Term Test 1 Flashcards
Which of the following contains the primary goals and objectives of security? A. A network's border perimeter B. The CIA Triad C. A stand-alone system D. The Internet
B. The CIA Triad
\_\_\_\_\_\_\_\_\_\_ refers to keeping information confidential that is personally identifiable or which might cause harm, embarrassment, or disgrace to someone if revealed. A. Seclusion B. Concealment C. Privacy D. Criticality
C. Priv1acy
Which of the following is NOT considered a violation of confidentiality? A. Stealing passwords B Eavesdropping C. Hardware destruction D. Social engineering
C. Hardware destruction
If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can \_\_\_\_\_\_\_\_\_\_\_ the data, objects, and resources. A. Control B. Audit C. Access D. Repudiate
C.. Access
What element of data categorization management can override all other forms of access control? A. Classification B. Physical access C. Custodian responsibilities D. Taking ownership
D. Taking ownership
What is the primary goal of change management? A. Maintaining documentation B. Keeping users informed of changes C. Allowing rollback of failed changes D. Preventing security compromises
D. Preventing security compromises
What are the two common data classification schemes?
A. Military and private sector
B. Personal and government
C. Private sector and unrestricted sector
D. Classified and unclassified
A. Military and private sector
data classifications are used to focus security controls over all but which of the following? A. Storage B. Processing C. Layering D. Transfer
C. Layering
Which of the folowing is not ocnsidered an example of data hiding?
A. Preventing an authorized reader of an object from deleting that object
B. Keeping a database from being asccessed by unauthorized visitors
C. Restricting a subject at a lower classfication level from accessing data at a higher classification level
D. Preventing an application from acessing hardware directly
A. Preventing an authorized reader of an object from deleting that object
Which of the following is the weakest element in any security solution? A.Software products B. Internet connections C. Security policies D. Humans
D. Humans
What is the first step that individiuals responsible for the development of a business continuity plan should perform? A. BCP team selction B. Business organization analysis C. Resource requirements analysis D. Legal and regulatory assessment
B. Business organization analysis
Which one of the followiing BIA terms identifies the amount of money a business expects to lose to a given risk each year? A. ARO B. SLE C. ALE D. EF
C. ALE
You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches?
A. $3,000,000
B. $2,700,000
C. $270,000
D. $135,000
B. $2,700,000
You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)?
A. $750,000
B. $1.5 million
C. $7.5 million
D. $15 million
A. $750,000
Which task of BCP bridges the gap between the business impact assessment and the continuity planning phases?
A. Resource prioritization
B. Likelihood assessment
C. Strategy development
D. Provisions and processes
C. Strategy development
The strategy development task bridges the gap between business impact assessment and continuity planning by analyzing the prioritized list of risks developed during the BIA and determining which risks will be addressed by the BCP.
Which resource should you protect first when designing continuity plan provisions and processes?
A. Physical plant
B. Infrastructure
C. Financial
D. People
D. People
Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario?
A. 0.01
B. $10,000,000
C. $100,000
D. 0.10
B. $10,000,000
In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?
A. Strategy development
B. Business impact assessment
C. Provisions and processes
D. Resource prioritization
C. Provisions and processes
In the provisions and processes phase, the BCP team actually designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.
What type of plan outlines the procedures to follow when a disaster interrupts the normal operations of a business?
A. Business continuity plan
B. Business impact assessment
C. Disaster recovery plan
D. Vulnerability assessment
C. Disaster recovery plan
Of the individuals listed, who would provide the best endorsement for a business continuity plan’s statement of importance?
A. Vice president of business operations
B. Chief information officer
C. Chief executive officer
D. Business continuity manager
C. Chief executive officer
When an employee is to be terminated, which of the following should be done?
A. Inform the employee a few hours before they are officially terminated.
B. Disable the employee’s network access just as they are informed of the termination.
C. Send out a broadcast email informing everyone that a specific employee is to be terminated.
D. Wait until you and the employee are the only people remaining in the building before announcing the termination.
B. Disable the employee’s network access just as they are informed of the termination.
Which of the following is not an element of the risk analysis process?
A. Analyzing an environment for risks
B. Creating a cost/benefit report for safeguards to present to upper management
C. Selecting appropriate safeguards and implementing them
D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage
C. Selecting appropriate safeguards and implementing them
Which of the following would generally not be considered an asset in a risk analysis?
A. A development process
B. An IT infrastructure
C. A proprietary system resource
D. Users’ personal files
D. Users’ personal files
Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects?
A. Identification
B. Availability
C. Encryption
D. Layering
B. Availability
Which of the following is not a valid definition for risk?
A. An assessment of probability, possibility, or chance
B. Anything that removes a vulnerability or protects against one or more specific threats
C. Risk = threat * vulnerability
D. Every instance of exposure
B. Anything that removes a vulnerability or protects against one or more specific threats
How is single loss expectancy (SLE) calculated?
A. Threat + vulnerability
B. Asset value ($) * exposure factor
C. Annualized rate of occurrence * vulnerability
D. Annualized rate of occurrence * asset value * exposure factor
B. Asset value ($) * exposure factor
How is the value of a safeguard to a company calculated?
A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard
B. ALE before safeguard * ARO of safeguard
C. ALE after implementing safeguard + annual cost of safeguard - controls gap
D. Total risk - controls gap
A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard
What security control is directly focused on preventing collusion?
A. Principle of least privilege
B. Job descriptions
C. Separation of duties
D. Qualitative risk analysis
C. Separation of duties
While performing a risk analysis, you identify a threat of fire and a vulnerability because there are no fire extinguishers. Based on this information, which of the following is a possible risk?
A. Virus infection
B. Damage to equipment
C. System malfunction
D. Unauthorized access to confidential information
B. Damage to equipment
You’ve performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change?
A. Exposure factor
B. Single loss expectancy
C. Asset value
D. Annualized rate of occurrence
D. Annualized rate of occurrence
Which criminal law was the first to implement penalties for the creators of viruses, worms, and other types of malicious code that cause harm to computer system(s)?
A. Computer Security Act
B. National Infrastructure Protection Act
C. Computer Fraud and Abuse Act
D. Electronic Communications Privacy Act
C. Computer Fraud and Abuse Act