When thinking about how wireless clients work on wireless networks, which statement best describes a challenge for IT teams?


1. Because even the implementation of new technologies does not necessarily guarantee an organization can gain or maintain a competitive lead, the concept of ___ has emerged as organizations strive not to fall behind technologically.
Answer: competitive disadvantage

2. Treating risk begins with?
Answer: an understanding of risk treatment strategies

3. Application of training and education among other approach elements is a common method of which risk treatment strategy?
Answer: defense

4. Strategies to reestablish operations at the primary site after an adverse event threatens continuity of business operations are covered by which of the following plans in the mitigation control approach?
Answer: disaster recovery plan

5. The goal of InfoSec is not to bring residual risk to ___; rather, it is to bring residual risk in line with an organization's risk appetite.
Answer: zero

6. Briefly describe the five basic strategies to control risk that result from vulnerabilities.
Answer:
- Defense—Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk
- Transference—Shifting risks to other areas or to outside entities
- Mitigation—Reducing the impact to information assets should an attacker successfully exploit a vulnerability
- Acceptance—Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control
- Termination—Removing or discontinuing the information asset from the organization's operating environment

7. Explain two practical guidelines to follow in risk treatment strategy selection.
Answer:
- When a vulnerability (flaw or weakness) exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.
- When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
- When the attacker's potential gain is greater than the costs of attack: Apply protections to increase the attacker's cost or reduce the attacker's gain by using technical or managerial controls.
- When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.

8. Once an organization has estimated the worth of various assets, what three questions must be asked to calculate the potential loss from the successful exploitation of a vulnerability?
Answer:
- What damage could occur, and what financial impact would it have?
- What would it cost to recover from the attack, in addition to the financial impact of damage?
- What is the single loss expectancy for each risk?

9. Describe operational feasibility.
Answer: Operational feasibility refers to user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders. Operational feasibility is also known as behavioral feasibility. An important aspect of systems development is obtaining user buy-in on projects. If the users do not accept a new technology, policy, or program, it will inevitably fail.

10. What are the four stages of a basic FAIR analysis?
Answer:
- Stage 1—Identify Scenario Components
- Stage 2—Evaluate Loss Event Frequency (LEF)
- Stage 3—Evaluate Probable Loss Magnitude (PLM)
- Stage 4—Derive and Articulate Risk

11. In information security, a framework or security model customized to an organization, including implementation details, is a ___.
Answer: blueprint

12. In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a ___.
Answer: framework

13. One of the most widely referenced InfoSec management models, known as Information Technology—Code of Practice for Information Security Management, is also known as ___.
Answer: ISO 27002

14. The managerial tutorial equivalent of NIST SP 800-12, providing overviews of the roles and responsibilities of a security manager in the development, administration, and improvement of a security program, is NIST ___.
Answer: SP 800-100: Information Security Handbook: A Guide for Managers (2007)

15. Which NIST publication describes the philosophical guidelines that the security team should integrate into the entire InfoSec process, beginning with "Security supports the mission of the organization"?
Answer: SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems (1996)

16. Which NIST publication provides information on the elements of InfoSec, key roles and responsibilities, an overview of threats and vulnerabilities, a description of the three NIST security policy categories, and an overview of the NIST RM Framework and its use, among other topics needed for a foundation in InfoSec?
Answer: SP 800-12, Rev. 1: An Introduction to Information Security (2017)

17. Although COBIT was designed to be an IT ___ and management structure, it includes a framework to support InfoSec requirements and assessment needs.
Answer: governance

18. The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices primarily for ___.
Answer: managing the development and operation of IT infrastructures

19. The Information Security ___ is a managerial model provided by an industry working group, National Cyber Security Partnership, which provides guidance in the development and implementation of organizational InfoSec structures and recommends the responsibilities that various members should have in an organization.
Answer: Governance Framework

20. Under the Common Criteria, which term describes the user-generated specifications for security requirements?
Answer: Protection Profile (PP)

21. What are the five principles that are focused on the governance and management of IT, as specified by COBIT 5?
Answer:
- Principle 1: Meeting Stakeholder Needs
- Principle 2: Covering the Enterprise End-to-End
- Principle 3: Applying a Single, Integrated Framework
- Principle 4: Enabling a Holistic Approach
- Principle 5: Separating Governance From Management

22. Access controls are built on three key principles. List and briefly define them.
Answer:
- Least privilege: The principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.
- Need-to-know: Limits a user's access to the specific information required to perform the currently assigned task, and not merely to the category of data required for a general work function.
- Separation of duties: A control requiring that significant tasks be split up in such a way that more than one individual is responsible for their completion.

23. There are seven access control methodologies categorized by their inherent characteristics. List and briefly define them.
Answer:
- Directive—Employs administrative controls, such as policy and training, designed to proscribe certain user behavior in the organization
- Deterrent—Discourages or deters an incipient incident
- […] for example, anti-malware software
- Corrective—Remedies a circumstance or mitigates damage done during an incident, for example, changes to a firewall to block the recurrence of a diagnosed attack
- Recovery—Restores operating conditions back to normal, for example, data backup and recovery software
- Compensating—Resolves shortcomings, such as requiring the use of encryption for transmission of classified data over unsecured networks

24. One approach used to categorize access control methodologies is based on the controls' operational impact on the organization. What are these categories, as described by NIST?
Answer: Management; Operational (or administrative); Technical

25. When hiring security personnel, which of the following should be conducted before the organization extends an offer to any candidate, regardless of job level?
Answer: background check

26. Employees pay close attention to job ___, and including InfoSec tasks in them will motivate employees to take more care when performing these tasks.
Answer: performance evaluations

27. Incorporating InfoSec components into periodic employee performance evaluations can ___.
Answer: heighten InfoSec awareness

28. Organizations are required by privacy laws to protect sensitive or personal employee information, including ___.
Answer: personally identifiable information (PII)

29. Contract employees—or simply contractors—should not be allowed to do what?
Answer: Wander freely in and out of facilities.

30. Workers typically hired to perform specific services for the organization and hired via a third-party organization are known as ___.
Answer: contract employees

31. List the four factors critical to the success of an InfoSec performance program, according to NIST SP 800-55, Rev. 1.
Answer:
- Strong upper-level management support
- Practical InfoSec policies and procedures
- Quantifiable performance measurements
- Results-oriented measurement analysis

32. The process of implementing a performance measures program recommended by NIST involves six phases. List and describe them.
Answer:
- Phase 1: Prepare for data collection; identify, define, develop, and select information security measures.
- Phase 2: Collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets (gap analysis).
- Phase 3: Identify corrective actions; develop a plan to serve as the roadmap for closing the gap identified in Phase 2. This includes determining the range of corrective actions, prioritizing corrective actions based on overall risk mitigation goals, and selecting the most appropriate corrective actions.
- Phase 4: Develop the business case.
- Phase 5: Obtain resources.
- Phase 6: […] close the gap by implementing the recommended corrective actions in the security program or in the security controls.

33. What are the two major activities into which the InfoSec measurement development process recommended by NIST is divided?
Answer:
1. Identification and definition of the current InfoSec program
2. Development and selection of specific measurements to gauge the implementation, effectiveness, efficiency, and impact of the security controls

34. Briefly describe at least five types of background checks.
Answer:
- Identity checks: personal identity validation
- Education and credential checks: institutions attended, degrees and certifications earned, and certification status
- Previous employment verification: where candidates worked, why they left, what they did, and for how long
- Reference checks: validity of references and integrity of reference sources
- Worker's compensation history: claims from worker's compensation
- Motor vehicle records: driving records, suspensions, and other items noted in the applicant's public record
- Drug history: drug screening and drug usage, past and present
- Medical history: current and previous medical conditions, usually associated with physical capability to perform the work in the specified position
- Credit history: credit problems, financial problems, and bankruptcy
- Civil court history: involvement as the plaintiff or defendant in civil suits
- Criminal court history: criminal background, arrests, convictions, and time served

35. The Hartford insurance company estimates that, on average, ___ businesses that don't have a disaster plan go out of business after a major loss like a fire, a break-in, or a storm.
Answer: over 40 percent of

36. Contingency planning is primarily focused on developing ___.
Answer: plans for unexpected adverse events

37. The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster are known as ___.
Answer: contingency planning

38. The team responsible for designing and managing the IR plan by specifying the organization's preparation, reaction, and recovery from incidents is known as the ___.
Answer: computer security incident response team (CSIRT)

39. The group of senior managers and project members organized to conduct and lead all CP efforts is known as the ___.
Answer: crisis management planning team (CMPT)

40. What is the final stage of the business impact analysis when using the NIST SP 800-34 approach?
Answer: Identify recovery priorities for system resources.

41. At what point in the incident life cycle is the IR plan initiated?
Answer: when an incident is detected that affects the organization

42. What are the major components of contingency planning?
Answer:
- Business impact analysis (BIA)
- Incident response plan (IR plan)
- Disaster recovery plan (DR plan)
- Business continuity plan (BC plan)

43. What teams are involved in contingency planning and contingency operations?
Answer:
- Contingency planning management team
- Incident response team
- Disaster recovery team
- Business continuity team

44. Explain the difference between a business impact analysis and the risk management process.
Answer: One of the fundamental differences between a BIA and the risk management process is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect the information. The BIA assumes that these controls have been bypassed, have failed, or have otherwise proved ineffective, that the attack succeeded, and that the adversity being defended against has come to fruition.

45. When undertaking the BIA, what should the organization consider?
Answer: Scope; Plan; Balance; Objective; Follow-up

46. ___ are a component of the "security triple."
Answer: Threats, Assets, Vulnerabilities

47. A(n) ___ item is a hardware or software item that is to be modified and revised throughout its life cycle.
Answer: configuration

48. A ___ is the recorded condition of a particular revision of a software or hardware configuration item.
Answer: version

49. To evaluate the performance of a security system, administrators must establish system performance ___.
Answer: baselines

50. Control ___ baselines are established for network traffic and for firewall performance and IDPS performance.
Answer: performance

51. Why should agencies monitor the status of their programs?
Answer: Agencies should monitor the status of their programs to ensure that:
- Ongoing information security activities are providing appropriate support to the agency mission
- Policies and procedures are current and aligned with evolving technologies, if appropriate
- Controls are accomplishing their intended purpose

52. List the four steps to developing a CM plan.
Answer: The four steps in developing the CM plan are:
- Establish baselines
- Identify configuration
- Describe the configuration control process
- Identify a schedule for configuration audits

53. List the five domains of the security maintenance model.
Answer: The security maintenance model is based on five subject areas or domains:
- External monitoring
- Internal monitoring
- Planning and risk assessment
- Vulnerability assessment and remediation
- Readiness and review

True or False

1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.
Answer: T

2. The defense risk treatment strategy may be accomplished by outsourcing to other organizations.
Answer: F

3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.
Answer: T

4. Unlike many other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.
Answer: T

5. The ISO 27005 Standard for InfoSec Risk Management has a five-stage management methodology that includes risk treatment and risk communication.
Answer: T

6. In information security, a security blueprint is a framework or security model customized to an organization, including implementation details.
Answer: T

7. The Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure.
Answer: F

8. Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.
Answer: F

9. Lattice-based access control specifies the level of access each subject has to each object, if any.
Answer: T

10. Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data at the organization's competitors.
Answer: F

11. The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as minimal access.
Answer: F

12. Temporary workers—often called temps—may not be subject to the contractual obligations or general policies that govern other employees.
Answer: T

13. Using a practice called baselining, you are able to compare your organization's efforts to those of other organizations you feel are similar in size, structure, or industry.
Answer: F

14. A company striving for "best security practices" makes every effort to establish security program elements that meet every minimum standard in their industry.
Answer: F

15. One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?"
Answer: T

16. Performance measurements are seldom required in today's regulated InfoSec environment.
Answer: F

17. In most organizations, the COO is responsible for creating the IR plan.
Answer: F

18. When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan.
Answer: F

19. A hot site is a fully configured computing facility that includes all services, communications links, and physical plant operations.
Answer: T

20. In a cold site there are only rudimentary services, with no computer hardware or peripherals.
Answer: T

21. Training should be as specialized as possible; personnel who are responsible for one duty should not be trained on other duties to avoid confusion during a disaster.
Answer: T

22. If an organization deals successfully with change and has created procedures and systems that can be adjusted to the environment, the existing security improvement program will probably continue to work well.
Answer: T

23. Over time, policies and procedures may become inadequate due to changes in the organization's mission and operational requirements, threats, or the environment.
Answer: T

24. An effective information security governance program requires no ongoing review once it is well established.
Answer: F

25. A general guideline for performance of hard drives suggests that when the amount of data stored on a particular hard drive averages 95% of available capacity for a prolonged period, you should consider an upgrade for the drive.
Answer: F

26. Documentation procedures are not required for configuration and change management processes.
Answer: F

27. A management model such as the ISO 27000 series deals with methods to maintain systems.
Answer: F

28. External monitoring entails forming intelligence from various data sources and then giving that intelligence context and meaning for use by decision makers within the organization.
Answer: T

