Security and Risk Management Flashcards

This domain represents 15% of the CISSP exam and covers fundamental security concepts and principles, as well as compliance, ethics, governance, security policies and procedures, business continuity planning, risk management, and security education, training, and awareness.

1
Q

Q. 1 A statement that specifies security technologies or products is known as a(n)

Product guideline

Informative policy

Security standard

Safeguard

A

Security standard

Note
Security standards define specific (or minimum) products or technologies required to protect information.

2
Q

Q. 2 Information warfare is BEST known as a

Potential loss

Vulnerability

Threat

Risk

A

Vulnerability

3
Q

Q. 3 A suspect has been apprehended and charged with breaking into a database containing medical records. Under which of the following U.S. laws is the suspect most likely to be charged? Drag and drop the correct answer(s) from top to bottom.

PCI DSS
HIPAA
Data Protection Act
Federal Privacy Act
Computer Fraud and Abuse Act
A

Computer Fraud and Abuse Act

Note
The suspect would most likely be charged with a violation of the Computer Fraud and Abuse Act, which pertains to the unlawful or unauthorized access to a computer system. The Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Data Protection Act, and Federal Privacy Act of 1974 all address what an organization must do to protect information.

4
Q

Q. 4 The name of the U.S. law requiring protection of personal medical information is

PIPEDA
GLBA
HIPAA
HIPPA

A

HIPAA

Note
[Security and Risk Management] The Health Insurance Portability and Accountability Act (HIPAA) addresses health care information privacy in the U.S. HIPPA is a common misspelling of the HIPAA acronym. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law relating to data privacy in the private sector. The Gramm-Leach-Bliley Act (GLBA) relates to data privacy in the financial sector.

5
Q

Q. 5 What’s meant by the term risk mitigation?

Elimination of risk

Reduction of risk to an acceptable level

Calculating vulnerabilities multiplied by threats

Ranking risks in order of likelihood

A

Reduction of risk to an acceptable level

6
Q

Q. 6 Using social skills to acquire critical information about computer systems is known as

Social espionage

Social engineering

Online dating

Eavesdropping

A

Social engineering

Note
Social engineering describes the activity carried out by individuals who claim to be someone they’re not in order to elicit information from unsuspecting individuals and thereby facilitate an intrusion.

7
Q

Q. 7 Audit trails and security cameras are examples of

Detective controls
Preventive controls
Corrective controls
Trust controls
A

Detective controls

Note
Detective controls, such as audit trails and security cameras, are designed to discover a security incident that is occurring or has already occurred.

8
Q

Q. 8 It’s difficult to determine that theft of information has occurred because

It’s not a crime unless someone posts the information on the Internet
Most sites have inadequate audit logs
More often than not, the information is still there
Most law enforcement personnel don’t understand information technology
A

More often than not, the information is still there

Note
When information is stolen, it’s most often copied, which means that the original information is still on the original system, unlike in the case of theft of physical property.

9
Q

Q. 9 What’s the greatest source of loss when a corporate laptop is lost or stolen?

Self esteem of the laptop owner
Licensed software installed on the laptop
Information stored on the laptop
Street value of the laptop
A

Information stored on the laptop

10
Q

Q. 10 The purpose of a security control is to

Contain and deliver a specific security policy
Record recipients of classified documents
Properly release data to comply with a court order
Reduce threats and vulnerabilities to an acceptable level
A

Reduce threats and vulnerabilities to an acceptable level

Note
Security controls are used to address threats and vulnerabilities.

11
Q

Q. 11 Under what circumstance can evidence be seized without a warrant?

If it’s in the public domain
If it’s believed that its destruction is imminent
In international incidents
If it’s on a computer
A

If it’s believed that its destruction is imminent

Note
Evidence may be seized without a warrant under exigent circumstances; that is, if law enforcement reasonably believes it is about to be destroyed.

12
Q

Q. 12 Motive, means, and opportunity

Are required prior to the commission of a crime
Are the required three pieces of evidence in any criminal trial
Are the three factors that determine whether someone may have committed a crime
Are the usual ingredients in a sting operation
A

Are the three factors that determine whether someone may have committed a crime

Note
Motive, means, and opportunity are the standard criteria used when considering a possible suspect in a crime.

13
Q

Q. 13 What’s the purpose of a senior management statement of security policy?

It defines who’s responsible for carrying out a security policy
It states that senior management doesn’t need to follow a security policy
It emphasizes the importance of security throughout an organization
It states that senior management must also follow a security policy
A

It emphasizes the importance of security throughout an organization

Note
A senior management statement of security policy underscores the importance of (and senior management’s commitment to) security within the organization.

14
Q

Q. 14 The primary goal of information privacy laws is to

Require organizations to ask for permission each time they share information
Discourage the abuse of individuals’ private information
Require the use of government-operated databases, rather than private databases
Prevent individuals from falsifying information about themselves
A

Discourage the abuse of individuals’ private information

Note
Privacy laws seek to curb the abuses of an individual’s private information by organizations and individuals who misuse that information.

15
Q

Q. 15 The loss of competitive advantage and market share due to a disaster is an example of

Ineffective strategic planning
A qualitative loss
A quantitative loss
Profiteering
A

A qualitative loss

Note
Competitive advantage and market share are examples of qualitative losses that an organization may suffer in the event of a disaster or security incident, because they cannot be objectively valued.

16
Q

Q. 16 The deliberate misuse of information is prohibited by

The U.S. Federal Trade Commission
The Heisenberg Principle
The Fourth Amendment of the U.S. Constitution
The (ISC)2 Code of Ethics
A

The (ISC)2 Code of Ethics

Note
The (ISC)2 Code of Ethics prohibits the deliberate misuse of information.

17
Q

Q. 17 The most cost-effective way to make employees aware of security policies is to

Use email and Web sites to communicate the importance of security
Enroll all employees in a security awareness class
Send a hardcopy set of security policies to each employee
Purchase a good book on security for each employee
A

Use email and Web sites to communicate the importance of security

Note
Using existing tools, such as email and websites, is a cost-effective way to communicate security information within an organization.

18
Q

Q. 18 The illegal acquisition of funds through intimidation is known as

Embezzlement
Conspiracy
Blackmail
Extortion
A

Extortion

19
Q

Q. 19 The only way to be absolutely sure that a hard disk hasn’t been tampered with is to

Write-protect the hard disk
Remove the hard disk from the computer
Create a digital signature based on the hard disk’s entire contents
Back up the hard disk to tape and make comparisons later, as needed
A

Create a digital signature based on the hard disk’s entire contents

Note
A digital signature is the most reliable way of determining whether a hard disk has been tampered with. Write protection can be defeated and alters the attributes of files on the hard disk; removing the hard disk from the computer doesn’t assure that it can’t be changed; and backing up a hard disk also alters the attributes of files on the hard disk.

20
Q

Q. 20 Reboot instructions and file restore procedures are examples of

Detective controls
Preventive controls
Corrective controls
Trust controls
A

Corrective controls

Note
Corrective controls, such as reboot instructions and file restore procedures, are designed to restore normal operations after a security incident has occurred.

21
Q

Q. 21 In the context of data processing continuity planning, subscription services refers to

Contracts to have replacement computer hardware within 72 hours
Contracts to have replacement computer hardware within 24 hours
Commercial services providing hot sites, warm sites, and cold sites
The quarterly journal Continuity Planning
A

Commercial services providing hot sites, warm sites, and cold sites

22
Q

Q. 22 The chain of evidence ensures

That evidence links the alleged perpetrator to the crime
That those who collected it will be available to testify in court
That it’s relevant and reliable
The integrity of evidence, from collection through safekeeping
A

The integrity of evidence, from collection through safekeeping

23
Q

Q. 23 Access controls and card-key systems are examples of

Detective controls
Preventive controls
Corrective controls
Trust controls
A

Preventive controls

Note
Preventive controls, such as access controls and card-key systems, are designed to prevent a security incident from occurring.

24
Q

Q. 24 Which of the following is NOT required when performing a Risk Analysis?

Determine the monetary value of an asset
Identify all threats to an asset
Classify the asset’s security level
Calculate the Annualized Loss Expectancy
A

Classify the asset’s security level

Note
A risk analysis is used to calculate Annualized Loss Expectancy (ALE), which requires information about the value of the asset, the potential threats to the asset, and the likelihood of a threat event occurring. A risk analysis is not used to determine an asset’s security level.

25
Q

Q. 25 Which of the following is NOT a part of Risk Analysis?

Determining value of assets
Determining the location of assets
Determining threats to assets
Selecting safeguards
A

Determining the location of assets

Note
The three main components of risk analysis are quantitative/qualitative analysis, asset valuation, and safeguard selection. Determining the location of assets is not part of a risk analysis.

26
Q

Q. 26 What’s the best reason for employees to be aware of an organization’s security policies?

So that they can socialize it with other employees
To receive reminders of best security practices
So that they can perform the appropriate actions needed to safeguard information
So that they can avoid the consequences of not knowing the security policies
A

So that they can perform the appropriate actions needed to safeguard information

27
Q

Q. 27 The purpose of risk analysis is

To qualify the classification of a potential threat
To quantify the likelihood of a potential threat
To quantify the net present value of an asset
To quantify the impact and likelihood of a potential threat
A

To quantify the impact and likelihood of a potential threat

Note
A risk analysis quantifies the impact of a potential threat; in other words, it puts a monetary value on the loss of information or functionality.

28
Q

Q. 28 A set of values defining acceptable and unacceptable behavior is known as

Ethics
Guiding principles
Laws
Requirements
A

Ethics

Note
Ethics define right and wrong behavior that is expected in various contexts or situations.

29
Q

Q. 29 What factors are used to select a safeguard? Drag and drop the correct answer(s) from top to bottom.

Return on investment
Accuracy
Exposure factor
Auditability
Annualized loss expectancy
Cost-benefit analysis
A

Accuracy
Auditability
Cost-benefit analysis

Note
A safeguard should be selected based on auditability (or verifiability), a cost-benefit analysis, and accuracy (or effectiveness).

30
Q

Q. 30 Laws having to do with a wrong that one has inflicted on another are called

Statutory laws
Common laws
Civil laws
Liability laws
A

Civil laws

Note
Laws that deal with one person or organization aggrieving another are civil laws.

31
Q

Q. 31 What’s meant by the term risk reduction?

Factoring risk downward to match return on investment (ROI)
Removing threats from the Risk Analysis (RA)
Reducing risk by lowering the Annualized Loss Expectancy (ALE)
Taking measures to reduce the risk of loss to an asset
A

Taking measures to reduce the risk of loss to an asset

Note
“Risk reduction” refers to any measure that can be taken to reduce the risk to an asset.

32
Q

Q. 32 Federal sentencing guidelines specify that a corporation’s senior officers can be

Imprisoned for failing to protect corporate information assets from harm
Held personally liable for failing to protect information assets from harm
Sentenced to house arrest for failing to protect information assets from harm
Barred from management for failing to protect information assets from harm
A

Held personally liable for failing to protect information assets from harm

Note
Senior officers in an organization can be held personally liable for failure to comply with federal laws.

33
Q

Q. 33 Annualized Loss Expectancy refers to

The expectation of the occurrence of losses throughout the year
The monetary loss expected from all occurrences of a single threat in a year
The total monetary annual loss from all occurrences of a single threat
An industry-provided benchmark that serves as a prediction of a threat
A

The monetary loss expected from all occurrences of a single threat in a year

Note
Annualized Loss Expectancy (ALE) is a risk management term calculated as the product of Single Loss Expectancy (SLE) and Annualized Rate of Occurrence (ARO). Mathematically, ALE = SLE x ARO. For example, if the SLE for a given event is $50,000 and the ARO for the event is 10, then the ALE is $500,000 ($500,000 = $50,000 x 10).

34
Q

Q. 34 Intellectual property laws apply to which of the following? Drag and drop the correct answer(s) from top to bottom.

Copyrights
Medical records
Credit card data
Patents
Trade secrets
Trademarks
A

Copyrights
Patents
Trade secrets
Trademarks

Note
Intellectual property laws apply to copyrights, trademarks, patents, and trade secrets.

35
Q

Q. 35 The illegal acquisition of funds through manipulation or falsification of financial information is known as

Embezzlement
Conspiracy
Blackmail
Extortion
A

Embezzlement

36
Q

Q. 36 A weakness in a security control is called a

Risk
Vulnerability
Threat
Hole
A

Vulnerability

37
Q

Q. 37 What’s the definition of a threat?

Any event that produces an undesirable outcome
A weakness present in a control or countermeasure
An act of aggression that causes harm
An individual likely to violate security policy
A

Any event that produces an undesirable outcome

Note
A threat is a possible, undesirable event that may cause harm or damage.

38
Q

Q. 38 What’s the purpose of a security guideline?

It provides suggested methods for following a security policy
It explains the purpose of a security policy
It explains why a security policy must be followed
It describes the consequences for violating a security policy
A

It provides suggested methods for following a security policy

39
Q

Q. 39 What is the purpose of pre-employment screening?

Identifying undesirable medical or genetic conditions
Eliminating certain personality types from consideration
Ensuring employees have knowledge of security processes
Potentially discovering undesirable activities, errors or omissions in the application
A

Potentially discovering undesirable activities, errors or omissions in the application

40
Q

Q. 40 During an interrogation of a suspect, copies of any evidence should be used because

The suspect may ask for the evidence
The suspect may attempt to destroy the evidence
The original evidence should be locked in the evidence room
The suspect is allowed to give a copy of the evidence to his or her attorney
A

The suspect may attempt to destroy the evidence

41
Q

Q. 41 In order to be admissible, electronic evidence must

Be legally permissible
Not be copied
Have been in the custody of the investigator at all times
Not contain viruses
A

Be legally permissible

42
Q

Q. 42 Acting with excellence, competence, and diligence is known as

Due care
Due diligence
Due ignorance
Due process
A

Due care

Note
Due care includes exercising due diligence. Due process is a legal concept.

43
Q

Q. 43 Methodologies used to identify and assess risk in an organization are known as

Risk assessment frameworks
Risk management frameworks
Risk analysis
Threat modeling
A

Risk assessment frameworks

Note
Risk assessment frameworks, such as Operationally Critical Threat, Assessment and Vulnerability Evaluation (OCTAVE) and Factor Analysis of Information Risk (FAIR), are methodologies used to identify and assess risk in an organization.

44
Q

Q. 44 What’s the purpose of a Business Impact Assessment (BIA)?

To identify critical business processes and the resources required to resume them
To identify the impact of a disaster on the organization’s value chain
To identify the financial cost of various disaster scenarios
To identify a disaster’s impact on company market share
A

To identify critical business processes and the resources required to resume them

45
Q

Q. 45 A patent protects the owner’s intellectual property rights for how long in the United States?

20 years
7 years
10 years
27 years
A

20 years

46
Q

Q. 46 One of the main disadvantages of a mutual aid agreement is

An organization has no guarantee that the other organization will agree to help
A disaster that affects both organizations potentially reduces the effectiveness of the agreement
It’s the most expensive way to maintain a warm site
The DRP isn’t tested until a disaster strikes
A

A disaster that affects both organizations potentially reduces the effectiveness of the agreement

47
Q

Q. 47 Typically, the first step in the BCP development process is

Inventory all business critical processes
Determine scope
Create a Business Impact Analysis
Develop a training plan
A

Determine scope

48
Q

Q. 48 The categories of common law that relate to information systems are what? Drag and drop the correct answer(s) from top to bottom.

Civil
Sharia
Criminal
Privacy
Misdemeanor
Felony
Intellectual property
Regulatory
A

Criminal, civil, regulatory, intellectual property, and privacy laws relate to all types of activities, including information systems.

49
Q

Q. 49 An organization is considering storing its internal human resources data in the cloud. The organization should be concerned with all of the following EXCEPT

Administrative access to shared-tenant systems
Multi-tenant segregation
Legal jurisdiction
Operating system virtualization
A

Operating system virtualization

Note
An organization storing its human resources data with a cloud service provider should be concerned with the physical location of the stored data, the legal jurisdiction governing storage and use of the data, control of administrative access to the data, and methods used to segregate the organization’s data from that of other cloud tenants.

50
Q

Q. 50 What are the reasons for performing a pre-employment background check? Drag and drop the correct answer(s) from top to bottom.

Verify family history
Verify medical history
Verify criminal history
Verify educational history
Verify social history
Verify employment history
A

Verify employment history
Verify criminal history
Verify educational history

Note
In most situations, attempting to verify an applicant’s social, medical, or family history as part of an employment decision is inappropriate, unethical, and illegal.

51
Q

Q. 51 Which of the following methods are used to create an online redundant data set? Drag and drop the correct answer(s) from top to bottom.

Database mirroring
Electronic vaulting
Off-site storage
Remote journaling

A

Database mirroring
Electronic vaulting
Remote journaling

Note
Offsite storage simply refers to an alternate location for storing backup media.

52
Q

Q. 52 Single Loss Expectancy refers to

The expectation of the occurrence of a single loss
The monetary loss realized from a single event
The likelihood that a single loss will occur
The annualized monetary loss from a single threat
A

The monetary loss realized from a single event

Note
Single Loss Expectancy (SLE) is a risk management term that assigns a monetary value (impact) associated with an individual threat for a single occurrence of an event.

53
Q

Q. 53 Which of the following is NOT a goal of a Business Impact Assessment (BIA)?

To inventory mutual aid agreements
To identify and prioritize business critical functions
To identify process and system interdependencies
To identify resources required by critical processes
A

To inventory mutual aid agreements

54
Q

Q. 54 Annualized Rate of Occurrence refers to

The exact frequency of a threat
The estimated frequency of a threat
The estimated monetary value of a threat
The exact monetary value of a threat
A

The estimated frequency of a threat

Note
Annualized Rate of Occurrence (ARO) is a risk management term that assigns the likelihood (frequency) of a threat occurring within a one-year time frame.

55
Q

Q. 55 Which of the following is NOT a factor in Business Continuity Planning?

Making sure sufficient personnel are available to recover business operations
Identifying critical business processes and planning for their resumption
Defining the emergency response activities of local authorities
Identifying funding necessary during a disaster and for recovery of operations
A

Defining the emergency response activities of local authorities

56
Q

Q. 56 Management needs to perform a risk assessment in order to understand the potential costs of a security breach. What is the best approach for performing a risk assessment?

Perform a qualitative risk assessment
Perform a qualitative risk assessment, then a quantitative risk assessment
Perform a quantitative risk assessment
Perform a quantitative risk assessment, then a qualitative risk assessment
A

Perform a qualitative risk assessment, then a quantitative risk assessment

Note
A quantitative risk assessment is required to determine the potential cost of a security incident. However, it is usually best to perform a qualitative risk assessment before performing the quantitative risk assessment.

57
Q

Q. 57 A security control intended to reduce risk is called a

Safeguard
Threat
Mitigating circumstance
Partition
A

Safeguard

58
Q

Q. 58 What is an advisory policy?

An optional policy that can be followed
An informal offering of advice regarding security practices
A temporary policy good only for a certain period of time
A policy that must be followed but isn’t mandated by regulation
A

A policy that must be followed but isn’t mandated by regulation

Note
An advisory policy is required by the organization but isn’t mandated by local, state, regional, national, or international laws or regulations.