the real threats are to the company, the consequences of those threats, and the potential loss values for each threat. Without this understanding, management may only give lip service to continuity planning, and in some cases that is worse than not having any plans at all because of the false sense of security that it creates.

25
Q

Which of the following is a critical first step in disaster recovery and contingency planning? A. Plan testing and drills. B. Complete a business impact analysis. C. Determine offsite backup facility alternatives. D. Organize and create relevant documentation.

A

B. Of the steps listed in this question, completing a business impact analysis would take the highest priority. The BIA is essential in determining the most critical business functions and identifying the threats that correlate to them. Qualitative and quantitative data needs to be gathered, analyzed, interpreted, and presented to management. A is incorrect because plan testing and drills are some of the last steps in disaster recovery and contingency planning. It is important to test the business continuity plan regularly because environments continually change. Tests and disaster recovery drills and exercises should be performed at least once a year. Most companies cannot afford for these exercises to interrupt production or productivity, so the exercises may need to take place in sections or at specific times, which requires logistical planning. C is incorrect because determining offsite backup facility alternatives is part of the contingency strategy, which takes place in the middle of the disaster recovery and contingency planning process. Organizations must have alternative offsite backup facilities in the case of a larger disaster. Generally, contracts are established with third-party vendors to provide such services. The client pays a monthly fee to retain the right to use the facility in a time of need and then incurs an activation fee when the facility has to be used. D is incorrect because organizing and creating relevant documentation takes place toward the end of the disaster recovery and contingency planning process. Procedures need to be documented because when they are actually needed, it will most likely be a chaotic and frantic atmosphere with a demanding time schedule. The documentation may need to include information on how to install images, configure operating systems and servers, and properly install utilities and proprietary software.
Other documentation could include a calling tree and contact information for specific vendors, emergency agencies, offsite facilities, etc.

26
Q

Which of the following is not a reason to develop and implement a disaster recovery plan? A. Provide steps for a post-disaster recovery. B. Extend backup operations to include more than just backing up data. C. Outline business functions and systems. D. Provide procedures for emergency responses.

A

C. Outlining business functions and systems is not a viable reason to create and implement a disaster recovery plan. Although these tasks will most likely be accomplished as a result of a disaster recovery plan, it is not a good reason to carry out the plan compared to the other answers in the question. You don’t develop and implement a disaster recovery plan just to outline business functions and systems, although that usually takes place during the planning process. A is incorrect because providing steps for a post-disaster recovery is a good reason to develop and implement a disaster recovery plan. In fact, that is exactly what a disaster recovery plan provides. The goal of disaster recovery is to minimize the effects of a disaster and take the necessary steps to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner. The goal of a disaster recovery plan is to handle the disaster and its ramifications right after the disaster hits. B is incorrect because extending backup operations to include more than just backing up data is a good reason to develop and implement a disaster recovery plan. When looking at disaster recovery plans, some companies focus mainly on backing up data and providing redundant hardware. Although these items are extremely important, they are just small pieces of the company’s overall operations. Hardware and computers need people to configure and operate them, and data is usually not useful unless it is accessible by other systems and possibly outside entities. All of these things can require backups, not just data. D is incorrect because providing procedures for emergency responses is a good reason to develop and implement a disaster recovery plan. A disaster recovery plan is carried out when everything is still in emergency mode and everyone is scrambling to get all critical systems back online.
Having well-thought-out written procedures makes this whole process much more effective.

27
Q

With what phase of a business continuity plan does a company proceed when it is ready to move back into its original site or a new site? A. Reconstitution phase B. Recovery phase C. Project initiation phase D. Damage assessment phase

A

A. When it is time for the company to move back into its original site or a new site, the company is ready to enter into the reconstitution phase. A company is not out of an emergency state until it is back in operation at the original primary site or a new site that was constructed to replace the primary site, because the company is always vulnerable while operating in a backup facility. Many logistical issues need to be considered as to when a company must return from the alternate site to the original site. Some of these issues include ensuring the safety of the employees, ensuring proper communications and connectivity methods are working, and properly testing the new environment. Once the coordinator, management, and salvage team sign off on the readiness of the facility, the salvage team should back up data from the alternate site and restore it within the new facility, carefully terminate contingency operations, and securely transport equipment and personnel to the new facility. B is incorrect because the recovery phase includes the preparation of the offsite facility (if needed), the rebuilding of the network and systems, and the organization of staff to move into a new facility. The recovery process needs to be as organized as possible to get the company up and running as soon as possible. Templates should be developed during the plan development stage that can be used by the different teams during the recovery phase to step them through the necessary phases and to document their findings. The templates keep the teams on task and quickly tell the team leaders about the progress, obstacles, and potential recovery time. C is incorrect because the project initiation phase is how the actual planning of the business continuity plan begins. It does not occur during the execution of the plan. The project initiation phase involves getting management support, developing the scope of the plan, and securing funding and resources.
D is incorrect because the damage assessment takes place at the start of actually carrying out the business continuity procedures. A damage assessment helps determine whether the business continuity plan should be put into action based on activation criteria predefined by the BCP coordinator and team. After the damage assessment, if one or more of the situations outlined in the criteria have taken place, then the team is moved into recovery mode.

28
Q

What is the missing second step in the graphic that follows? (ID critical functions; ID critical resources; Calculate MTD for resources; ID threats; Calculate risks; ID backup solutions) A. Identify continuity coordinator B. Business impact analysis C. Identify BCP committee D. Dependency identification

A

B. A business impact analysis (BIA) is considered a functional analysis, in which a team collects data through interviews and documentary sources; documents business functions, activities, and transactions; develops a hierarchy of business functions; and finally applies a classification scheme to indicate each individual function’s criticality level. It is one of the most important first steps in the planning development of a business continuity plan (BCP). Qualitative and quantitative data need to be gathered, analyzed, interpreted, and presented to management. Identifying critical functions and systems allows the organization to prioritize them based on necessity. A is incorrect because the business continuity coordinator needs to be put into position before this whole process starts. He will be the leader for the BCP team and will oversee the development, implementation, and testing of the continuity and disaster recovery plans. The coordinator should be identified in the project initiation and oversee all the steps shown in the graphic. It is best if this person has good social skills and is somewhat of a politician because he will need to coordinate a lot of different departments and busy individuals who have their own agendas. This person needs to have direct access to management and have the credibility and authority to carry out leadership tasks. C is incorrect because a BCP committee needs to be put together after the coordinator is identified to help carry out all the steps in the graphic. Management and the coordinator should work together to appoint specific qualified people to be on this committee. The team must be composed of people who are familiar with the different departments within the company, because each department is unique in its functionality and has distinctive risks and threats. The best plan is developed when all issues and threats are brought to the table and discussed.
This cannot be done effectively with a few people who are familiar with only a couple of departments. Representatives from each department must be involved with not only the planning stages but also the testing and implementation stages. D is incorrect because identifying dependencies between company-critical functions and resources is carried out during the BIA. This is only one of the components in the overall BIA process. Identifying these types of dependencies is critical because it is important to look at a company as a complex animal instead of a static two-dimensional entity. It comprises many types of equipment, people, tasks, departments, communications mechanisms, and interfaces to the outer world. The biggest challenge of true continuity planning is understanding all of these intricacies and their interrelationships. A team may develop plans to back up and restore data, implement redundant data processing equipment, educate employees on how to carry out automated tasks manually, and obtain redundant power supplies. But if all of these components don’t know how to work together in a different environment to get the products out the door, it might all be a waste of time.

29
Q

Different threats need to be evaluated and ranked based upon their severity of business risk when developing a BCP. Which ranking approach is illustrated in the graphic that follows? (Choose the following statement that best describes the effect on this business unit/cost center should there be an unplanned interruption of normal business operations. 8 hours of an interruption: this business unit/cost center is Vital. 24 hours of an interruption: this business unit/cost center is Critical. 3 days of an interruption: this business unit/cost center is Essential. 5 days of an interruption: this business unit/cost center is Important. 10 days of an interruption: this business unit/cost center is Noncritical. 30 days of an interruption: this business unit/cost center is Deferrable.) A. Mean time to repair B. Mean time between failures C. Maximum critical downtime D. Maximum tolerable downtime

A

D. The BIA identifies which of the company’s critical systems are needed for survival and estimates the outage time that can be tolerated by the company as a result of various unfortunate events. The outage time that can be endured by a company is referred to as the maximum tolerable downtime (MTD). This is the timeframe between an unplanned interruption of business operations and the resumption of business at a reduced level of service. During the BIA, the BCP team identifies the maximum tolerable downtime for the critical resources. This is done to understand the business impact that would be caused if the assets were unavailable for one reason or another.

A is incorrect because the mean time to repair (MTTR) is the amount of time it is expected to take to get a device fixed and back into production. For a hard drive in a redundant array, the MTTR is the amount of time between the actual failure and the time when, after noticing the failure, someone has replaced the failed drive and the redundant array has completed rewriting the information on the new drive. This is likely to be measured in hours. For an unplanned reboot, the MTTR is the amount of time between the failure of the system and the point in time when it has rebooted its operating system, checked the state of its disks (hopefully finding nothing that its file systems cannot handle), restarted its applications, allowed its applications to check the consistency of their data (hopefully finding nothing that their journals cannot handle), and once again begun processing transactions. For well-built hardware running high-quality, well-managed operating systems and software, this may be only minutes. For commodity equipment without high-performance journaling file systems and databases, this may be hours, or, worse, days if automated recovery/rollback does not work and a restore of data from tape is required.

B is incorrect because the mean time between failures (MTBF) is the estimated lifespan of a piece of equipment. MTBF is calculated by the vendor of the equipment or a third party. The reason for using this value is to know approximately when a particular device will need to be replaced. Either based on historical data or scientifically estimated by vendors, it is used as a benchmark for reliability by predicting the average time that will pass in the operation of a component or a system until its final death. Organizations trending MTBF over time for the devices they use may be able to identify types of devices that are failing above the averages promised by manufacturers and take action, such as proactively contacting manufacturers under warranty or deciding that old devices are reaching the end of their useful life and choosing to replace them en masse before larger-scale failures and operational disruptions occur.

C is incorrect because maximum critical downtime is not an official term used in BCP and is a distracter answer.

30
Q

Sean has been hired as business continuity coordinator. He has been told by his management that he needs to ensure that the company is in compliance with the ISO/IEC standard that pertains to technology readiness for business continuity. He has also been instructed to find a way to transfer the risk of being unable to carry out critical business functions for a period of time because of a disaster. Which of the following is most likely the standard that Sean has been asked to comply with? A. ISO/IEC 27031 B. ISO/IEC 27005 C. ISO/IEC BS7799 D. ISO/IEC 2899

A

A. ISO/IEC 27031:2011 is a set of guidelines for information and communications technology readiness for business continuity. It is a component of the overall ISO/IEC 27000 series.

B is incorrect because the purpose of ISO/IEC 27005 is to provide guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. This standard deals with developing a formal risk management approach and not necessarily continuity issues.

C is incorrect because this is a distracter answer. There is no official standard called ISO/IEC BS7799.

D is incorrect because this is a distracter answer. There is no official standard called ISO/IEC 2899.

31
Q

Which organization has been developed to deal with economic, social, and governance issues and with how sensitive data is transported over borders? A. European Union B. Council of Europe C. Safe Harbor D. Organisation for Economic Co-operation and Development

A

D. Global organizations that move data across other country boundaries must be aware of and follow the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Since most countries have a different set of laws pertaining to the definition of private data and how it should be protected, international trade and business get more convoluted, which can negatively affect the economies of nations. The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. Because of this, the OECD came up with guidelines for the various countries to follow so that data is properly protected and everyone follows the same type of rules. One of these rules is that subjects should be able to find out whether an organization has their personal information and, if so, what that information is, to correct erroneous data, and to challenge denied requests to do so.

A is incorrect because the European Union is not an organization that deals with economic, social, and governance issues, but it does address the protection of sensitive data. The European Union Principles on Privacy are as follows: The reason for the gathering of data must be specified at the time of collection; data cannot be used for other purposes; unnecessary data should not be collected; data should only be kept for as long as it is needed to accomplish the stated task; only the necessary individuals who are required to accomplish the stated task should be allowed access to the data; and whoever is responsible for securely storing the data should not allow unintentional “leaking” of data.

B is incorrect because the Council of Europe is responsible for the creation of the Convention on Cybercrime. The Council of Europe Convention on Cybercrime is one example of an attempt to create a standard international response to cybercrime. In fact, it is the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation. The convention’s objectives include the creation of a framework for establishing jurisdiction and extradition of the accused. For example, extradition is only available by treaty and when the event is a crime in both jurisdictions.

C is incorrect because Safe Harbor is not an organization but a set of requirements for organizations that wish to exchange data with European entities. Europe has always had tighter control over protecting privacy information than the United States and other parts of the world. So in the past when U.S. and European companies needed to exchange data, confusion erupted and business was interrupted because the lawyers had to get involved to figure out how to work within the structures of the differing laws. To clear up this mess, a “safe harbor” framework was created, which outlines how any entity that is going to move privacy data to and from Europe must go about protecting it. U.S. companies that deal with European entities can become certified against this rule base so data transfer can happen more quickly and easily.

32
Q

Widgets, Inc., wishes to protect its logo from unauthorized use. Which of the following will protect the logo and ensure that others cannot copy and use it? A. Patent B. Copyright C. Trademark D. Trade secret

A

C. Intellectual property can be protected by several different laws, depending upon the type of resource it is. A trademark is used to protect a word, name, symbol, sound, shape, color, or combination of these—such as a logo. The reason a company would trademark one of these, or a combination, is that it represents their company (brand identity) to a group of people or to the world. Companies have marketing departments that work very hard to create something new that will cause the company to be noticed and stand out in a crowd of competitors, and trademarking the result of this work with a government registrar is a way of properly protecting it and ensuring others cannot copy and use it.

A is incorrect because a patent covers an invention, whereas a trademark protects a word, name, symbol, sound, shape, color, or combination thereof. Patents are given to individuals or companies to grant them legal ownership of, and enable them to exclude others from using or copying, the invention covered by the patent. The invention must be novel, useful, and not obvious. A patent is the strongest form of intellectual property protection.

B is incorrect because in the United States, copyright law protects the right of the creator of an original work to control the public distribution, reproduction, display, and adaptation of that original work. The law covers many categories of work: pictorial, graphic, musical, dramatic, literary, pantomimes, motion picture, sculptural, sound recording, and architectural. Copyright law does not cover the specific resource. It protects the expression of the idea of the resource instead of the resource itself. Copyright law is usually used to protect an author’s writings, an artist’s drawings, a programmer’s source code, or specific rhythms and structures of a musician’s creation.

D is incorrect because trade secret law protects certain types of information or resources from unauthorized use or disclosure. A trade secret is something that is proprietary to a company and important for its survival and profitability. For a company to have its resource qualify as a trade secret, the resource must provide the company with some type of competitive value or advantage. A trade secret can be protected by law if developing it requires special skill, ingenuity, and/or expenditure of money and effort.

33
Q

Which of the following means that a company did all it could have reasonably done to prevent a security breach? A. Downstream liability B. Responsibility C. Due diligence D. Due care

A

D. Due care means that a company did all it could have reasonably done, under the circumstances, to prevent security breaches and took reasonable steps to ensure that if a security breach did take place, proper controls or countermeasures were in place to mitigate the damages. In short, due care means that a company practiced common sense and prudent management and acted responsibly. If a company has a facility that burns to the ground, the arsonist is only one small piece of this tragedy. The company is responsible for providing fire detection and suppression systems, fire-resistant construction material in certain areas, alarms, exits, fire extinguishers, and backups of all the important information that could be affected by a fire. If a fire burns a company’s building to the ground and consumes all the records (customer data, inventory records, and similar information that is necessary to rebuild the business), then the company did not exercise due care to ensure it was protected from such loss (by backing up to an offsite location, for example). In this case, the employees, shareholders, customers, and everyone affected could potentially successfully sue the company. However, if the company did everything expected of it in the previously listed respects, it is harder to successfully sue for failure to practice due care.

A is incorrect because downstream liability means that one company’s activities—or lack of them—can negatively affect another company. If one of the companies does not provide the necessary level of protection and its negligence affects a partner it is working with, the affected company can sue the upstream company. For example, let’s say company A and company B have constructed an extranet. Company A does not put in controls to detect and deal with viruses. Company A gets infected with a destructive virus, which is spread to company B through the extranet. The virus corrupts critical data and causes a massive disruption to company B’s production. Therefore, company B can sue company A for being negligent. This is an example of downstream liability.

B is incorrect because responsibility generally refers to the obligations and expected actions and behaviors of a particular party. An obligation may have a defined set of specific actions that are required or a more general and open approach, which enables the party to decide how it will fulfill the particular obligation. Due diligence is a better answer to this question. Responsibility is not considered a legal term as the other answers are.

C is incorrect because due diligence means that the company properly investigated all of its possible weaknesses and vulnerabilities. Before you can figure out how to properly protect yourself, you need to find out what it is you are protecting yourself against. This is what due diligence is all about—researching and assessing the current level of vulnerabilities so that the true risk level is understood. Only after these steps and assessments take place can effective controls and safeguards be identified and implemented. Due diligence means identifying all of the potential risks, whereas due care means actually doing something to mitigate those risks.

34
Q

Which of the following is a U.S. copyright law that criminalizes the production and dissemination of technology, devices, or services that circumvent access control measures put into place to protect copyright material? A. Copyright law B. Digital Millennium Copyright Act C. Federal Privacy Act D. SOPA

A

B. The Digital Millennium Copyright Act (DMCA) is a U.S. copyright law that criminalizes the production and dissemination of technology, devices, or services that circumvent access control measures that are put into place to protect copyright material. So if you figure out a way to “unlock” the proprietary way that Barnes & Noble protects its e-books, you can be charged under this act. Even if you don’t share the actual copyright-protected books with someone, you still broke this specific law and can be found guilty. The United States already had a copyright protection law on the books that grants the creator of an original work exclusive rights to its use and distribution, with the goal of allowing the creator to receive compensation for their work. As copyright-protected works were distributed more and more in the digital world, the industry needed a way to implement access control of these works to ensure only authorized individuals had access to them. Various digital rights management (DRM) technologies were developed and deployed to protect these works, which were quickly hacked and compromised, allowing unauthorized access to copyright-protected content. The DMCA was created to make the breaking of these DRM technologies illegal.

A is incorrect because the copyright law has nothing to do with circumventing access controls. Copyright is a form of intellectual property protection that grants the creator of an original work exclusive rights to its use and distribution, usually for a limited time, to allow the creator to receive compensation for their work. Copyright is applicable to any expressible form of an idea or information that is substantive and discrete. There are national copyright laws and international copyright agreements that have unique requirements, but all have the same overall goal of protecting creative works. Copyright is usually enforced through the civil legal system, but in some situations, breaking this law is considered a criminal act. So the copyright law protects the content (i.e., book, song, art), and DMCA protects the access control technology put in place to prevent unauthorized individuals from gaining access to this content.

C is incorrect because there is no law specifically called the Federal Privacy Act. The Privacy Act of 1974 is a U.S. federal law that establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. So this privacy law has nothing to do with copyright content or access control technologies. The focus of this law is to keep the government in check and not allow it to gather too much data on its citizens that could be used for Big Brother–type activities. This law outlines what type of data government agencies can gather, how long they can keep it, how they have to protect the gathered data, and the agencies’ responsibilities pertaining to sharing and destroying this type of data.

D is incorrect because the Stop Online Piracy Act (SOPA) is a U.S. bill that was introduced, but never passed, to expand the ability of law enforcement to enforce online copyright infringement rules and restrict online trafficking in counterfeit goods. The goal of this proposed law was to restrict access to websites that host or facilitate the trading of pirated content. SOPA does not deal with access control technologies like DMCA, but provides a legal structure to go after owners of websites who share content that they do not own. Content developers in the United States could rely upon the copyright law, but this only applies within the United States. SOPA has an international reach and would require search engines and hosting companies to cut off access to websites that were serving up content that they did not own. There was a lot of pushback to SOPA, and as of this writing it has not been passed.

35
Q

What role does the Internet Architecture Board play regarding technology and ethics? A. It creates criminal sentencing guidelines. B. It issues ethics-related statements concerning the use of the Internet. C. It edits Request for Comments. D. It maintains the Ten Commandments of Computer Ethics.

A

B. The Internet Architecture Board (IAB) is the coordinating committee for Internet design, engineering, and management. It is responsible for the architectural oversight of the Internet Engineering Task Force (IETF) activities, Internet Standards Process oversight and appeal, and editor of Request for Comments (RFC). The IAB issues ethics-related statements concerning the use of the Internet. It considers the Internet to be a resource that depends upon availability and accessibility to be useful to a wide range of people. It is mainly concerned with irresponsible acts on the Internet that could threaten its existence or negatively affect others. It sees the Internet as a great gift and works hard to protect it for all who depend upon it. The IAB sees the use of the Internet as a privilege, which should be treated as such and used with respect.

A is incorrect because the IAB has nothing to do with the Federal Sentencing Guidelines, which are rules used by judges when determining the proper punitive sentences for specific felonies or misdemeanors that individuals or corporations commit. The guidelines work as a uniform sentencing policy for entities that carry out felonies and/or serious misdemeanors in the U.S. federal court system.

C is incorrect because, although the Internet Architecture Board is responsible for editing Request for Comments (RFC), this task is not related to ethics. This answer is a distracter.

D is incorrect because the Computer Ethics Institute, not the IAB, developed and maintains the Ten Commandments of Computer Ethics, listed next. The Computer Ethics Institute is a nonprofit organization that works to help advance technology by ethical means.

1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

36
Q

As a CISSP candidate, you must sign a Code of Ethics. Which of the following is from the (ISC)2 Code of Ethics for the CISSP? A. Information should be shared freely and openly; thus, sharing confidential information should be ethical. B. Think about the social consequences of the program you are writing or the system you are designing. C. Act honorably, honestly, justly, responsibly, and legally. D. Do not participate in Internet-wide experiments in a negligent manner.

A

C. (ISC)2 requires all certified system security professionals to commit to fully supporting its Code of Ethics. If a CISSP intentionally or knowingly violates this Code of Ethics, he or she may be subject to a peer-review panel, which will decide whether the certification should be relinquished. The following list is an overview, but each CISSP candidate should read the full version and understand the Code of Ethics before attempting this exam:

• Act honorably, honestly, justly, responsibly, and legally and protect society.
• Work diligently, provide competent services, and advance the security profession.
• Encourage the growth of research—teach, mentor, and value the certification.
• Discourage unnecessary fear or doubt, and do not consent to bad practices.
• Discourage unsafe practices, and preserve and strengthen the integrity of public infrastructures.
• Observe and abide by all contracts, expressed or implied, and give prudent advice.
• Avoid any conflict of interest, respect the trust that others put in you, and take on only those jobs you are fully qualified to perform.
• Stay current on skills, and do not become involved with activities that could injure the reputation of other security professionals.

A is incorrect because it is not an ethics statement within the (ISC)2 canons. It is an ethical fallacy used by many in the computing world to justify unethical acts. Some people in the industry feel as though all information should be available to all people; thus, they might release sensitive information to the world that was not theirs to release because they feel as though they are doing something right.

B is incorrect because the statement is from the Computer Ethics Institute’s Ten Commandments of Computer Ethics, not the (ISC)2 canons. The Computer Ethics Institute is a nonprofit organization that works to help advance technology by ethical means.

D is incorrect because it is an ethics statement issued by the Internet Architecture Board (IAB). The IAB issues ethics-related statements concerning the use of the Internet. It considers the Internet to be a resource that depends upon availability and accessibility to be useful to a wide range of people. It is mainly concerned with irresponsible acts on the Internet that could threaten its existence or negatively affect others. It sees the Internet as a great gift and works hard to protect it for all who depend upon it.

37
Q

Which of the following was the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation? A. Council of Global Convention on Cybercrime B. Council of Europe Convention on Cybercrime C. Organisation for Economic Co-operation and Development D. Organisation for Cybercrime Co-operation and Development

A

B. The Council of Europe (CoE) Convention on Cybercrime is one example of an attempt to create a standard international response to cybercrime. It is the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation. The convention’s objectives include the creation of a framework for establishing jurisdiction and extradition of the accused. For example, extradition can only take place when the event is a crime in both jurisdictions.

A is incorrect because it is a distracter answer. The official name for the treaty is Council of Europe Convention on Cybercrime. It serves as a guideline for any country developing comprehensive national legislation against cybercrime and as a framework for international cooperation between state parties to this treaty.

C is incorrect because the Organisation for Economic Co-operation and Development (OECD) is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. Because of this, the OECD came up with guidelines for the various countries to follow so that data is properly protected and everyone follows the same type of rules.

D is incorrect because this is a distracter answer. There is no official entity with this name.

38
Q

Lee is a new security manager who is in charge of ensuring that his company complies with the European Union Principles on Privacy when his company is interacting with their European partners. The set of principles that deals with transmitting data considered private is encompassed within which of the following laws or regulations? A. Data Protection Directive B. Organisation for Economic Co-operation and Development C. Federal Private Bill D. Privacy Protection Law

A

A. The European Union (EU) in many cases takes individual privacy much more seriously than most other countries in the world, so it has strict laws pertaining to data that is considered private, which are based on the European Union Principles on Privacy. This set of principles addresses using and transmitting information considered private in nature. The principles and how they are to be followed are encompassed within the EU’s Data Protection Directive. All states in Europe must abide by these principles to be in compliance, and any company that wants to do business with an EU company must comply with this directive if the business will include exchanging privacy-type data.

B is incorrect because the Organisation for Economic Co-operation and Development (OECD) is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. Because of this, the OECD came up with guidelines for the various countries to follow so that data is properly protected and everyone follows the same type of rules.

C is incorrect because this is a distracter answer. There is no official bill with this name.

D is incorrect because this is a distracter answer. There is no official law with this name.

39
Q

Brandy could not figure out how Sam gained unauthorized access to her system, since he has little computer experience. Which of the following is most likely the attack Sam used? A. Dictionary attack B. Shoulder surfing attack C. Covert channel attack D. Timing attack

A

B. Shoulder surfing is a type of browsing attack in which an attacker looks over another’s shoulder to see items on that person’s monitor or what is being typed in at the keyboard. Sam probably viewed Brandy’s password as she typed it. Of the attacks listed, this is the easiest to execute in that it does not require any real knowledge of computer systems.

A is incorrect because a dictionary attack is an automated attack involving the use of tools like Crack or L0phtcrack. Sam would need to be aware of these tools and know how to find and use them. A dictionary attack requires more knowledge of how computer systems work compared to shoulder surfing.

C is incorrect because a covert channel attack requires computer expertise. A covert channel is a communications path that enables a process to transmit information in a way that violates the system’s security policy. Identifying and using a covert channel requires a lot more computer expertise compared to a shoulder surfing attack.

D is incorrect because a timing attack requires intimate knowledge of how software executes its instruction sets so that they can be manipulated. A person who could successfully carry out this attack typically needs programming experience.

40
Q

Jane has been charged with ensuring that the privacy of clients’ personal health information is adequately protected before it is exchanged with a new European partner. What data security requirements must she adhere to? A. HIPAA B. NIST SP 800-66 C. Safe Harbor D. European Union Principles on Privacy

A

C. The Safe Harbor requirements were created to harmonize the data privacy practices of the United States with the European Union’s stricter privacy controls and to prevent accidental information disclosure and loss. The framework outlines how any entity that is going to move private data to and from Europe must go about protecting it. By certifying against this rule base, U.S. companies that work with European entities can more quickly and easily transfer data.

A is incorrect because the Health Insurance Portability and Accountability Act (HIPAA) does not specifically address data protection for the purposes of sharing it with European entities. HIPAA provides a framework and guidelines to ensure security, integrity, and privacy when handling confidential medical information within the United States. The U.S. federal regulation also outlines how security should be managed for any facility that creates, accesses, shares, or destroys medical information.

B is incorrect because NIST SP 800-66 is a risk assessment methodology. It does not point out specific data privacy requirements. NIST SP 800-66 does apply to health care. It was originally designed to be implemented in the healthcare field and can be used by HIPAA clients to help achieve compliance.

D is incorrect because the European Union Principles on Privacy are the foundation for the European Union’s strict laws pertaining to data that is considered private. The purpose of the principles is not to prepare data specifically for its exchange with U.S. companies, nor are the requirements mandated for U.S. companies. This set of principles has six areas that address using and transmitting sensitive information, and all European states must abide by these principles to be in compliance.

41
Q

Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company’s e-mail system. What type of approach is her company taking to handle the risk posed by the system? A. Risk mitigation B. Risk acceptance C. Risk avoidance D. Risk transference

A

A. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. By implementing security controls such as antivirus and antispam software, Sue is reducing the risk posed by her company’s e-mail system. This is also referred to as risk mitigation, where the risk is decreased to a level considered acceptable. In addition to the use of IT security controls and countermeasures, risk can be mitigated by improving procedures, altering the environment, erecting barriers to the threat, and implementing early detection methods to stop threats as they occur, thereby reducing their possible damage. B is incorrect because risk acceptance does not involve spending money on protection or countermeasures, such as antivirus software. When accepting risk, the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to live with it without implementing countermeasures. Many companies accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value. C is incorrect because risk avoidance involves discontinuing the activity that is causing the risk, and in this case Sue’s company has chosen to continue to use e-mail. A company may choose to terminate an activity that introduces risk if that risk outweighs the activity’s business need. For example, a company may choose to block social media websites for some departments because of the risk they pose to employee productivity. D is incorrect because risk transference involves sharing the risk with another entity, as in purchasing insurance to transfer some of the risk to the insurance company. Many types of insurance are available to companies to protect their assets. If a company decides the total or residual risk is too high to gamble with, it can purchase insurance.

42
Q

A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset? A. The asset’s value in the external marketplace B. The level of insurance required to cover the asset C. The initial and outgoing costs of purchasing, licensing, and supporting the asset D. The asset’s value to the organization’s production operations

A

B. The level of insurance required to cover the asset is not a consideration when assigning values to assets. It is actually the other way around: by knowing the value of an asset, an organization can more easily determine the level of insurance coverage to purchase for that asset. In fact, understanding the value of an asset is the first step to understanding what security mechanisms should be put in place and what funds should go toward protecting it. This knowledge can also help companies perform effective cost/benefit analyses, understand exactly what is at risk, and comply with legal and regulatory requirements. A is incorrect because the asset’s value in the external marketplace is a factor that should be considered when determining the value of an asset. It should also include the value the asset might have to competitors or what others are willing to pay for a given asset. C is incorrect because the initial and outgoing costs of purchasing, licensing, and supporting the asset are considerations when determining the cost and value of an asset. The asset must be cost effective to the business directly. If the supporting requirements of maintaining the asset outweigh the business need for the asset, its value will decrease. D is incorrect because it is a factor to be considered when determining an asset’s value. The asset’s value to the organization’s production operations is the determination of the cost to an organization if the asset is not available for a certain period of time. Along these same lines, the asset’s usefulness and role in the organization should be considered, as well as the operational and production activities affected if the asset is unavailable. If the asset helps operations, it is valuable; the trick is to figure out how valuable.

43
Q

The Zachman Architecture Framework is often used to set up an enterprise security architecture. Which of the following does not correctly describe the Zachman Framework? A. A two-dimensional model that uses communication interrogatives intersecting with different levels B. A security-oriented model that gives instructions in a modular fashion C. Used to build a robust enterprise architecture versus a technical security architecture D. Uses six perspectives to describe a holistic information infrastructure

A

B. The Zachman Framework is not security oriented, but it is a good template to work with to build an enterprise security architecture because it gives direction on how to understand the enterprise in a modular fashion. This framework is structured and formal and is used as a tool to understand any type of enterprise from many different angles. The Zachman Framework was developed in the 1980s by John Zachman and is based on the principles of classical architecture, which contain rules that govern an ordered set of relationships. A is incorrect because the Zachman Framework is a two-dimensional model that addresses the what, how, where, who, when, and why from six different perspectives: the planner or visionary, the owner, the architect, the designer, the builder, and the working system. Together, this information gives a holistic view of the enterprise. C is incorrect because the Zachman Framework is used to create a robust enterprise architecture, not a security architecture, technical or not. The framework is not security specific. Almost all robust enterprise security architectures work with the structure provided by the Zachman Framework in one way or another. When we talk about a robust security architecture, we are talking about one that deals with many components throughout the organization—not just a network and the systems within that network. D is incorrect because the Zachman Framework uses six perspectives to build a holistic view of the enterprise. Those perspectives are the planner or visionary, owner, architect, designer, builder, and the working system. Those using the framework address what, how, where, who, when, and why as they relate to each of these perspectives. This is to ensure that regardless of the order in which they are put in place, components of the enterprise are organized and relationships are clearly defined so that they create a complete system. The framework does not just specify an information infrastructure.

44
Q

John has been told to report to the board of directors with a vendor-neutral enterprise architecture framework that will help the company reduce fragmentation that results from the misalignment of IT and business processes. Which of the following frameworks should he suggest? A. DoDAF B. CMMI C. ISO/IEC 42010 D. TOGAF

A

D. The Open Group Architecture Framework (TOGAF) is a vendor-neutral platform for developing and implementing enterprise architectures. It focuses on effectively managing corporate data through the use of metamodels and service-oriented architecture (SOA). A proficient implementation of TOGAF is meant to reduce fragmentation that occurs due to misalignment of traditional IT systems and actual business processes. It also adjusts to new innovations and capabilities to ensure new changes can easily be integrated into the enterprise platform. A is incorrect because the Department of Defense Architecture Framework (DoDAF) provides guidelines for the organization of enterprise architecture for U.S. Department of Defense systems. All DoD weapons and IT systems are required to design and document enterprise architecture according to these guidelines. They are also suitable for large and complex integrated systems in the military, private, or public sectors. B is incorrect because Capability Maturity Model Integration (CMMI) is used during software development to design and further enhance software. CMMI provides a standard for the software development process against which the maturity level of the development process can be measured. It was developed by the Carnegie Mellon Software Engineering Institute and is an upgraded version of the Capability Maturity Model (CMM). C is incorrect because ISO/IEC 42010 consists of a set of recommended practices intended to simplify the design and conception of software-intensive system architectures. This standard provides a type of language (terminology) to describe the different components of a software architecture and how to integrate it into the development life cycle. Many times the overall vision of the architecture of a piece of software is lost as the developers get caught up in the actual development procedures. This standard provides a conceptual framework to follow for architecture development and implementation.

45
Q

The Information Technology Infrastructure Library (ITIL) consists of five sets of instructional books. Which of the following is considered the core set and focuses on the overall planning of the intended IT services? A. Service Operation B. Service Design C. Service Transition D. Service Strategy

A

D. The fundamental approach of ITIL lies in the creation of Service Strategy, which focuses on the overall planning of the intended IT services. Once the initial planning has been concluded, Service Design provides guidelines on designing valid IT services and overall implementation policies. The Service Transition stage is then initiated, where guidelines regarding evaluation, testing, and validation of the IT services are provided. This allows the transition from business environments into technology services. Service Operation makes sure that all the agreed services have met their objectives. Finally, Continual Service Improvement points out the areas of improvement in the entire service life cycle. Service Strategy is considered to be the core of ITIL. It consists of a set of guidelines that include best practices regarding strategy and value planning, design, and alignment between the IT and business approaches, market analysis, service assets, setting targets toward providing quality service to the clients, and implementation of service strategies. A is incorrect because Service Operation refers to an important component of the life cycle in which the services are actually delivered. This part of the life cycle defines a set of guidelines that makes sure that the agreed levels of service are delivered to the customers. The areas covered by Service Operation include Event Management, Problem Management, Access Management, Incident Management, Application Management, Technical Management, and Operations Management. Service Operation also balances conflicting goals, such as technology vs. business requirements, stability vs. response, cost vs. quality of service, and reactive vs. proactive activities. B is incorrect because Service Design comprises a set of optimal practices for the design of IT services, including their processes, architectures, policies, and documentation, in order to fulfill current and future business requirements. The target of Service Design is to design services according to their agreed business objectives; to design processes that support the life cycle and the identification and management of risks; and to contribute to the improvement of IT service quality as a whole. C is incorrect because Service Transition focuses on delivering services proposed by business strategy into operational use. It also contains guidelines that enable the smooth transition of the business model into technology services. If the requirements of a service have changed after its design, Service Transition ensures that those requirements are delivered according to its modified design. The areas focused on by these guidelines include Transition Planning and Support, Change Management, Knowledge Management, Release and Deployment Management, Service Validation and Testing, and Evaluation, along with the responsibilities of personnel involved with Service Transition.

46
Q

Sarah and her security team have carried out many vulnerability tests over the years to locate the weaknesses and vulnerabilities within the systems on the network. The CISO has asked her to oversee the development of a threat model for the network. Which of the following best describes what this model is and what it would be used for? A. A threat model can help to assess the probability, the potential harm, and the priority of attacks, and thus help to minimize or eradicate the threats. B. A threat model combines the output of the various vulnerability tests and the penetration tests carried out to understand the security posture of the network as a whole. C. A threat model is a risk-based model that is used to calculate the probabilities of the various risks identified during the vulnerability tests. D. A threat model is used in software development practices to uncover programming errors.

A

A. Threat modeling is a structured approach to identifying potential threats that could exploit vulnerabilities. A threat modeling approach looks at who would most likely want to attack an organization and how they could successfully do this. A threat model can help to assess the probability, the potential harm, and the priority of attacks, and thus help to minimize or eradicate the threats. Threat modeling is a process of identifying the threats that could negatively affect an asset and the attack vectors they would use to achieve their goals. B is incorrect because a threat model is very different from vulnerability and penetration tests. These types of tests are carried out to look for and at specific items in a very focused manner. A threat model is a conceptual construct that is developed to understand a system or network at an abstract level. A threat model is used as a tool to think through all possible attack vectors, while these tests are carried out to detect whether specific vulnerabilities exist that allow certain attacks to take place. C is incorrect because a threat model is not used for calculations. Quantitative risk analysis procedures are commonly carried out to calculate the probability of identified vulnerabilities turning into true risks. These procedures can be carried out after a threat model is developed, but they are not one and the same. D is incorrect because although a threat model can be used in software development, it is not restricted to just this portion of the industry. It is important to be able to understand all types of threats—software, physical, personnel, etc. A threat model is a high-level construct that can be used to understand different types of threats for different assets. A threat model would not necessarily be used to identify programming errors. The model is used to understand potential threats against an asset.