TRUE/FALSE
2. “If you realize you do not know the enemy, you will gain an advantage in
every battle." (Sun Tzu)
10. Comprehensive means that an information asset should fit in only one
category.
12. When determining the relative importance of each asset, refer to the
organization’s mission statement or statement of objectives to determine which elements are
essential, which are supportive, and which are merely adjuncts.
13. The amount of money spent to protect an asset is based in part on the value of
the asset.
18. To determine if the risk is acceptable or not, you estimate the expected loss
the organization will incur if the risk is exploited.
21. Some argue that it is virtually impossible to determine the true value of
information and information-bearing assets.
22. CBAs cannot be calculated after controls have been functioning for a time.
23. Metrics-based measures are generally less focused on numbers and more
strategic than process-based measures.
ANS: F PTS: 1 REF: 157
25. A best practice proposed for a small home office setting is appropriate to help
design control strategies for a multinational company.
26. One problem with benchmarking is that there are many organizations that are
identical.
29. Every organization should have the collective will and budget to manage
every threat by applying controls.
30. The results from risk assessment activities can be delivered in a number of
ways: a report on a systematic approach to risk control, a project-based risk assessment, or a
topic-specific risk assessment.
MODIFIED TRUE/FALSE
ANS: F, identification
3. Mutually exclusive means that all information assets must fit in the list
somewhere. _________________________
ANS: F, Comprehensive
PTS: 1 REF: 129
ANS: F, assessment
ANS: F, assessment
ANS: F, Issue
9. The most common of the mitigation procedures is the disaster recovery plan.
_________________________
10. The mitigate control strategy attempts to reduce the impact caused by the
exploitation of a vulnerability through planning and preparation.
_________________________
11. Likelihood risk is the risk to the information asset that remains even after the
application of controls. _________________________
ANS: F, Residual
12. A(n) disaster recovery plan dictates the actions an organization can and
perhaps should take while an incident is in progress. _________________________
13. Benefit is the value that an organization realizes by using controls to prevent
losses associated with a specific vulnerability. _________________________
14. A(n) exposure factor is the expected percentage of loss that would occur from
a particular attack. _________________________
15. ALE determines whether or not a particular control alternative is worth its
cost. _________________________
ANS: F, CBA
ANS: F
Metrics
Quantitative
18. Within best practices, the optimum standard is a subcategory of practices that
are typically viewed as “the best of the best.” _________________________
ANS: F, gold
19. Security efforts that seek to provide a superior level of performance in the
protection of information are referred to as best business practices.
_________________________
ANS: F, baselining
ANS: F, political
23. Risk measure defines the quantity and nature of risk that organizations are
willing to accept as they evaluate the tradeoffs between perfect security and unlimited
accessibility. _________________________
ANS: F, appetite
24. Major risk is a combined function of (1) a threat less the effect of threat-
reducing safeguards, (2) a vulnerability less the effect of vulnerability reducing safeguards,
and (3) an asset less the effect of asset value-reducing safeguards.
_________________________
ANS: F, Residual
MULTIPLE CHOICE
5. Many corporations use a ____ to help secure the confidentiality and integrity
of information.
a. system classification scheme c. data hierarchy
b. data restoration scheme d. data classification scheme
ANS: D PTS: 1 REF: 126
10. There are individuals who search trash and recycling — a practice known as
____ — to retrieve information that could embarrass a company or compromise information
security.
a. side view c. recycle diving
b. dumpster diving d. garbage collection
ANS: B PTS: 1 REF: 129
11. In a(n) ____, each information asset is assigned a score for each of a set of
assigned critical factors.
a. OPSEC c. weighted factor analysis
b. COMSEC d. data classification scheme
ANS: C PTS: 1 REF: 133
12. ____ equals likelihood of vulnerability occurrence times value (or impact)
minus percentage risk already controlled plus an element of uncertainty.
a. Probability c. Possibility
b. Risk d. Chance
ANS: B PTS: 1 REF: 144
13. The ____ security policy is an executive-level document that outlines the
organization’s approach and attitude towards information security and relates the strategic
value of information security within the organization.
a. general c. issue-specific
b. agency d. system-specific
ANS: A PTS: 1 REF: 144
14. The ____ security policy is a planning document that outlines the process of
implementing security in the organization.
a. program c. issue-specific
b. agency d. system-specific
ANS: A PTS: 1 REF: 144
16. The ____ strategy attempts to prevent the exploitation of the vulnerability.
a. suspend control c. transfer control
b. defend control d. defined control
ANS: B PTS: 1 REF: 146
17. The ____ strategy attempts to shift risk to other assets, other processes, or
other organizations.
a. transfer control c. accept control
b. defend control d. mitigate control
ANS: A PTS: 1 REF: 147
18. The actions an organization can and perhaps should take while an incident is
in progress should be specified in a document called the ____ plan.
a. BC c. IR
b. DR d. BR
ANS: C PTS: 1 REF: 148
19. ____ plans usually include all preparations for the recovery process,
strategies to limit losses during the disaster, and detailed steps to follow when the smoke
clears, the dust settles, or the floodwaters recede.
a. IR c. BC
b. DR d. BR
ANS: B PTS: 1 REF: 148
20. The ____ strategy is the choice to do nothing to protect a vulnerability and to
accept the outcome of its exploitation.
a. avoidance of risk c. mitigation
b. transference d. accept control
ANS: D PTS: 1 REF: 149
21. The formal decision making process used when considering the economic
feasibility of implementing information security controls and safeguards is called a(n) ____.
a. ARO c. ALE
b. CBA d. SLE
ANS: B PTS: 1 REF: 152
22. ____ is simply how often you expect a specific type of attack to occur.
a. ARO c. ALE
b. CBA d. SLE
ANS: A PTS: 1 REF: 154
23. When organizations adopt levels of security for a legal defense, they may
need to show that they have done what any prudent organization would do in similar
circumstances. This is referred to as a(n) ____.
a. due diligence action c. golden standard action
b. best practice d. standard of due care
ANS: D PTS: 1 REF: 157
24. ____ feasibility analysis examines user acceptance and support, management
acceptance and support, and the overall requirements of the organization’s stakeholders.
a. Organizational c. Operational
b. Technical d. Political
ANS: C PTS: 1 REF: 162
25. Risk ____ defines the quantity and nature of risk that organizations are
willing to accept as they evaluate the tradeoffs between perfect security and unlimited
accessibility.
a. benefit c. acceptance
b. appetite d. avoidance
ANS: B PTS: 1 REF: 163
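The quantitative items above (weighted factor analysis in MC 11, the risk-rating formula in MC 12, and the SLE, ARO, ALE and CBA chain in MC 21-22, with the exposure factor from modified T/F 14) carried through as one worked example. This is added Python, not code from the test bank or its textbook; every asset value, factor weight, likelihood, exposure factor and safeguard cost in it is a constructed input chosen for illustration, and the function names are the example's own.

```python
"""Worked quantitative risk-management arithmetic (added example).

Not from the test bank or its textbook. All asset values, weights,
likelihoods, exposure factors and safeguard costs below are constructed.
"""


def weighted_factor_score(scores: dict[str, float], weights: dict[str, float]) -> float:
    """Weighted factor analysis: each asset is rated per critical factor (here
    0.1-1.0), the factor weights sum to 100, and the weighted sum is the
    asset's relative-importance score. An incomplete score sheet is rejected
    rather than silently lowering the asset's priority."""
    if abs(sum(weights.values()) - 100) > 1e-9:
        raise ValueError("factor weights must sum to 100")
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"missing scores for factors: {sorted(missing)}")
    return sum(scores[factor] * weight for factor, weight in weights.items())


def rank_assets(assets: dict[str, dict[str, float]], weights: dict[str, float]) -> list[str]:
    """Asset names ordered from highest to lowest weighted score."""
    return sorted(assets, key=lambda name: weighted_factor_score(assets[name], weights), reverse=True)


def risk_rating(likelihood: float, value: float, pct_controlled: float, uncertainty: float) -> float:
    """Risk = likelihood x value, minus the share already controlled, plus an
    uncertainty allowance. pct_controlled and uncertainty are fractions (0-1)
    applied to the uncontrolled likelihood x value term."""
    for name, frac in (("likelihood", likelihood), ("pct_controlled", pct_controlled),
                       ("uncertainty", uncertainty)):
        if not 0.0 <= frac <= 1.0:
            raise ValueError(f"{name} must be a fraction between 0 and 1")
    uncontrolled = likelihood * value
    return uncontrolled - uncontrolled * pct_controlled + uncontrolled * uncertainty


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the value lost per event)."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (expected number of such events per year)."""
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, annual_cost_of_safeguard: float) -> float:
    """CBA = ALE before the control - ALE after it - annual cost of the control.
    A positive result means the control pays for itself."""
    return ale_prior - ale_post - annual_cost_of_safeguard


def evaluate_control(asset_value: float, ef_before: float, aro_before: float,
                     ef_after: float, aro_after: float, annual_cost: float) -> dict:
    """Run the SLE -> ALE -> CBA chain for one candidate control and return the
    intermediate numbers with the decision, so the reasoning is inspectable."""
    ale_prior = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_post = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_after), aro_after)
    cba = cost_benefit(ale_prior, ale_post, annual_cost)
    return {"ale_prior": ale_prior, "ale_post": ale_post, "cba": cba, "worthwhile": cba > 0}


if __name__ == "__main__":
    # Constructed factor weights and per-asset ratings.
    weights = {"revenue": 30, "profitability": 40, "public_image": 30}
    assets = {
        "EDI transactions": {"revenue": 0.8, "profitability": 0.9, "public_image": 0.5},
        "customer orders": {"revenue": 0.9, "profitability": 0.9, "public_image": 1.0},
        "internal mail": {"revenue": 0.1, "profitability": 0.1, "public_image": 0.3},
    }
    for name in rank_assets(assets, weights):
        print(f"{name:20s} score={weighted_factor_score(assets[name], weights):.1f}")

    # Constructed risk ratings: an uncontrolled vulnerability on a value-50 asset with
    # 90% confidence, and a half-controlled one on a value-100 asset with 80% confidence.
    print("risk A:", risk_rating(1.0, 50, 0.0, 0.10))
    print("risk B:", risk_rating(0.5, 100, 0.5, 0.20))

    # Constructed CBA: a control that cuts EF 10% -> 2% and ARO 0.5 -> 0.25 on a
    # $1M asset, costed at two different annual prices.
    for annual_cost in (30_000, 60_000):
        print(f"control at ${annual_cost}/yr:", evaluate_control(1_000_000, 0.10, 0.5, 0.02, 0.25, annual_cost))
```

The two `evaluate_control` calls show the point of MC 21: the same technical control is justified at one annual price and rejected at a higher one, because the CBA compares the reduction in ALE against what the safeguard costs each year, not against the asset value.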
COMPLETION
ANS: Assets
PTS: 1 REF: 120
ANS: Data
ANS:
electronic serial
MAC address
hardware address
6. All information that has been approved by management for public release has
a(n) ____________________ classification.
ANS: external
ANS: clearance
ANS: clean
9. Once the inventory and value assessment are complete, you can prioritize
each asset using a straightforward process known as ____________________ analysis.
ANS: threats
11. You can assess the relative risk for each of the vulnerabilities by a process
called risk ____________________.
ANS: assessment
ANS: Likelihood
ANS: technologies
ANS: mitigation
ANS:
BC
Business Continuity
BC (business continuity)
business continuity (BC)
ANS: avoidance
ANS: valuation
ANS: expectancy
ANS: Benchmarking
ANS: gap
ANS: diligence
ANS: baseline
ANS: feasibility
ESSAY
ANS:
People comprise employees and nonemployees.
Procedures fall into two categories: IT and business standard procedures, and IT and business
sensitive procedures.
Data components account for the management of information in all its states: transmission,
processing, and storage.
Software components are assigned to one of three categories: applications, operating systems,
or security components.
Hardware is assigned to one of two categories: the usual systems devices and their
peripherals, and the devices that are part of information security control systems.
Hardware components are separated into two categories: devices and peripherals, and
networks.
2. List seven key areas identified by Microsoft as best security practices for
home users.
ANS:
1. Use antivirus software.
2. Use strong passwords.
3. Verify your software security settings.
4. Update product security.
5. Build personal firewalls.
6. Back up early and often.
7. Protect against power surges and loss.
ANS:
Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your
computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer
anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your
computer anymore.
Law #4: If you allow a bad guy to upload programs to your Web site, it’s not your Web site
anymore.
Law #8: An out-of-date virus scanner is only marginally better than no virus scanner at all.
Law #9: Absolute anonymity isn’t practical, in real life or on the Web.
Law #10: Technology is not a panacea.