Security Management Practices Flashcards

1
Q

The COSO framework, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in 1985, was created to deal with fraudulent financial activities and reporting. The COSO framework is made up of the following components except:

i. Control environment
ii. Risk assessment
iii. Control activities
iv. Information and communication
v. Accreditation

A. iii, iv
B. ii, v
C. i, ii
D. v

A

D. v

The COSO framework is made up of the following components:

Control environment: management's philosophy and operating style, and company culture as it pertains to ethics and fraud. Risk assessment: establishment of risk objectives, and the ability to manage internal and external change. Control activities: policies, procedures, and practices put in place to mitigate risk. Information and communication: structure that ensures

2
Q

Which category best describes threat modeling?
A. Qualitative approach to risk analysis
B. Value-based approach to risk analysis
C. Quantitative approach to risk analysis
D. None of these

A

A. Qualitative approach to risk analysis

Since threat modeling is based on perceptions, opinions, judgments, and experiences rather than hard costs and facts, threat modeling is an example of a qualitative approach to risk analysis. Calculating hard costs and facts would be a quantitative or value-based approach.

3
Q

Which of the following is not a characteristic typically considered important when initially considering security countermeasures?

A. Modular in nature
B. Includes an audit function
C. Reasonably priced
D. Defaults to least privileged

A

C. Reasonably Priced

While a practical concern, the cost of the countermeasure should not be considered until the characteristics of the countermeasure needed have been prioritized.

4
Q

California 1386, Sarbanes-Oxley, and HIPAA are examples of what kinds of security policy directives?

A. Regulatory
B. Administrative
C. Advisory
D. Informative

A

A. Regulatory

Directives and mandates typically coming from outside the company from the government, legal, or industry authorities are called regulatory policy objectives. Administrative is not one of the three types of policies. Advisory policies address requirements for certain types of behaviors or activities among the workforce. Informative policies address educational awareness.

5
Q

What is the relationship between policies and standards?

A. Policies detail who should do the work, and standards detail why.
B. Policies detail what should be done, and the standards detail how.
C. Policies describe the security vision, and standards detail what should be done.
D. Policies embody general principles, and standards describe who does the work.

A

B. Policies detail what should be done, and the standards detail how

Policies clearly articulate what is expected from the workforce, and the standards provide specific rules as to how to accomplish these objectives.

6
Q

Management establishes a policy that requires that all information technology professionals must have a college degree with a core emphasis on information technology, and that all system administrators must have a security certification from an accredited program. By doing so, management has established what?

A. A standard
B. A guideline
C. A baseline
D. A regulation

A

C. A baseline

Management has set the baseline minimum requirements for employees working in information technology. Candidates can have higher qualifications, but no one working in IT and in the area of server administration can have lower than the specified qualifications.

7
Q

The operations manager has established the use of uniform checklists for all server maintenance. What has the operations manager done?

A. Established a baseline
B. Established a regulation
C. Established a standard
D. Established a policy

A

C. Established a Standard

The operations manager has established a standard, which specifies how hardware will be maintained. A regulation is a directive usually imposed from an entity outside the company, such as a mandate from government, a legal requirement, or an industry requirement. Policies are usually established by senior management, rather than line management. The operations manager may be reacting to a policy directive that requires uniformity and consistency in server management. The introduction of the checklists provided the tools necessary to implement this policy. Use of the checklists will eventually yield a baseline for server quality.

8
Q

The operations manager has established that prior to building a server, the employee must first check the inventory to make sure that all the spare parts needed are available, they must sign out those parts, and follow a checklist, finally signing and dating it when done. What has the operations manager created?

A. A baseline
B. A procedure
C. A standard
D. A policy

A

B. A procedure

A procedure is the detailed, step-by-step actions needed to achieve a task. By contrast, a policy is usually set by upper management, and provides general expectations or objectives that need to be accomplished. Standards are compulsory rules that implement policies. They provide uniformity of work quality and worker behavior by describing how the work will be accomplished. A baseline, on the other hand, sets the minimum standard for behavior and work quality.

9
Q

Which of the following is not a reason why data should be classified?

A. Classification forces valuation which can be used to determine risk.
B. Classification is required to determine appropriate access controls.
C. Classification can be used to optimize security budget.
D. Classification is required to develop secure systems.

A

D. Classification is required to develop secure systems

Data classification is not a requirement of secure systems. Systems can be made secure without any regard to the sensitivity of the data they will handle. However, system investment can be optimized if the data classification, representing its underlying value, is known. Systems handling low sensitivity information, for instance, can require fewer or less rigorous security controls than one that handles top secret information. Knowledge of data classification, therefore, can optimize budgets on development projects, putting money where it is most needed.

10
Q

Which of the following is not a factor in determining the sensitivity of data?

A. Who should be accessing the data
B. The value of the data
C. How the data will be used
D. The level of damage that could be caused should the data be exposed

A

C. How the data will be used

How the data will be used has no bearing on how sensitive it is. In other words, the data is sensitive no matter how it will be used, even if it is not used at all.

11
Q

What is the chief security responsibility of a data owner?

A. Determine how the data should be preserved
B. Determine the data classification
C. Determine the data value
D. Determine how the data will be used

A

B. Determine the data classification

Setting the classification for the data drives all other decisions about the data. Determining how the data will be used and who should use it is within the scope of the data owner, but they are functional, rather than security responsibilities. The owner may participate in determining the value of the data, but since its value is a measure relative to all other corporate data assets, it is not usually something the data owner is solely responsible for. Determining how the data will be preserved falls to the role of the data custodian.

12
Q

Mary has been tasked with preliminary planning for a security program. Which of the following would not be within her task scope?

A. Articulate security mission objectives
B. Determine roles and responsibilities
C. Establish the security audit function
D. Evaluate risks and benefits

A

C. Establish the security audit function

Establishing an audit function represents an activity that the security program might initiate. But first, the program must be established.

13
Q

Besides risk management and risk mitigation, what other factor is used to perform effective risk management?

A. Data valuation
B. Threat and vulnerability assessment
C. Uncertainty analysis
D. Probability factors

A

C. Uncertainty analysis

Uncertainty analysis lends a dose of reality to risk assessment, which is built mainly on speculation. The risk assessment should be tempered by applying a method that estimates management's confidence level in the risk analysis finding and the likelihood of the results remaining valid. Tracking the uncertainty factor can generate historical data that can be used to refine risk assessment techniques going forward. Data valuation, threat and vulnerability assessment, and their associated probability factors relate to the risk analysis part of the risk management activity.

14
Q

Who does the security auditor report to?

A. Data owners
B. Data custodians
C. External audit organization
D. Senior management

A

D. Senior management

The security auditor is responsible for reporting to senior management about the effectiveness of security controls and their compliance with security policy objectives.

15
Q

What are three fundamental principles of security?

A. Accountability, confidentiality, and integrity
B. Confidentiality, integrity, and availability
C. Integrity, availability, and accessibility
D. Confidentiality, availability, and accessibility

A

B. Confidentiality, integrity, and availability

It is known as CIA or AIC, which stands for confidentiality, integrity, and availability. These three concepts are also referred to as the CIA or AIC Triangle. The acronym has changed from CIA to AIC per (ISC)2 rewording.

16
Q

Mary finds that she has “write” privileges to data that she should be able to “read only”. What security principle is Mary able to violate?

A. Confidentiality
B. Accessibility
C. Integrity
D. Availability

A

C. Integrity

Mary is able to change the data, thereby undermining its intended integrity. Since she already had read rights, she is not able to violate confidentiality or availability, the other two main principles. Accessibility is not a term used as one of the primary principles, but it is most closely related to the principle of availability.

17
Q

Business continuity and disaster recovery fall under which category of security control?

A. Preventive
B. Detective
C. Corrective
D. Compensating

A

D. Compensating

Business continuity and disaster recovery do not contribute directly to organizational security, but they can serve to compensate for security disasters by reducing the time it takes to respond to a security incident that interrupts business productivity.

18
Q

What is the value of layering security responsibility?

A. Spreads accountability across the organization
B. Focuses specific responsibilities on the roles best able to accomplish them
C. Ensures separation of duties and encourages oversight
D. All of these choices

A

D. All of these choices

Security is an organizational problem. To optimally secure data and systems requires attention from roles that include senior management, data owners and custodians, security management and professionals, auditors, and users. Each role is accountable for a specific part in ensuring that corporate assets remain secure. Spreading responsibility across several roles ensures separation of duties and also ensures that, in coordinating these efforts, management will implement appropriate oversight so that no aspect of security is overlooked.

19
Q

John does systems maintenance for his department and is also responsible for performing the operational security audit once a year. What security management principle is John violating?

A. Operational integrity
B. Collusion
C. Separation of duties
D. Nondisclosure

A

C. Separation of duties

Since John was responsible for doing the work on the system, John should not also be the person to assess the quality of the work. This represents a violation of the principle of separation of duties. No worker should be allowed to check his own work. Collusion refers to the extra effort that a dishonest person would have to take to accomplish a malicious task because separation of duties was in place. Operational integrity is a term generally applied to operational processes and doesn't apply to this case. Nondisclosure is a requirement not to share sensitive information with persons not authorized to receive it.

20
Q

Which of the following are the correct ISO/IEC series mappings used as blueprints for organizations to follow when developing their security program?

i. ISO/IEC 27001 - Code of practice providing good practice advice on ISMS (previously known as ISO 17799, itself based on British Standard BS 7799 Part 1)
ii. ISO/IEC 27002 - Based on British Standard BS7799 Part 2, which is establishment, implementation, control, and improvement of the Information Security Management System
iii. ISO/IEC 27004 - Designed to assist the satisfactory implementation of information security based on a risk management approach
iv. ISO/IEC 27005 - A standard for information security management measurements
v. ISO/IEC 27006 - A guide to illustrate how to protect personal health information
vi. ISO/IEC 27799 - A guide to the certification/registration process

A. i, ii, iii
B. iv, v
C. All of them
D. None of them

A

C. All of them???

The correct mappings are listed below:

• ISO/IEC 27001 - Based on British Standard BS7799 Part 2, which is establishment, implementation, control, and improvement of the Information Security Management System
• ISO/IEC 27002 - Code of practice providing good practice advice on ISMS (previously known as ISO 17799, itself based on British Standard BS 7799 Part 1)
• ISO/IEC 27004 - A standard for information security management measurements
• ISO/IEC 27005 - Designed to assist the satisfactory implementation of information security based on a risk management approach
• ISO/IEC 27006 - A guide to the certification/registration process
• ISO/IEC 27799 - A guide to illustrate how to protect personal health information

21
Q

June is creating a security awareness program to inform the workforce of a change in security policy. Which stage of the common development process of security policy is June in?

A. Initial and evaluation
B. Development
C. Publication
D. Implementation

A

C. Publication

The common development process of creating a security policy includes initial and evaluation, development, approval, publication, implementation, and maintenance.

22
Q

A hacker has embedded a Trojan horse program on corporate machines that will trigger on April Fools' Day, overwhelming the network with spam messages. What security principle will this circumstance violate?

A. Confidentiality
B. Integrity
C. Availability
D. All of these

A

C. Availability

When the network is overwhelmed, no one will be able to access desired information. As data will be unavailable, the principle being violated is availability.

23
Q

Which role is accountable for information security?

A. Information security professionals
B. Senior management
C. Security management
D. Security auditors

A

B. Senior Management

Senior management is ultimately accountable for all organizational risk. As security is an organizational risk, senior management is ultimately accountable for information security.

24
Q

Who has the primary responsibility of determining the classification level for information?

A. Functional manager
B. Senior management
C. Owner
D. User

A

C. Owner

A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. One of the responsibilities that goes into protecting this information is properly classifying it.

25
Q

Which group causes the most risk of fraud and computer compromises?

A. Employees
B. Hackers
C. Attackers
D. Contractors

A

A. Employees

It is commonly stated that internal threats provide 70 to 80 percent of the overall threat to a company. This is because employees already have privileged access to a wide range of company assets. The outsider who wants to cause damage must obtain this level of access before she can carry out the type of damage that internal personnel can carry out. A lot of the damages that are caused by internal employees are brought about by mistakes and system misconfigurations.

26
Q

If different user groups with different security access levels need to access the same information, which of the following actions should management take?

A. Decrease the security level on the information to ensure accessibility and usability of the information
B. Require specific approval each time an individual needs to access the information
C. Increase the security controls on the information
D. Increase the classification label on the information

A

C. Increase the security controls on the information

If data is going to be available to a wide range of people, more security should be implemented to ensure that only the necessary people access the data and the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.

27
Q

What does management need to consider the most when classifying data?

A. Type of employees, contractors, and customers who will be accessing the data
B. Confidentiality, integrity, and availability
C. First assess the risk level and implement the correct countermeasures
D. The access controls that will be protecting the data

A

B. Confidentiality, integrity, and availability

To properly classify data, the data owner needs to evaluate the confidentiality, integrity, and availability requirements of the data. Once this is done, this will dictate what employees, contractors, and users can access the data. This assessment will also help determine the controls that should be put into place.

28
Q

Who is ultimately responsible for making sure data is classified and protected?

A. Data owners
B. Users
C. Administrators
D. Management

A

D. Management

The key to this question is the use of the word "ultimately." Management is ultimately responsible for everything that takes place within a company. They need to make sure data and resources are being properly protected on an ongoing basis. They can delegate tasks to others, but they are ultimately responsible.

29
Q

What is a procedure?

A. Rules on how software and hardware must be used within the environment
B. Step-by-step directions on how to accomplish a task
C. Guidelines on how to approach security situations that are not covered by standards
D. Compulsory actions

A

B. Step-by-step instructions on how to accomplish a task

Standards are rules that must be followed, thus they are compulsory. Guidelines are recommendations. Procedures are step-by-step instructions.

30
Q

Which factor is the most important item when it comes to ensuring that security is successful in an organization?

A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees

A

A. Senior management support

Without senior management's support a security program will not receive the necessary attention, funds, resources, and enforcement capabilities.

31
Q

When is it acceptable to not take action on an identified risk?

A. Never; good security addresses and reduces all risks
B. When political issues prevent this type of risk from being addressed
C. When the necessary countermeasure is complex
D. When the cost of the countermeasure outweighs the value of the asset and potential loss

A

D. When the cost of the countermeasure outweighs the value of the asset and potential loss

Companies may decide to live with specific risks they are faced with because it would cost more to try and protect themselves than they have a potential of losing if the threat became real. Countermeasures are usually complex to a degree and there are almost always political issues surrounding different risks, but these are not reasons to not implement a countermeasure.

32
Q

What are security policies?

A. Step-by-step directions on how to accomplish security tasks
B. General guidelines to use to accomplish a specific security level
C. Broad, high-level statement from the management
D. Detailed documents explaining how security incidents should be handled

A

C. Broad, High-level statement from management

A security policy captures and dictates senior management's perspectives and directives on what role security should play within the company. They are usually vague and use broad terms so that they can cover a wide range of items.

33
Q

Which is the most valuable technique when determining if a specific security control should be implemented?

A. Risk analysis
B. Cost/benefits analysis
C. ALE results
D. Identifying the vulnerabilities and threats causing the risk

A

B. Cost/benefit analysis

A risk analysis is performed to identify risks and come up with suggested countermeasures. The ALE tells the company how much it could lose if a specific threat became real. The ALE value will go into the cost/benefit analysis, but the ALE does not address the cost of the countermeasure and the benefit of a countermeasure.

34
Q

Which best describes the purpose of the ALE calculation?

A. Quantifies the security level of the environment
B. Estimates the loss possible for a countermeasure
C. Quantifies the cost/benefit result
D. Estimates the loss potential of a threat in a year span

A

D. Estimates the loss potential of a threat in a year span

The ALE calculation estimates the potential loss that can affect one asset from a specific threat within a one-year time span. This value is used to figure out the amount of money that should be earmarked to protect this asset from this threat.

35
Q

Tactical planning is:

A. Mid-term
B. Long-term
C. Day-to-day
D. Six months

A

A. Mid-term

There are three types of goals that make up the planning horizon: operational, tactical, and strategic. The tactical goals are mid-term goals that must be accomplished before the overall strategic goal is accomplished.

36
Q

What is the definition of a security exposure?

A. An instance of being exposed to losses from a threat
B. Any potential danger to information or systems
C. An information security absence or weakness
D. A loss potential of a threat

A

A. An instance of being exposed to losses from a threat

An exposure means that a vulnerability has been exploited by a threat agent. Examples are a hacker accessing a database through an open port on the firewall, an employee sharing confidential information via e-mail, or a virus infecting a computer.

37
Q

An effective security program requires a balanced application of:

A. Technical and non-technical methods
B. Countermeasures and safeguards
C. Physical security and technical controls
D. Procedural security and encryption

A

A. Technical and non-technical methods

Security is not defined by a firewall, an access control mechanism, a security policy, company procedures, employee conduct, or authentication technologies. It is defined by all of these and how they integrate together within an environment. Security is not purely technical and it is not purely procedural, but a mix of the two.

38
Q

A security function defines the expected behavior from a security mechanism, and assurance defines:

A. The controls the security mechanism will enforce
B. The data classification after the security mechanism has been implemented
C. The confidence of the security the mechanism is providing
D. Cost/benefit relationship

A

C. The confidence of the security the mechanism is providing

The functionality describes how a mechanism will work and behave; this may have nothing to do with the actual protection it provides. Assurance is the level of confidence in the protection level a mechanism will provide. When systems and mechanisms are evaluated, their functionality and assurance should be examined and tested individually.

39
Q

Which statement is true when looking at security objectives in the private business sector versus the military sector?

A. Only the military has true security.
B. Businesses usually care more about data integrity and availability, whereas the military is more concerned with confidentiality.
C. The military requires higher levels of security because the risks are so much higher.
D. The business sector usually cares most about data availability and confidentiality, whereas the military is most concerned about integrity.

A

B. Businesses usually care more about data integrity and availability, whereas the military is more concerned with confidentiality.

Businesses will see their threats and risks as being more important than another organization's threats and risks. The military has a rich history of having to keep their secrets secret. This is usually not as important in the commercial sector relative to the military.

40
Q

Which of the following NIST documents is used specifically for risk management?

A. SP 800-53
B. SP 800-63
C. SP 800-30
D. SP 800-90

A

C. SP 800-30

NIST Special Publication 800-30 is the Risk Management Guide for Information Technology Systems.

41
Q

How do you calculate residual risk?

A. Threat x risk x asset value
B. (Threat x asset value x vulnerability) x risks
C. SLE x frequency = ALE
D. (Threats x vulnerability x asset value) x controls gap

A

D. (Threats x vulnerability x asset value) x controls gap

The equation is more conceptual than it is practical. It is hard to assign a number to a vulnerability and a threat individually. What this equation is saying is: look at the potential loss to a specific asset and look at the controls gap, which means what the specific countermeasure cannot protect against. What is left is the residual risk. Residual risk is what is left over after a countermeasure is implemented.

42
Q

Which of the following is not a purpose of doing risk analysis?

A. Delegate responsibility
B. Quantify impact of potential threats
C. Identify risks
D. Define the balance between the impact of a risk and the cost of the necessary countermeasure

A

A. Delegate responsibility

The other three answers are the main reasons to carry out a risk analysis. An analysis is not carried out to delegate responsibilities. Management will take on this responsibility once the results of the analysis are reported to them and they understand what actually needs to be carried out.

43
Q

How does a risk analysis show management how much money to spend per security measure?

A. It shows management how much could be lost if the security measure is not implemented.
B. It calculates the frequency of the risk multiplied by the cost/benefit ratio of the ALE.
C. It shows management how much money could be saved if the security program was implemented.
D. It provides the qualitative severity of the security measure.

A

A. It shows management how much could be lost if the security measure is not implemented.

The crux of carrying out a risk analysis is to calculate risk and estimate how much specific threats could cost the company. From these numbers and information, management can make a decision on the best security mechanisms and how much should be spent on them.

44
Q

Which of the following is not a management role in the process of implementing and maintaining security?

A. Support
B. Perform risk analysis
C. Define purpose and scope
D. Delegate responsibility

A

B. Perform risk analysis

The number one ingredient management needs to provide when it comes to security is support. They need to define the role of security, the scope of security, and the different assessments that will be carried out, and they will delegate who does what pertaining to security. They will not carry out the analysis, but are responsible for making sure one is done and that they act on the results it provides.

45
Q

Why should the team that is going to perform and review the risk analysis information be made up of people in different departments?

A. To make sure the process is fair and that no one is left out.
B. They shouldn't. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable.
C. Because people in different departments understand the risks of their department and it ensures that the data going into the analysis is as close to reality as possible.
D. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.

A

C. Because people in different departments understand the risks of their department and it ensures that the data going into the analysis is as close to reality as possible.

An analysis is only as good as the data that goes into it. Data pertaining to risks the company faces should be extracted from the people who understand the business functions and environment of the company the best. Each department understands their own threats and resources, and may have possible solutions to specific risks that affect their part of the company.

46
Q

Which best describes quantitative risk analysis?

A. Scenario-based analysis to research different security threats
B. A method used to apply severity levels to potential loss, probability of loss, and risks
C. A method that assigns monetary values to components in the risk assessment
D. A method that is based on gut feelings and opinions

A

C. A method that assigns monetary values to components in the risk assessment

A quantitative risk analysis assigns monetary values and percentages to the different components within the assessment. A qualitative analysis uses opinions of individuals and a rating system to gauge the severity level of different threats and the benefits of specific countermeasures.

47
Q

Why is a truly quantitative risk analysis not possible to achieve?

A. It is possible, which is why it is used.
B. It assigns severity levels. Thus, it is hard to translate into monetary values.
C. It is dealing with purely quantitative elements.
D. Quantitative measures must be applied to qualitative elements.

A

D. Quantitative measures must be applied to qualitative elements.

During a risk analysis, the team is trying to properly predict the future and all the risks that future may bring. It is a somewhat subjective exercise and educated guessing must take place. It is very hard to properly predict that a flood will take place once in ten years and cost a company up to $40,000 in damages, but this is what a quantitative analysis tries to accomplish.

48
Q

If there are automated tools for risk analysis, why does it take so much time to complete?

A. A lot of data has to be gathered to be inputted into the automated tool.
B. Management has to approve it and then a team has to be built.
C. Risk analysis cannot be automated because of the nature of the assessment.
D. Many people have to agree on the same data.

A

A. A lot of data has to be gathered to be inputted into the automated tool.

An analysis usually takes a long time to complete because of all the data that must be properly gathered. There are usually a lot of different sources for this type of data, and properly extracting it is extremely time consuming. In most situations, it involves setting up meetings with specific personnel and going through a question and answer process.

49
Q

Which of the following is a legal term that pertains to a company or individual taking reasonable actions and is used to determine liability?

A. Standards
B. Due process
C. Due care
D. Downstream liabilities

A

C. Due Care

A company’s, or individual’s, actions can be judged by the “prudent man rule,” which looks at how a prudent, or reasonable, man would react in similar situations. Due care means to take these necessary actions to protect the company, its assets, customers, and employees. Computer security has many aspects pertaining to practicing due care, and if management does not ensure that these things are in place, they can be found negligent.

50
Q

Which of the following is not an example of due care?

A. Providing security awareness training to all employees
B. Requiring employees to sign nondisclosure agreements
C. Implementing mandatory vacations for all employees
D. Allowing a key job function to be completed by one highly qualified employee

A

D. Allowing a key job function to be completed by one highly qualified employee

Separation of duties ensures that no one individual carries out critical tasks alone, thus helping to limit fraud opportunities. A company can be seen as negligent if it allows one individual to carry out a critical task that can negatively affect the company as a whole.

51
Q

Risk should be handled in any of the following ways except:

A. Reduce risk
B. Accept risk
C. Transfer risk
D. Reject risk

A

D. Reject Risk

Rejecting risk and threat potential is a violation of the due care responsibility for which each company’s management team is held liable. Rejecting risk means ignoring that it exists and, in turn, not taking any steps to mitigate the risk.

52
Q

The Control Objectives for Information and related Technology (CobiT) is a framework and set of best practices. Which of the following provides an incorrect characteristic of CobiT?

A. Developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
B. It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.
C. A majority of regulation compliance and audits are built on the CobiT framework.
D. CobiT is broken down into five domains

A

D. CobiT is broken down into five domains

The Control Objectives for Information and related Technology (CobiT) is a framework and set of best practices developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs. CobiT is broken down into four domains.

53
Q

A data storage company’s number one security goal is to ensure that their data is protected and integrity is achieved. Of the following controls, which best achieves the goal of ensuring integrity?

A. Access controls
B. Technical controls
C. Physical controls
D. None of these

A

A. Access controls

Access controls are used to permit or deny users access to data, which helps to protect its integrity. There are physical and technical controls that can be used to provide access control, but there are also administrative access controls that can help protect the integrity of the data. Access controls are the more general answer and encompass technical and physical controls.

54
Q

A new security policy has recently been put into place to achieve many company objectives. Which of the following objectives could not be achieved by a security policy?

A. Ensuring that all data has a high level of integrity
B. Reducing levels of fraudulent activity by employees
C. Ensuring higher levels of data accuracy
D. Ensuring higher levels of security awareness by employees

A

C. Ensuring higher levels of data accuracy

Security policies can help companies achieve many goals, but ensuring that data is entered correctly is not one of them. A policy can help improve the controls that are put into place, which could indirectly improve accuracy levels, but the policy itself would not be useful in this area. The other objectives can all be achieved directly by the security policy.

55
Q

Your company’s security director calls a meeting to stress the importance of data integrity within the company. There is a concern because of several violations that have been noticed lately. Of the examples below, which would not be considered an integrity violation?

A. An unauthorized analyst performing a cost analysis on classified information
B. An unauthorized data processor making changes to a protected database
C. An operations technician making a change to a mainframe configuration setting by accident
D. A senior IT analyst making deliberate and unauthorized changes to user accounts

A

A. An unauthorized analyst performing a cost analysis on classified information

An analyst performing an unauthorized task is a problem, but it jeopardizes the confidentiality of the data, not the integrity of the data. As long as the employee is not making changes to the data, the integrity remains intact. All of the other examples represent instances where data has been altered.

56
Q

John covertly learns the user ID and password of a higher-ranked technician and uses the credentials to access certain areas of a network. What term describes what John has done?

A. IP spoofing
B. Backdooring
C. Masquerading
D. Data diddling

A

C. Masquerading

Masquerading is a term that describes a person who pretends to be an authorized user to circumvent established controls.