Security and Risk management Flashcards
When can executives be charged with negligence?
A. If they follow the transborder laws
B. If they do not properly report and prosecute attackers
C. If they properly inform users that they may be monitored
D. If they do not practice due care when protecting resources
D. Executives are held to a certain standard and are expected to act responsibly when running and protecting a company. These standards and expectations equate to the due care concept under the law. Due care means to carry out activities that a reasonable person would be expected to carry out in the same situation. If an executive acts irresponsibly in
any way, she can be seen as not practicing due care and be held negligent
To better deal with computer crime, several legislative bodies have taken what steps in their strategy?
A. Expanded several privacy laws
B. Broadened the definition of property to include data
C. Required corporations to have computer crime insurance
D. Redefined transborder issues
B. Many times, what is corrupted, compromised, or taken from a computer is data, so current laws have been updated to include the protection of intangible assets, as in data. Over the years, data and information have become many companies’ most valuable asset,
which must be protected by the laws
Which factor is the most important item when it comes to ensuring security is successful in
an organization?
A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees
A. Without senior management’s support, a security program will not receive the necessary attention, funds, resources, and enforcement capabilities.
Which of the following is true about data breaches?
A. They are exceptionally rare.
B. They always involve personally identifiable information (PII).
C. They may trigger legal or regulatory requirements.
D. The United States has no laws pertaining to data breaches.
C. Organizations experiencing a data breach may be required by laws or regulations to take certain actions. For instance, many countries have disclosure requirements that require notification to affected parties and/or regulatory bodies within a specific timeframe.
When is it acceptable to not take action on an identified risk?
A. Never. Good security addresses and reduces all risks.
B. When political issues prevent this type of risk from being addressed.
C. When the necessary countermeasure is complex.
D. When the cost of the countermeasure outweighs the value of the asset and potential loss
D. Companies may decide to live with specific risks they are faced with if the cost of trying to protect themselves would be greater than the potential loss if the threat were to become real. Countermeasures are usually complex to a degree, and there are almost always political issues surrounding different risks, but these are not reasons to not implement a countermeasure.
Why should the team that will perform and review the risk analysis information be made up of people in different departments?
A. To make sure the process is fair and that no one is left out.
B. It shouldn’t. It should be a small group brought in from outside the organization because
otherwise the analysis is biased and unusable.
C. Because people in different departments understand the risks of their department. Thus,
it ensures the data going into the analysis is as close to reality as possible.
D. Because the people in the different departments are the ones causing the risks, so they
should be the ones held accountable.
C. An analysis is only as good as the data that goes into it. Data pertaining to risks the company faces should be extracted from the people who understand best the business functions and environment of the company. Each department understands its own threats and resources, and may have possible solutions to specific threats that affect its part of the company
Which best describes a quantitative risk analysis?
A. A scenario-based analysis to research different security threats
B. A method used to apply severity levels to potential loss, probability of loss, and risks
C. A method that assigns monetary values to components in the risk assessment
D. A method that is based on gut feelings and opinions
C. A quantitative risk analysis assigns monetary values and percentages to the different components within the assessment. A qualitative analysis uses opinions of individuals and a rating system to gauge the severity level of different threats and the benefits of specific
countermeasures.
Why is a truly quantitative risk analysis not possible to achieve?
A. It is possible, which is why it is used.
B. It assigns severity levels. Thus, it is hard to translate into monetary values.
C. It is dealing with purely quantitative elements.
D. Quantitative measures must be applied to qualitative elements
D. During a risk analysis, the team is trying to properly predict the future and all the risks that future may bring. It is somewhat of a subjective exercise and requires educated guessing. It is very hard to properly predict that a flood will take place once in ten years
and cost a company up to $40,000 in damages, but this is what a quantitative analysis tries to accomplish
The operating system access controls comprise which of the following? A. Logical controls B. Physical controls C. Administrative controls D. Compensating controls
A. Logical (or technical) controls are security mechanisms, as in firewalls, encryption, software permissions, and authentication devices. They are commonly used in tandem with physical and administrative controls to provide a defense-in-depth approach to security.
The international standards bodies ISO and IEC developed a series of standards that are used in organizations around the world to implement and maintain information security management systems. The standards were derived from the British Standard 7799, which was broken down into two main pieces. Organizations can use this series of standards as
guidelines, but can also be certified against them by accredited third parties. Which of the following are incorrect mappings pertaining to the individual standards that make up the
ISO/IEC 27000 series?
i. ISO/IEC 27001 outlines ISMS implementation guidelines, and ISO/IEC 27003 outlines the ISMS program’s requirements.
ii. ISO/IEC 27005 outlines the audit and certification guidance, and ISO/IEC 27002 outlines the metrics framework.
iii. ISO/IEC 27006 outlines the program implementation guidelines, and ISO/IEC 27005
outlines risk management guidelines.
iv. ISO/IEC 27001 outlines the code of practice, and ISO/IEC 27004 outlines the implementation framework.
A. i, iii
B. i, ii
C. ii, iii, iv
D. i, ii, iii, iv
D. Unfortunately, you will run into questions on the CISSP exam that will be this confusing, so you need to be ready for them. The proper mapping for the ISO/IEC standards are as follows:
• ISO/IEC 27001 ISMS requirements
• ISO/IEC 27002 Code of practice for information security management
• ISO/IEC 27003 Guideline for ISMS implementation
• ISO/IEC 27004 Guideline for information security management measurement and metrics framework
• ISO/IEC 27005 Guideline for information security risk management
• ISO/IEC 27006 Guidance for bodies providing audit and certification of information security management systems
Susan has been told by her boss that she
will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems mis-configured, along with what to do in this situation.
Which of the following best describes what Susan needs to ensure the operations staff
creates for proper configuration standardization?
A. Dual control
B. Redundancy
C. Training
D. Baselines
D. The operations staff needs to know what minimum level of security is required per
system within the network. This minimum level of security is referred to as a baseline.
Once a baseline is set per system, then the staff has something to compare the system
against to know if changes have not taken place properly, which could make the system
vulnerable.
Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems mis-configured, along with what to do in this situation.
Which of the following is the best way for Susan to illustrate to her boss the dangers of the current configuration issues?
A. Map the configurations to the compliancy requirements.
B. Compromise a system to illustrate its vulnerability.
C. Audit the systems.
D. Carry out a risk assessment.
D. Susan needs to illustrate these vulnerabilities (misconfigured systems) in the context of
risk to her boss. This means she needs to identify the specific vulnerabilities, associate
threats to those vulnerabilities, and calculate their risks. This will allow her boss to
understand how critical these issues are and what type of action needs to take place
Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems mis-configured, along with what to do in this situation.
Which of the following is one of the most likely solutions that Susan will come up with and present to her boss? A. Development of standards B. Development of training C. Development of monitoring D. Development of testing
A. Standards need to be developed that outline proper configuration management processes and approved baseline configuration settings. Once these standards are developed and put into place, then employees can be trained on these issues and how to implement and maintain what is outlined in the standards. Systems can be tested against what is laid out in the standards, and systems can be monitored to detect if there are configurations that do not meet the requirements outlined in the standards. You will find that some CISSP questions seem subjective and their answers hard to pin down. Questions that ask what is “best” or “more likely” are common.
What is one of the first steps in developing a business continuity plan? A. Identify a backup solution. B. Perform a simulation test. C. Perform a business impact analysis. D. Develop a business resumption plan.
C. A business impact analysis includes identifying critical systems and functions of a company and interviewing representatives from each department. Once management’s support is solidified, a business impact analysis needs to be performed to identify the
threats the company faces and the potential costs of these threats
The purpose of initiating emergency procedures right after a disaster takes place is to prevent loss of life and injuries, and to _______________.
A. secure the area to ensure that no looting or fraud takes place
B. mitigate further damage
C. protect evidence and clues
D. investigate the extent of the damages
B. The main goal of disaster recovery and business continuity plans is to mitigate all risks
that could be experienced by a company. Emergency procedures first need to be carried out
to protect human life, and then other procedures need to be executed to reduce the damage
from further threats.