Security Analyst

Chapter 2 - Policies, Procedures, and Risk


Review Questions:

1. There are two types of Security Policies: Technical and Administrative.


A. True
B. False

2. The easiest way to do risk analysis is to use quantitative numbers.


A. True
B. False

3. When the right people have the right administrative privileges, what is this
called?
A. Principle of Correct Access
B. Principle of Most Privilege
C. Principle of Administrative Control
D. Principle of Least Privilege

4. One method to remind a company's employees about the acceptable use policy is
to use which of the following?
A. Warning banners at login
B. Verbal announcements during work hours
C. Periodic emails throughout the year
D. Copy of the policy in the break room

5. Which of the items below are examples of Security Policy? (Choose all that
apply)
A. Ergonomic policy
B. Access control policy
C. BYOB policy
D. BYOD policy
E. Firewall policy

6. Policies are very dynamic and change with technology, whereas Procedures are
fairly static and are not prone to change.
A. True
B. False

7. The Acceptable Use policy must be signed on a regular basis due to potential
legal issues.
A. True
B. False

8. Which of the four different policy levels below is the most practical one to
implement?
A. Promiscuous policy
B. Prudent policy
C. Permissive policy
D. Paranoid policy

9. What is the principle called where a company can demonstrate that it is
doing everything possible to uphold a policy and prevent certain kinds of events
from occurring with respect to its systems?
A. Principle of Protection
B. Principle of Due Process
C. Principle of Due Diligence
D. Principle of Legal Ramifications

10. Third party vendors do not need to sign a company's acceptable use policy.
A. True
B. False

11. Which of the risk scenarios below would be the most prudent to implement?
A. Remove the risk
B. Transfer the risk
C. Mitigate the risk
D. Accept the risk

12. If you’ve done a good job of Risk Assessment, you should be very aware of
security.
A. True
B. False

13. You would, firstly, run an automated tool during the 'vulnerability and threat
assessment' step in the "Assessing and Evaluating Risk" procedure.
A. True
B. False

14. Given the threat landscape, there are no simple solutions and security
awareness is essential.
A. True
B. False

15. In which of the steps in assessing and evaluating risk below would you identify
mission critical processes?
A. Evaluate security controls
B. Vulnerability and threat assessment
C. Inventory
D. Analysis, decision, and documentation

Answer Key:

1. A
"There are two types of Security Policies: Technical and Administrative" is a true
statement.

2. B
"The easiest way to do risk analysis is to use quantitative numbers" is a false
statement.

3. D
When the right people have the right administrative privileges, it is called the
Principle of Least Privilege.

4. A
One method to remind a company's employees about the acceptable use policy is
to use warning banners at login.

5. B, D, E
Access control policy, BYOD policy, and Firewall policy are examples of Security
Policy.

6. B
"Policies are very dynamic and change with technology, whereas Procedures are
fairly static and are not prone to change" is a false statement.

7. A
"The Acceptable Use policy must be signed on a regular basis due to potential
legal issues" is a true statement.

8. B
Prudent policy is the most practical one to implement.

9. C
The principle is called the Principle of Due Diligence.

10. B
"Third party vendors do not need to sign a company's acceptable use policy" is a
false statement.

11. C
Mitigating the risk would be the most prudent option to implement.

12. A
"If you’ve done a good job of Risk Assessment, you should be very aware of
security" is a true statement.

13. A
"You would, firstly, run an automated tool during the 'vulnerability and threat
assessment' step in the "Assessing and Evaluating Risk" procedure" is a true
statement.

14. A
"Given the threat landscape, there are no simple solutions and security
awareness is essential" is a true statement.

15. C
In Inventory you would identify mission critical processes.