Chapter 7


The risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk treatment strategy, also known as the avoidance strategy. __________

False - defense

The risk treatment strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk treatment strategy. __________

False - transference

A risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.

a. defense risk treatment strategy

Which of the following determines how well the proposed InfoSec treatment alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization? a. organizational feasibility b. political feasibility c. technical feasibility d. behavioral feasibility

c

Which of the following risk treatment strategies describes an organization's attempt to shift risk to other assets, other processes, or other organizations? a. acceptance b. avoidance c. transference d. mitigation

c

A risk treatment strategy that indicates the organization is willing to accept the current level of risk, is making a conscious decision to do nothing to protect an information asset from risk, and accepts the outcome from any resulting exploitation.

c. acceptance risk treatment strategy

A security clearance is an access control model in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. __________

True

Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. __________

True

In information security, a security blueprint is a framework or security model customized to an organization, including implementation details. a. True b. False

True

Lattice-based access control specifies the level of access each subject has to each object, if any. a. True b. False

True

A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. __________

False - reference

The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties. __________

False - separation

The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility. a. True b. False

True

The quantity and nature of risk that organizations are willing to accept.

e. risk appetite

The __________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.

need to know

The __________ risk treatment strategy attempts to shift the risk to other assets, processes, or organizations.

transference (or transfer)

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a blueprint. __________

False - framework

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as required privilege. __________

False - least

The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures. __________

False - methods

In a cost-benefit analysis, the expected frequency of an attack expressed on a per-year basis is known as the annualized risk of likelihood. __________

False - occurrence

The ISO 27005 Standard for InfoSec Risk Management has a five-stage management methodology that includes risk treatment and risk communication. a. True b. False

True

The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know. __________

True

What is the result of subtracting the postcontrol annualized loss expectancy and the annualized cost of the safeguard from the precontrol annualized loss expectancy? a. cost-benefit analysis b. exposure factor c. single loss expectancy d. annualized rate of occurrence

a

Which of the following is a generic model for a security program? a. framework b. methodology c. security standard d. blueprint

a

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? a. COBIT b. COSO c. NIST d. ISO

a

An ATM that limits what kinds of transactions a user can perform is an example of which type of access control? a. content-dependent b. constrained user interface c. temporal isolation d. nondiscretionary

b

Application of training and education among other approach elements is a common method of which risk treatment strategy? a. mitigation b. defense c. acceptance d. transferal

b

By multiplying the asset value by the exposure factor, you can calculate which of the following? a. annualized cost of the safeguard b. single loss expectancy c. value to adversaries d. annualized loss expectancy

b

Each of the following is a commonly used quantitative approach for asset valuation EXCEPT: a. value to owners b. value to competitors c. value retained from past maintenance d. value to adversaries

b

The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as __________. a. probability estimate b. cost avoidance c. risk acceptance premium d. asset valuation

b

The goal of InfoSec is not to bring residual risk to __________; rather, it is to bring residual risk in line with an organization's risk appetite. a. de minimis b. zero c. its theoretical minimum d. below the cost-benefit break-even point

b

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk? a. analysis and adjustment b. review and reapplication c. monitoring and measurement d. evaluation and funding

c

The Microsoft Risk Management Approach includes four phases; which of the following is NOT one of them? a. conducting decision support b. implementing controls c. evaluating alternative strategies d. measuring program effectiveness

c

Which NIST publication describes the philosophical guidelines that the security team should integrate into the entire InfoSec process, beginning with "Security supports the mission of the organization"? a. SP 800-12, Rev. 1: An Introduction to Information Security (2017) b. SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems (2006) c. SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems (1996) d. SP 800-55, Rev. 1: Performance Measurement Guide for Information Security (2008)

c

Which of the following determines whether the organization already has or can acquire the technology necessary to implement and support the proposed treatment? a. organizational feasibility b. political feasibility c. technical feasibility d. operational feasibility

c

Which of the following is NOT a change control principle of the Clark-Wilson model? a. no changes by unauthorized subjects b. no unauthorized changes by authorized subjects c. no changes by authorized subjects without external validation d. the maintenance of internal and external consistency

c

Which of the following is not a step in the FAIR risk management framework? a. identify scenario components b. evaluate loss event frequency c. assess control impact d. derive and articulate risk

c

Which type of access controls can be role-based or task-based? a. constrained b. content-dependent c. nondiscretionary d. discretionary

c

In information security, a framework or security model customized to an organization, including implementation details, is a _________. a. security standard b. methodology c. security policy d. blueprint

d

In which technique does a group rate or rank a set of information, compile the results, and repeat until everyone is satisfied with the result? a. OCTAVE b. FAIR c. hybrid measures d. Delphi

d

Which of the following determines how well a proposed treatment will address user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders? a. behavioral feasibility b. political feasibility c. technical feasibility d. operational feasibility

d

Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information? a. confidential b. secret c. top secret d. for official use only

d

Which of the following is the original purpose of ISO/IEC 17799? a. Use within an organization to obtain a competitive advantage b. Implementation of business-enabling information security c. Use within an organization to ensure compliance with laws and regulations d. To offer guidance for the management of InfoSec to individuals responsible for their organization's security programs

d

Which of the following risk treatment strategies describes an organization's efforts to reduce damage caused by a realized incident or disaster? a. acceptance b. avoidance c. transference d. mitigation

d

Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion.

e. separation of duties

A process of assigning financial value or worth to each information asset.

h. asset valuation

A form of nondiscretionary control where access is determined based on the tasks assigned to a specified user.

h. task-based controls

Under TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy is known as the __________.

trusted computing base (TCB)

The defense risk treatment strategy may be accomplished by outsourcing to other organizations. a. True b. False

False

__________ is the financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident.

Cost avoidance

Although COBIT was designed to be an IT __________ and management structure, it includes a framework to support InfoSec requirements and assessment needs. a. governance b. policy c. auditing d. awareness

a

Treating risk begins with which of the following? a. an understanding of risk treatment strategies b. applying controls and safeguards that eliminate risk c. understanding the consequences of choosing to ignore certain risks d. rethinking how services are offered

a

The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk __________.

appetite

Which of the following is NOT a category of access control? a. preventative b. mitigating c. deterrent d. compensating

b

A time-release safe is an example of which type of access control? a. content-dependent b. constrained user interface c. temporal isolation d. nondiscretionary

c

Controls access to a specific set of information based on its content.

c. content-dependent access controls

The COSO framework is built on five interrelated components. Which of the following is NOT one of them? a. control environment b. risk assessment c. control activities d. InfoSec governance

d

The ISO 27005 Standard for Information Security Risk Management includes all but which of the following stages? a. risk assessment b. risk treatment c. risk communication d. risk determination

d

The process of assigning financial value or worth to each information asset is known as __________. a. probability estimate b. cost estimation c. risk acceptance premium d. asset valuation

d

What is the information security principle that requires significant tasks to be split up so that more than one individual is required to complete them? a. need-to-know b. eyes only c. least privilege d. separation of duties

d

When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being __________.

exploited

which of the following is NOT one of them? a. It was not as complete as other frameworks. b. The standard lacked the measurement precision associated with a technical standard. c. The standard was hurriedly prepared. d. It was feared it would lead to government intrusion into business matters.

f

The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.

f. cost-benefit analysis

Ratings of the security level for a specified collection of information (or user) within a mandatory access control scheme.

f. sensitivity levels

ISO/IEC 27001 provides implementation details on how to implement ISO/IEC 27002 and how to set up a(n) __________.

information security management system (ISMS)

Within TCB, a conceptual piece of the system that manages access controls—in other words, it mediates all access to objects by subjects—is known as a __________.

reference monitor

To keep up with the competition, organizations must design and create a __________ environment in which business processes and procedures can function and evolve effectively.

secure

__________ channels are unauthorized or unintended methods of communications hidden inside a computer system, including storage and timing channels.

Covert

Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. a. True b. False

False

The Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. a. True b. False

False

The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as minimal access. a. True b. False

False

The risk treatment strategy that indicates the organization is willing to accept the current level of risk and do nothing further to protect an information asset is known as the termination risk treatment strategy. __________

False - acceptance

__________ channels are TCSEC-defined covert channels that communicate by modifying a stored object, such as in steganography.

Storage

Because even the implementation of new technologies does not necessarily guarantee an organization can gain or maintain a competitive lead, the concept of __________ has emerged as organizations strive not to fall behind technologically. a. competitive disadvantage b. future shock c. competitive advantage d. innovation hedge

a

All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT: a. When a vulnerability exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being exploited. b. When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility. c. When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. d. When the potential loss is substantial, apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.

b

Each of the following is a recommendation from the FDIC when creating a successful SLA EXCEPT: a. determining objectives b. forecasting costs c. defining requirements d. setting measurements

b

Which control category discourages an incipient incident—e.g., video monitoring? a. preventative b. deterrent c. remitting d. compensating

b

Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? a. residual risk b. risk appetite c. risk assurance d. risk termination

b

Which of the following determines acceptable practices based on consensus and relationships among the communities of interest? a. organizational feasibility b. political feasibility c. technical feasibility d. operational feasibility

b

Which piece of the Trusted Computing Base's security system manages access controls? a. trusted computing base b. reference monitor c. covert channel d. verification module

b

Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"? a. Bell-LaPadula b. TCSEC c. ITSEC d. Common Criteria

b

Controls implemented at the discretion or option of the data user.

b. DAC

A risk treatment strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.

b. mitigation risk treatment strategy

As part of the CBA, __________ is the value to the organization of using controls to prevent losses associated with a specific vulnerability.

benefit

Each of the following is an item that affects the cost of a particular risk treatment strategy EXCEPT: a. cost of maintenance (labor expense to verify and continually test, maintain, train, and update) b. cost of development or acquisition (hardware, software, and services) c. cost of implementation (installing, configuring, and testing hardware, software, and services) d. cost of IT operations (keeping systems operational during the period of treatment strategy development)

d

Which international standard provides a structured methodology for evaluating threats to economic performance in an organization and was developed using the Australian/New Zealand standard AS/NZS 4360:2004 as a foundation? a. ISO 27001 b. ISO 27005 c. NIST SP 800-39 d. ISO 31000

d

Which of the following affects the cost of a control? a. liability insurance b. CBA report c. asset resale d. maintenance

d

Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones? a. Clark-Wilson b. Bell-LaPadula c. Common Criteria d. Biba

d

Access is granted based on a set of rules specified by the central authority.

d. rule-based access controls

A risk treatment strategy that eliminates all risk associated with an information asset by removing it from service.

d. termination risk treatment strategy

The approach known as the avoidance strategy is more properly known as the __________ risk treatment strategy.

defense

The risk treatment strategy that seeks to reduce the impact of a successful attack through the use of IR, DR, and BC plans is __________.

mitigation (or mitigate)

A progression is a measurement of current performance against which future performance will be compared. __________

False - baseline

Dumpster exploitation is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information. __________

False - diving

An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel, is known as operational feasibility. __________

False - technical

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks? a. qualitative assessment of many risk components b. quantitative valuation of safeguards c. subjective prioritization of controls d. risk analysis estimates

a

In information security, a framework or security model customized to an organization, including implementation details, is known as a template. __________

False - blueprint

In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as a user). __________

False - capabilities

In which form of access control is access to a specific set of information contingent on its subject matter? a. content-dependent access controls b. constrained user interfaces c. temporal isolation d. none of these

a

The Information Security __________ is a managerial model provided by an industry working group, National Cyber Security Partnership, which provides guidance in the development and implementation of organizational InfoSec structures and recommends the responsibilities that various members should have in an organization. a. Governance Framework b. Security Blueprint c. Risk Model d. Compliance Architecture

a

The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices primarily for __________. a. managing the development and operation of IT infrastructures b. operation of IT control systems to improve security c. managing the security infrastructure d. developing secure Web applications

a

This NIST publication provides information on the elements of InfoSec, key roles and responsibilities, an overview of threats and vulnerabilities, a description of the three NIST security policy categories, and an overview of the NIST RM Framework and its use, among other topics needed for a foundation in InfoSec. a. SP 800-12, Rev. 1: An Introduction to Information Security (2017) b. SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems (2006) c. SP 800-34, Rev. 1: Contingency Planning Guide for Federal Information Systems (2010) d. SP 800-55, Rev. 1: Performance Measurement Guide for Information Security (2008)

a

Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following? a. access control list b. capabilities table c. access matrix d. sensitivity level

a

Which access control principle limits a user's access to the specific information required to perform the currently assigned task? a. need-to-know b. eyes only c. least privilege d. separation of duties

a

A framework or security model customized to an organization, including implementation details.

a. blueprint

The selective method by which systems specify who may use a particular resource and how they may use it is called __________.

access control

Under the Common Criteria, which term describes the user-generated specifications for security requirements? a. Target of Evaluation (ToE) b. Protection Profile (PP) c. Security Target (ST) d. Security Functional Requirements (SFRs)

b

In information security, a framework or security model customized to an organization, including implementation details, is known as a(n) __________.

blueprint

An information attack that involves searching through a target organization's trash and recycling bins for sensitive information is known as __________. a. rubbish surfing b. social engineering c. dumpster diving d. trash trolling

c

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following? a. preventative b. deterrent c. corrective d. compensating

c

Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary? a. need-to-know b. eyes only c. least privilege d. separation of duties

c

Which of the following specifies the authorization level that each user of an information asset is permitted to access, subject to the need-to-know principle? a. discretionary access controls b. task-based access controls c. security clearances d. sensitivity levels

c

In the COSO framework, __________ activities include those policies and procedures that support management directives.

control

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a(n) __________.

framework

One of the TCSEC's covert channels, which communicate by modifying a stored object.

g. storage channel

A TCSEC-defined covert channel, which transmits information by managing the relative timing of events.

i. timing channel

Within TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.

j. TCB

The calculated value associated with the most likely loss from a single attack.

j. single loss expectancy

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is called __________.

least privilege

To design a security program, an organization can use a(n) __________, which is a generic outline of the more thorough and organization-specific blueprint.

security model framework

In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack (impact) is known as __________. It is the product of the asset's value and the exposure factor.

single loss expectancy (SLE)

The __________ risk treatment strategy eliminates all risk associated with an information asset by removing it from service.

termination

When vulnerabilities have been controlled to the degree possible, what is the remaining risk that has not been completely removed, shifted, or planned for? a. residual risk b. risk appetite c. risk assurance d. risk tolerance

a

Which of the following determines how well the proposed InfoSec treatment alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization? a. organizational feasibility b. political feasibility c. technical feasibility d. behavioral feasibility

a

Which of the following is NOT one of the methods noted for selecting the best risk management model? a. Use the methodology most similar to what is currently in use. b. Study known approaches and adapt one to the specifics of the organization. c. Hire a consulting firm to provide a proprietary model. d. Hire a consulting firm to develop a proprietary model.

a

Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as __________. a. annualized loss expectancy (ALE) b. cost-benefit analysis (CBA) c. single loss expectancy (SLE) d. annualized rate of occurrence (ARO)

b

Which alternative risk management methodology is a process promoted by the Computer Emergency Response Team (CERT) Coordination Center (www.cert.org) that has three variations for different organizational needs, including one known as ALLEGRO? a. OCTAVE b. FAIR c. ANDANTE d. DOLCE

a

Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data at the organization's competitors. a. True b. False

False

Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as cost-benefit analysis (CBA). __________

True

Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset. a. True b. False

True

The risk treatment strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk treatment strategy. __________

True

The risk treatment strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk treatment strategy. __________

True

Unlike many other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges. a. True b. False

True

The managerial tutorial equivalent of NIST SP 800-12, providing overviews of the roles and responsibilities of a security manager in the development, administration, and improvement of a security program, is NIST __________. a. SP 800-100: Information Security Handbook: A Guide for Managers (2007) b. SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems (2006) c. SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems (1996) d. SP 800-110, Rev. 1: Manager's Introduction to Information Security (2016)

a

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a __________. a. framework b. security plan c. security standard d. blueprint

a

NIST's Risk Management Framework follows a three-tiered approach, with most organizations working from the top down, focusing first on aspects that affect the entire organization, such as __________. a. governance b. information and information flows c. policy d. environment of operation

a

One of the most widely referenced InfoSec management models, known as Information Technology—Code of Practice for Information Security Management, is also known as __________. a. ISO 27002 b. IEC 27100 c. NIST SP 800-12 d. IEEE 801

a

The NIST risk management approach includes all but which of the following elements? a. inform b. assess c. frame d. respond

a

The __________ risk treatment strategy indicates the organization is willing to accept the current level of residual risk.

acceptance

Strategies to reestablish operations at the primary site after an adverse event threatens continuity of business operations are covered by which of the following plans in the mitigation control approach? a. incident response plan b. business continuity plan c. disaster recovery plan d. damage control plan

c

The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following? a. determined the level of risk posed to the information asset b. performed a thorough cost-benefit analysis c. determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset d. assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability

c

Which of the following is NOT a valid rule of thumb on risk treatment strategy selection? a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls. d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.

c

The __________ risk treatment strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards in an effort to change the likelihood of a successful attack on an information asset.

defense

The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident.

g. cost avoidance

An examination of how well a particular solution fits within the organization's strategic planning objectives and goals.

i. organizational feasibility

An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources is known as __________.

technical feasibility

