Security and Risk Management Flashcards
This domain represents 15% of the CISSP exam and covers fundamental security concepts and principles, as well as compliance, ethics, governance, security policies and procedures, business continuity planning, risk management, and security education, training, and awareness.
Q. 1 A statement that specifies security technologies or products is known as a(n)
Product guideline
Informative policy
Security standard
Safeguard
Security standard
Note
Security standards define specific (or minimum) products or technologies required to protect information.
Q. 2 Information warfare is BEST known as a
Potential loss
Vulnerability
Threat
Risk
Threat
Note
Information warfare is a threat: a potential source of harm to an organization's systems and information. A vulnerability is a weakness that a threat can exploit, and risk is the likelihood and impact of a threat exploiting a vulnerability.
Q. 3 A suspect has been apprehended and charged with breaking into a database containing medical records. Under which of the following U.S. laws is the suspect most likely to be charged? Drag and drop the correct answer(s) from top to bottom.
PCI DSS HIPAA Data Protection Act Federal Privacy Act Computer Fraud and Abuse Act
Computer Fraud and Abuse Act
Note
The suspect would most likely be charged with a violation of the Computer Fraud and Abuse Act, which pertains to the unlawful or unauthorized access to a computer system. The Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Data Protection Act, and Federal Privacy Act of 1974 all address what an organization must do to protect information.
Q. 4 The name of the U.S. law requiring protection of personal medical information is
PIPEDA
GLBA
HIPAA
HIPPA
HIPAA
Note
The Health Insurance Portability and Accountability Act (HIPAA) addresses health care information privacy in the U.S. HIPPA is a common misspelling of the HIPAA acronym. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law relating to data privacy in the private sector. The Gramm-Leach-Bliley Act (GLBA) relates to data privacy in the financial sector.
Q. 5 What’s meant by the term risk mitigation?
Elimination of risk
Reduction of risk to an acceptable level
Calculating vulnerabilities multiplied by threats
Ranking risks in order of likelihood
Reduction of risk to an acceptable level
Q. 6 Using social skills to acquire critical information about computer systems is known as
Social espionage
Social engineering
Online dating
Eavesdropping
Social engineering
Note
Social engineering describes the activity of individuals who claim to be someone they’re not in order to elicit information from unsuspecting people and so facilitate an intrusion.
Q. 7 Audit trails and security cameras are examples of
Detective controls Preventive controls Corrective controls Trust controls
Detective controls
Note
Detective controls, such as audit trails and security cameras, are designed to discover a security incident that is occurring or has already occurred.
Q. 8 It’s difficult to determine that theft of information has occurred because
It’s not a crime unless someone posts the information on the Internet Most sites have inadequate audit logs More often than not, the information is still there Most law enforcement personnel don’t understand information technology
More often than not, the information is still there
Note
When information is stolen, it’s most often copied, which means that the original information is still on the original system, unlike in the case of theft of physical property.
Q. 9 What’s the greatest source of loss when a corporate laptop is lost or stolen?
Self esteem of the laptop owner Licensed software installed on the laptop Information stored on the laptop Street value of the laptop
Information stored on the laptop
Q. 10 The purpose of a security control is to
Contain and deliver a specific security policy Record recipients of classified documents Properly release data to comply with a court order Reduce threats and vulnerabilities to an acceptable level
Reduce threats and vulnerabilities to an acceptable level
Note
Security controls are used to address threats and vulnerabilities.
Q. 11 Under what circumstance can evidence be seized without a warrant?
If it’s in the public domain If it’s believed that its destruction is imminent In international incidents If it’s on a computer
If it’s believed that its destruction is imminent
Note
Evidence may be seized without a warrant under exigent circumstances; that is, if law enforcement reasonably believes it is about to be destroyed.
Q. 12 Motive, means, and opportunity
Are required prior to the commission of a crime Are the required three pieces of evidence in any criminal trial Are the three factors that determine whether someone may have committed a crime Are the usual ingredients in a sting operation
Are the three factors that determine whether someone may have committed a crime
Note
Motive, means, and opportunity are the standard criteria used when considering a possible suspect in a crime.
Q. 13 What’s the purpose of a senior management statement of security policy?
It defines who’s responsible for carrying out a security policy It states that senior management doesn’t need to follow a security policy It emphasizes the importance of security throughout an organization It states that senior management must also follow a security policy
It emphasizes the importance of security throughout an organization
Note
A senior management statement of security policy underscores the importance of (and senior management’s commitment to) security within the organization.
Q. 14 The primary goal of information privacy laws is to
Require organizations to ask for permission each time they share information Discourage the abuse of individuals’ private information Require the use of government-operated databases, rather than private databases Prevent individuals from falsifying information about themselves
Discourage the abuse of individuals’ private information
Note
Privacy laws seek to curb the abuses of an individual’s private information by organizations and individuals who misuse that information.
Q. 15 The loss of competitive advantage and market share due to a disaster is an example of
Ineffective strategic planning A qualitative loss A quantitative loss Profiteering
A qualitative loss
Note
Competitive advantage and market share are examples of qualitative losses that an organization may suffer in the event of a disaster or security incident, because they cannot be objectively valued.
Q. 16 The deliberate misuse of information is prohibited by
The U.S. Federal Trade Commission The Heisenberg Principle The Fourth Amendment of the U.S. Constitution The (ISC)2 Code of Ethics
The (ISC)2 Code of Ethics
Note
The (ISC)2 Code of Ethics prohibits the deliberate misuse of information.
Q. 17 The most cost-effective way to make employees aware of security policies is to
Use email and Web sites to communicate the importance of security Enroll all employees in a security awareness class Send a hardcopy set of security policies to each employee Purchase a good book on security for each employee
Use email and Web sites to communicate the importance of security
Note
Using existing tools, such as email and websites, is a cost-effective way to communicate security information within an organization.
Q. 18 The illegal acquisition of funds through intimidation is known as
Embezzlement Conspiracy Blackmail Extortion
Extortion
Q. 19 The only way to be absolutely sure that a hard disk hasn’t been tampered with is to
Write-protect the hard disk Remove the hard disk from the computer Create a digital signature based on the hard disk’s entire contents Back up the hard disk to tape and make comparisons later, as needed
Create a digital signature based on the hard disk’s entire contents
Note
A digital signature (in practice, a cryptographic hash computed over the complete disk image at the time of acquisition and then signed or recorded out of band) is the most reliable way of determining whether a hard disk has been tampered with, because any later change to the contents, including to file attributes, changes the hash. Software write protection can be defeated; removing the hard disk from the computer doesn’t assure that it can’t be changed later; and backing up a hard disk reads every file, which can alter file attributes such as access times, and only leaves you with a copy to compare against.
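An added example of the check described in this note, not part of the original flashcard set: it hashes an entire disk image in fixed-size chunks (so a multi-gigabyte image never has to fit in memory), records the digest at acquisition time, and later verifies the image against that digest. The disk image, its sector layout, and the "metadata sector" holding a file's access time are all constructed here for illustration; a real acquisition would hash the block device read through a hardware write blocker.

```python
"""Integrity check for an acquired disk image: hash the whole image,
record the digest, and verify the image against it later."""
import hashlib
import hmac
import io

SECTOR = 512
CHUNK = 1024  # small on purpose so the sample image spans several chunks


def image_digest(stream, algorithm: str = "sha256") -> str:
    """Hash every byte of the image, streaming it in CHUNK-sized reads."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_image(stream, recorded_hex: str, algorithm: str = "sha256") -> bool:
    """True only if the current image hashes to the digest recorded at acquisition."""
    return hmac.compare_digest(image_digest(stream, algorithm), recorded_hex)


def build_sample_image() -> bytes:
    """Constructed 8-sector image (assumption for this example, not a real filesystem):
    sector 0 = boot record, sector 1 = file metadata (including an access-time
    field at offset 16), sectors 2..7 = file contents."""
    boot = b"BOOT".ljust(SECTOR, b"\x00")
    metadata = bytearray(b"META:file1".ljust(SECTOR, b"\x00"))
    metadata[16:24] = (1700000000).to_bytes(8, "little")  # access time (constructed)
    data = [f"file1 block {i}".encode().ljust(SECTOR, b"\x00") for i in range(6)]
    return boot + bytes(metadata) + b"".join(data)


def touched_image(image: bytes) -> bytes:
    """Simulate what merely reading the disk through a mounted filesystem can do:
    the file contents are untouched, but the access time in the metadata sector moves."""
    img = bytearray(image)
    atime = int.from_bytes(img[SECTOR + 16:SECTOR + 24], "little") + 60
    img[SECTOR + 16:SECTOR + 24] = atime.to_bytes(8, "little")
    return bytes(img)


def tampered_image(image: bytes) -> bytes:
    """Simulate a one-bit change to file contents."""
    img = bytearray(image)
    img[3 * SECTOR + 5] ^= 0x01
    return bytes(img)


def demo() -> dict:
    original = build_sample_image()
    recorded = image_digest(io.BytesIO(original))  # taken at acquisition
    return {
        "pristine": verify_image(io.BytesIO(original), recorded),
        "attributes_changed": verify_image(io.BytesIO(touched_image(original)), recorded),
        "contents_changed": verify_image(io.BytesIO(tampered_image(original)), recorded),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} verified={ok}")
```

The whole-image hash catches both a content change and an attribute-only change, which is the note's point: a backup or a mount that updates access times already makes the disk differ from what was seized, so only a digest taken before any such handling, and kept with the chain-of-custody record, proves the original is untouched.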
Q. 20 Reboot instructions and file restore procedures are examples of
Detective controls Preventive controls Corrective controls Trust controls
Corrective controls
Note
Corrective controls, such as reboot instructions and file restore procedures, are designed to restore normal operations after a security incident has occurred.
Q. 21 In the context of data processing continuity planning, subscription services refers to
Contracts to have replacement computer hardware within 72 hours Contracts to have replacement computer hardware within 24 hours Commercial services providing hot sites, warm sites, and cold sites The quarterly journal Continuity Planning
Commercial services providing hot sites, warm sites, and cold sites
Q. 22 The chain of evidence ensures
That evidence links the alleged perpetrator to the crime That those who collected it will be available to testify in court That it’s relevant and reliable The integrity of evidence, from collection through safekeeping
The integrity of evidence, from collection through safekeeping
Q. 23 Access controls and card-key systems are examples of
Detective controls Preventive controls Corrective controls Trust controls
Preventive controls
Note
Preventive controls, such as access controls and card-key systems, are designed to prevent a security incident from occurring.
Q. 24 Which of the following is NOT required when performing a Risk Analysis?
Determine the monetary value of an asset Identify all threats to an asset Classify the asset’s security level Calculate the Annualized Loss Expectancy
Classify the asset’s security level
Note
A risk analysis is used to calculate Annualized Loss Expectancy (ALE), which requires the monetary value of the asset, the threats to the asset, and the likelihood of each threat event occurring in a year. Classifying an asset’s security level is a separate data classification activity, not a step in risk analysis.
Q. 25 Which of the following is NOT a part of Risk Analysis?
Determining value of assets Determining the location of assets Determining threats to assets Selecting safeguards
Determining the location of assets
Note
The three main components of risk analysis are quantitative/qualitative analysis, asset valuation, and safeguard selection. Determining the location of assets is not part of a risk analysis.
Q. 26 What’s the best reason for employees to be aware of an organization’s security policies?
So that they can socialize it with other employees To receive reminders of best security practices So that they can perform the appropriate actions needed to safeguard information So that they can avoid the consequences of not knowing the security policies
So that they can perform the appropriate actions needed to safeguard information
Q. 27 The purpose of risk analysis is
To qualify the classification of a potential threat To quantify the likelihood of a potential threat To quantify the net present value of an asset To quantify the impact and likelihood of a potential threat
To quantify the impact and likelihood of a potential threat
Note
A risk analysis quantifies both the likelihood of a potential threat and its impact; in other words, it puts a monetary value on the expected loss of information or functionality.
Q. 28 A set of values defining acceptable and unacceptable behavior is known as
Ethics Guiding principles Laws Requirements
Ethics
Note
Ethics define right and wrong behavior that is expected in various contexts or situations.
Q. 29 What factors are used to select a safeguard? Drag and drop the correct answer(s) from top to bottom.
Return on investment
Accuracy
Exposure factor
Auditability
Annualized loss expectancy
Cost-benefit analysis
Accuracy
Auditability
Cost-benefit analysis
Note
A safeguard should be selected based on auditability (or verifiability), a cost-benefit analysis, and accuracy (or effectiveness).
Q. 30 Laws having to do with a wrong that one has inflicted on another are called
Statutory laws Common laws Civil laws Liability laws
Civil laws
Note
Laws that deal with one person or organization aggrieving another are civil laws.
Q. 31 What’s meant by the term risk reduction?
Factoring risk downward to match return on investment (ROI) Removing threats from the Risk Analysis (RA) Reducing risk by lowering the Annualized Loss Expectancy (ALE) Taking measures to reduce the risk of loss to an asset
Taking measures to reduce the risk of loss to an asset
Note
“Risk reduction” refers to any measure that can be taken to reduce the risk to an asset.
Q. 32 Federal sentencing guidelines specify that a corporation’s senior officers can be
Imprisoned for failing to protect corporate information assets from harm Held personally liable for failing to protect information assets from harm Sentenced to house arrest for failing to protect information assets from harm Barred from management for failing to protect information assets from harm
Held personally liable for failing to protect information assets from harm
Note
Senior officers in an organization can be held personally liable for failure to comply with federal laws.
Q. 33 Annualized Loss Expectancy refers to
The expectation of the occurrence of losses throughout the year The monetary loss expected from all occurrences of a single threat in a year The total monetary annual loss from all occurrences of a single threat An industry-provided benchmark that serves as a prediction of a threat
The monetary loss expected from all occurrences of a single threat in a year
Note
Annualized Loss Expectancy (ALE) is a risk management term calculated as the product of Single Loss Expectancy (SLE) and Annualized Rate of Occurrence (ARO). Mathematically, ALE = SLE x ARO. For example, if the SLE for a given event is $50,000 and the ARO for the event is 10, then the ALE is $500,000 ($500,000 = $50,000 x 10).
Q. 34 Intellectual property laws apply to which of the following? Drag and drop the correct answer(s) from top to bottom.
Copyrights Medical records Credit card data Patents Trade secrets Trademarks
Copyrights
Patents
Trade secrets
Trademarks
Note
Intellectual property laws apply to copyrights, trademarks, patents, and trade secrets.
Q. 35 The illegal acquisition of funds through manipulation or falsification of financial information is known as
Embezzlement Conspiracy Blackmail Extortion
Embezzlement
Q. 36 A weakness in a security control is called a
Risk Vulnerability Threat Hole
Vulnerability
Q. 37 What’s the definition of a threat?
Any event that produces an undesirable outcome A weakness present in a control or countermeasure An act of aggression that causes harm An individual likely to violate security policy
Any event that produces an undesirable outcome
Note
A threat is a possible, undesirable event that may cause harm or damage.
Q. 38 What’s the purpose of a security guideline?
It provides suggested methods for following a security policy It explains the purpose of a security policy It explains why a security policy must be followed It describes the consequences for violating a security policy
It provides suggested methods for following a security policy
Q. 39 What is the purpose of pre-employment screening?
Identifying undesirable medical or genetic conditions Eliminating certain personality types from consideration Ensuring employees have knowledge of security processes Potentially discovering undesirable activities, errors or omissions in the application
Potentially discovering undesirable activities, errors or omissions in the application
Q. 40 During an interrogation of a suspect, copies of any evidence should be used because
The suspect may ask for the evidence The suspect may attempt to destroy the evidence The original evidence should be locked in the evidence room The suspect is allowed to give a copy of the evidence to his or her attorney
The suspect may attempt to destroy the evidence
Q. 41 In order to be admissible, electronic evidence must
Be legally permissible Not be copied Have been in the custody of the investigator at all times Not contain viruses
Be legally permissible
Q. 42 Acting with excellence, competence, and diligence is known as
Due care Due diligence Due ignorance Due process
Due care
Note
Due care includes exercising due diligence. Due process is a legal concept.
Q. 43 Methodologies used to identify and assess risk in an organization are known as
Risk assessment frameworks Risk management frameworks Risk analysis Threat modeling
Risk assessment frameworks
Note
Risk assessment frameworks, such as Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) and Factor Analysis of Information Risk (FAIR), are methodologies used to identify and assess risk in an organization.
Q. 44 What’s the purpose of a Business Impact Assessment (BIA)?
To identify critical business processes and the resources required to resume them To identify the impact of a disaster on the organization’s value chain To identify the financial cost of various disaster scenarios To identify a disaster’s impact on company market share
To identify critical business processes and the resources required to resume them
Q. 45 A patent protects the owner’s intellectual property rights for how long in the United States?
20 years 7 years 10 years 27 years
20 years
Q. 46 One of the main disadvantages of a mutual aid agreement is
An organization has no guarantee that the other organization will agree to help A disaster that affects both organizations potentially reduces the effectiveness of the agreement It’s the most expensive way to maintain a warm site The DRP isn’t tested until a disaster strikes
A disaster that affects both organizations potentially reduces the effectiveness of the agreement
Q. 47 Typically, the first step in the BCP development process is
Inventory all business critical processes Determine scope Create a Business Impact Analysis Develop a training plan
Determine scope
Q. 48 The categories of common law that relate to information systems are what? Drag and drop the correct answer(s) from top to bottom.
Civil Sharia Criminal Privacy Misdemeanor Felony Intellectual property Regulatory
Civil
Criminal
Privacy
Intellectual property
Regulatory
Note
Criminal, civil, regulatory, intellectual property, and privacy laws relate to all types of activities, including information systems.
Q. 49 An organization is considering storing its internal human resources data in the cloud. The organization should be concerned with all of the following EXCEPT
Administrative access to shared-tenant systems Multi-tenant segregation Legal jurisdiction Operating system virtualization
Operating system virtualization
Note
An organization storing its human resources data with a cloud service provider should be concerned with the physical location of the stored data, the legal jurisdiction governing storage and use of the data, control of administrative access to the data, and methods used to segregate the organization’s data from that of other cloud tenants.
Q. 50 What are the reasons for performing a pre-employment background check? Drag and drop the correct answer(s) from top to bottom.
Verify family history Verify medical history Verify criminal history Verify educational history Verify social history Verify employment history
Verify employment history
Verify criminal history
Verify educational history
Note
In most situations, attempting to verify an applicant’s social, medical, or family history as part of an employment decision is inappropriate, unethical, and in many jurisdictions illegal.
Q. 51 Which of the following methods are used to create an online redundant data set? Drag and drop the correct answer(s) from top to bottom.
Database mirroring
Electronic vaulting
Off-site storage
Remote journaling
Database mirroring
Electronic vaulting
Remote journaling
Note
Offsite storage simply refers to an alternate location for storing backup media.
Q. 52 Single Loss Expectancy refers to
The expectation of the occurrence of a single loss The monetary loss realized from a single event The likelihood that a single loss will occur The annualized monetary loss from a single threat
The monetary loss realized from a single event
Note
Single Loss Expectancy (SLE) is a risk management term that assigns a monetary value (impact) associated with an individual threat for a single occurrence of an event.
Q. 53 Which of the following is NOT a goal of a Business Impact Assessment (BIA)?
To inventory mutual aid agreements To identify and prioritize business critical functions To identify process and system interdependencies To identify resources required by critical processes
To inventory mutual aid agreements
Q. 54 Annualized Rate of Occurrence refers to
The exact frequency of a threat The estimated frequency of a threat The estimated monetary value of a threat The exact monetary value of a threat
The estimated frequency of a threat
Note
Annualized Rate of Occurrence (ARO) is a risk management term that assigns the likelihood (frequency) of a threat occurring within a one-year time frame.
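An added worked example tying together the risk arithmetic from Q. 29 (cost-benefit analysis for safeguard selection), Q. 33 (ALE), Q. 52 (SLE) and Q. 54 (ARO); it is not part of the original flashcard set. It reproduces the page's figures (SLE $50,000, ARO 10, ALE $500,000) and then ranks candidate safeguards by their annual value, computed as ALE before the safeguard minus ALE after it minus the safeguard's annual cost. The threat, asset value, exposure factor and safeguard figures are constructed for illustration.

```python
"""Quantitative risk arithmetic: SLE = AV x EF, ALE = SLE x ARO, and the
cost-benefit value of a safeguard = ALE(before) - ALE(after) - annual cost."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float     # AV: value of the asset in dollars
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    aro: float              # ARO: estimated occurrences per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss from all occurrences in a year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # purchase amortized over its life plus operating cost
    residual_ef: float      # EF once the safeguard is in place
    residual_aro: float     # ARO once the safeguard is in place


def residual_ale(threat: Threat, safeguard: Safeguard) -> float:
    """ALE that remains after applying the safeguard to the threat."""
    return threat.asset_value * safeguard.residual_ef * safeguard.residual_aro


def safeguard_value(threat: Threat, safeguard: Safeguard) -> float:
    """Annual value of the safeguard; negative means it costs more than it saves."""
    return threat.ale - residual_ale(threat, safeguard) - safeguard.annual_cost


def rank_safeguards(threat: Threat, candidates: list) -> list:
    """Candidates ordered from best to worst cost-benefit value."""
    return sorted(candidates, key=lambda s: safeguard_value(threat, s), reverse=True)


# Constructed figures matching the page's ALE example: SLE $50,000, ARO 10, ALE $500,000.
EXAMPLE_THREAT = Threat("ransomware on file server", asset_value=250_000, exposure_factor=0.2, aro=10)

# Constructed candidate safeguards (assumptions for this example).
CANDIDATES = [
    Safeguard("tested offline backups", annual_cost=60_000, residual_ef=0.05, residual_aro=10),
    Safeguard("mail filtering", annual_cost=20_000, residual_ef=0.2, residual_aro=4),
    Safeguard("high-end appliance", annual_cost=450_000, residual_ef=0.01, residual_aro=1),
    Safeguard("air-gap the server", annual_cost=600_000, residual_ef=0.0, residual_aro=0),
]


def best_safeguard(threat: Threat = EXAMPLE_THREAT, candidates: list = CANDIDATES) -> str:
    return rank_safeguards(threat, candidates)[0].name


if __name__ == "__main__":
    t = EXAMPLE_THREAT
    print(f"SLE ${t.sle:,.0f}  ARO {t.aro}  ALE ${t.ale:,.0f}")
    for s in rank_safeguards(t, CANDIDATES):
        print(f"{s.name:24s} residual ALE ${residual_ale(t, s):>9,.0f}  value ${safeguard_value(t, s):>10,.0f}")
```

The ranking shows why the cost-benefit factor matters: the safeguard that eliminates the risk entirely (air-gapping) has negative value because its annual cost exceeds the ALE it removes, while inexpensive backups that only reduce the exposure factor come out on top.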
Q. 55 Which of the following is NOT a factor in Business Continuity Planning?
Making sure sufficient personnel are available to recover business operations Identifying critical business processes and planning for their resumption Defining the emergency response activities of local authorities Identifying funding necessary during a disaster and for recovery of operations
Defining the emergency response activities of local authorities
Q. 56 Management needs to perform a risk assessment in order to understand the potential costs of a security breach. What is the best approach for performing a risk assessment?
Perform a qualitative risk assessment Perform a qualitative risk assessment, then a quantitative risk assessment Perform a quantitative risk assessment Perform a quantitative risk assessment, then a qualitative risk assessment
Perform a qualitative risk assessment, then a quantitative risk assessment
Note
A quantitative risk assessment is required to determine the potential cost of a security incident. However, it is usually best to perform a qualitative risk assessment before performing the quantitative risk assessment.
Q. 57 A security control intended to reduce risk is called a
Safeguard Threat Mitigating circumstance Partition
Safeguard
Q. 58 What is an advisory policy?
An optional policy that can be followed An informal offering of advice regarding security practices A temporary policy good only for a certain period of time A policy that must be followed but isn’t mandated by regulation
A policy that must be followed but isn’t mandated by regulation
Note
An advisory policy is required by the organization but isn’t mandated by local, state, regional, national, or international laws or regulations.