Security and Risk Management

Question 1

Information security objectives are to provide:

A) Accountability, Confidentiality and Integrity
B) Confidentiality, Audit and Availability
C) Availability, Confidentiality and Integrity
D) None of the above

Answer 1

C) Availability, Confidentiality and Integrity

Question 2

A(n) _____ is a weakness in a system which allows a threat source to compromise its security.

A) Vulnerability
B) Risk
C) Exploit
D) None of the above

Answer 2

A) Vulnerability

Question 3

A ______ is the possibility that someone or something could exploit a vulnerability, accidentally or intentionally, causing harm to an asset.

A) Risk
B) Threat
C) Vulnerability
D) Exploit

Answer 3

B) Threat

Question 4

A _____ is the probability of a threat agent exploiting a vulnerability and the potential for loss from that exploit.

A) Loss Expectancy
B) Risk
C) Likelihood
D) Residual Risk

Answer 4

B) Risk

Question 5

What mitigates a risk?

i. Countermeasure
ii. Avoidance
iii. Control
iv. Safeguard

A) i
B) ii and iii
C) i, iii, iv
D) All of the above

Answer 5

C) i, iii, iv

‘Countermeasure’, ‘control’ and ‘safeguard’ may be used interchangeably for the same mitigation of risk.

‘Avoidance’ and ‘mitigation’ of risk are two different options for addressing risk; ‘avoidance’ does not itself ‘mitigate’ risk.

Question 6

A control can be characterized by one of the following :

A) Avoidance, acceptance, or transference
B) Administrative, technical, or empirical
C) Logical, mitigation or remediation
D) Administrative, technical, or physical

Answer 6

D) Administrative, technical, or physical

Question 7

A ____ control is put into place for financial or business function reasons.

A) Adminstrative
B) Acceptance
C) Compensating
D) None of the above

Answer 7

C) Compensating

Question 8

One framework for IT governance and control objectives is:

A) Six Sigma
B) NIST
C) SANS
D) COBIT

Answer 8

D) COBIT

Question 9

The standard for the establishment, implementation, control and improvement of of the information security management system is:

A) ISO 27005
B) ISO 27004
C) ISO 27001
D) OCTAVE

Answer 9

C) ISO 27001

Question 10

What is used to develop architectures for specific stakeholders and to present information in ‘views’?

A) Constrained user interfaces
B) The KANBAN methodology
C) NIST 800-53
D) Enterprise architecture frameworks

Answer 10

D) Enterprise architecture frameworks

Question 11

A coherent set of policies, processes and systems to manage risks is, according to ISO27001, called:

A) Risk management lifecycle
B) SIEM
C) Information Security Management System (ISMS)
D) None of the above

Answer 11

C) Information Security Management System (ISMS)

Question 12

Enterprise security architecture is a subset of:

A) Data architecture
B) Enterprise architecture
C) Business architecture
D) Classical architecture

Answer 12

C) Business architecture

Question 13

A _____ is a functional definition for the integration of technology into business processes.

A) Roadmap
B) Blueprint
C) Procedure
D) None of the above

Answer 13

B) Blueprint

Question 14

Enterprise architecture is used to build individual architectures that best map to:

A) Users
B) Business teams
C) Business drivers
D) All of the above

Answer 14

C) Business drivers

Question 15

SABSA is a(n):

A) Capability Maturity Model
B) Security enterprise architecture framework
C) Enterprise architecture framework
D) Continuous improvement process

Answer 15

B) Security enterprise architecture framework

Question 16

____ is a governance model used to help prevent fraud within a corporate setting.

A) PCI-DSS
B) COSO Internal Control-Integrated Framework
C) Sarbanes Oxley
D) SANS

Answer 16

B) COSO Internal Control-Integrated Framework

Question 17

____ is/are a set of best practices for service management.

A) ISO
B) NIST
C) ITIL
D) All of the above

Answer 17

C) ITIL

Question 18

A framework used to identify process defects in order to remedy them is:

A) CMMI
B) SABSA
C) ITIL
D) Six Sigma

Answer 18

D) Six Sigma

Question 19

____ is a maturity model which allows for processes to improve in an incremental and standard fashion.

A) SABSA
B) Six Sigma
C) CMMI
D) ITIL

Answer 19

C) CMMI

Question 20

Security enteprise architecture should include:

i. Strategic alignment
ii. Control implementation
iii. Business enablement
iv. Business planning

A) i, iii
B) i, iv
C) ii, iii
D) i, ii, iii

Answer 20

C) ii, iii

Question 21

NIST 800-53 identifies which of the following control categories:

i. Procedural
ii. Business
iii. Technical
iv. Operational
v. Management

A) i, iii, iv
B) ii, iii, iv
C) iii, iv, v
D) ii, iii, iv

Answer 21

C) iii, iv, v

Question 22

The civil law system:

A) Is based on pre-written rules
B) is based on precedence
C) Is different from tort law
D) Both A and C

Answer 22

D) Both A and C

Question 23

The common law system made up of:

A) Criminal laws
B) Civil laws
C) Administrative laws
D) All of the above

Answer 23

D) All of the above

Question 24

A customary law system:

A) Addresses primarily personal conduct
B) Uses local/regional customs and traditions as its foundation
C) Is usually mixed with another type of legal system
D) All of the above

Answer 24

D) All of the above

Question 25

A religious law system:

A) Derives its laws from religious belief and addresses individual religious responsibilities
B) Is based on common law
C) Is based on civil law
D) None of the above

Answer 25

A) Derives its laws from religious belief and addresses individual religious responsibilities

Question 26

A mixed law system:

A) Uses only civil and common law
B) Uses only civil and customary law
C) Uses two or more legal systems
D) None of the above

Answer 26

C) Uses two or more legal systems

Question 27

____ deals with individual conduct that violates government laws which protect the public.

A) Tort law
B) Criminal law
C) Common law
D) Civil law

Answer 27

B) Criminal law

Question 28

____ deals with wrongs committed against an individual or companies which result in injuries or damages.

A) Tort law
B) Criminal law
C) Common law
D) Civil law

Answer 28

D) Civil law

Question 29

What type of law deals with standards of performance or conduct for companies, industries and officials?

A) Civil law
B) Administrative law
C) Tort law
D) Statutes

Answer 29

B) Administrative law

Question 30

What grants ownership rights and enables the owner to enforce those rights?

A) Copyright
B) Trademark
C) Patent
D) All of the above

Answer 30

C) Patent

Question 31

____ protects the expression of ideas–not the ideas themselves.

A) Copyright
B) Trademark
C) Patent
D) All of the above

Answer 31

A) Copyright

Question 32

___ protects words, shapes, symbols, colors or combinations of these items used to identify a product and/or company.

A) Copyright
B) Trademark
C) Patent
D) All of the above

Answer 32

B) Trademark

Question 33

What is the term commonly used to describe knowledge proprietary to a company, including that which provides a competitive edge?

A) Confidential information
B) Trade secrets
C) Patent
D) None of the above

Answer 33

B) Trade secrets

Question 34

Which of the following has raised issues of court jurisdiction?

A) Sarbanes Oxley
B) PCI-DSS
C) Civil law
D) Internet crimes

Answer 34

D) Internet crimes

Question 35

Privacy laws for government agencies enforce which of the following principles?

i. Information must be collected fairly and lawfully
ii. Information must be used only for the purpose for which it was obtained
iii. Information must be held only for a reasonable period
iv. Information must be accurate and timely

A) i
B) ii, iii
C) i, iii, iv
D) i, ii, iii, iv

Answer 35

D) i, ii, iii, iv

Question 36

When choosing a safeguard to reduce risk, which of the following should be considered?

A) Cost
B) Functionality
C) Effectiveness
D) All of the above

Answer 36

D) All of the above

In addition, a cost/benefit analysis should be performed.