CIS3361 Information security Management CH7

prudent

Organizations that adopt minimum levels of security to establish a future legal defense may need to verify that they have done what any ____ organization would do in similar circumstances.

incident

Organizations typically use three types of performance measures, including those that assess the impact of a(n) ____________________ or other security event on the organization or its mission.

True

Performance measurement is an ongoing, continuous improvement operation.

Mitigation Risk Treatment Strategy

The risk treatment strategy that attempts to reduce the impact of the loss caused by an incident, disaster, or attack through the effective contingency planning and preparation.

False

The risk treatment strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk treatment strategy. __________

Transference Risk Treatment Strategy

The risk treatment strategy that attempts to shift risk to other assets, other processes, or other organizations.

Termination Risk Treatment Strategy

The risk treatment strategy that eliminates all risk associated with an information asset by removing it from service

True

The risk treatment strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk treatment strategy. ____________

Acceptance Risk Treatment Strategy

The risk treatment strategy that indicates the organization is willing to accept the current level of residual risk. As a result, the organization makes a conscious decision to do nothing else to protect an information asset from risk and to accept the outcome from any resulting exploitation.

False

The risk treatment strategy that indicates the organization is willing to accept the current level of risk and do nothing further to protect an information asset is known as the termination risk treatment strategy. ____________

controls

The second step in the NIST SP 800-37 model for security certification and accreditation is to select the appropriate minimum security ____________________ for the system.

an understanding of risk treatment strategies

Treating risk begins with which of the following?

True

Unlike many other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.

True

Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.

baseline

A ____ is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared.".

moving target

A problem with benchmarking is that recommended practices are a(n) ____________________; that is, knowing what happened a few years ago does not necessarily tell you what to do next.

asset valuation

A process of assigning financial value or worth to each information asset.

False

A progression is a measurement of current performance against which future performance will be compared. __________

defense risk treatment strategy

A risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.

mitigation risk treatment strategy

A risk treatment strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.

termination risk treatment strategy

A risk treatment strategy that eliminates all risk associated with an information asset by removing it from service.

acceptance risk treatment strategy

A risk treatment strategy that indicates the organization is willing to accept the current level of risk, is making a conscious decision to do nothing to protect an information asset from risk, and accepts the outcome from any resulting exploitation.

True

A(n) baseline is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared."

characterize the system

According to NIST SP 800-37, the first step in the security controls selection process is to ____.

True

Accreditation is the authorization of an IT system to process, store, or transmit information.

When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.

All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT:

Cost-benefit Analysis (CBA)

Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization

cost-benefit analysis (CBA)

Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as __________.

True

Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as cost-benefit analysis (CBA). __________

Operational Feasibility

An examination of how well a particular solution fits within the organization's culture and the extent to which users are expected to accept the solution. Also known as Behavioral Feasibility

Political Feasibility

An examination of how well a particular solution fits within the organization's political environment - for example, the working relationship within the organization's communities of interest or between the organizations and its external environment

Organizational Feasibility

An examination of how well a particular solution fits within the organization's strategic planning objectives and goals

organizational feasibility

An examination of how well a particular solution fits within the organization's strategic planning objectives and goals.

False

An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel, is known as operational feasibility. __________

Technical Feasibility

An examination of how well a particular solution is supportable given the organizations current technological infrastructure and resources, which include hardware, software, networking, and personnel

False

Another problem with benchmarking is that no two organizations are similar.

defense

Application of training and education among other approach elements is a common method of which risk treatment strategy?

manage

Because "organizations ____________________ what they measure," it is important to ensure that individual metrics are prioritized in the same manner as the performance they measure.

competitive disadvantage

Because even the implementation of new technologies does not necessarily guarantee an organization can gain or maintain a competitive lead, the concept of __________ has emerged as organizations strive not to fall behind technologically.

which, how

Benchmarking can help to determine ____ controls should be considered, but it cannot determine ____ those controls should be implemented in your organization.

False

Best security practices (BSPs) balance the need for information access with the need for adequate protection while simultaneously demonstrating social responsibility.

access

Best security practices balance the need for information ____________________ with the need for adequate protection while simultaneously demonstrating fiscal responsibility.

single loss expectancy

By multiplying the asset value by the exposure factor, you can calculate which of the following?

outcome

Collecting project metrics may be even more challenging. Unless the organization is satisfied with a simple tally of who spent how many hours doing which tasks, it needs some mechanism to link the ____ of each project, in terms of loss control or risk reduction, to the resources consumed.

intent

Designing the performance measures collection process requires thoughtful consideration of the ____ of the metric along with a thorough knowledge of how production services are delivered.

True

Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudentorganization would do in similar circumstances. __________

stakeholders

During Phase 1 of the NIST performance measures development process, the organization identifies relevant ____ and their interests in information security measurement.

goals and objectives

During Phase 2 of the NIST performance measures development process, the organization will identify and document the information security performance ____ that would guide security control implementation for the information security program of a specific information system.

value to competitors

Each of the following is a commonly used quantitative approach for asset valuation EXCEPT:

forecasting costs

Each of the following is a recommendation from the FDIC when creating a successful SLA EXCEPT:

cost of IT operations (keeping systems operational during the period of treatment strategy development)

Each of the following is an item that affects the cost of a particular risk treatment strategy EXCEPT:

True

Implementing controls at an acceptable standard—and maintaining them—demonstrates that an organization has performed due diligence.

Single Loss Expectancy (SLE)

In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack (impact). The SLE is the product of the asset's value and the exposure factor.

False

In a cost-benefit analysis, the expected frequency of an attack expressed on a per-year basis is known as the annualized risk of likelihood. __________

Annualized Rate of Occurrence (ARO)

In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis

Annualized Loss Expectancy (ALE)

In a cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy

recommended

In information security, two categories of benchmarks are used: standards of due care and due diligence and ____ practices.

meaning

In most cases, simply listing the measurements collected does not adequately convey their ____.

Both of these

In reporting InfoSec performance measures, the CISO must also consider ____.

certification

In security management, ____ is "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.

accreditation

In security management, ____________________ is the authorization of an IT system to process, store, or transmit information.

False

In some organizations, the terms metrics and best practices are interchangeable.

gap

In the NIST performance measures implementation process, the comparison of observed measurements with target values is known as a ____ analysis.

Delphi

In which technique does a group rate or rank a set of information, compile the results, and repeat until everyone is satisfied with the result?

True

Industries that are regulated by governmental agencies are required to meet government guidelines in their security practices.

performance measurement

Information security ____ is the process of designing, implementing, and managing the use of the collected data elements called measures to determine the effectiveness of the overall security program.

due diligence

It is no longer sufficient to simply assert effective information security; an organization must demonstrate that it is taking effective measures in the spirit of ____________________.

due diligence

Maintaining an acceptable level of secure controls over time indicates that an organization has met the standard of ____.

False

NIST recommends the documentation of each performance measure in a customized format to ensure repeatability of measures development, tailoring, collection, and reporting activities.

repeatability

NIST recommends the documentation of performance measures in a format to ensure ____ of measures development, tailoring, collection, and reporting activities.

governance

NIST's Risk Management Framework follows a three-tiered approach, with most organizations working from the top down, focusing first on aspects that affect the entire organization, such as __________.

monitoring and measurement

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk?

False

Once developed, information security performance measures must be implemented and integrated into ongoing information security management operations. For the most part, it is sufficient to collect these measures once.

quantify

One of the critical tasks in the measurement process is to assess and ____________________ what will be measured.

True

One of the most popular of the many references that support the development of process improvement and performance measures is The Capability Maturity Model Integrated (CMMI) designed specifically to integrate an organization's process improvement activities across disciplines.

none of these

One of the most popular reference for developing process improvement and performance measures is the ____ model from the Software Engineering Institute at Carnegie Mellon University.

True

One of the priorities in building an information security measures program is determining whether these measures will be macro-focus or micro-focus.

False

One of the three goals of System Certification and Accreditation as defined by NIST is to: define essential maximum security controls for federal IT systems.

Baseline data provides little value to evaluating progress in improving security

Problems with benchmarking include all but which of the following?

More consistent, comparable, and repeatable certifications of InfoSec programs

Security Certification & Accreditation offers several benefits. Which of the following is NOT one of them?

best business practices

Security efforts that seek to provide a superior level of performance in the protection of information are called ____.

disaster recovery plan

Strategies to reestablish operations at the primary site after an adverse event threatens continuity of business operations are covered by which of the following plans in the mitigation control approach?

True

The ISO 27005 Standard for InfoSec Risk Management has a five-stage management methodology that includes risk treatment and risk communication.

risk determination

The ISO 27005 Standard for Information Security Risk Management includes all but which of the following stages?

evaluating alternative strategies

The Microsoft Risk Management Approach includes four phases; which of the following is NOT one of them?

inform

The NIST risk management approach includes all but which of the following elements?

Increasing efficiency for InfoSec performance

The benefits of using information security performance measures include all but which of the following?

single loss expectancy

The calculated value associated with the most likely loss from a single attack.

True

The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.

False

The defense risk treatment strategy may be accomplished by outsourcing to other organizations.

Cost Avoidance

The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident

cost avoidance

The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as __________.

cost avoidance

The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident.

False

The first phase in the NIST performance measures methodology is to collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets.

cost-benefit analysis

The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.

zero

The goal of InfoSec is not to bring residual risk to __________; rather, it is to bring residual risk in line with an organization's risk appetite.

corrective

The last phase in the NIST performance measures implementation process is to apply ____________________ actions; close the gap by implementing the recommended corrective actions in the security program or in the security controls.

True

The risk treatment strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk treatment strategy. __________

determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset

The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?

Asset Valuation

The process of assigning financial value or worth to each information asset

asset valuation

The process of assigning financial value or worth to each information asset is known as __________.

all of these

The purpose of NIST SP 800-53 (R3) as part of the NIST System C&A Project is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for ____.

risk appetite

The quantity and nature of risk that organizations are willing to accept.

Defense Risk Treatment Strategy

The risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards in an effort to change the likelihood of successful attack on an information asset. Also known as the Avoidance Strategy.

False

The risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk treatment strategy, also known as the avoidance strategy. __________

qualitative assessment of many risk components

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?

cost-benefit analysis

What is the result of subtracting the postcontrol annualized loss expectancy and the annualized cost of the safeguard from the precontrol annualized loss expectancy?

residual risk

When vulnerabilities have been controlled to the degree possible, what is the remaining risk that has not been completely removed, shifted, or planned for?

OCTAVE

Which alternative risk management methodology is a process promoted by the Computer Emergency Response Team (CERT) Coordination Center (www.cert.org) that has three variations for different organizational needs, including one known as ALLEGRO?

ISO 31000

Which international standard provides a structured methodology for evaluating threats to economic performance in an organization and was developed using the Australian/New Zealand standard AS/NZS 4360:2004 as a foundation?

maintenance

Which of the following affects the cost of a control?

political feasibility

Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?

operational feasibility

Which of the following determines how well a proposed treatment will address user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders?

organizational feasibility

Which of the following determines how well the proposed InfoSec treatment alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization?

technical feasibility

Which of the following determines whether the organization already has or can acquire the technology necessary to implement and support the proposed treatment?

Practical InfoSec budgets and resources for the program

Which of the following is NOT a factor critical to the success of an information security performance program?

...

Which of the following is NOT a goal of the NIST System Certification and Accreditation Project:

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls.

Which of the following is NOT a valid rule of thumb on risk treatment strategy selection?

selective risk avoidance

Which of the following is NOT an alternative to using CBA to justify risk controls?

Use the methodology most similar to what is currently in use.

Which of the following is NOT one of the methods noted for selecting the best risk management model?

assess control impact

Which of the following is not a step in the FAIR risk management framework?

Prepare for data collection

Which of the following is the first phase in the NIST process for performance measures implementation?

transference

Which of the following risk treatment strategies describes an organization's attempt to shift risk to other assets, other processes, or other organizations?

mitigation

Which of the following risk treatment strategies describes an organization's efforts to reduce damage caused by a realized incident or disaster?

metrics; measures

While the terms may be interchangeable in some organizations, typically the term ____ is used for more granular, detailed measurement, while the term ____ is used for aggregate, higher-level results.

Certification

____________________ is defined as "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements."