Information Security and Risk Management

Which of the following is the least sensitive data classification scheme? a. Unclassified b. Unclassified but sensitive c. Secret d. Confidential

Unclassified Choice (a) is the correct answer. Data that is not sensitive or classified is unclassified. This is least sensitive category while secret is the high sensitive category.

Data containing trade secrets is an example of which of the following data classification schemes? a. Classified b. Unclassified c. Unclassified but sensitive d. Confidential

Unclassified but sensitive Choice (c) is the correct answer. Classified category includes sensitive, confidential, secret, and top secret. Unclassified category is public information, while unclassified but sensitive category requires some protection as in the case of trade secrets.

An information technology operational plan answers all of the following questions except: a. How do we get there? b. When will it be done? c. What is our goal? d. Who will do it?

What is our goal? Choice (c) is the correct answer. An IT operational plan describes how the organization will implement the strategic plan. Usually, this plan answers the following questions: How do we get there? (choice a), When will it be done? (choice b), Who will do it? (choice d). What is our goal? (choice c) is answered by the strategic plan.

An effective mechanism for documenting and reporting business managers' risk determination is to require a: a. List of sign-off letters b. List of system vulnerabilities c. List of annual loss estimates d. List of system threats

List of sign-off letters Choice (a) is the correct answer. A sign-off letter requirement would help ensure that business managers carefully considered their decisions before finalizing them.

Residual risk is calculated as which of the following? a. Known risks minus unknown risks b. Actual risks minus probable risks c. Probable risks minus possible risks d. Potential risks minus covered risks

Potential risks minus covered risks Choice (d) is the correct answer. Potential risks include all possible and probable risks. Countermeasures cover some but not all potential risks.

Which of the following deals with detailed steps to accomplish a particular task? a. Policies b. Procedures c. Standards d. Guidelines

Procedures Choice (b) is the correct answer. Procedures are detailed steps to be followed by users and systems personnel to accomplish a particular task.

Which of the following assists in complying with others? a. A policy b. A procedure c. A standard d. A guideline

A procedure Choice (b) is the correct answer. Procedures normally assist in complying with applicable policies, standards, and guidelines since they deal with specific steps to carry out a specific task.

With respect to computer security, confidentiality does not mean which of the following? a. Non-repudiation b. Secrecy c. Privacy d. Sensitivity

Non-repudiation Choice (a) is the correct answer. Non-repudiation is a part of the integrity goal, while secrecy, privacy, sensitivity, and criticality are part of the confidentiality goal.

The time allowed to accomplish the risks analysis should be compatible with its: a. Facilities b. Equipment c. Software d. Objectives

Objectives Choice (d) is the correct answer. The time allowed to accomplish the risk analysis should be compatible with its objectives. Large facilities with complex, multi-shift operations and many files will require more time to complete than single-shift, limited production facilities.

The least effective technique in ensuring that new risks and policies are communicated is: a. Once-a-year memorandums b. Monthly bulletins c. Intranet websites d. New employee training sessions

Once-a-year memorandums Choice (a) is the correct answer. The security awareness manager will ensure that new risks and policies are communicated promptly and that employees are periodically reminded of existing policies through means such as monthly bulletins, an intranet web site, and presentations to new employees. Once-a-year memorandums are too infrequent, too formal, and ineffective.

A common technique for making an organization's IS systems security policies more useful is to distinguish between: a. Policies and procedures b. Policies and guidelines c. Principles and practices d. Policies and standards

Policies and guidelines Choice (b) is the correct answer. Policies generally outline fundamental requirements that top management consider to be imperative, while guidelines provide more detailed rules for implementing the broader policies. Guidelines, while encouraged, are not considered to be mandatory.

To ensure that IS security policies serve as the foundation of information systems security programs, organizations should link: a. policies to standards b. policies to business risks c. policies to procedures d. policies to controls

Policies to business risks Choice (b) is the correct answer. Developing a comprehensive set of policies is the first step in establishing an organization-wide security program. The policy should be linked to business risks and adjusted on a continuing basis to respond to newly identified risks or areas of misunderstanding.

Which of the following security goals is meant for "intended uses only"? a. Confidentiality b. Integrity c. Availability d. Accountability

Availability Choice (c) is the correct answer. Availability is for intended uses only and not for any other uses.

Which of the following is a prerequisite to IT security training? a. Certification b. Education c. Awareness d. Training

Awareness Choice (c) is the correct answer. Awareness, training, and education are all important processes for helping staff members carry out their roles and responsibilities for information technology security, but they are not the same. Awareness programs are a prerequisite to IT security training. Training is more formal and more active than awareness activities and is directed toward building knowledge and skills to facilitate job performance. Education integrates all of the security skills and competencies of the various functional specialists and adds a multi-disciplinary study of concepts, issues, and principles. Normally, organizations seldom require evidence of qualification or certification as a condition of appointment.

Unacceptable risk is which of the following? 1. Attacker's cost < gain 2. Loss anticipated > threshold 3. Attacker's cost > gain 4. Loss anticipated < threshold a. 1 and 2 b. 2 and 3 c. 1 and 4 d. 3 and 4

1 and 2 Choice (a) is the correct answer. Unacceptable risk is a situation where an attacker's cost is less than gain and where loss anticipated by an organization is greater than its threshold level. Choice (d) results in accepting the risk. The organization's goals should be to increase attacker's cost and to reduce an organization's loss.

Staffing decisions and hiring procedures are critical in solving computer-related security issues and problems. Which of the following is the correct sequence of steps involved in the staffing process? 1. Determining the sensitivity of the position 2. Defining the job duties 3. Filling the position 4. Determining the access levels a. 1, 2, 3, 4 b. 2, 4, 3, 1 c. 2, 4, 1, 3 d. 1, 4, 2 3

2, 4, 1, 3 Choice (c) is the correct answer. Personnel issues are closely linked to logical access controls. Early in the process of defining a position, security issues should be identified and dealt with. Once a position has been broadly defined (Step 2), the responsible supervisor should determine the type of computer access level needed for the position (Step 4). Knowledge of the job duties and access levels that a particular position will require is necessary for determining the sensitivity of the position. The responsible supervisor should correctly identify position sensitivity levels so that appropriate, cost-effective screening can be completed (Step 1). Once a position's sensitivity has been determined, the position is ready to be staffed. Background screening helps determine whether a particular individual is suitable for a given position (Step 3).

Which of the following is the correct sequence of steps to be followed in application software change control process? 1. Test the changes 2. Plan for changes 3. Initiate change request 4. Release software changes a. 1, 2, 3, and 4 b. 2, 1, 3, and 4 c. 3, 2, 1, and 4 d. 4, 3, 1, and 2

3, 2, 1, 4 Choice (c) is the correct answer. Any application software change must start with a change request from a functional user. An IT person will plan, test, and release the change after approved by the functional user.

To be useful, a risk assessment methodology should use: a. Complex methods b. Specialized software tools c. A simple process d. Technical experts

A simple process Choice (c) is the correct answer. A risk assessment methodology should be a relatively simple process that could be adapted to various organizational units and involves a mix of individuals with knowledge of the business operations and technical aspects of the organization's systems and security controls.

The amount of risk an organization can handle should be based on which of the following: a. Technological level b. Acceptable level c. Affordable level d. Measurable level

Acceptable level Choice (b) is the correct answer. Often, losses cannot be measured in monetary terms alone. Risk should be handled at an acceptable level for an organization. Both affordable and technological levels vary with the type of organization (e.g., small, medium, or large size; technology dependent or not).

The costs and benefits of security techniques should be measured in monetary terms where possible. Which of the following is the most effective means to measure the cost of addressing relatively frequent threats? a. Single-occurrence losses b. Annual loss expectancy c. Fatal losses d. Catastrophic losses

Annual loss expectancy Choice (b) is the correct answer. Annualized loss expectancy (ALE) is the estimated loss expressed in monetary terms at an annual rate, for example, dollars per year. The ALE for a given threat with respect to a given function or asset is equal to the product of the estimates of occurrence rate, loss potential, and vulnerability factor. Choice (a) is incorrect because a single-occurrence loss (SOL) is the loss expected to result from a single occurrence of a threat. It is determined for a given threat by first calculating the product of the loss potential and vulnerability factor for each function and asset with respect to the threat being analyzed. Then the products are summed to generate the SOL for the threat. Since the SOL does not depend on an estimate of the threat's occurrence rate, it is particularly useful for evaluating rare but damaging threats. If a threat's SOL estimate is unacceptably high, it is prudent risk management to take security actions to reduce the SOL to an acceptable level. Both fatal losses (choice c) and catastrophic losses (choice d) are big and rare. Fatal losses involve loss of human life and catastrophic loss incurs great financial loss. In short, ALE is useful for addressing relatively frequent threats while SOL and fatal or catastrophic losses address rare threats.

Which of the following meets the criteria for an IT strategic plan? a. Developing enterprise information technology models b. Initiating work process redesign c. Conducting business systems planning d. Assessing internal and external environment

Assessing internal and external environment d. Assessing internal and external environment Choice (d) is the correct answer. Strategic planning is long-range thinking. Planners apply analytic techniques, provides a framework for bounding the scope and presenting the results of long-range thinking. A strategic planning approach should foster strategic thinking and innovation, assess the organization's mission, vision, and strategies, define the IT mission, vision, and goals, and assess the internal and external environment. Internal influences are those that have implications for managing the organization such as customers, competitors, contractors, vendors, and user organizations (i.e., internal environment). External influences are broad in scope, imposed from the outside, and uncontrollable by the organization. An organization derives its challenges and opportunities from external influences such as financial community, governments, and industry (i.e., external environment). Choices (a), (b), and (c) are examples of IT approaches to augment the development of strategic plans and include enterprise IT models, work process redesign, and business systems planning. Enterprise models (choice a) provide a means for examining the current environment. They do not foster the development of an organizational direction (i.e., mission, vision). Hence, they do not meet the criteria for strategic planning. Choice (b) is incorrect. Work process redesign is synonymous with the following concepts: business reengineering, business process improvement, and business process design. This approach helps managers to define relationships and activities within the organization. Choice (c) is incorrect. Business systems planning is used to identify information requirements, but does not consider strategic methodologies. Information planning approaches do not study organizational cultural issues or provide a strategic work focus.

Which of the following areas of software configuration management is executed last? a. Identification b. Change control c. Status accounting d. Audit

Audit Choice (d) is the correct answer. There are four elements of configuration management. The first element is configuration identification (choice a), consisting of selecting the configuration items for a system and recording their functional and physical characteristics in technical documentation. The second element is configuration change control (choice b), consisting of evaluation, coordination, approval or disapproval, and implementation of changes to configuration items after formal establishment of their configuration identification. The third element is configuration status accounting (choice c), consisting of recording and reporting of information that is needed to manage a configuration effectively. The fourth element is software configuration audit (choice d), consisting of periodically performing a review to ensure that the SCM practices and procedures are rigorously followed. Auditing is performed last after all the elements are in place to determine whether they are properly working.

If manual controls over program changes were weak, which of the following controls would be effective? a. Automated software management b. Written policies c. Written procedures d. Written standards

Automated software management Choice (a) is the correct answer. In general, automated controls compensate for the weaknesses in or lack of manual controls. An automated software management system helps in strengthening controls by moving programs from production to test libraries and back. It minimizes human errors in moving wrong programs or forgetting to move the right ones. Written policies, procedures, and standards are equally necessary in manual and automated environments.

Who must bear the primary responsibility for determining the level of protection needed for IS resources? a. Information systems security specialists b. Business managers c. Security managers d. Systems auditors

Business managers Choice (b) is the correct answer. Business managers should bear the primary responsibility for determining the level of protection needed for information systems resources that support business operations. In this regard, business managers should be held accountable for managing the information security risks associated with their operations, much as they would for any other type of business risk.

The amount of security does not depend on which of the following? a. Business sense b. Good management practices c. Due diligence reviews d. Countermeasure costs

Countermeasure costs Choice (d) is the correct answer. Since there is no uniform standard or assessment method available currently, cost is only one factor of consideration. A due diligence review is an evaluation of an organization's internal control systems and operations prompted by a major acquisition or disposition or changes in management and operations.

Effective information security starts at which level? a. Auditor level b. Functional user level c. IT security analyst level d. CEO level

CEO level Choice (d) is the correct answer. Effective information security, to that matter any security, starts at the CEO level. This means having a policy on managing threats, responsibilities, and obligations, which will be reflected in employee conduct, ethics, and procurement policies and practices. Information security must be fully integrated into all relevant organizational policies, which can occur only when security consciousness exists at all levels.

Security training is usually not given to which of the following parties? a. Information systems security staff b. Functional users c. Computer operations staff d. Corporate security staff

Computer operations staff Choice (c) is the correct answer. The security training program should be specifically tailored to meet the needs of computer operations staff so that they can handle problems that have security implications.

Three major security goals promoted by ISC2 include which of the following? a. Usability, integrity, and availability b. Integrity, confidentiality, and authenticity c. Accuracy, assurance, and accountability d. Confidentiality, integrity, and availability

Confidentiality, integrity, and availability Choice (d) is the correct answer. Potential risks include all possible and probable risks. Countermeasures cover some but not all potential risks.

During the system design of data input control procedures, consideration should be least given to which of the following items? a. Authorization b. Validation c. Configuration d. Error notification

Configuration Choice (c) is the correct answer. Configuration management is a procedure for applying technical and administrative direction and monitoring to (1) identify and document the functional and physical characteristics of an item or system, (2) control any changes to such characteristics, and (3) record and report the change, process, and implementation status. Choices (a), (b), and (d) are incorrect. The authorization process may be manual or automated. All authorized transactions should be recorded and entered into the system for processing. Validation is ensuring that the entering data meets predefined criteria in terms of its attributes. Error notification is as important as error correction.

Which of the following is not part of risk analysis? a. Assets b. Threats c. Vulnerabilities d. Countermeasures

Countermeasures Choice (d) is the correct answer. Countermeasures and safeguards come after performing risk analysis. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Assets, threats, and vulnerabilities are part of risk analysis exercise.

From a risk management viewpoint, which of the following options is not acceptable? a. Accept the risk b. Assign the risk c. Avoid the risk d. Defer the risk

Defer the risk Choice (d) is the correct answer. Deferring risk means either ignoring the risk at hand or postponing the issue from further consideration. If the decision to defer the risk is a calculated one, it is hoped that management had the necessary data. "Accept the risk" is satisfactory when the exposure is small and the protection cost is high. "Assign the risk" is used when it costs less to assign the risk to someone else than to directly protect against it. "Avoid the risk" means placing necessary measures so that a security incident will not occur at all or so that a security event becomes less likely or costly.

Which of the following is not an example of a trade secret? a. Customer lists b. Supplier names c. Technical specifications d. Employee names

Employee names Choice (d) is the correct answer. In order to qualify as a trade secret, information must be of competitive value or advantage to the owner or his business. Trade secrets can include technical information and customer and supplier lists. Employee names do not come under the trade secret category since they are somewhat public information, requiring protection from recruiters.

Surveys and statistics indicate that the greatest threat to any computer system is: a. Untrained or negligent users b. Vendors and contractors c. Hackers and crackers d. Employees

Employees Choice (d) is the correct answer. Employees of all categories are the greatest threat to any computer system because they are trusted the most. They have access to the computer system, they know the physical layout of the area, and they could misuse the power and authority. Most trusted employees have an opportunity to perpetrate fraud if the controls in the system are weak. The consequence of untrained or negligent users (choice a) is the creation of errors and other minor inconveniences. Although vendors and contractors (choice b) are a threat, they are not as great as employees. With proper security controls, threats arising from hackers and crackers (choice c) can be minimized, if not completely eliminated. Hackers access computer systems for fun, while crackers cause major damage to computer systems.

Which of the following is a better method to ensure that IS security issues have received appropriate attention by senior management of an organization? a. Establish a technical-level committee b. Establish a policy-level committee c. Establish a control-level committee d. Establish a senior-level committee

Establish a senior-level committee Choice (d) is the correct answer. Some organizations have established senior-level committees to ensure that information technology issues, including information security, receive appropriate attention.

What should be the last step in a risk assessment process performed as a part of a business continuity plan? a. Consider possible threats b. Establish recovery priorities c. Assess potential impacts d. Evaluate critical needs

Establish recovery priorities Choice (b) is the correct answer. The correct sequence is a-c-d-b. First step: Possible threats include natural (e.g., fires, floods, earthquakes), technical (e.g., hardware/software failure, power disruption, communications interference), and human (e.g., riots, strikes, disgruntled employees, sabotage). Second step: Assess impacts from loss of information and services from both internal and external sources. This includes financial condition, competitive position, customer confidence, legal/regulatory requirements, and cost analysis to minimize exposure. Third step: Evaluate critical needs. This evaluation also should consider timeframes in which a specific function becomes critical. This includes functional operations, key personnel, information, processing systems, documentation, vital records, and policies and procedures. Final step: Establish priorities for recovery based on critical needs.

Establishing a data ownership program should be the responsibility of: a. Functional users b. Internal auditors c. Data processors d. External auditors

Functional users Choice (a) is the correct answer. Functional users own the data in computer systems. Therefore, they have an undivided interest and responsibility in establishing a data ownership program. Choices (b) and (d) are incorrect because internal/external auditors have no responsibility in establishing a data ownership program even though they recommend one. Choice (c) is incorrect because data processors are custodians of the users' data.

Which of the following is an optional requirement for organizations? a. Policies b. Procedures c. Standards d. Guidelines

Guidelines Choice (d) is the correct answer. Guidelines assist users, systems personnel, and others in effectively securing their systems. Guidelines are suggestive and are not compulsory within an organization.

When performing risk analysis, annual loss exposure is calculated as: a. Impact multiplied by frequency of occurrence b. Impact minus frequency of occurrence c. Impact plus frequency of occurrence d. Impact divided by frequency of occurrence

Impact multiplied by frequency of occurrence Choice (a) is the correct answer. Quantitative means of expressing both potential impact and estimated frequency of occurrence are necessary to perform a risk analysis. The essential elements of a risk analysis are an assessment of the damage that can be caused by an unfavorable event and an estimate of how often such an event may happen in a period of time. Because the exact impact and frequency cannot be specified accurately, it is only possible to approximate the loss with an annual loss exposure, which is the product of the estimated impact in dollars and the estimated frequency of occurrence per year. The product of the impact and the frequency of occurrence would be the statement of loss.

Establishing an IS security function program within an organization should be the responsibility of: a. Information systems management b. Internal auditors c. Compliance officers d. External auditors

Information systems management Choice (a) is the correct answer. Both IS management and functional user management have a joint and shared responsibility in establishing an information systems security function within an organization. It is because the functional user is the data owner and IS management is the data custodian. Internal/external auditors and compliance officers have no responsibility in actually establishing such a function although they make recommendations to management to establish such a function.

In which of the following planning techniques are the information needs of the organization defined? a. Strategic planning b. Tactical planning c. Operational planning d. Information systems planning

Information systems planning Choice (d) is the correct answer. Four types of planning help organizations identify and manage IS resources: strategic, tactical, operational, and information systems planning. IS planning is a special planning structure designed to focus organizational computing resource plans on its business needs. IS planning provides a three phased structured approach for an organization to systematically define, develop, and implement all aspects of its near- and long-term information needs. Strategic planning (choice a) defines the organization's mission, goal, and objectives. It also identifies the major computing resource activities the organization will undertake to accomplish these plans. Tactical planning (choice b) identifies, schedules, manages, and controls the tasks necessary to accomplish individual computing resource activities, using a shorter planning horizon than strategic planning. It involves planning projects, acquisitions, and staffing. Operational planning (choice c) integrates tactical plans and support activities and defines the short-term tasks that must be accomplished to achieve the desired results.

A key characteristic that should be common to all information systems security central groups is: a. Organizational reporting relationships b. Information systems security responsibilities c. Information systems security technical assistance d. Support received from other organizational units

Information systems security responsibilities Choice (b) is the correct answer. The two key characteristics that a security central group should have include (1) clearly defined information security responsibilities and (2) dedicated staff resources to carry out these responsibilities.

Which of the following is a somewhat stable document? a. Information technology strategic plan b. Information technology operational plan c. Information technology security plan d. Information technology training plan

Information technology strategic plan Choice (a) is the correct answer. The IT strategic plan sets the broad direction and goals for managing information within the organization and supporting the delivery of services to customers. It should be derived from and relate to the organization's strategic plan. The plan typically contains an IT mission statement, a vision describing the target IT environment of the future, an assessment of the current environment, and broad strategies for moving into the future. An IT strategic plan is a somewhat stable document. It does not require annual updates. An organization should periodically review and update this plan as necessary to reflect significant changes in the IT mission or direction. The strategies presented in the IT strategic plan provide the basis for the IT operational plan. Choice (b) is incorrect. An IT operational plan describes how the organization will implement the strategic plan. The operational plan identifies logical steps for achieving the IT strategic vision. It may present an implementation schedule, identify key milestones, define project initiatives, and include resources (e.g., funding and personnel) estimates. The operational plan should identify dependencies among the IT strategies and present a logical sequence of project initiatives to assure smooth implementation. Choices (c) and (d) are incorrect because they are components of the IT operational plan. Security plans (choice c) should be developed for an organization or an individual system. These plans document the controls and safeguards for maintaining information integrity and preventing malicious/accidental use, destruction, or modification of information resources within the organization. Training plans (choice d) document the types of training the IT staff will require to effectively perform their duties. The plans in choices (b), (c), and (d) are in a constant state of flux.

What can be done with the residual risk? a. It can be either assigned or accepted b. It can be either identified or evaluated c. It can be either reduced or calculated d. It can be either exposed or assessed

It can either be assigned or accepted Choice (a) is the correct answer. Residual risk is the remaining risk after countermeasures (controls) cover the risk population. The residual risk is either assigned to a third party (e.g., insurance company) or accepted by management as part of doing business. It may not be cost effective to further reduce residual risk.

A risk event that is an identifiable uncertainty is termed: a. Known unknown b. Unknown unknown c. Known known d. Unknown known

Known unknown Choice (a) is the correct answer. Known unknown fits the description. Choice (b) is incorrect because unknown is a risk event whose existence cannot be imagined. There is no risk in choice (c) because everything is known. Choice (d) is a distracter as it is a meaningless phrase.

Effective security measures cannot be maintained due to which of the following reasons? a. Lack of awareness b. Lack of a policy c. Lack of a procedure d. Lack of enforcement

Lack of enforcement Choice (d) is the correct answer. If employees see that management is not serious about security policy enforcement, they will not pay attention to security, thus minimizing its effectiveness.

Protection mechanisms defined in security design architecture include which of the following? a. Layering, abstraction, and data hiding b. Isolation, segmentation, and separation c. Security kernel, reference monitor, and system high d. Accountability, integrity, and confidentiality

Layering, abstraction, and data hiding Choice (a) is the correct answer. Layering, abstraction, and data hiding are part of security design architecture. All the other choices deal with security control architecture.

Which of the following is not an example of IT mission statements? a. Streamlining work processes through automation b. Maintaining reliability and timeliness of information c. Anticipating technological advances and problems d. Minimizing the cost to the organization by using information technology efficiently

Maintaining reliability and timeliness of information Choice (b) is the correct answer. The IT mission supports the organization's mission provided in its strategic plan. The IT mission statement identifies the basic concept of IT, the reason IT exists, and how IT supports the organization's mission. The IT mission statement may be examined three times during the planning process: at the beginning, after analyzing the current environment, and at the end. The IT organization collects, manages, controls, disseminates, and protects the information used by the organization. IT supports the organization's mission by streamlining work processes through automation (choice a), anticipating technological advances and problems (choice c), and minimizing the cost to the organization by using IT efficiently (choice d). Maintaining reliability and timeliness of information (choice b) is a goal statement. Goals specify objectives that support the organization's mission.

The focus of risk management is that risk must be: a. Eliminated b. Prevented c. Avoided d. Managed

Managed Choice (d) is the correct answer. Risk must be managed since it cannot be completely eliminated or avoided. Some risks cannot be prevented in a cost effective manner.

Risk management consists of risk assessment and risk mitigation. Which of the following is not an element of risk mitigation? a. Measuring risk b. Selecting appropriate safeguards c. Implementing and test safeguards d. Accepting residual risk

Measuring risk Choice (a) is the correct answer. The term risk management is commonly used to define the process of determining risk, applying controls to reduce the risk, and then determining if the residual risk is acceptable. Risk management supports two goals: measuring risk (risk assessment) and selecting appropriate controls that will reduce risk to an acceptable level (risk mitigation). Therefore, measuring risk is part of risk assessment. Choices (b) through (d) are incorrect because they are elements of risk mitigation. Risk mitigation involves three steps: determining those areas where risk is unacceptable; selecting effective safeguards, and valuating the controls; and determining if the residual risk is acceptable.

An important measure of success for any IT project is whether the: a. Project was completed on time b. Project was completed within budget c. Project manager has conserved organizational resources d. Project has achieved its projected benefits

Project has achieved its projected benefits Choice (d) is the correct answer. One of the critical attributes for successful IT investments requires that organizations should use projected benefits, not project completion on time and within budget as important measures of success for any IT project (choices a and b). Business goals should be translated into objectives, results-oriented measures of performance, both quantitative and qualitative, which can form the basis for measuring the impact of IT investments. Management regularly monitors the progress of ongoing IT projects against projected cost, schedule, performance, and delivered benefits. It does not matter whether the project manager has conserved organizational resources as long as the project has achieved its projected benefits (choice c). Achievement of choices (a), (b), and (c)) does not automatically achieve choice (d).

A risk analysis provides management all of the following except: a. Preventing the occurrence of a harmful event b. Reducing the impact of occurrence of a harmful event c. Ranking critical applications d. Recognizing that a potential for loss exists

Ranking critical applications Choice (c) is the correct answer. A risk analysis provides senior management with information to base decisions on whether it is best to prevent the occurrence of a harmful event, to reduce the impact of such occurrences, or to simply recognize that a potential for loss exists. The risk analysis should help managers compare the cost of the probable consequences to the cost of effective safeguards. Ranking critical applications comes after the risk analysis is completed. Critical applications are those without which the organization could not function. Proper attention should be given to ensuring that critical applications and software are sufficiently protected against loss.

What is the first thing to do upon unfriendly termination of an employee? a. Complete a sign-out form immediately b. Send employee to the accounting department for the last paycheck c. Remove the system access quickly d. Send employee to the human resource department for benefits status

Remove the system access quickly Choice (c) is the correct answer. Whether the termination is friendly or unfriendly, the best security practice is to disable the system access quickly. Out-processing often involves a sign-out form initialed by each functional manager with an interest in the separation of the employee. The sign-out form is a type of checklist. Sending the employee to the accounting and human resource departments may be done later.

A useful technique for impressing the users about the importance of organization-wide IS security policies is: a. Making policies available through the Internet b. Ensuring policies are available through physical bulletin boards c. Requiring a signed statement from all users that they have read the policies d. Ensuring policies are available through electronic bulletin boards

Requiring a signed statement from all users that they have read the policies Choice (c) is the correct answer. A statement is required from new users at the time access to information system resources was first provided and from all users periodically, usually once a year. Requiring a signed statement can serve as a useful technique for impressing on the users the importance of understanding organizational policies. In addition, if the user was later involved in a security violation, the statement can serve as evidence that he had been informed of organizational policies.

What should be done when an employee leaves an organization? a. Review of recent performance evaluation b. Review of human resource policies c. Review of non-disclosure agreements d. Review of organizational policies

Review of non-disclosure agreements Choice (c) is the correct answer. When an employee leaves an organization, he should be reminded of nondisclosure agreements that he signed upon his hiring. This agreement includes measures to protect confidential and proprietary information such as trade secrets and inventions.

A deviation from an organization-wide security policy means: a. Risk acceptance b. Risk assignment c. Risk reduction d. Risk containment

Risk acceptance Choice (a) is the correct answer. In order to deviate from an organization-wide security policy, the business unit management needs to prepare a letter explaining the reason for the deviation and recognizing and accepting the related risk.

Security safeguards and controls cannot do which of the following? a. Risk reduction b. Risk avoidance c. Risk elimination d. Risk analysis

Risk analysis Choice (d) is the correct answer. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Risks analysis is a management exercise performed before deciding on specific safeguards and controls. Choices (a), (b), and (c) are part of risk mitigation, which results from applying the selected safeguards and controls.

An information technology operational plan does not include: a. Risk assessment b. Project descriptions c. Project resource estimates d. Project implementation schedules

Risk assessment Choice (a) is the correct answer. Risk assessment is part of the IT strategic plan along with mission, vision, goals, environmental analysis, strategies, and critical success factors. Typically a strategic plan covers a five year time span and is updated annually. IT operational planning begins when strategic planning ends. During operational planning, an organization develops a realistic implementation approach for achieving its vision based on its available resources. An IT operational plan consists of three main parts: project descriptions (choice b), resource estimates (choice c), and implementation schedules (choice d). Depending upon its size and the complexity of its projects, an organization may also include the following types of documents as part of its operational plan: security plan summary, information plans, and information technology plans.

Risk is the possibility of something adverse happening to an organization. Which of the following step is the most difficult one to accomplish in a risk management process? a. Risk identification b. Risk assessment c. Risk mitigation d. Risk maintenance

Risk assessment Choice (b) is the correct answer. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. Risk management includes two primary and one underlying activities. Risk assessment and risk mitigation are the primary activities, and uncertainty analysis is the underlying one. Risk assessment, the process of analyzing and interpreting risk, is comprised of three basic activities: (1) determining the assessment's scope and methodology, (2) collecting and synthesizing data, and (3) interpreting the risk. A risk assessment can focus on many different areas such as: technical and operational controls to be designed into a new application and the use of telecommunications, a data center, or an entire organization. Because of the nature of the scope and the extent of risk assessment, it is the most difficult one to accomplish. Risk identification and maintenance (choices a and d) are not the most difficult to accomplish since they are the by-products of the risk assessment process. Risk mitigation (choice c) involves the selection and implementation of cost-effective security controls to reduce risk to a level acceptable to management, within applicable constraints. Again, risk mitigation comes after the completion of the risk assessment process.

Risk management is made up of primary and secondary activities. Which of the following is an example of a secondary activity? a. Risk data sources b. Risk assessment c. Risk mitigation d. Risk methodology

Risk data sources Choice (a) is the correct answer. Risk management must often rely on speculation, best guesses, incomplete data, and many unproven assumptions. The data are another source of uncertainty and are an example of a secondary activity. Data for risk analysis normally come from two sources: statistical data and expert analysis. Both have shortcomings. For example, the sample may be too small, or expert analysis may be subjective based on assumptions made. Risk assessment (choice b), the process of analyzing and interpreting risk, comprises three basic activities: (1) determining the assessment's scope and methodology, (2) collecting and synthesizing data, and (3) interpreting the risk. Risk mitigation (choice c) involves the selection and implementation of cost-effective security controls to reduce risk to a level acceptable to management, within applicable constraints. Risk methodology (choice d) is a part of risk assessment. It can be formal or informal, detailed or simplified, high or low level, quantitative (computationally based) or qualitative (based on descriptions or rankings), or a combination of these. No single method is best for all users and all environments. Choices (b), (c), and (d) are examples of primary activities.

Which of the following is the correct equation in risk management? a. Risk management = Risk research + Risk analysis b. Risk management = Risk analysis + Risk avoidance c. Risk management = Risk assessment + Risk mitigation d. Risk management = Risk transfer + Risk acceptance

Risk management = Risk assessment + Risk mitigation Choice (c) is the correct answer. Risk management includes risk assessment and risk mitigation. Risk assessment is also called risk analysis. Risk mitigation includes risk transfer, risk reduction, risk avoidance, and risk acceptance. Risk research is a part of risk analysis.

Selection and implementation of security controls refer to which of the following? a. Risks analysis b. Risk mitigation c. Risk assessment d. Risk management

Risk mitigation Choice (b) is the correct answer. Risk mitigation involves the selection and implementation of security controls to reduce risks to an acceptable level. Risk analysis is the same as risk assessment. Risk management includes both risk analysis and risk mitigation.

Which of the following is closely linked to risk acceptance? a. Risk detection b. Risk prevention c. Risk tolerance d. Risk correction

Risk tolerance Choice (c) is the correct answer. Risk tolerance is the level of risk an entity or a manager is willing to assume or accept in order to achieve a potential desired result. Some managers accept more risk than others due to their personal affinity toward risk.

Business data classification schemes usually do not include which of the following? a. Private b. Public c. For internal use only d. Secret

Secret Choice (d) is the correct answer. The data classification terms such as secret and top secret are used by government. The terms used in the other choices belong to business data classification scheme.

The scope of the information technology tactical plan does not include: a. Budget plans b. Application system development and maintenance plans c. Technical support plans d. Service objectives

Service objectives Choice (d) is the correct answer. Effective plans focus attention on objectives, help anticipate change and potential problems, serve as the basis for decision making, and facilitate control. IT plans are based on the overall organization's plans. The IT strategic, tactical, and operational plans provide direction and coordination of activities necessary to support mission objectives, ensure that the IT meets user requirements, and enable IT management to cope effectively with current and future changing requirements. Detailed plans move from abstract terms to closely controlled implementation schedules. Service objectives (choice d) are part of the IT operational plan along with performance objectives. Operational plans are based on the tactical plan but are more specific, providing a framework for daily activity. The focus of operational plans is on achieving service objectives. Tactical plans span approximately one year's time. Tactical plans address a detailed view of IT activities and focus on how to achieve IT objectives. Tactical plans include budgetary information detailing the allocation of resources or funds assigned to IT components. Often, the budget is the basis for developing tactical plans. The scope of an IT tactical plan includes budget plans (choice a), application system development and maintenance plans (choice b), and technical support plans (choice c).

Electronic-mail policy is an example of which of the following? a. Advisory policy b. Regulatory policy c. Specific policy d. Informative policy

Specific policy Choice (c) is the correct answer. Advisory, regulatory, and informative policies are broad in nature and cover many topics and areas of interest. E-mail policy is an example of specific policy dealing with communication between and among individuals.

There are many different ways to identify individuals or groups who need specialized or advanced training. Which of the following methods is least important to consider when planning for such training? a. Job categories b. Job functions c. Specific systems d. Specific vendors

Specific vendors Choice (d) is the correct answer. One method is to look at job categories (choice a), such as executives, functional managers, or technology providers. Another method is to look at job functions (choice b), such as system design, system operation, or system user. A third method is to look at the specific technology and products used, especially for advanced training for user groups and training for a new system (choice c). Specific vendors are least important during planning but important in implementation.

Which of the following security risk assessment techniques use a group of experts as the basis for making decisions or judgments? a. Risk assessment audits b. The Delphi method c. Expert systems d. Scenario-based threats

The Delphi method Choice (b) is the correct answer. The Delphi method is a group decision-making technique. The rationale for using this technique is that it is sometimes difficult to get a consensus on the cost or loss value and the probabilities of loss occurrence. Group members do not meet face-to-face. Rather, each group member independently and anonymously writes down suggestions and submits comments that are then centrally compiled. This process of centrally compiling the results and comments is repeated until full consensus is obtained. Risk assessment audits (choice a) are incorrect because these audits do not provide the same consensus as reached by a group of experts available in the Delphi method. Usually, audits are performed by one or two individuals, not by groups. Expert system (choice c) is incorrect because it is a computer-based system developed with the knowledge of human experts. It does not reach a consensus as a group of people. Scenario based threats (choice d) are incorrect because possible threats are identified based on scenarios by a group of people. However, it does not have the same consensus reached as in the Delphi method. The process of submitting results and comments make the Delphi method more useful than the other methods.

To overcome resistance to a change, which of the following approaches provide the best solution? a. The change is well planned b. The change is fully communicated c. The change is implemented in a timely way d. The change is fully institutionalized

The change is fully institutionalized Choice (d) is the correct answer. Managing change is a difficult process. People resist change due to a certain amount of discomfort that a change may bring. It does not matter how well the change is planned, communicated or implemented if it is not spread throughout the organization evenly. Institutionalizing the change means changing the climate of the company. This needs to be done in a consistent and orderly manner. Any major change should be done using a pilot approach. After a number of pilots have been successfully completed, it is time to use these success stories as levers to change the entire company.

Sensitivity criteria for a computer-based information system are not defined in terms of which of the following? a. The value of having an application system b. The cost of developing and maintaining an application system c. The value of having the needed information d. The cost of not having an application system

The cost of developing and maintaining an application system Choice (b) is the correct answer. Sensitivity criteria are largely defined in terms of the value of having, or the cost of not having, an application system or needed information.

Which of the following security objective is most important in a computer security program? a. The objective must be specific b. The objective must be clear c. The objective must be achievable d. The objective must be well defined

The objective must be achievable Choice (c) is the correct answer. The first step in the management process is to define security objectives for the specific system. A security objective needs to be more specific (choice a); it should be concrete and well defined (choice d). It also should be stated so that it is clear (choice b) and most importantly that the objective is achievable (choice c). An example of a security objective is that only individuals in the accounting and personnel departments are authorized to provide or modify information used in payroll processing.

In terms of information systems security, a risk is defined as which of the following combinations? a. Attack plus vulnerability b. Threat plus attack c. Threat plus vulnerability d. Threat plus breach

Threat plus vulnerability Choice (c) is the correct answer. A vulnerability is a weakness in security policy, procedure, personnel, management, administration, hardware, software, or facilities affecting security that may allow harm to an information system. The presence of a vulnerability does not in itself cause harm. It is a condition that may allow the information system to be harmed by an attack. A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction or modification of data or denial of service. An attack is an attempt to violate data security. A risk is the probability that a particular threat will exploit a particular vulnerability of a system. An exposure is an instance of vulnerability in which losses may result from the occurrence of one or more attacks. A countermeasure is any action, control, device, procedure, technique, or other measure that reduces the vulnerability of a threat to a system. A breach is the successful circumvention or disablement of a security control, with or without detection, which if carried to completion, could result in a penetration of the system.

With respect to computer security, integrity does not mean which of the following? a. Accuracy b. Authenticity c. Completeness d. Timeliness

Timeliness Choice (d) is the correct answer. Timeliness is a part of the availability goal, while accuracy, authenticity, and completeness are part of the integrity goal.

The main feature of software configuration management is: a. Tracing of all software changes b. Identifying individual components c. Using computer-assisted software engineering (CASE) tools d. Using compilers and assemblers

Tracing of all software changes Choice (a) is the correct answer. It is important to remember that software configuration management (SCM) is practiced and integrated into the software development process throughout the entire life cycle of the product. One of the main features of SCM is the tracing of all software changes. Choice (b) is incorrect because identifying individual components is a part of configuration identification function. The goals of configuration identification are (1) to create the ability to identify the components of the system throughout its life cycle and (2) to provide traceability between the software and related configuration identification items. Choices (c) and (d) are examples of technical factors. SCM is essentially a discipline applying technical and administrative direction and surveillance for managing the evolution of computer program products during all stages of development and maintenance. Some examples of technical factors include use of CASE tools, compilers, and assemblers.

Which of the following have similar structures and complementary objectives? a. Training and awareness b. Hackers and users c. Compliance and common sense d. Need-to-know and threats

Training and awareness Choice (a) is the correct answer. Training makes people learn new things and be aware of new issues and procedures. They have similar objectives, that is, to learn a new skill or knowledge. Hence, they complement with each other. Choice (b) is incorrect. A hacker is a person who attempts to compromise the security of an IT system, especially those whose intention is to cause disruption or obtain unauthorized access to data. On the other hand, a user has the opposite objective, to use the system to fulfill his job duties. Hence, they conflict with each other. Choice (c) is incorrect. Compliance means following the standards, rules, or regulations with no deviations allowed. On the other hand, common sense tells people to deviate when conditions are not practical. Hence, they conflict with each other. Choice (d) is incorrect. Need-to-know means a need for access to information to do a job. Threats are actions or events that, if realized, will result in waste, fraud, abuse, or disruption of operations. Hence, they conflict with each other.

Which of the following methods for handling a risk involves a third party? a. Accept risk b. Eliminate risk c. Reduce risk d. Transfer risk

Transfer risk Choice (d) is the correct answer. An insurance company or a third party is involved in transferring risk. All the other three choices do not involve a third party since they are handled within an organization.

When developing IS security policies, organizations should pay particular attention to which of the following? a. User education b. User awareness c. User behavior d. User training

User behavior Choice (c) is the correct answer. A relatively new risk receiving particular attention in organizational policies is user behavior. Some users may feel no compunction against browsing sensitive organizational computer files or inappropriate Internet sites if there is no clear guidance on what types of user behaviors are acceptable. These risks did not exist before the extensive use of networks, electronic mail, and the Internet.

Software configuration management should primarily address which of the following questions? a. How software evolves during system development? b. How software evolves during system maintenance? c. What constitutes a software product at any point in time? d. How a software product is planned?

What constitute a software product at any point in time? Choice (c) is the correct answer. Software configuration management (SCM) is a discipline for managing the evolution of computer products, both during the initial stages of development and through to maintenance and final product termination. Visibility into the status of the evolving software product is provided through the adoption of SCM on a software project. Software developers, testers, project managers, quality assurance staff, and the customer benefit from SCM information. SCM answers the following questions: (1) What constitutes the software product at any point in time? (2) What changes have been made to the software product? How a software product is planned, developed, or maintained does not matter because it describes the history of a software product's evolution (choices a, b, and d).

The effectiveness of a computer security policy can be compromised: a. When a policy is published b. When a policy is reexamined c. When a policy is tested d. When a policy enforcement is predictable

When a policy enforcement is predictable Choice (d) is the correct answer. Computer security policies should be made public but the actual enforcement procedures should be kept private. This is to prevent policy from being compromised when enforcement is predictable. The surprise element makes unpredictable enforcements more effective than predictable ones. Choice (a) is incorrect because policies should be published so that all affected parties are informed. Choice (b) is incorrect because policies should be routinely reexamined for workability. Choice (c) is incorrect because policies should be tested to ensure the accuracy of assumptions.