ITM Chapter 1-3 Quiz
Ryan is assisting with his organization's annual business impact analysis effort. He's been asked to assign quantitative values to assets as part of the priority identification exercise. What unit of measure should he use? A. Monetary B. Utility C. Importance D. Time
A. The quantitative portion of the priority identification should assign asset values in monetary units. The organization may also choose to assign other values to assets, but non-monetary measures should be part of a qualitative, rather than a quantitative, assessment.
You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. A. $750,000 B. $1.5 million C. $7.5 million D. $15 million
A. This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.10 (or 10 percent). From the scenario presented, you know that the SLE is $7.5 million. This yields an ALE of $750,000.
A. Inappropriate information disclosure C. Data loss D. Downtime F. Failure to achieve sufficient return on investment
Annaliese's organization is undergoing a period of increased business activity where they are conducting a large number of mergers and acquisitions. She is concerned about the risks associated with those activities. Which of the following are examples of those risks? (choose all that apply.) A. Inappropriate information disclosure B. Increased worker compliance C. Data loss D. Downtime E. Additional insight into the motivations of inside attacker F. Failure to achieve sufficient return on investment
James was recently asked by his organization's CIO to lead a core team of four experts through a business continuity planning process for his organization. What is the first step that this core team should undertake? A. BCP team selection B. Business organization analysis C. Resource requirements analysis D. Legal and regulatory assessment
B. As the first step of the process, the business organization analysis helps guide the remainder of the work. James and his core team should conduct this analysis and use the results to aid in the selection of team members and the design of the BCP process.
The Risk Management Framework (RMF) provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF has seven steps or phases. Which phase of the RMF focuses on determining whether system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation are reasonable? A. Categorize B. Authorize C. Assess D. Monitor
B. Authorize
Company proprietary data are discovered on a public social media posting by the CEO. While investigating, a significant number of similar emails were discovered to have been sent to employees, which included links to malicious sites. Some employees report that they had received similar messages to their personal email accounts as well. What improvements should the company implement to address this issue? (Choose two.) A. Deploy a web application firewall. B. Block access to personal email from the company network. C. Update the company email server. D. Implement multifactor authentication (MFA) on the company email server. E. Perform an access review of all company files. F. Prohibit access to social networks on company equipment.
B. Block access to personal email from the company network. F. Prohibit access to social networks on company equipment.
While performing a risk analysis, you identify a threat of fire and a vulnerability of things being flammable because there are no fire extinguishers. Based on this information, which of the following is a possible risk? A. Virus infection B. Damage to equipment C. System malfunction D. Unauthorized access to confidential information
B. Damage to equipment
_________________ is the process of adding new employees to the organization, having them review and sign policies, be introduced to managers and coworkers, and be trained in employee operations and logistics. A. Reissue B. Onboarding C. Background checks D. Site survey
B. Onboarding
After repeated events of retraining, a particular worker was caught for the fourth time attempting to access documents that were not relevant to their job position. The CSO decides this was the last chance and the worker is to be fired. The CSO reminds you that the organization has a formal termination process that should be followed. Which of the following is an important task to perform during the termination procedure to reduce future security issues related to this ex-employee? A. Return the exiting employee's personal belongings. B. Review the nondisclosure agreement. C. Evaluate the exiting employee's performance. D. Cancel the exiting employee's parking permit.
B. Review the nondisclosure agreement.
Often a _____________ is a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the group's work activities. _____________ are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors. A. CISO(s) B. Security champion(s) C. Security auditor(s) D. Custodian(s)
B. Security champion(s)
Lighter than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario? A. 0.01 B. $10 million C. $100,000 D. 0.10
B. The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE).
You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy (SLE) of your shipping facility to avalanches? A. $3 million B. $2,700,000 C. $270,000 D. $135,000
B. The single loss expectancy (SLE) is the product of the asset value (AV) and the exposure factor (EF). From the scenario, you know that the AV is $3 million and the EF is 90 percent; based on that the same land can be used to rebuild the facility. This yields an SLE of $2,700,000.
Which of the following could be classified as a form of social engineering attack? (Choose all that apply.) A. A user logs in to their workstation and then decides to get a soda from the vending machine in the stairwell. As soon as the user walks away from their workstation, another person sits down at their desk and copies all the files from a local folder onto a network share. B. You receive an email warning about a dangerous new virus spreading across the internet. The message tells you to look for a specific file on your hard drive and delete it, since it indicates the presence of the virus. C. A website claims to offer free temporary access to their products and services but requires that you alter the configuration of your web browser and/or firewall in order to download the access software. D. A secretary receives a phone call from a person claiming to be a client who is running late to meet the CEO. The caller asks for the CEO's private cell phone number so that they can call them.
B. You receive an email warning about a dangerous new virus spreading across the internet. The message tells you to look for a specific file on your hard drive and delete it, since it indicates the presence of the virus. C. A website claims to offer free temporary access to their products and services but requires that you alter the configuration of your web browser and/or firewall in order to download the access software. D. A secretary receives a phone call from a person claiming to be a client who is running late to meet the CEO. The caller asks for the CEO's private cell phone number so that they can call them.
The board of directors of Clashmore Circuits conducts an annual review of the business continuity planning process to ensure that adequate measures are in place to minimize the effect of a disaster on the organization's continued viability. What obligation are they satisfying by this review? A. Corporate responsibility B. Disaster requirement C. Due diligence D. Going concern responsibility
C. A firm's officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place. This is an element of corporate responsibility, but that term is vague and not commonly used to describe a board's responsibilities. Disaster requirement and going concern responsibilities are also not risk management terms.
During a risk management project, an evaluation of several controls determines that none are cost-effective in reducing the risk related to a specific important asset. What risk response is being exhibited by this situation? A. Mitigation B. Ignoring C. Acceptance D. Assignment
C. Acceptance
In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team? A. Strategy development B. Business impact analysis C. Provisions and processes D. Resource prioritization
C. In the provisions and processes phase, the BCP team designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.
Ricky is conducting the quantitative portion of his organization's business impact analysis. Which one of the following concerns is least suitable for quantitative measurement during this assessment? A. Loss of a plant B. Damage to a vehicle C. Negative publicity D. Power outage
C. It is difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through a qualitative analysis. The other items listed here are all more easily quantifiable.
Which of the following is a true statement in regard to vendor, consultant, and contractor controls? A. Using business email compromise (BEC) is a means to ensure that organizations providing services maintain an appropriate level of service agreed on by the service provider, vendor, or contractor and the customer organization. B. Outsourcing can be used as a risk response option known as acceptance or appetite. C. Multiparty risk exists when several entities or organizations are involved in a project. The risk or threats are often due to the variations of objectives, expectations, timelines, budgets, and security priorities of those involved. D. Risk management strategies implemented by one party do not cause additional risks against or from another party.
C. Multiparty risk exists when several entities or organizations are involved in a project. The risk or threats are often due to the variations of objectives, expectations, timelines, budgets, and security priorities of those involved.
Chris is completing the risk acceptance documentation for his organization's business continuity plan. Which one of the following items is Chris least likely to include in this documentation? A. Listing of risks deemed acceptable B. Listing of future events that might warrant reconsideration of risk acceptance decisions C. Risk mitigation controls put in place to address acceptable risks Rationale for determining that risks were acceptable
C. Risk mitigation controls to address acceptable risks would not be in the BCP. The risk acceptance documentation should contain a thorough review of the risks facing the organization, including the determination as to which risks should be considered acceptable and unacceptable. For acceptable risks, the documentation should include a rationale for that decision and a list of potential future events that might warrant a reconsideration of that determination. The documentation should include a list of controls used to mitigate unacceptable risks, but it would not include controls used to mitigate acceptable risks, since acceptable risks do not require mitigation.
You have performed a risk assessment and determined the threats that represent the most significant concern to your organization. When evaluating safeguards, what is the rule that should be followed in most cases? A. The expected annual cost of asset loss should not exceed the annual costs of safeguards. B. The annual costs of safeguards should equal the value of the asset. C. The annual costs of safeguards should not exceed the expected annual cost of asset value loss. D. The annual costs of safeguards should not exceed 10 percent of the security budget.
C. The annual costs of safeguards should not exceed the expected annual cost of asset value loss.
Lighter than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario? What is the annualized loss expectancy? A. 0.01 B. $10 million C. $100,000 D. 0.10
C. The annualized loss expectancy (ALE) is computed by taking the product of the single loss expectancy (SLE), which was $10 million in this scenario, and the annualized rate of occurrence (ARO), which was 0.01 in this example. These figures yield an ALE of $100,000.
Renee is reporting the results of her organization's BIA to senior leaders. They express frustration at all of the detail, and one of them says, "Look, we just need to know how much we should expect these risks to cost us each year." What measure could Renee provide to best answer this question? A. ARO B. SLE C. ALE D. EF
C. The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.
Tracy is preparing for her organization's annual business continuity exercise and encounters resistance from some managers who don't see the exercise as important and feel that it is a waste of resources. She has already told the managers that it will only take half a day for their employees to participate. What argument could Tracy make to best address these concerns? A. The exercise is required by policy. B. The exercise is already scheduled and canceling it would be difficult. C. The exercise is crucial to ensuring that the organization is prepared for emergencies. D. The exercise will not be very time-consuming.
C. This question requires that you exercise some judgment, as do many questions on the CISSP exam. All of these answers are plausible things that Tracy could bring up, but we're looking for the best answer. In this case, that is ensuring that the organization is ready for an emergency—a mission-critical goal. Telling managers that the exercise is already scheduled or required by policy doesn't address their concerns that it is a waste of time. Telling them that it won't be time-consuming is not likely to be an effective argument because they are already raising concerns about the amount of time requested.
What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions? A. Education B. Awareness C. Training D. Termination
C. Training
Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance? A. Vice president of business operations B. Chief information officer C. Chief executive officer Business continuity manager
C. You should strive to have the highest-ranking person possible sign the BCP's statement of importance. Of the choices given, the chief executive officer (CEO) has the highest ranking.
C. Hardware destruction caused by arson
Confidentiality, integrity, and availability are typically viewed as the primary goals and objectives of a secure infrastructure. Which of the following is not considered a violation on confidentiality? A. Stealing passwords using a keystroke logging tool? B. Eavesdropping on wireless network communication? C. Hardware destruction caused by arson? D. Social engineering that tricks a user into providing personal information to a false website.
A. Holistic Approach B. End-to-End Governance System C. Provide Stakeholder Value E. Dynamic Governance System
Control Objectives for Information and Related Technology (COBIT) is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. COBIT is based on six key principles for governance and management of enterprise IT. Which of the following are among these key principles? (Choose all that apply) A. Holistic Approach B. End-to-End Governance System C. Provide Stakeholder Value D. Maintaining Authenticity and Accountability E. Dynamic Governance System
During a meeting of company leadership and the security team, discussion focuses on defining the value of assets in dollars, inventorying threats, predicting the specific amount of harm of a breach, and determining the number of times a threat could cause harm to the company each year. What is being performed? A. Qualitative risk assessment B. Delphi technique C. Risk avoidance D. Quantitative risk assessment
D. Quantitative risk assessment
Brian is developing continuity plan provisions and processes for his organization. What resource should he protect as the highest priority in those plans? A. Physical plant B. Infrastructure C. Financial D. People
D. The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization's employees!
Matt is supervising the installation of redundant communications links in response to a finding during his organization's BIA. What type of mitigation provision is Matt overseeing? A. Hardening systems B. Defining systems C. Reducing systems Alternative systems
D. This is an example of alternative systems. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable.
You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the annualized loss expectancy? A. $3 million B. $2,700,000 C. $270,000 D. $135,000
D. This problem requires you to compute the annualized loss expectancy (ALE), which is the product of the single loss expectancy (SLE) and the annualized rate of occurrence (ARO). From the scenario, you know that the ARO is 0.05 (or percent). From question 8, you know that the SLE is $2,700,000. This yields an ALE of $135,000.
A, B, C, D, E, F, G, H, I. All of the listed options are terms that relate to or are based on defense in depth: layering, classifications, zones, realms, compartments, silos, segmentations, lattice structure, and protection rings.
Defense in depth is simply the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. Which of the following are terms that relate to or are based on defense in depth? (Choose all that apply.) A. Layering B. Classifications C. Zones D. Realms E. Compartments F. Silos G. Segmentations H. Lattice structure I. Protection rings
A. Due diligence is establishing a plan, policy , and process to protect the interests of an organization. D. Due care is practicing the individual activities that maintain the security effort.
In today's business environment, prudence is mandatory. Show due diligence and due care is the only way to disprove negligence in an occurrence of loss. Which of the following are true statements? (Choose all that apply.) A. Due diligence is establishing a plan, policy , and process to protect the interests of an organization. B. Due care is developing a formalized security structure continuing a security policy, standards, baselines, guidelines, and procedures. C. Due diligence is the continued application of a security structure onto the IT infrastructure of an organization. D. Due care is practicing the individual activities that maintain the security effort. E. Due care is knowing what should be done and planning for it. F. Due diligence is doing the right action an the right time.
C. Process for Attack Simulation and Threat Analysis (PASTA) is a seven-stage threat modeling methodology. PASTA is a risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected. Visual, Agile, and Simple Threat (VAST) is a threat modeling concept that integrates threat and risk management into an Agile programming environment on a scalable basis. Microsoft uses a Security Development Lifecycle (SDL) with the motto "Secure by Design, Secure by Default, Secure in Deployment and Communication" (also known as SD3+C). STRIDE is a threat categorization scheme developed by Microsoft.
It's common to pair threats with vulnerabilities to identify threats that can exploit assets and represent significant risks to the organization. An ultimate goal of threat modeling is to prioritize the potential threats against an organization's valuable assets. Which of the following is a risk-centric threat-modeling approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected? A. VAST B. SD3+C C. PASTA D. STRIDE
B. Availability
James recently discovered an attack taking place against his organization that prevented employees from accessing critical records. What element of the CIA Triad was violated? A. Identification B. Availability C. Encryption D. Layering
D. security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external resources.
Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which of the following is true about security governance? A. Security governance ensures that the requested activity or access to an object is possible given the rights and privileges. B. Security governance is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions. C. Security governance is a documented set of best IT security practices that prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. D. security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external resources.
D. When confidential documents are exposed to unauthorized entities, this is described by the I in STRIDE, which represents information disclosure. The elements of STRIDE are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
STRIDE is often used in relation to assessing threats against applications or operating systems. When confidential documents are exposed to unauthorized entities, which element of STRIDE is used to reference that violation? A. S B. T C. R D. I E. D F. E
B. A policy is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. A standard defines compulsory requirements for the homogenous use of hardware, software, technology, and security controls. A procedure is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution. A guideline offers recommendations on how security requirements are implemented and serves as an operational guide for both security professionals and users. III is the definition of a baseline, which was not included as a component option.
Security documentation is an essential element of a successful security program. Understanding the components is an early step in crafting the security documentation. Match the following components to their respective definitions. 1 Policy 2 Standard 3 Procedure 4 Guideline 1 A detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution. 2 A document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. 3 A minimum level of security that every system throughout the organization must meet. 4 Offers recommendations on how security requirements are implemented and serves as an operational guide for both security professionals and users. 5 Defines compulsory requirements for the homogenous use of hardware, software, technology, and security controls. A. 1 - I; 2 - IV; 3 - II; 4 - V B. 1 - II; 2 - V; 3 - I; 4 - IV C. 1 - IV; 2 - II; 3 - V; 4 - I D. 1 - V; 2 - I; 3 - IV; 4 - III
B. The CIA Triad
Security governance requires a clear understanding of the objectives of the organization as the core concepts of security. Which of the following contains the primary goals and objectives of security? A. A network's border perimeter B. The CIA Triad C. AAA services D. Ensuring that subject activities are recorded
A new web application was installed onto the company's public web server last week. Over the weekend a malicious hacker was able to exploit the new code and gained access to data files hosted on the system. This is an example of what issue? A. Inherent risk B. Risk matrix C. Qualitative assessment D. Residual risk
A. Inherent risk
B. This scenario describes a proactive approach to threat modeling, which is also known as the defensive approach. A reactive approach or adversarial approach to threat modeling takes place after a product has been created and deployed. There is no threat modeling concept known as qualitative approach. Qualitative is typically associated with a form of risk assessment.
A development team is working on a new project. During the early stages of systems development, the team considers the vulnerabilities, threats, and risks of their solution and integrates protections against unwanted outcomes. What concept of threat modeling is this? A. Threat hunting B. Proactive approach C. Qualitative approach D. Adversarial approach
B. Security professional
A security role is the part of an individual plays in the overall scheme of security implementation and administration within an organization. What is the security role that has the functional responsibility for security, including writing the security policy and implementing it? A. Senior management B. Security professional C. Custodian D. Auditor
During the annual review of the company's deployed security infrastructure, you have been reevaluating each security control selection. How is the value of a safeguard to a company calculated? A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard B. ALE before safeguard * ARO of safeguard C. ALE after implementing safeguard + annual cost of safeguard - controls gap D. Total risk - controls gap
A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard
Which of the following are valid definitions for risk? (Choose all that apply.) A. An assessment of probability, possibility, or chance B. Anything that removes a vulnerability or protects against one or more specific threats C. Risk = threat * vulnerability D. Every instance of exposure E. The presence of a vulnerability when a related threat exists
A. An assessment of probability, possibility, or chance C. Risk = threat * vulnerability D. Every instance of exposure
Due to recent organization restructuring, the CEO believes that new workers should be hired to perform necessary work tasks and support the mission and goals of the organization. When seeking to hire new employees, what is the first step? A. Create a job description. B. Set position classification. C. Screen candidates. D. Request résumés.
A. Create a job description.
Darren is concerned about the risk of a serious power outage affecting his organization's data center. He consults the organization's business impact analysis and determines that the ARO of a power outage is 20 percent. He notes that the assessment took place three years ago and no power outage has occurred. What ARO should he use in this year's assessment, assuming that none of the circumstances underlying the analysis have changed? A. 20 percent B. 50 percent C. 75 percent D. 100 percent
A. The annualized rate of occurrence (ARO) is the likelihood that the risk will materialize in any given year. The fact that a power outage did not occur in any of the past three years doesn't change the probability that one will occur in the upcoming year. Unless other circumstances have changed, the ARO should remain the same.
Your organization is courting a new business partner. During the negotiations the other party defines several requirements of your organization's security that must be met prior to the signing of the SLA and business partners agreement (BPA). One of the requirements is that your organization demonstrate their level of achievement on the Risk Maturity Model (RMM). The requirement is specifically that a common or standardized risk framework is adopted organization-wide. Which of the five possible levels of RMM is being required of your organization? A. Preliminary B. Integrated C. Defined D. Optimized
C. Defined
Helen is working on her organization's resilience plans, and her manager asks her whether the organization has sufficient technical controls in place to recover operations after a disruption. What type of plan would address the technical controls associated with alternate processing facilities, backups, and fault tolerance? A. Business continuity plan B. Business impact analysis C. Disaster recovery plan D. Vulnerability assessment
C. Disaster recovery plans pick up where business continuity plans leave off. After a disaster strikes and the business is interrupted, the disaster recovery plan guides response teams in their efforts to quickly restore business operations to normal levels.
Jake is conducting a business impact analysis for his organization. As part of the process, he asks leaders from different units to provide input on how long the enterprise resource planning (ERP) system could be unavailable without causing irreparable harm to the organization. What measure is he seeking to determine? A. SLE B. EF C. MTD D. ARO
C. The maximum tolerable downtime (MTD) represents the longest period a business function can be unavailable before causing irreparable harm to the business. This figure is useful when determining the level of business continuity resources to assign to a particular function.
B. In this scenario, Cathy should void the authorization to operate (ATO) of this vendor. This situation describes the fact that the vendor is not meeting minimal security requirements which are necessary to the protection of the service and its customers. Writing a report is not a sufficient response to this discovery. You may have assumed Cathy does or does not have the authority to perform any of the other options, but there is no indication of Cathy's position in the organization. It is reasonable for a CEO to ask the CISO to perform such an evaluation. Regardless, the report should be submitted to the CISO, not the CIO, whose focus is primarily on ensuring that information is used effectively to accomplish business objectives, not that such use is secure. Reviewing terms and conditions will not make any difference in this scenario, as those typically apply to customers, not internal operations. And reviewing does not necessarily cause a change or improvement to insecure practices. A vendor-signed NDA has no bearing on this scenario.
Cathy's employer has asked her to perform a documentation review of the policies and procedures of a third-party supplier. This supplier is just the final link in a software supply chain. Their components are being used as a key element of an online service operated for high-end customers. Cathy discovers several serious issues with the vendor, such as failing to require encryption for all communications and not requiring multifactor authentication on management interfaces. What should Cathy do in response to this finding? A. Write up a report and submit it to the CIO. B. Void the ATO of the vendor. C. Require that the vendor review their terms and conditions. D. Have the vendor sign an NDA.
Darcy is leading the BCP effort for her organization and is currently in the project scope and planning phase. What should she expect will be the major resource consumed by the BCP process during this phase? A. Hardware B. Software C. Processing time D. Personnel
D. During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.
The CSO has expressed concern that after years of security training and awareness programs, the level of minor security violations has actually increased. A new security team member reviews the training materials and notices that it was crafted four years ago. They suggest that the materials be revised to be more engaging and to include elements that allow for the ability to earn recognition, team up with coworkers, and strive toward a common goal. They claim these efforts will improve security compliance and foster security behavior change. What is the approach that is being recommended? A. Program effectiveness evaluation B. Onboarding C. Compliance enforcement D. Gamification
D. Gamification
You have been tasked with overseeing the security improvement project for your organization. The goal is to reduce the current risk profile to a lower level without spending considerable amounts of money. You decide to focus on the largest concern mentioned by your CISO. Which of the following is likely the element of the organization that is considered the weakest? A. Software products B. Internet connections C. Security policies D. Humans
D. Humans
A, B, D. These statements are true: (A) Each link in the supply chain should be responsible and accountable to the next link in the chain; (B) Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips; and (D) Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listing or remote control mechanisms. The remaining option is incorrect. Even if a final product seems reasonable and performs all necessary functions, that does not provide assurance that it is secure or that it was not tampered with somewhere in the supply chain.
Supply chain risk management (SCRM) is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations. Which of the following are true statements? (Choose all that apply.) A. Each link in the supply chain should be responsible and accountable to the next link in the chain. B. Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips. C. If the final product derived from a supply chain meets expectations and functional requirements, it is assured to not have unauthorized elements. D. Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listing or remote control mechanisms.
B, C, E, F, G. The five key concepts of decomposition are trust boundaries, dataflow paths, input points, privileged operations, and details about security stance and approach. Patch or update version management is an important part of security management in general; it is just not a specific component of decomposition. Determining open vs. closed source code use is not an element of decomposition.
The next step after threat modeling is reduction analysis. Reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements. Which of the following are key components to identify when performing decomposition? (Choose all that apply.) A. Patch or update versions B. Trust boundaries C. Dataflow paths D. Open vs. closed source code use E. Input points F. Privileged operations G. Details about security stance and approach
A. Minimum security requirements should be modeled on your existing security policy. This is based on the idea that when working with a third party, that third party should have at least the same security as your organization. A third-party audit is when a third-party auditor is brought in to perform an unbiased review of an entity's security infrastructure. This audit may reveal where there are problems, but the audit should not be the basis of minimum security requirements for a third party. On-site assessment is when you visit the site of the organization to interview personnel and observe their operating habits. This is not the basis for establishing minimum security requirements for a third party. Vulnerability scan results, like third-party audits, may reveal concerns, but it is not the basis for establishing minimum security requirements for a third party.
Whenever an organization works with a third party, its supply chain risk management (SCRM) processes should be applied. One of the common requirements is the establishment of minimum security requirements of the third party. What should these requirements be based on? A. Existing security policy B. Third-party audit C. On-site assessment D. Vulnerability scan results
A. ITIL
Which security framework was initially crafted by a government for domestic use but is now an international standard, which is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change; which focuses on understanding how IT and security need to be to be integrated with and aligned to the objectives of an organization; and which is often used as a starting point for the crafting of a customized IT security solution within an establishment infrastructure? A. ITIL B. ISO 27000 C. CIS D. CSF
C. Strategic plan
You have been tasked with crafting a long-term security plan that is fairly stable. It needs to define the organization's security purpose. It also needs to define the security function and align it to the goals, mission, and objectives of the organization. What are you being asked to create? A. Tactical plan B. Operational plan C. Strategic plan D. Rollback plan
D. Though not explicitly stating hardware, this scenario describes a typical and potential risk of a supply chain, that a hardware risk results in the presence of a listening mechanism in the final product. This scenario does not provide information that would indicate that the supply chain risk is focused on software, services, or data.
Your organization has become concerned with risks associated with the supply chain of their retail products. Fortunately, all coding for their custom product is done in-house. However, a thorough audit of a recently completed product revealed that a listening mechanism was integrated into the solution somewhere along the supply chain. The identified risk is associated with what product component in this scenario? A. Software B. Services C. Data D. Hardware
