CS 307 Exam 2

Prohibits a high level subject from sending messages to a lower level object

*-property (write property)

The identification of assets, including all the elements of an organization's system: people, procedures, data, software, hardware, and networking elements

Assessment

Section of the risk worksheet that lists each vulnerable asset

Asset

Section of the risk worksheet that shows the results for this asset from the weighted factor analysis worksheet

Asset Impact

This attribute describes the function of each asset

Asset Type

This is used to facilitate the tracking of assets. These are unique numbers assigned to assets and permanently affixed to assets during the acquisition process

Asset tag

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?

Assigning a value to each information asset

A confidentiality model or "state machine reference model" that ensures the confidentiality of the modeled system by using MACs, data classification, and security clearances

Bell-LaPadula (BLP) confidentiality model

An alternative to feasibility that is the process of seeking out and studying the practices used in other organizations that produce the results you desire in your organization

Benchmarking

The comparison of two related measurements

Benchmarking

The value to the organization of using controls to prevent losses associated with a specific vulnerability

Benefit

An access control model that is similar to BLP and is based on the premise that higher levels of integrity are more worthy of trust than lower levels

Biba integrity model

In InfoSec, a framework or security model customized to an organization, including implementation details

Blueprint

An international standard for computer security certification that is considered the successor to TCSEC and ITSEC

Common Criteria for Information Technology Security Evaluation ("CC")

This refers to the organizational unit that controls the asset

Controlling Entity

True or False: A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme

False

True or False: A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects.

False

True or False: An approach to combining risk identification, risk assessment, and risk appetite into a single strategy is known as risk protection

False

True or False: An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment

False

True or False: Dumpster delving is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information

False

True or False: The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege.

False

True or False: The information technology management community of interest often takes on the leadership role in addressing risk

False

The COSO framework is built on five interrelated components. Which of the following is NOT one of them?

InfoSec Governance

Must lead the way with skill, professionalism, flexibility, and subject expertise as it works with the other communities of interest to balance the constant trade-offs between information's ease of use and security

InfoSec Management

Standards that are used for reference or comparison and often serve as the stepping-off point for emulation and adoption

InfoSec models

An international set of criteria for evaluating computer systems, very similar to TCSEC

Information Technology System Evaluation Criteria (ITSEC)

Assembles information about information assets and their impact on or value to the organization

Information asset classification worksheet

This attribute specifies where an asset can be found on the organization's network

Logical Location

Which of the following is an attribute of a network device that is physically tied to the network interface?

MAC address

This attribute does not only apply to software elements. Nevertheless, some organizations may have license terms that indicate where software can be used. This may include systems leased at remote locations, often described as being "in the cloud"

Physical Location

Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair

Ranked vulnerability risk worksheet

Once an information asset is identified, categorized, and classified, what must also be assigned to it?

Relative value

Comparative judgements intended to ensure that the most valuable information assets are given the highest priority when managing risk

Relative values

What is a disadvantage of the one-on-one training method?

Resource intensive, to the point of being inefficient

The identification and assessment of levels of risk in an organization describes which of the following?

Risk analysis

What function includes identifying the sources of risk and may include offering advice on controls that can reduce risk?

Risk assessment

Section of the risk worksheet where someone enters the figure calculated by multiplying the asset impact and its likelihood

Risk-rating Factor

The _________ program is designed to reduce the occurrence of accidental security breaches by members of the organization

SETA

Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?

Security Model and Framework (Both A&B)

A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access

Security clearance

Which of the following specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle?

Security clearances

The InfoSec security principle that requires significant tasks to be split up so that more than one individual is required to complete them

Separation of duties

This is a number that uniquely identifies a specific device

Serial Number

Prohibits a subject of lower clearance from reading an object of higher clearance but allows a subject with higher clearance level to read an object at a lower level

Simple security property (read property)

Because licenses for software products are often tied to specific version numbers, geographic locations, or even specific users, this data may require specialized efforts to track

Software Licensing Data

This attribute includes information about software and firmware versions, and for hardware devices, the current field change order number

Software Version, Update Revision, or FCO Number

Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?

TCSEC

Combines the output from the information asset identification and prioritization with the threat identification and prioritization and identifies potential vulnerabilities in the "triples"; also incorporates extant and planned controls

TVA worksheet

Determining whether the organization already has or can acquire the technology necessary to implement and support them

Technical feasibility

Removing or discontinuing the information asset from the organization's operating environment

Termination

These play a key role in understanding how the organization needs to react to a successful attack, particularly in its plans for incident response, disaster recovery, and business continuity

attack scenarios

What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?

cost-benefit analysis

Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization

cost-benefit analysis (CBA)

______ channels are unauthorized or unintended methods of communications hidden inside a computer system, and include storage and timing channels.

covert

Unauthorized or unintended methods of communications hidden inside a computer system

covert channels

Assessing risks includes determining the ________ that vulnerable systems will be attacked by specific threats.

likelihood

The probability that a specific vulnerability within an organization will be the target of an attack

likelihood

Which of the following affects the cost of a control?

maintenance

Risk _______ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated

management

Which of the following is NOT a category of access control?

mitigating

The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is ______

mitigation

Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?

mitigation

The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation

mitigation risk control strategy

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?

monitoring and measurement

The _________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.

need to know

Which access control principle limits a user's access to the specific information required to perform the currently assigned task?

need to know

Which type of access controls can be role-based or task-based?

nondiscretionary

An examination of how well a particular solution fits within the organization's culture and the extent to which users are expected to accept the solution

operational feasibility

An examination of how well a particular solution fits within the organization's strategic planning objectives and goals

organizational feasibility

Examines how well the proposed InfoSec alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization

organizational feasibility

Which of the following is an example of a technological obsolescence threat?

outdated servers

In some corporate models, the list of risk management components may be simplified into these three groups

people, processes and technology

GGG security is commonly used to describe which aspect of security?

physical

Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?

planning

The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?

risk determination

The recognition, enumeration, and documentation of risks to an organization's information assets

risk identification

Within TCB, a conceptual piece of the system that manages access controls--in other words, it mediates all access to objects by subjects

reference monitor

As each information asset is identified, categorized, and classified, a ______ value must also be assigned to it.

relative

The risk to information assets that remains even after current controls have been applied

residual risk

An approach to combining risk identification, risk assessment, and risk appetite into a single strategy

risk analysis

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility

risk appetite

A formal document developed by the organization that specifies its overall willingness to accept risk to its information assets, based on a synthesis of individual risk tolerances

risk appetite statement

A determination of the extent to which an organization's information assets are exposed to risk

risk assessment

The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____

risk assessment estimate factors

The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level

risk management

Also known as risk tolerance

risk threshold

The assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization's overall risk appetite

risk tolerance

True or False: A person's security clearance is a personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access.

True

True or False: A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable

True

What is an advantage of the user support group form of training?

Usually conducted in an informal social setting

Section of the risk worksheet that lists each uncontrolled vulnerability

Vulnerability

Section of the risk worksheet that states the likelihood of the realization of the vulnerability by a threat agent as indicated in the vulnerability analysis step

Vulnerability Likelihood

Assigns a ranked value or impact weight to each information asset

Weighted criteria analysis worksheet

The process of assigning financial value or worth to each information asset

asset valuation

Project __________ is a description of a project's features, capabilities, functions, and quality level, used as the basis of a project plan

scope

To keep up with the competition organizations must design and create a ______ environment in which business processes and procedures can function and evolve effectively

secure

A SETA program consists of three elements: security education, security training, and _________

security awareness

To design a security program, an organization can use a(n) ________, which is a generic outline of the more thorough and organization-specific blueprint offered by a service organization.

security model

What is the most cost-effective method for disseminating security information and news to employees?

security newsletter

Which person would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?

security technician

At this stage of risk identification, managers identify the organization's information assets, classify and categorize them into useful groups, and prioritize them by overall importance

self examination

Risk identification begins with the process of what?

self examination

By multiplying the asset value by the exposure factor, you can calculate which of the following?

single loss expectancy

In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack. Also the product of the asset's value and the exposure factor

single loss expectancy (SLE)

A TCSEC-defined covert channel that communicates by modifying a stored object, such as in steganography

storage channels

An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking and personnel

technical feasibility

Advanced technical training can be selected or developed based on what?

technology product

The three methods for selecting or developing advanced technical training are by job category, by job function, and by _________

technology product

A time-release safe is an example of which type of access control?

temporal isolation

The risk control strategy that eliminates all risk associated with an information asset by removing it from service

termination risk control strategy

An evaluation of the threats to information assets, including a determination of their potential to endanger the organization

threat assessment

A TCSEC-defined covert channel that communicates by managing the relative timing of events

timing channels

The ________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.

transference

The risk control strategy that attempts to shift risk to other assets, other processes, and other organizations

transference risk control strategy

Under TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy

trusted computing base (TCB)

An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?

uncertainty

What is defined as specific avenues that threat agents can exploit to attack an information asset?

vulnerabilities

What is the final step in the risk identification process?

Listing assets in order of importance

Access controls that are implemented by a central authority

Nondiscretionary controls

Which piece of the Trusted Computing Base's security system manages access controls?

reference monitor

At the end of the risk identification process, an organization should have these two things

1. A prioritized list of assets and their vulnerabilities 2. A prioritized list of threats facing the organization

Four phases of Microsoft's security risk management process

1. Assessing risk 2. Conducting decision support 3. Implementing controls 4. Measuring program effectiveness

What are the three common approaches to implement the defense risk control strategy?

1. Application of Policy 2. Application of Training and Education 3. Implementation of Technology

What are the five basic strategies to control the risks that arise from vulnerabilities?

1. Defense 2. Transference 3. Mitigation 4. Acceptance 5. Termination

What are the three communities of interest in reducing risk?

1. General management 2. IT management 3. InfoSec management

What are the three communities of interest directly linked to managing the risks of information assets?

1. InfoSec 2. IT 3. Management and Users

What are the five levels of consequences?

1. Insignificant 2. Minor 3. Moderate 4. Major 5. Catastrophic

Five stages of the ISO 27005 risk management methodology

1. Risk assessment 2. Risk treatment 3. Risk acceptance 4. Risk communication 5. Risk monitoring and review

How many general categories of threats to InfoSec are there?

12

What are the five qualitative likelihood assessment levels?

A. Almost Certain B. Likely C. Possible D. Unlikely E. Rare

Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control

Acceptance

Maintained by means of a collection of policies, programs to carry out those policies and technologies that enforce policies

Access control

Regulate the admission of users into trusted areas of the organization

Access controls

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?

COBIT

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?

Calculating the severity of risks to which assets are exposed in their current setting

In lattice-based access control, the row of attributes associated with a particular subject (such as a user)

Capabilities table

Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?

Cost of prevention

Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk

Defense

In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?

Delphi

Access controls that are implemented at the discretion or option of the data user

Discretionary access controls (DACs)

An alternative to feasibility that occurs when an organization adopts a certain minimum level of security

Due care and Due diligence

An information attack that involves searching through a target organization's trash and recycling bins for sensitive information

Dumpster diving

True or False: The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy.

False

True or False: The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy.

False

True or False: The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.

False

True or False: Threats from insiders are more likely in a small organization than in a large one

False

True or False: The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures.

False

Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises

Field Change Order (FCO)

In InfoSec, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies, security education, and training programs, and technological controls. Also known as a security model

Framework

Must structure the IT and InfoSec functions in ways that will result in the successful defense of the organization's information assets, including data, hardware, software, procedures and people

General Management

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?

IP address

Must serve the IT needs of the broader organization and at the same time exploit the special skills and insights of the InfoSec community

IT management

What is a key component of a risk management strategy?

Identification, Classification and Prioritization of the organization's information assets

What is an advantage of the formal class method of training?

Interaction with trainer is possible

This attribute may be useful for network devices and servers at some organizations, but it rarely applies to software

Internet Protocol (IP) Address

What is true about a company's InfoSec awareness Web site?

It should be tested with multiple browsers

Requires identifying which information assets are valuable to the organization, categorizing and classifying those assets, and understanding how they are currently being protected

Knowing Yourself

Identifying, examining, and understanding the threats facing the organization's information assets

Knowing the Enemy

A variation on the MAC form of access control, which assigns users a matrix of authorizations for particular areas of access, incorporating the information assets of subjects (such as users) and objects

Lattice based access control

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary

Least privilege

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?

Legal management must develop corporate-wide standards

A required, structured data classification scheme that rates each collection of information as well as each user. These ratings are often referred to as sensitivity or classification levels

Mandatory access control (MAC)

This attribute can be useful for analyzing threat outbreaks when specific manufacturers announce specific vulnerabilities

Manufacturer Name

This number that identifies exactly what the asset is, can be very useful in the later analysis of vulnerabilities because some threats apply only to specific models of certain devices and/or software components

Manufacturer's Model or Part Number

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

Manufacturer's model or part number

The network operating system uses this number to identify specific network devices. The client's network software uses it to recognize traffic that it needs to process

Media Access Control (MAC) Address

Reducing the impact to information assets should an attacker successfully exploit a vulnerability

Mitigation

A nonprofit organization designed to support research and development groups that have received federal funding

Mitre

The principle of limiting users' access privileges to only the specific information required to perform their assigned tasks

Need-to-know

Which of the following is NOT a change control principle of the Clark-Wilson model?

No changes by authorized subjects without external validation

Refers to user acceptance and support, management acceptance and support and the system's compatibility with the requirements of the organization's stakeholders

Operational Feasibility

An InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls

Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE Method)

Which variable is the most influential in determining how to structure an information security program?

Organizational culture

Considers what can and cannot occur based on the consensus and relationships among the communities of interest

Political feasibility

What is true about the security staffing, budget, and needs of a medium-sized organization?

They have larger information security needs than a small organization

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

Threats-vulnerabilities-assets worksheet

Shifting risks to other areas or to outside entities

Transference

True or False: Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA).

True

True or False: Each organization has to determine its own project management methodology for IT and information security projects

True

True or False: Planners need to estimate the effort required to complete each task, subtask, or action step

True

True or False: The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know.

True

True or False: Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.

True

An older DoD system certification and accreditation standard that defines the criteria for assessing the access controls in a computer system. Also known as the rainbow series due to the color coding of the individual documents that made up the criteria

Trusted Computer System Evaluation Criteria (TCSEC)

Which of the following is NOT a valid rule of thumb on risk control strategy selection?

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.

The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation

acceptance risk control strategy

Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?

access control list

In a cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy

annualized loss expectancy (ALE)

In a cost benefit analysis, the expected frequency of an attack, expressed on a per-year basis

annualized rate of occurrence (ARO)

The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ____

appetite

Which of the following is not a step in the FAIR risk management framework?

assess control impact

An organization carries out a risk _________ function to evaluate risks present in IT initiatives and/or systems.

assessment

An alternative to feasibility that is derived by comparing measured actual performance against established standards for the measured category

baseline

The purpose of SETA is to enhance security in all but which of the following ways?

by adding barriers

Classification categories must be mutually exclusive and which of the following?

comprehensive

The information security _________ is usually brought in when the organization makes the decision to outsource one or more aspects of its security program.

consultant

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as what?

corrective

The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident

cost avoidance

A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it

data classification scheme

Application of training and education is a common method of which risk control strategy?

defense

The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. Also known as avoidance strategy

defense risk control strategy

Which control category discourages an incipient incident?

deterrent

What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?

documented control strategy

What is the criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards?

economic feasibility

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?

evaluating alternative strategies

As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ________ worksheet

factor analysis

Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information?

for official use only

What is the biggest problem in using a quantitative approach to risk determination?

guesstimation

Self examination in risk identification is used for...

identifying weaknesses and the threats they present

Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?

incident response plan

The NIST risk management approach includes all but which of the following elements?

inform

Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary?

least privilege

An examination of how well a particular solution fits within the organization's political environment

political feasibility

Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?

political feasibility

Which of the following attributes does NOT apply to software information assets?

product dimensions

_________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work

projectitis

An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures

qualitative assessment

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?

qualitative assessment of many risk components

What is the final summarized document of Risk Assessment?

ranked vulnerability risk worksheet

What is the SETA program designed to do?

reduce the incidence of accidental security breaches

An extreme level of risk tolerance whereby the organization is unwilling to allow any successful attacks or suffer any loss to an information asset

zero tolerance risk exposure
