CH 5
1. The upper management of an organization must structure the IT and information security functions to defend the organization's information assets. t/f
t
86. Using the simplified information classification scheme outlined in the text, all information that has been approved by management for public release has a(n) ____________________ classification.
Correct Answer(s): a. external
82. ____________________ is the process of identifying risk, as represented by vulnerabilities, to an organization's information assets and infrastructure, and taking steps to reduce this risk to an acceptable level.
Correct Answer(s): a. Risk management
92. You can determine the relative risk for each of the organization's information assets using a process called risk ____________________.
Correct Answer(s): a. assessment
93. ____________________ is the probability that a specific vulnerability within an organization's assets will be successfully attacked.
Correct Answer(s): a. Likelihood
98. Cost ____________________ is the process of preventing the financial impact of an incident by implementing a control.
Correct Answer(s): a. avoidance
103. A(n) ____________________ is a performance value or metric used to compare changes in the object being measured.
Correct Answer(s): a. baseline
88. A(n) ____________________ policy requires that employees secure all information in appropriate storage containers at the end of each day.
Correct Answer(s): a. clean desk
104. ____________________ feasibility analysis is an assessment of which controls can and cannot occur based on the consensus and relationships among communities of interest.
Correct Answer(s): a. Political
102. ____________________ measures are generally less focused on numbers and are more strategic than metrics-based measures.
Correct Answer(s): a. Process-based
81. ____________________ involves three major undertakings: risk identification, risk assessment, and risk control.
Correct Answer(s): a. Risk management
95. The ____________________ risk control strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
Correct Answer(s): a. defense
99. A single loss ____________________ is the calculation of the value associated with the most likely loss from an attack.
Correct Answer(s): a. expectancy
94. The combination of an asset's value and the percentage of the asset that might be lost in an attack is known as the loss ____________________.
Correct Answer(s): a. magnitude
96. The ____________________ control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.
Correct Answer(s): a. mitigation
87. Overriding an employee's security clearance requires that the employee meet the _________________________ standard.
Correct Answer(s): a. need-to-know b. need to know
105. Behavioral feasibility is also known as ____________________.
Correct Answer(s): a. operational feasibility
101. The difference between an organization's observed and desired performance is often referred to as a ____________________.
Correct Answer(s): a. performance gap
84. When deciding which information assets to track, consider the following asset attributes: people, ____________________, data, software, and hardware.
Correct Answer(s): a. procedures
90. After identifying and performing the preliminary classification of an organization's information assets, the analysis phase moves on to an examination of the ____________________ facing the organization.
Correct Answer(s): a. threats
91. Once the inventory and value assessment are complete, you can prioritize each asset using a straightforward process known as ____________________ analysis.
Correct Answer(s): a. weighted factor b. weighted table
108. What is a cost-benefit analysis (CBA) and how can it be calculated?
Cost-benefit analysis (CBA) is a technique used to compare the total costs of a programme/project with its benefits, using a common metric (most commonly monetary units). This enables the calculation of the net cost or benefit associated with the programme.
16. The threats-vulnerabilities-assets (TVA) worksheet is a document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings. t/f
t
18. If the acceptance strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and may portray an apathetic approach to security in general. t/f
t
21. Some information security experts argue that it is virtually impossible to determine the true value of information and information-bearing assets. t/f
t
10. A data classification scheme is a formal access control methodology used to assign a level of availability to an information asset and thus restrict the number of people who can access it. t/f
f
11. A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on them. t/f
f
17. The defense control strategy is the risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards, but it is not the preferred approach to controlling risk. t/f
f
20. In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with the most likely loss from an attack; the SLE is the product of the asset's value and the annualized loss expectancy. t/f
f
15. You cannot use qualitative measures to rank information asset values. t/f
f
76. __________ is simply how often you expect a specific type of attack to occur. a. ARO b. CBA c. ALE d. SLE
*a. ARO
78. __________ is an asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures. a. Qualitative assessment b. A metric-centric model c. Quantitative assessment d. A value-specific constant
*a. Qualitative assessment
56. The concept of competitive _________ refers to falling behind the competition. a. disadvantage b. drawback c. failure d. shortcoming
*a. disadvantage
68. The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range is called the __________. a. loss frequency b. annualized loss expectancy c. likelihood d. benefit of loss
*a. loss frequency
77. The __________ is the difference between an organization's observed and desired performance. *a. performance gap b. objective c. issue delta d. risk assessment
*a. performance gap
58. The first phase of risk management is _________. a. risk identification b. design c. risk control d. risk evaluation
*a. risk identification
64. A _________ assigns a status level to employees to designate the maximum level of classified data they may access. a. security clearance scheme b. data recovery scheme c. risk management scheme d. data classification scheme
*a. security clearance scheme
71. The __________ control strategy attempts to shift risk to other assets, other processes, or other organizations. a. transference b. defense c. acceptance d. mitigation
*a. transference
75. The formal decision-making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) __________. a. ARO b. CBA c. ALE d. SLE
*b. CBA
74. __________ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the flood waters recede. a. IR b. DR c. BC d. BR
*b. DR
61. A(n) _________ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment. a. IP b. FCO c. CTO d. HTTP
*b. FCO
69. _________ equals the probability of a successful attack multiplied by the expected loss from a successful attack plus an element of uncertainty. a. Loss magnitude b. Risk c. Loss frequency d. Loss
*b. Risk
59. Risk _________ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. a. benefit b. appetite c. acceptance d. avoidance
*b. appetite
57. Risk _________ is the application of security mechanisms to reduce the risks to an organization's data and information systems. a. management b. control c. identification d. security
*b. control
70. The _________ control strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. a. termination b. defense c. transference d. mitigation
*b. defense
66. Some people search trash and recycling bins—a practice known as _________—to retrieve information that could embarrass a company or compromise information security. a. shoulder surfing b. dumpster diving c. pretexting d. corporate espionage
*b. dumpster diving
72. The __________ plan specifies the actions an organization can and should take while an adverse event is in progress. An adverse event could result in loss of an information asset or assets, but it does not currently threaten the viability of the entire organization. a. BC b. DR c. IR d. BR
*c. IR
80. __________ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders. a. Organizational b. Technical c. Operational d. Political
*c. Operational
63. Federal agencies such as the NSA, FBI, and CIA use specialty classification schemes. For materials that are not considered "National Security Information," __________ data is the lowest-level classification. a. sensitive b. confidential c. unclassified d. public
*c. unclassified
67. In a(n) __________, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking those scores. a. threat assessment b. risk management program c. weighted factor analysis d. data classification scheme
*c. weighted factor analysis
65. Management of classified data includes its storage and _________. a. distribution b. portability c. destruction d. All of the above
*d. All of the above
60. _________ addresses are sometimes called electronic serial numbers or hardware addresses. a. HTTP b. IP c. DHCP d. MAC
*d. MAC
73. The __________ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. a. defense b. transference c. mitigation d. acceptance
*d. acceptance
62. A(n) _________ is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it. a. security clearance scheme b. data recovery scheme c. risk management scheme d. data classification scheme
*d. data classification scheme
79. When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as __________. a. baselining b. best practices c. benchmarking d. standards of due care
*d. standards of due care
89. ____________________ is the process of assigning financial value or worth to each information asset.
Correct Answer(s): a. Asset valuation b. Information asset valuation
97. Of the three types of mitigation plans, the ____________________ plan is the most strategic and long-term, as it focuses on the steps to ensure the continuation of the organization.
Correct Answer(s): a. BC b. Business Continuity c. BC (business continuity) d. business continuity (BC)
100. ____________________ is the process of comparing other organizations' activities against the practices used in one's own organization to produce results it would like to duplicate.
Correct Answer(s): a. Benchmarking
85. ____________________ components account for the management of information in all its states: transmission, processing, and storage.
Correct Answer(s): a. Data b. Information
83. ____________________ include information and the systems that use, store, and transmit information.
Correct Answer(s): a. Information assets
106. One of the first components of risk identification is identification, inventory, and categorization of assets, including all elements, or attributes, of an organization's information system. List and describe these asset attributes.
People comprise employees and nonemployees. Procedures fall into two categories: IT and business standard procedures, and IT and business sensitive procedures. Data components account for the management of information in all its states: transmission, processing, and storage. Software components are assigned to one of three categories: applications, operating systems, or security components. Hardware is assigned to one of two categories: the usual systems devices and their peripherals, and the devices that are part of information security control systems. Hardware components are separated into two categories: devices and peripherals, and networks.
107. When valuing information assets, what criteria could be considered in establishing or determining the value of the assets?
Which information asset is most critical to the organization's success? Which information asset generates the most revenue? Which of these assets plays the biggest role in generating revenue or delivering services? Which information asset would be the most expensive to replace? Which information asset would be the most expensive to protect? Which information asset would most expose the company to liability or embarrassment if revealed?
22. Cost-benefit analyses (CBAs) cannot be calculated after controls have been functioning for a time, as observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended. t/f
f
23. Process-based measures are performance measures that are focused on numbers and are less strategic than metric-based measures. t/f
f
25. A best practice proposed for a small to medium-sized business will be similar to one used to help design control strategies for a large multinational company. t/f
f
26. One advantage to benchmarking is that best practices change very little over time.
f
27. Baselining is the comparison of past security activities and events against the organization's current performance. t/f
f
28. Operational feasibility is an assessment of whether the organization can acquire the technology necessary to implement and support the proposed control. t/f
f
3. According to Sun Tzu, if you know yourself and know your enemy, you have an average chance to be successful in an engagement. t/f
f
32. Risk -control- is the enumeration and documentation of risks to an organization's information assets. _________________________ t/f
f
33. Risk -acceptance- defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. _________________________ t/f
f
34. -Pervasive- risk is the amount of risk that remains to an information asset even after the organization has applied its desired level of controls. _________________________ t/f
f
35. -TVA- safeguard risk is a combined function of (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards. _________________________ t/f
f
36. Within data classification schemes, it is important that all categories used be -classified- and mutually exclusive. _________________________ t/f
f
38. Each of the threats faced by an organization must be evaluated, including determining the threat's potential to endanger the organization, which is known as a threat -prioritization-. _________________________ t/f
f
39. Risk -mitigation- is the process of assigning a risk rating or score to each information asset. _________________________ t/f
f
4. Knowing yourself means identifying, examining, and understanding the threats facing the organization. t/f
f
41. Loss -event frequency- is the combination of an asset's value and the percentage of it that might be lost in an attack. _________________________ t/f
f
44. A(n) *disaster recovery* plan includes the steps necessary to ensure the continuation of the organization when a disaster's scope or scale exceeds the ability of the organization to restore operations, usually through relocation of critical business functions to an alternate location. _________________________ t/f
f
45. Cost *mitigation* is the process of preventing the financial impact of an incident by implementing a control. _________________________ t/f
f
47. The computed value of the *ALE* compares the costs and benefits of a particular control alternative to determine whether the control is worth its cost. _________________________ t/f
f
49. *Process*-based measures are comparisons based on observed numerical data, such as numbers of successful attacks. _________________________ t/f
f
52. In information security, *benchmarking* is the comparison of past security activities and events against the organization's current performance. _________________________ t/f
f
53. Within organizations, the most important feasibility is *technical* feasibility, which defines what can and cannot occur based on the consensus and relationships between the communities of interest. _________________________ t/f
f
6. Residual risk is the risk that has not been removed, shifted, or planned for after vulnerabilities have been completely resolved. t/f
f
7. Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets.
f
9. Within a data classification scheme, "comprehensive" means that an information asset should fit in only one category. t/f
f
12. When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts. t/f
t
13. When it is necessary to calculate, estimate, or derive values for information assets, you might give consideration to the value incurred from the cost of protecting the information. t/f
t
14. The value of information to the organization's competition should influence the asset's valuation. t/f
t
19. To determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited. t/f
t
2. Risk control is the application of controls that reduce the risks to an organization's information assets to an acceptable level. t/f
t
24. Best business practices are often called recommended practices. t/f
t
29. Organizations should communicate with system users throughout the development of the security program, letting them know that changes are coming, and reduce resistance to these expected changes through communication, education, and involvement. t/f
t
30. The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment. t/f
t
37. One way to determine which information assets are valuable is by evaluating which information asset(s) would expose the company to liability or -embarrassment- if revealed. _________________________ t/f
t
40. -Likelihood- is the probability that a specific vulnerability within an organization will be the target of an attack. _________________________ t/f
t
42. The -mitigation- control strategy attempts to reduce the impact of a successful attack through planning and preparation. _________________________ t/f
t
43. The most common example of a mitigation procedure is a -contingency plan-. _________________________ t/f
t
46. *Exposure factor* is the expected percentage of loss that would occur from a particular attack. _________________________ t/f
t
48. A(n) *qualitative* assessment is based on characteristics that do not use numerical measures. _________________________ t/f
t
5. In addition to their other responsibilities, the three communities of interest are responsible for determining which control options are cost effective for the organization. t/f
t
50. *Benchmarking* is the process of comparing other organizations' activities against the practices used in one's own organization to produce results it would like to duplicate. _________________________ t/f
t
51. Security efforts that seek to provide a superior level of performance in the protection of information are referred to as *best business practices*. _________________________ t/f
t
54. Operational feasibility is also known as *behavioral feasibility*. _________________________ t/f
t
55. Sometimes a *risk assessment* report is prepared for a specific IT project at the request of the project manager, either because it is required by organizational policy or because it is good project management practice. _________________________ t/f
t
8. You should adopt naming standards that do not convey information to potential system attackers. t/f
t