Chapter 2 Review questions
Who is ultimately responsible for the security of an asset? A. Asset owner B. Auditor C. Custodian D. Risk assessment team
A. Asset owner Some day-to-day responsibility may be passed down to the custodian; however, ultimately the owner is responsible.
After opening a new branch in the Midwest, your company is analyzing buying patterns to determine the relationship between various items purchased. Which of the following best describes this situation? A. Data mining B. Knowledge management C. Data warehouse D. Data standards
A. Data mining Data mining is the process of analyzing data to find and understand patterns and relationships in the data. Answers B, C, and D are incorrect. Knowledge management seeks to make intelligent use of all the knowledge in an organization. A data warehouse is a database that contains data from many different databases. Data standards provide consistent meaning to data shared among different information systems.
Which of the following is the most specific type of security document? A. Procedure B. Standard C. Policy D. Baseline
A. Procedure A procedure is a detailed, in-depth, step-by-step document that lays out exactly what is to be done. It's tied to specific technologies and devices. Standards are tactical documents; policies are high-level documents; and baselines are minimum levels of security that a system, network, or device must adhere to.
With which of the following assessment types do you not work with dollar values, which can make it difficult to communicate the results of the assessment to management? A. Qualitative B. Quantitative C. Numeric mitigation D. Red team
A. Qualitative Qualitative assessment is scenario driven and does not attempt to assign dollar values to components of the risk analysis. Quantitative assessment is based on dollar amounts. Both numeric mitigation and red team are distractors.
Which of the following is the top level of protection for commercial business classification? A. Secret B. Confidential C. Top secret D. Private
B. Confidential Confidential is the top level of data classification for commercial business classification. Answers A, C, and D are incorrect because secret and top secret are both part of the military classification, while private is a lower-level commercial business classification.
Which of the following does not describe an SED? A. Eases compliance B. Slows performance C. Eases use D. Provides strong security
B. Slows performance Self-encrypting hard drives offer many advantages, such as easing compliance issues with items like personally identifiable information. They are easy to use and offer strong encryption. Answer B is correct because SEDs do not slow down performance; they are actually integrated into the hardware and operate at full performance with no impact on user productivity.
Your company is considering implementing NIST 800-53. Which of the following terms refers to the process of modifying security controls to align with the mission of the organization? A. Standards selection B. Tailoring C. Scoping D. Conforming
B. Tailoring Tailoring refers to customizing a standard for an organization. Answers A, C, and D are incorrect: Standards selection involves determining which standard your organization will apply and follow. Scoping involves defining which portion of the standard will be applied. Conforming simply means complying with a standard or standards.
Which of the following endpoint security controls could have been used to potentially prevent malware such as Stuxnet, Conficker, and Flame? A. Implementing disk encryption B. Hardening edge devices C. Blocking removable media D. Enforcing application whitelisting
C. Blocking removable media Restricting removable media may have helped prevent infection from malware that is known to spread via thumb drive or other removable media, which was a propagation vector for all three. Answer A is incorrect because disk encryption protects data at rest and would not have stopped malware from being carried in and executed from an inserted drive. Answer B is incorrect because edge devices were not specifically targeted. Answer D is incorrect because enforcing application whitelisting would not have prevented advanced persistent threats from executing on local systems.
Which administrative process is driven by the need to protect sensitive data? A. Tailoring B. Scoping C. Information classification D. Asset classification
C. Information classification Organizations use information classification to assign value to information based on its impact should it be exposed or its sensitivity. Answers A, B, and D are incorrect as tailoring is modifying standards to an industry. Scoping is determining which portions of standards to apply. Asset classification is a system for assigning assets to groups, based on a number of common characteristics.
It is important to avoid a situation in which everyone is accountable but no one is responsible. In which of the following groups should a data owner be? A. End users B. Technical managers C. Senior management D. Everyone is responsible; therefore, all groups are owners
C. Senior management Senior management is the ultimate owner because these individuals are responsible for the asset and must answer if data is compromised. Although answer C is the best possible choice, it is important to realize that, in most cases, the data owner is a member of management but might not be the most senior executive within the organization. For example, the CFO would be the data owner for all financial data, the director of human resources would be the data owner for all HR data, and so on. All other answers are incorrect because end users, technical managers, and other employees are not typically the data owners.
Which of the following categories of control can include the logical mechanisms used to control access and authenticate users? A. Administrative B. Clerical C. Technical D. Physical
C. Technical Technical controls can be hardware or software. They are logical mechanisms used to control access and authenticate users, identify unusual activity, and restrict unauthorized access. Clerical is a nonexistent category, and all other answers are incorrect: Administrative controls are procedural, and physical controls include locks, guards, gates, and alarms.
Which of the following shows the proper order? A. Determine SLE, ARO, and ALE and then asset value. B. Determine asset value and then ARO, SLE, and ALE. C. Determine asset value and then SLE, ALE, and SLE. D. Determine asset value and then SLE, ARO, and ALE.
D. Determine asset value and then SLE, ARO, and ALE. The proper order is to determine the asset value and then SLE, ARO, and ALE. Answers A, B, and C are incorrect; they are not in the proper order.
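The chain in the order the answer gives, carried through to the decision it exists to support, as an added example that is not part of the original page. The functions compute SLE = AV x EF and ALE = SLE x ARO, then score a proposed safeguard as (ALE before - ALE after) - annual cost of the safeguard; the two scenarios, dollar figures and control effects are constructed for illustration.

```python
"""Quantitative risk analysis in the order the chapter gives:
asset value (AV) -> SLE -> ARO -> ALE, then a cost/benefit check on a safeguard.
Added example; the scenarios and dollar figures below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0..1)
    aro: float              # ARO: expected incidents per year


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: SLE = AV x EF, rounded to cents."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO, rounded to cents."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(single_loss * aro, 2)


def analyze(s: Scenario) -> dict:
    """Walk the chain in the required order: AV is fixed first, then SLE, ARO, ALE."""
    single_loss = sle(s.asset_value, s.exposure_factor)
    return {"av": s.asset_value, "sle": single_loss, "aro": s.aro,
            "ale": ale(single_loss, s.aro)}


def evaluate_control(s: Scenario, annual_cost: float,
                     new_ef: Optional[float] = None,
                     new_aro: Optional[float] = None) -> dict:
    """Value of a safeguard = (ALE before - ALE after) - annual cost of the safeguard.
    A control may lower the EF (less damage per incident), the ARO (fewer incidents),
    or both; a negative value means the control costs more than the risk it removes."""
    before = analyze(s)["ale"]
    after_scenario = Scenario(
        s.name,
        s.asset_value,
        s.exposure_factor if new_ef is None else new_ef,
        s.aro if new_aro is None else new_aro,
    )
    after = analyze(after_scenario)["ale"]
    value = round((before - after) - annual_cost, 2)
    return {"ale_before": before, "ale_after": after,
            "value": value, "worthwhile": value > 0}


# Constructed scenarios (not from the original page)
FILE_SERVER = Scenario("file server hit by ransomware", 150_000, 0.4, 0.5)
LAPTOP = Scenario("executive laptop stolen", 20_000, 1.0, 0.1)

if __name__ == "__main__":
    for s in (FILE_SERVER, LAPTOP):
        print(s.name, analyze(s))
    # Offline backups for the file server: $8,000/yr, cut EF from 0.4 to 0.1
    print(evaluate_control(FILE_SERVER, annual_cost=8_000, new_ef=0.1))
    # Laptop tracking service: $5,000/yr, cut ARO from 0.1 to 0.02
    print(evaluate_control(LAPTOP, annual_cost=5_000, new_aro=0.02))
```

The rounding to cents is deliberate: these are dollar figures, and it also keeps comparisons between computed values stable. Note that the same ALE can come from a high-EF, low-ARO event or a low-EF, high-ARO one, which is why the control evaluation lets you change either factor.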
You need to provide protection for sensitive information that will be transmitted between two business units, and you decide to use link encryption. Which of the following statements is incorrect? A. The data packet is encrypted along the communication path. B. The data packet is protected from eavesdropping and sniffing. C. Headers are in plaintext. D. Everything is encrypted from source to destination along the journey.
D. Everything is encrypted from source to destination along the journey. Link encryption encrypts the whole packet on each individual link, but every intermediate node must decrypt it to read the header and forward it, then re-encrypt it for the next link; the data is therefore exposed at each node and is not protected end to end from source to destination. Answers A, B, and C are incorrect because they are true statements concerning link encryption: the packet is encrypted along each communication path, it is protected from eavesdropping and sniffing on the wire, and the headers are in plaintext at every intermediate node. End-to-end encryption is the opposite case: the payload stays encrypted from source to destination, while the headers are in plaintext on the wire so that nodes can route.
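To make the difference concrete, here is an added example (not from the original page) that walks one packet through a three-node path under both schemes and records what each observer can read. The header, payload, node names and keys are constructed, and the cipher is a toy HMAC-SHA256 stream cipher with a fixed nonce, used only so the example runs offline; it is not a secure construction.

```python
"""Link encryption versus end-to-end encryption on a multi-hop path.
Added example with constructed data; uses a toy HMAC-based stream cipher
(fixed nonce, no authentication) purely to show what each observer can read."""
import hashlib
import hmac

# Constructed packet: routing header followed by the sensitive payload
HEADER = b"src=10.0.1.5 dst=10.0.9.7 proto=tcp seq=4411 "
PAYLOAD = b"quarterly results: revenue down 12 percent"

PATH = ["source", "relay", "destination"]          # three nodes, two links
LINK_KEYS = {                                       # one key per physical link
    ("source", "relay"): b"link-key-source-relay",
    ("relay", "destination"): b"link-key-relay-destination",
}
E2E_KEY = b"key-shared-only-by-the-endpoints"       # the relay never holds this


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Demo only: the fixed nonce used below is
    reused across frames, which a real system must never do."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def crypt(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, b"demo-nonce", len(data))))


def link_encryption(header: bytes, payload: bytes, path) -> dict:
    """Each hop encrypts the entire frame, header included, with that link's key.
    The next node must decrypt all of it to read the header and forward the frame,
    so every intermediate node holds the full plaintext."""
    seen = {}
    frame = header + payload
    for a, b in zip(path, path[1:]):
        on_wire = crypt(frame, LINK_KEYS[(a, b)])
        seen[f"wire {a}->{b}"] = on_wire
        frame = crypt(on_wire, LINK_KEYS[(a, b)])   # node b decrypts the whole frame
        seen[f"node {b}"] = frame
    return seen


def end_to_end_encryption(header: bytes, payload: bytes, path) -> dict:
    """Only the payload is encrypted, once, by the source; the header stays in
    plaintext on every link so relays can route without holding the key."""
    seen = {}
    frame = header + crypt(payload, E2E_KEY)
    for a, b in zip(path, path[1:]):
        seen[f"wire {a}->{b}"] = frame
        seen[f"node {b}"] = frame                    # relays forward it untouched
    seen[f"node {path[-1]}"] = header + crypt(frame[len(header):], E2E_KEY)
    return seen


def exposed(seen: dict, observer: str, secret: bytes) -> bool:
    """True if the given observer can read the secret in the clear."""
    return secret in seen[observer]


if __name__ == "__main__":
    for name, scheme in (("link", link_encryption), ("end-to-end", end_to_end_encryption)):
        seen = scheme(HEADER, PAYLOAD, PATH)
        for observer in seen:
            print(f"{name:11} {observer:24} header={exposed(seen, observer, HEADER)!s:5} "
                  f"payload={exposed(seen, observer, PAYLOAD)}")
```

Running it shows the trade-off the question is getting at: under link encryption a sniffer on either wire sees neither header nor payload, but the relay sees both; under end-to-end encryption the wire and the relay both see the header, and only the destination recovers the payload. Combining the two (end-to-end for the payload, link encryption on untrusted hops) is how the header exposure is closed in practice.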
Which of the following SAN solutions is fast, rides on top of Ethernet, and is non-routable? A. SCSI B. iSCSI C. HBA D. FCoE
D. FCoE Fibre Channel over Ethernet (FCoE) can operate at speeds of 10 Gbps and encapsulates Fibre Channel frames directly in Ethernet frames at Layer 2, without IP. While it is fast, that is also its disadvantage: it is non-routable and must stay within a single Layer 2 network. Answers A, B, and C are incorrect. SCSI is used for local devices only. iSCSI is a SAN standard that carries SCSI commands over TCP/IP, so unlike FCoE it can be routed; it is used for connecting data storage facilities and allowing remote SCSI devices to communicate. An HBA (host bus adapter) is the interface card used to connect a host system to an enterprise storage device.
Which of the following levels does the military classification system include? A. Confidential, private, sensitive, and public B. Top secret, secret, private, sensitive, and public C. Top secret, confidential, private, sensitive, and unclassified D. Top secret, secret, confidential, sensitive, and unclassified
D. Top secret, secret, confidential, sensitive, and unclassified The military data classification system is widely used within the Department of Defense. This system has five levels of classification (from lowest sensitivity to highest): unclassified, sensitive, confidential, secret, and top secret.