Chapter 2 Information Security Fundamentals Exam Questions
Which is more important to a business—its information or its information technology? A. Neither, since it is the business logic and business processes that give the business its competitive advantage. B. The information is more important, because all that the information technology does is make the information available to people to make decisions with. C. The information technology is more important, because without it, none of the data could be transformed into information for making decisions with. D. Both are equally important, because in most cases, computers and communications systems are where the information is gathered, stored, and made available.
B. People make decisions based on what they know, what they remember, and what they observe; that data, information, and knowledge are independent of the paper, books, computers, or radio waves that brought those observations to them in the first place. Options C and D confuse the role of the technologies with the information itself; option A is a true statement that does not address the actual question.
As the IT security director, Paul does not have anybody looking at systems monitoring or event logging data. Which set of responsibilities is Paul in violation of? A. Due care B. Due diligence C. None of the above D. Both due care and due diligence
B. The fact that systems monitoring and event data is collected at all indicates that Paul or his staff determined it was a necessary part of keeping the organization's information systems secure—they took (due) care of those responsibilities. But by not reviewing the data to verify proper systems behavior and use, or to look for potential intrusions or compromises, Paul has not been diligent.
Due diligence means: A. Paying your debts completely, on time B. Doing what you must do to fulfill your responsibilities C. Making sure that actions you've taken to fulfill your responsibilities are working correctly and completely D. Reading and reviewing the reports from subordinates or from systems monitoring data
C. Options A and B are both examples of due care; due diligence is the verification that all is being done well and that nothing is not done properly. Option D can be an important part of due diligence but is missing the potential for follow-up action.
Suppose that you work for a business or have a business as your client. As an SSCP, which of the following groups do you have responsibilities to? (Choose all that apply.) A. Coworkers, managers, and owners of the business that employs you (or is your client) B. Competitors of the business that employs you or is your client C. Customers, suppliers, or other companies that work with this business D. People and groups that have nothing to do with this business
A, B, C, D. Options A and C represent direct or indirect stakeholders in the business that employs the SSCP. Options B and D represent other members of society, and you owe them professional service as an SSCP as well. The service you owe others in the marketplace would not include divulging your employer's private data, of course!
What do we use protocols for? (Choose all that apply.) A. To conduct ceremonies, parades, or how we salute superiors, sovereigns, or rulers B. To have a conversation with someone and keep disagreement from turning into a hostile, angry argument C. To connect elements of computer systems together so that they can share tasks and control each other D. As abstract design tools when we are building systems, although we don't actually build hardware or software that implements a protocol E. None of the above
A, B, C. Option D is incorrect; almost everything that holds our IT world together is done via directly building protocols into hardware and software. Options A, B, and C are correct, and they show the human social communications need for signaling one another about the communication we're trying to achieve.
When you compare safety to security for information systems, which of the following statements are correct? (Choose all that apply.) A. When information security measures fail to keep critical data available and correct, the resulting system malfunctions could lead to loss of revenue, property damage, injury, or death. B. Operating a system in an unsafe manner could introduce information that further corrupts the system, violates its integrity, or leads to it crashing, which violates availability needs. C. Keeping a system safe also means "safe from harm," and thus means much the same as keeping it secure. D. Safe system operation is the responsibility of its designers, builders, and operators; the information security people have no role in that, and thus safety and security are unrelated concepts.
A, C. "Safety" for information systems can mean keeping the system from suffering damage, keeping the system from failing in ways that cause damage, or both. Thus, Options A and C are correct, though they are different aspects of safety. Option B is true, but it reverses cause and effect. Option D is incorrect because it tries to separate safety and security when they are in fact related to each other.
John works as the chief information security officer for a medium-sized chemical processing firm. Which of the following groups of people would not be stakeholders in the ongoing operation of this business? A. State and local tax authorities B. Businesses in the immediate neighborhood of John's company C. Vendors, customers, and others who do business with John's company D. The employees of the company
A. All other groups have a valid personal or financial interest in the success and safe operation of the company; a major chemical spill or a fire producing toxic smoke, for example, could directly injure them or damage their property. Although tax authorities might also suffer a loss of revenues in such circumstances, they are not involved with the company or its operation in any way.
Explain the relationship between confidentiality and privacy, if any. A. Confidentiality is about keeping information secret so that we retain advantage or do not come to harm; privacy is about choosing who can enter into one's life or property. B. Confidential information is information that must be kept private, so they really have similar meanings. C. Privacy laws allow criminals to hide their actions and intentions from society, but confidentiality allows for the government to protect defense-related information from being leaked to enemies. D. Confidentiality is the freedom to choose with whom you share information; privacy refers to information that is specifically about individuals' lives, activities, or interests.
A. Keeping information secret means agreeing to limit or control how (or if) that information can be passed on to others. Privacy is the freedom from intrusion into your own affairs, person, property or ideas. The other options either confuse confidentiality with privacy or do not use the concepts correctly.
Why is the preamble to (ISC)2's Code of Ethics important to us as SSCPs? A. It is vital to understand the code because it sets purpose and intention; it's our mission statement as professionals. B. It sounds like it ought to be important, but it just states personal values; the canons tell us what to do and why that matters. C. It's not that important, since it only provides a context for the canons, which are the real ethical responsibilities that we have. D. It sets the priorities for us to address, highest to lowest, starting with the profession, the organization, the people we work for or our customers, and then society as a whole.
A. Option A correctly interprets the words themselves of the preamble. Option B is incorrect. The preamble does not set personal values (such as honesty); these are in the canons and tied to actions we should take. Option C misses the point of the purpose of the code.
Jayne discovers that someone in the company's HR department has been modifying employee performance appraisals. If done without proper authorization, this would be what kind of violation? A. Integrity B. Confidentiality C. Availability D. Privacy
A. The correctness or wholeness of the data may have been violated, inflating some employees' ratings while deflating others. This violates the presumed integrity of the appraisal data. Presumably, HR staff have legitimate reasons to access the data, and even enter or change it, so it is not a confidentiality violation; since the systems are designed to store such data and make it available for authorized use, privacy has not been violated. Appraisals have not been removed, so there are no availability issues.
How does business logic relate to information security? A. Business logic represents decisions the company has made and may give it a competitive advantage over others in the marketplace; it needs to be protected from unauthorized disclosure or unauthorized change. Processes that implement the business logic need to be available to be run or used when needed. Thus, confidentiality, integrity, and availability apply. B. Business logic for specific tasks tends to be common across many businesses in a given market or industry; therefore, there is nothing confidential about it. C. Business logic should dictate the priorities for information security efforts. D. Business logic is important during process design; in daily operations, the company uses its IT systems to get work done, so it has no relationship to operational information security concerns.
A. The sequence of steps in a process (such as a recipe for baking a cake) reflects the logic and knowledge of what needs to be done, in what order, and within what limits, as well as the constraints to achieve the desired conditions or results. That's what business logic is. Most businesses know how to do something that they do better, faster, or cheaper than their competitors, and thus their business logic gives them an advantage in the marketplace.
Protection of intellectual property (IP) is an example of what kind of information security need? A. Privacy B. Confidentiality C. Availability D. Integrity
B. Disclosure of intellectual property in unauthorized ways can end up giving away any competitive advantage that IP might have had for the business.
Do the terms cybersecurity, information assurance, and information security mean the same thing? (Choose all that apply.) A. No, because cyber refers to control theory, and therefore cybersecurity is the best term to use when talking about securing computers, computer networks, and communications systems. B. Yes, but each finds preference in different markets and communities of practice. C. No, because cybersecurity is about computer and network security, information security is about protecting the confidentiality and integrity of the information, and information assurance is about having reliable data to make decisions with. D. No, because different groups of people in the field choose to interpret these terms differently, and there is no single authoritative view.
B, D. In many respects the debate about what to call what we're studying is somewhat meaningless. Option D shows that in different communities the different terms are held in greater or lesser favor. It is how people use terms that establishes their meaning and not what a "language authority" declares the terms to mean. Option B describes this common use of different terms as if they are different ideas—defense and intelligence communities, for example, prefer "cybersecurity," whereas financial and insurance risk managers prefer "information assurance." And yet defense will use "information assurance" to refer to what senior commanders need when making decisions, and everybody talks about "information security" as if all it involves is the hard, technical stuff—but didn't cybersecurity cover that? Options A and C are other incomplete expressions of these ideas.
We often hear people talk about the need for information systems to be safe and reliable. Is this the same as saying that they need to be secure? A. No, because reliability has to do with failures of equipment, errors in software design or use, or bad data used as input, whereas security is focused on keeping the systems and their data safe from intrusion or unwanted change. B. Yes, because the objective of information security is to increase our confidence that we can make sound and prudent decisions based on what those information systems are telling us, and in doing so cause no harm. C. Yes, because all information and information systems are built by humans, and humans make mistakes, so we need strong safety rules and procedures to keep from causing harm. D. No, but they have ideas in common. For example, data integrity can lead to unsafe operation, but information security by itself cannot identify possible safety consequences.
B. Option A ignores that failures in security design or practice can lead to data input or systems usage that might be safe and reliable tomorrow, for example, but not today. Option C, true as far as it goes, does not address security at all. Option D ignores that the vulnerability assessments that should drive security measures are all based on consequences if the risk becomes real.
How do you turn data into knowledge? A. These are both names for the same concepts, so no action is required. B. You use lots of data to observe general ideas and then test those ideas with more data you observe, until you can finally make broad, general conclusions. These conclusions are what are called knowledge. C. You apply data smoothing and machine learning techniques, and the decision rules this produces are called knowledge. D. You have to listen to the data to see what it's telling you, and then you'll know.
B. This is the scientific method in action: make observations, ask questions, make informed guesses, get more data, and see if it fits what you think you've learned thus far. Repeat until you are highly confident.
Your company uses computer-controlled machine tools on the factory floor as part of its assembly line. This morning, you've discovered that somebody erased a key set of machine control parameter files, and the backups you have will need to be updated and verified before you can use them. This may take most of the day to accomplish. What information security attribute is involved here? A. Confidentiality B. Integrity C. Availability D. Due care
B. Although it is clear that the necessary parameter files are not available, this seems to have been caused because somebody could violate the integrity requirements of those files—deleting them does not seem to have been an authorized change.
At a job interview, Fred is asked by the interviewer about activities, pictures, and statements he's made by posting things on his Facebook and LinkedIn pages. This question by the interviewer: A. Is a violation of Fred's right to privacy, as those posts were done on Fred's private pages B. Doesn't worry Fred, as the conversation with the interviewer is confidential C. Is a legitimate one, since these pages are published by Fred, and therefore they are speech he has made in public places D. Doesn't worry Fred, as he took those pages down yesterday and closed those accounts
C. What we say and do in public places is, by definition, visible to anyone who wants to watch or listen. Publishing a letter or a book, or writing on a publicly visible social media page, is also considered public speech. We have no reasonable expectation of privacy in social media—we have no basis on which to assume that by posting something on our private pages, others whom we've invited to those pages will not forward that information on to someone else.
A thunderstorm knocks out the commercial electric power to your company's datacenter, shutting down everything. This impacts which aspect of information security? A. Privacy B. Confidentiality C. Integrity D. Availability
D. If the equipment cannot run because there is no power, then no data stored in it can be displayed, printed, or shared with users—data is not available. Some transactions may have to be recovered and rerun once the power comes back up and everything is turned on again, but only if transactions were lost completely would there be a data integrity concern.
As an SSCP, you work at the headquarters of a retail sales company that has many stores around the country. Its training department has prepared different training materials and operations manuals for in-store sales, warehouse staff, and other team members to use in their jobs. Most of these describe procedures that people do as they work with one another or with customers. From an information security standpoint, which of the following statements are correct? A. Since these all describe people-to-people interactions and processes, they are not implemented by the IT department, and so they're not something that information security is concerned with. B. Most of their content is probably common practice in business and retail sales and so would not be trade secrets, company proprietary, or private to the company. C. Although these processes are not implemented in IT systems, the documents and videos themselves are hosted in company-provided IT systems, and so information security requirements apply. D. If the company has decided that the content of these training materials is proprietary or company confidential, then their confidentiality must be protected. They must also be protected from tampering or unauthorized changes and be available to staff in the stores to use when they need them, if the company is to do business successfully.
D. Options A and C are confusing information, and our systems or processes for using it, with the technologies with which we create, store, and use that information. Option B is a partial answer (it does not address anything other than confidentiality), and it might be true, but this is a decision that company leadership and management should make (with advice from the SSCP). Option D is the most complete and correct answer. Therefore, information security applies.
Business logic is: A. A set of tasks that must be performed to achieve an objective within cost and schedule constraints B. The set of rules and constraints that drive a business to design a process that gets business done correctly and effectively C. Software and data used to process transactions and maintain accounts or inventories correctly D. The design of processes to achieve an objective within the rules and constraints the business must operate within
D. The logic is the set of steps and decisions necessary to achieve the objective; some of those decisions may compare intermediate results with constraints and then branch to alternate steps in the logic to make corrections, for example. The rules and constraints by themselves are not the business logic. Processes (software or people procedures) are not the business logic, but they should accurately and effectively implement that logic.