INT-2690: CISSP Chapter 1 Security & Risk Management Questions
How do you calculate residual risk?
(Threats x vulnerability x asset value) x controls gap
Which best describes a quantitative risk analysis?
A method that assigns monetary values to components in the risk assessment D. A method that
The new reinforced lock and cage serve as which of the following?
Physical controls
If the financial institution wants to force collusion to take place for fraud to happen successfully in this situation, what should Todd put into place?
Separation of duties
Which of the following is true about data breaches?
They may trigger legal or regulatory requirements
What is the Annualized Loss Expectancy (ALE)?
$48,000
What is the Single Loss Expectancy (SLE) for the facility suffering from a fire?
$480,000 is the correct answer. The annualized loss expectancy formula (SLE× ARO = ALE) is used to calculate the loss potential for one asset experiencing one threat in a 12-month period. The resulting ALE value helps to determine the amount that can be reasonably be spent in the protection of that asset. In this situation, the company should not spend over $480,000 on protecting this asset from the threat of fire. ALE values help organizations rank the severity level of the risks they face so they know which ones to deal with first and how much to spend on each.
What is the value of the firewall to the company?
-$3,000
What is the Annualized Rate of Occurrence (ARO)?
.1
Which of the following best describes what Susan needs to ensure the operations staff creates for proper configuration standardization?
Baselines
Why should the team that will perform and review the risk analysis information be made up of people in different departments?
Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible.
To better deal with computer crime, several legislative bodies have taken what steps in their strategy?
Broadened the definition of property to include data
Which is the most valuable technique when determining if a specific security control should be implemented?
Cost/benefits analysis
Which of the following is one of the most likely solutions that Susan will come up with and present to her boss?
Development of standards
Todd wants to be able to prevent fraud from taking place, but he knows that some people may get around the types of controls he puts into place. In those situations he wants to be able to identify when an employee is doing something suspicious. Which of the following incorrectly describes what Todd is implementing in this scenario and what those specific controls provide?
Dual control, which is an administrative detective control that can ensure that two employees must carry out a task simultaneously.
A CISSP canidate signs an ethics statement prior to taking the CISSP examination. Which of the following would be a violation of the (ISC)2 Code of Ethics that could cause the candidate to lose his or her certification
E-mailing information or comments about the exam to other CISSP candidates.
Which best describes the purpose of the ALE calculation?
Estimates the loss potential of a threat in a span of a year
Which of the following standards would be most useful to you in ensuring your information security management system follows industry best practices?
ISO/IEC 27000 series
When can executives be charged with negligence?
If they do not practice due care when protecting resources
The operating system access controls comprise which of the following?
Logical controls
Todd documents several fraud opportunities that the employees have at the financial institution so that management understands these risks and allocates the funds and resources for his suggested solutions. Which of the following best describes the control Todd should put into place to be able to carry out fraudulent investigation activity?
Mandatory vacations
The purpose of initiating emergency procedures right after a disaster takes place is to prevent loss of life and injuries, and to _______________.
Mitigate further damage
OCTAVE, NIST 800-30, and AS/NZS 4360 are different approaches to carrying out risk management within companies and organizations. What are the differences between these methods?
NIST 800-30 is IT based, while OCTAVE and AS/NZS 4360 are corporate based.
What is CobiT and where does it fit into the development of information security systems and security programs?
Open standards for control objectives
What is one of the first steps in developing a business continuity plan?
Perform a business impact analysis.
The fact that the server has been in an unlocked room marked "Room 1" for the last few years means the company was practicing which of the following?
Security through obscurity
Which factor is the most important item when it comes to ensuring security is successful in an organization?
Senior management support
Which of the following would you use to control the public distribution, reproduction, display and adaptation of an original white paper written by your staff?
Trademark
When is it acceptable to not take action on an identified risk?
When the cost of the countermeasure outweighs the value of the asset and potential loss.
What is the ISO/IEC 27799 standard?
A standard on how to protect personal health information
How much does the firewall save the company in loss expenses?
A. $62,000 is the correct answer. The firewall reduced the annualized loss expectancy (ALE) from $92,000 to $30,000 for a savings of $62,000. The formula for ALE is single loss expectancy × annualized rate of occurrence = ALE. Subtracting the ALE value after the firewall is implemented from the value before it was implemented results in the potential loss savings this type of control provides
Many privacy laws dictate which of the following rules?
Agencies cannot use collected data for a purpose different from what it was collected for.
Which of the following is the best way to illustrate to her boss the dangers of the current configuration issues?
Carry out a risk assessment.
Why is a truly quantitative risk analysis not possible to achieve?
Quantitative measures must be applied to qualitative elements
Which of the following describes the company's approach to risk management?
Risk mitigation
The term used to denote a potential cause of an unwanted incident, which may result in harm to a system or organization is
Threat
The international standards bodies ISO and IEC developed a series of standards that are used in organizations around the world to implement and maintain information security management systems. The standards were derived from the British Standard 7799, which was broken down into two main pieces. Organizations can use this series of standards as guidelines, but can also be certified against them by accredited third parties. Which of the following are incorrect mappings pertaining to the individual standards that make up the ISO/IEC 27000 series? i. ISO/IEC 27001 outlines ISMS implementation guidelines, and ISO/IEC 27003 outlines the ISMS program's requirements. ii. ISO/IEC 27005 outlines the audit and certification guidance, and ISO/IEC 27002 outlines the metrics framework. iii. ISO/IEC 27006 outlines the program implementation guidelines, and ISO/IEC 27005 outlines risk management guidelines. iv. ISO/IEC 27001 outlines the code of practice, and ISO/IEC 27004 outlines the implementation framework.
i, ii, iii, iv
Which of the following has an incorrect definition mapping? i. Civil (Code) Law - Based on previous interpretations of laws ii. Common Law - Rule-based law not precedence based iii. Customary Law - Deals mainly with personal conduct and patterns of behavior iv. Religious Law - Systems Based on religious beliefs of the region
i. Civil (Code) Law - Based on previous interpretations of laws ii. Common Law - Rule-based law not precedence based
he information security industry is made up of various best practices, standards, models, and frameworks. Some were not developed first with security in mind, but can be integrated into an organizational security program to help in its effectiveness and efficiency. It is important to know of all of these different approaches so that an organization can choose the ones that best fit its business needs and culture. Which of the following best describes the approach(es) that should be put into place if an organization wants to integrate a way to improve its security processes over a period of time? i. Information Technology Infrastructure Library should be integrated because it allows for the mapping of IT service process management, business drivers, and security improvement. ii. Six Sigma should be integrated because it allows for the defects of security processes to be identified and improved upon. iii. Capability Maturity Model should be integrated because it provides distinct maturity levels. iv. The Open Group Architecture Framework should be integrated because it provides a structure for process improvement.
ii, iii
