Test 2 Management of InfoSec/Forensics
Likelihood
Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.
Single Loss Expectancy
By multiplying the asset value by the exposure factor, you can calculate ________________.
Control
In the COSO framework, ___________ activities include those policies and procedures that support management directives.
False
MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof. True or False?
True
The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack. True or False?
True
Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair. True or False?
Disaster Recovery Plan
Strategies to limit losses before and during a disaster are covered by what plan in the mitigation control approach?
Inform
The NIST risk management approach includes all but what element?
Appetite
The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.
Maintenance
What affects the cost of a control?
Risk Appetite
What can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
Mitigation
What describes an organization's efforts to reduce damage caused by a realized incident or disaster?
Manufacturer's Part Number
What distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
qualitative assessment of many risk components
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
Interaction with trainer is possible
What is an advantage of the formal class method of training?
Resource intensive, to the point of being inefficient
What is a disadvantage of the one-on-one training method?
MAC address
What is a network device attribute that is tied to the network interface?
IP Address
What is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
Estimate Control Strength
What is a step in Stage 2 - Evaluate Loss Event Frequency of the FAIR risk management framework?
Outdated Servers
What is an example of a technological obsolescence threat?
Vulnerabilities
What is defined as specific avenues that threat agents can exploit to attack an information asset?
Hire expert consultants
What is not a step in the process of implementing training?
Reduce the incidence of accidental security breaches
What is the SETA program designed to do?
Identify program scope, goals, and objectives
What is the first step in the process of implementing training?
Security Newsletter
What is the most cost-effective method for disseminating security information and news to employees?
Organizational Culture
What is the most influential in determining how to structure an information security program?
Cost-Benefit analysis
What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
Exploited
When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.
It should be tested with multiple browsers
Which of the following is true about a company's InfoSec awareness Web site?
Security clearances
Which of the following specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle?
Delphi
In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
threat
The __________ level and an asset's value should be a major factor in the risk control strategy selection.
Need-to-know
The ____________________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.
Centralized authentication
Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
Biba
Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones?
Defense
Application of training and education is a common method of which risk control strategy?
Relative
As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.
factor analysis
As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.
Corrective
Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?
Cost of Prevention
Determining the cost of recovery from an attack is one calculation that must be made to identify risk. What is the other?
Executive management must develop corporate-wide policies
Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest. Which of the following is not one of them?
False
Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. True or False?
True
Lattice-based access control specifies the level of access each subject has to each object, if any. True or False?
False
Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments. True or False?
Management
Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.
True
Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset. True or False?
False
Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. True or False?
True
Small organizations spend more per user on security than medium- and large-sized organizations. True or False?
True
The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication. True or False?
Risk Determination
The ISO 27005 Standard for Information Security Risk Management includes five stages including all but what?
InfoSec Community Analysis
The Microsoft Risk Management Approach includes four phases. What is NOT one of them?
Transferal
The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
SETA
The ____________________________ program is designed to reduce the incidence of accidental security breaches by members of the organization.
True
The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility. True or False?
Awareness
The goal of a security ____________________ program is to keep information security at the forefront of users' minds on a daily basis.
Risk Analysis
The identification and assessment of levels of risk in an organization describes _______________________________.
Consultant
The information security ____________________ is usually brought in when the organization makes the decision to outsource one or more aspects of its security program.
Calculating the risks to which assets are exposed in their current setting
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
Access Control Lists
Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?
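The Biba, lattice-based access control and ACL cards above describe the same mechanism from three angles: each subject and each object carries a level, the model's rules decide which operations a subject level may perform on an object level, and the column of the resulting subject/object matrix for one object is that object's access control list (the row for one subject is its capability table). The following Python is an added example written for this page, not code from the page's source text; the integrity levels, subject names and object names are constructed, and the lattice is a simple total order (real lattices can be partial orders with compartments, which this example does not model).

```python
"""Biba integrity rules over a (hypothetical) three-level lattice.

Added example; all labels below are constructed for illustration.
"""

# Integrity lattice: a total order here, higher number = more trustworthy.
LEVELS = {"low": 0, "medium": 1, "high": 2}

# Constructed subjects and objects with their integrity levels.
SUBJECTS = {"installer": "high", "webapp": "medium", "guest": "low"}
OBJECTS = {"kernel_config": "high", "app_data": "medium", "upload_dir": "low"}

OPERATIONS = ("read", "write")


def biba_permits(subject_level: str, object_level: str, op: str) -> bool:
    """Apply Biba's two properties.

    Simple integrity ("no read down"): a subject may only read objects at
    the same or a higher integrity level, so low-integrity data cannot
    contaminate a trusted subject.
    Star (*) integrity ("no write up"): a subject may only write objects at
    the same or a lower level, so an untrusted subject cannot corrupt
    trusted data.
    """
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


def access_matrix() -> dict:
    """Full subject x object matrix: matrix[subject][object] -> set of allowed ops."""
    return {
        subj: {
            obj: {op for op in OPERATIONS if biba_permits(s_lvl, o_lvl, op)}
            for obj, o_lvl in OBJECTS.items()
        }
        for subj, s_lvl in SUBJECTS.items()
    }


def acl(obj: str) -> dict:
    """The column for one object: which subjects may do what to it (its ACL)."""
    matrix = access_matrix()
    return {subj: row[obj] for subj, row in matrix.items() if row[obj]}


def capability_table(subj: str) -> dict:
    """The row for one subject: what it may do to each object."""
    return {obj: ops for obj, ops in access_matrix()[subj].items() if ops}


if __name__ == "__main__":
    for obj in OBJECTS:
        print(f"ACL for {obj} ({OBJECTS[obj]}):")
        for subj, ops in acl(obj).items():
            print(f"  {subj:10} {sorted(ops)}")
```

Note that Biba is the mirror image of the confidentiality-oriented Bell-LaPadula rules: the high-integrity `installer` cannot even read `upload_dir`, which is exactly the behaviour the "higher integrity levels are more worthy of trust" premise demands.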
False
Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data in the outside world. True or False?
True
Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges. True or False?
No changes by authorized subjects without external validation
What is NOT a change control principle of the Clark-Wilson model?
When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
What is NOT a valid rule of thumb on risk control strategy selection?
Uncertainty Percentage
What is NOT among the typical columns in the ranked vulnerability risk worksheet?
Listing assets in order of importance
What is the final step in the risk identification process?
Benefit
What is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk, and how much risk exists for the asset?
Documented control strategy
What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
Risk assessment
Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
Security Model
Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?
COBIT
Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute?
TCSEC
Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?
Security Awareness
A SETA program consists of three elements: security education, security training, and _____________________________.
False
A security blueprint is the outline of the more thorough security framework. True or False?
Builders
A study of information security positions found they can be classified into one of three types: ___________________________ are the real technical types, who create and install security solutions.
Uncertainty
An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
Assessment
An organization carries out a risk ______________________ function to evaluate risks present in IT initiatives and/or systems.
Assets
An organization's information security program refers to the structure and organization of the effort that strives to contain the risks to the information __________________ of the organization.
Comprehensive
Classification categories must be ____________________ and mutually exclusive.
Comprehensive
Classification categories must be mutually exclusive and _________________________.
Physical
GGG security is commonly used to describe which aspect of security?
False
Having an established risk management program means that an organization's assets are completely protected. True or False?
Risk assessment factors
The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability is the definition of __________________________________.
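The quantitative cards on this page (single loss expectancy, cost-benefit analysis, the risk rating factors formula, and the ranked vulnerability risk worksheet) are easier to trust once the arithmetic is carried through on real numbers. The block below is an added example, not code or figures from the page's source; every asset value, exposure factor, ARO, likelihood and percentage in it is constructed for illustration, and the risk rating follows the formula on the card above (likelihood x value, less the share mitigated by current controls, plus the share added for uncertainty).

```python
"""Worked risk-assessment arithmetic: SLE, ALE, CBA, risk rating, ranking.

Added example; all figures are constructed sample data, not from the text.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF is the fraction of value lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (expected events per year)."""
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(pre-control) - ALE(post-control) - annualized cost of the safeguard.

    A positive result means the control saves more than it costs per year.
    """
    return ale_prior - ale_post - acs


def risk_rating(likelihood: float, asset_value: float,
                pct_mitigated: float, pct_uncertainty: float) -> float:
    """Risk rating factor from the card above.

    (likelihood x value) minus the percentage of that product mitigated by
    current controls, plus the percentage added for uncertainty about the
    vulnerability.
    """
    base = likelihood * asset_value
    return base - base * pct_mitigated + base * pct_uncertainty


def rank_vulnerabilities(rows: list) -> list:
    """Build the ranked vulnerability risk worksheet, highest risk rating first.

    Each row is (asset, relative value, vulnerability, likelihood,
    fraction mitigated, uncertainty fraction).
    """
    worksheet = []
    for asset, value, vuln, likelihood, mitigated, uncertainty in rows:
        worksheet.append({
            "asset": asset,
            "value": value,
            "vulnerability": vuln,
            "likelihood": likelihood,
            "risk": risk_rating(likelihood, value, mitigated, uncertainty),
        })
    return sorted(worksheet, key=lambda r: r["risk"], reverse=True)


# Constructed sample: an asset worth 200,000 that loses half its value per
# incident about once every four years; a control cuts the loss to a quarter
# of the value and costs 8,000 per year.
def sample_cba() -> float:
    sle_prior = single_loss_expectancy(200_000, 0.5)
    ale_prior = annualized_loss_expectancy(sle_prior, 0.25)
    sle_post = single_loss_expectancy(200_000, 0.25)
    ale_post = annualized_loss_expectancy(sle_post, 0.25)
    return cost_benefit(ale_prior, ale_post, acs=8_000)


# Constructed sample worksheet rows (relative asset values on a 0-100 scale).
SAMPLE_ROWS = [
    ("Customer DB", 50, "unpatched DBMS", 1.0, 0.0, 0.10),
    ("Customer DB", 50, "weak admin password", 0.5, 0.5, 0.10),
    ("Web server", 100, "directory listing", 0.1, 0.0, 0.20),
]


if __name__ == "__main__":
    print(f"Annual net benefit of control: {sample_cba():,.0f}")
    for row in rank_vulnerabilities(SAMPLE_ROWS):
        print(f"{row['asset']:12} {row['vulnerability']:22} risk={row['risk']:.1f}")
```

The ranked worksheet is the final step of risk identification from the cards above: once the risk rating is computed per asset-threat pair, sorting by it tells you which vulnerabilities to treat first, and the CBA tells you whether a given control is economically feasible against that pair.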
By adding barriers
SETA enhances security in several ways. Which of the following is not one of them?
Mitigation
The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is ____________________ .
False
The security education, training, and awareness (SETA) program is designed to reduce the incidence of external security attacks. True or False?
Technology product
The three methods for selecting or developing advanced technical training are by job category, by job function, and by _____________________________.
False
Threats from insiders are more likely in a small organization than in a large one. True or False?
Security Model
To design a security blueprint, an organization can use a(n) ____________________, which is a generic blueprint offered by a service organization.
Need-to-know
Which access control principle limits a user's access to the specific information required to perform the currently assigned task?
Least Privilege
Which access control principle specifies that members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties?
Planning
Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?
Private
Which of the following is NOT one of the five levels in the U.S. military data classification scheme?
Covert
____________________ channels are unauthorized or unintended methods of communications hidden inside a computer system, and include storage and timing channels.
Assigning a value to each information asset
Two of the activities involved in risk management include identifying risks and assessing risks. What activity is part of the risk identification process?
Physical Location
What does NOT apply to software information assets?
Nondiscretionary
Which type of access controls can be role-based or task-based?