CISSP All-in-One Exam Guide Part 1
A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new ALE would be $30,000. The firewall costs $65,000 per year to implement and maintain. How much does the firewall save the company in loss expenses? A. $62,000 B. $3,000 C. $65,000 D. $30,000
A. $62,000 is the correct answer. The firewall reduced the annualized loss expectancy (ALE) from $92,000 to $30,000 for a savings of $62,000. The formula for ALE is single loss expectancy × annualized rate of occurrence = ALE. Subtracting the ALE value after the firewall is implemented from the value before it was implemented results in the potential loss savings this type of control provides.
A CISSP candidate signs an ethics statement prior to taking the CISSP examination. Which of the following would be a violation of the (ISC)2 Code of Ethics that could cause the candidate to lose his or her certification? A. E-mailing information or comments about the exam to other CISSP candidates B. Submitting comments on the questions of the exam to (ISC)2 C. Submitting comments to the board of directors regarding the test and content of the class D. Conducting a presentation about the CISSP certification and what the certification means
A. A CISSP candidate and a CISSP holder should never discuss with others what was on the exam. This degrades the usefulness of the exam to be used as a tool to test someone's true security knowledge. If this type of activity is uncovered, the person could be stripped of their CISSP certification because this would violate the terms of the NDA into which the candidate enters prior to taking the test. Violating an NDA is a violation of the ethics canon that requires CISSPs to act honorably, honestly, justly, responsibly, and legally.
Which of the following would you use to control the public distribution, reproduction, display, and adaptation of an original white paper written by your staff? A. Copyright B. Trademark C. Patent D. Trade secret
A. A copyright fits the situation precisely. A patent could be used to protect a novel invention described in the paper, but the question did not imply that this was the case. A trade secret cannot be publicly disseminated, so it does not apply. Finally, a trademark protects only a word, symbol, sound, shape, color, or combination of these.
Which of the following is not one of the three key areas for risk monitoring? A. Threat B. Effectiveness C. Change D. Compliance
A. Risk monitoring activities should be focused on three key areas: effectiveness, change, and compliance. Changes to the threat landscape should be incorporated directly into the first two, and indirectly into compliance monitoring.
Which of the following is not true about Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)? A. It is the only internationally recognized quantitative risk management framework. B. It was developed by Carnegie Mellon University. C. It is focused only on risk assessments. D. It is a team-oriented risk management methodology that employs workshops.
A. OCTAVE is not a quantitative methodology. The only such methodology for risk management we've discussed is FAIR.
Which factor is the most important item when it comes to ensuring security is successful in an organization? A. Senior management support B. Effective controls and implementation methods C. Updated and relevant security policies and procedures D. Security awareness by all employees
A. Without senior management's support, a security program will not receive the necessary attention, funds, resources, and enforcement capabilities.
Business is good and your company is expanding operations into Europe. Because your company will be dealing with personal information of European Union (EU) citizens, you know that it will be subject to the EU's General Data Protection Regulation (GDPR). You have a mature security program that is certified by the International Organization for Standardization (ISO), so you are confident you can meet any new requirements. Upon learning of your company's plans to expand into Europe, what should be one of the first things you do? A. Consult your legal team B. Appoint a Data Protection Officer (DPO) C. Label data belonging to EU persons D. Nothing, because your ISO certification should cover all new requirements
A. Your best bet when facing a new legal or regulatory environment or issue is to consult with your legal team. It is their job to tell you what you're required to do, and your job to get it done. You will almost certainly need to appoint a Data Protection Officer (DPO), and you will probably need to label or otherwise categorize data belonging to EU persons, but you still need to check with your attorneys first.
A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventive controls in place. What is the single loss expectancy (SLE) for the facility suffering from a fire? A. $80,000 B. $480,000 C. $320,000 D. 60%
B. $480,000 is the correct answer. The formula for single loss expectancy (SLE) is asset value × exposure factor (EF) = SLE. In this situation the formula would work out as asset value ($800,000) × exposure factor (60%) = $480,000. This means that the company has a potential loss value of $480,000 pertaining to this one asset (facility) and this one threat type (fire).
Which is the most valuable technique when determining if a specific security control should be implemented? A. Risk analysis B. Cost/benefit analysis C. ALE results D. Identifying the vulnerabilities and threats causing the risk
B. Although the other answers may seem correct, B is the best answer here. This is because a risk analysis is performed to identify risks and come up with suggested countermeasures. The annualized loss expectancy (ALE) tells the organization how much it could lose if a specific threat became real. The ALE value will go into the cost/benefit analysis, but the ALE does not address the cost of the countermeasure and the benefit of a countermeasure. All the data captured in answers A, C, and D is inserted into a cost/benefit analysis.
Faced with a lawsuit alleging patent infringement, your CEO stands up a working group to look at licensing and intellectual property (IP) issues across the company. The intent is to ensure that the company is doing everything within its power to enforce IP rights, both its own rights and others' rights. The CEO asks you to lead an effort to look internally and externally for any indication that your company is violating the IP rights of others or that your own IP is being used by unauthorized parties. Which term best describes what the CEO is practicing? A. Due care B. Due diligence C. Compliance D. Downstream liability
B. Due diligence is doing everything within one's power to prevent a bad thing from happening and is normally associated with an organization's leaders. Given the CEO's intent, this is the best answer. Compliance could be an answer but is not the best one since the scope of the effort appears to be very broad and there is no mention of specific laws or regulations with which the CEO wants to comply.
Which of the following is not one of the seven steps in the NIST Risk Management Framework (RMF)? A. Monitor security controls B. Establish the context C. Assess security controls D. Authorize information system
B. Establishing the context is a step in ISO/IEC 27005, not in the NIST RMF. While it is similar to the RMF's prepare step, there are differences between the two. All the other responses are clearly steps in the NIST RMF process.
ISO/IEC 27001 describes which of the following? A. The Risk Management Framework B. Information security management system C. Work product retention standards D. International Electrotechnical Commission standards
B. ISO/IEC 27001 provides best practice recommendations on information security management systems (ISMSs).
To better deal with computer crime, several legislative bodies have taken what steps in their strategy? A. Expanded several privacy laws B. Broadened the definition of property to include data C. Required corporations to have computer crime insurance D. Redefined transborder issues
B. Many times, what is corrupted, compromised, or taken from a computer is data, so current laws have been updated to include the protection of intangible assets such as data. Over the years, data and information have become many organizations' most valuable assets, which must be protected by law.
For an enterprise security architecture to be successful in its development and implementation, which of the following items is not essential? A. Strategic alignment B. Security guidelines C. Business enablement D. Process enhancement
B. Security guidelines are optional recommendations on issues that are not covered by mandatory policies, standards, or procedures. A successful enterprise security architecture is aligned with the organization's strategy, enables its business, and enhances (rather than hinders) its business processes.
You want to make use of the OpenOffice productivity software suite mandatory across your organization. In what type of document would you codify this? A. Policy B. Standard C. Guideline D. Procedure
B. Standards describe mandatory activities, actions, or rules. A policy is intended to be strategic, so it would not be the right document. A procedure describes the step-by-step manner in which something must be done, which is far more detail than is needed to make a particular software suite mandatory across your organization. Finally, guidelines are recommended but optional practices.
You are hired as the chief information security officer (CISO) for a medium-size research and development company. Its research file servers were recently breached, resulting in a significant loss of intellectual property. The company is about to start a critical research project and wants to ensure another breach doesn't happen. The company doesn't have risk management or information security programs, and you've been given a modest budget to hire a small team and get things started. You decide to adopt the NIST Risk Management Framework (RMF) and are in the process of categorizing your information systems. How would you determine the security category (SC) of your research file servers (RFS)? A. SCRFS = (probable frequency) × (probable future loss) B. SCRFS = {(confidentiality, high),(integrity, medium),(availability, low)} = high C. SCRFS = {(confidentiality, high),(integrity, medium),(availability, low)} = medium
B. The NIST RMF relies on the Federal Information Processing Standard Publication 199 (FIPS 199) categorization standard, which breaks down a system's criticality by security objective (confidentiality, integrity, availability) and then applies the highest security objective category (the "high water mark") to determine the overall category of the system.
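The high water mark rule as working code, added here as an example rather than taken from the exam guide. FIPS 199 names its impact levels low, moderate and high; the question writes "medium" for the middle level, so that spelling is accepted as an alias (an assumption of this example). The second information type fed to categorize_system() is constructed to show how a system holding several information types is categorized.

```python
"""FIPS 199 security categorization using the high water mark.

Added worked example; it is not code from the exam guide. FIPS 199 names its
impact levels low / moderate / high; the question writes "medium" for the
middle level, so "medium" is accepted here as an alias (an assumption).
The information types passed to categorize_system() in main() are constructed.
"""

OBJECTIVES = ("confidentiality", "integrity", "availability")
LEVELS = ("low", "moderate", "high")          # ascending order of impact
ALIASES = {"medium": "moderate"}              # spelling used in the question


def normalize(level: str) -> str:
    """Map a level string to one of LEVELS, rejecting anything else."""
    level = level.strip().lower()
    level = ALIASES.get(level, level)
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return level


def high_water_mark(impacts: dict) -> str:
    """SC = {(C, x), (I, y), (A, z)}: the overall category is the highest of x, y, z."""
    missing = set(OBJECTIVES) - set(impacts)
    if missing:
        raise ValueError(f"impact not assigned for: {sorted(missing)}")
    return max((normalize(impacts[o]) for o in OBJECTIVES), key=LEVELS.index)


def categorize_system(information_types: dict) -> tuple:
    """Categorize a system that holds several information types.

    FIPS 199 applies the high water mark twice: first per objective across all
    information types resident on the system, then across the three objectives.
    Returns (per-objective impacts, overall category).
    """
    per_objective = {
        o: max((normalize(t[o]) for t in information_types.values()), key=LEVELS.index)
        for o in OBJECTIVES
    }
    return per_objective, high_water_mark(per_objective)


def format_sc(system: str, impacts: dict, overall: str) -> str:
    """Render the categorization in the notation used by the question."""
    triples = ", ".join(f"({o}, {normalize(impacts[o])})" for o in OBJECTIVES)
    return f"SC {system} = {{{triples}}} = {overall}"


if __name__ == "__main__":
    # The question's own research file server (RFS) categorization.
    rfs = {"confidentiality": "high", "integrity": "medium", "availability": "low"}
    print(format_sc("RFS", rfs, high_water_mark(rfs)))
    # Constructed: the same server later also holds release builds whose
    # integrity matters more, so the per-objective high water mark rises.
    per_obj, overall = categorize_system({
        "research data": rfs,
        "release builds": {"confidentiality": "low", "integrity": "high", "availability": "moderate"},
    })
    print(format_sc("RFS", per_obj, overall))
```

The per-objective step matters in practice: a server that is "low" for availability as a research share becomes "moderate" the moment it also serves builds, and the control baseline selected in the next RMF step follows the overall category, not the original one.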
A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventive controls in place. What is the annualized loss expectancy (ALE)? A. $480,000 B. $32,000 C. $48,000 D. .6
C. $48,000 is the correct answer. The annualized loss expectancy formula (SLE × ARO = ALE) is used to calculate the loss potential for one asset experiencing one threat in a 12-month period. The resulting ALE value helps to determine the amount that can reasonably be spent in the protection of that asset. In this situation, the company should not spend over $48,000 on protecting this asset from the threat of fire. ALE values help organizations rank the severity level of the risks they face so they know which ones to deal with first and how much to spend on each.
What is one of the first steps in developing a business continuity plan? A. Identify a backup solution. B. Perform a simulation test. C. Perform a business impact analysis. D. Develop a business resumption plan.
C. A business impact analysis includes identifying critical systems and functions of an organization and interviewing representatives from each department. Once management's support is solidified, a BIA needs to be performed to identify the threats the company faces and the potential costs of these threats.
Faced with a lawsuit alleging patent infringement, your CEO stands up a working group to look at licensing and intellectual property (IP) issues across the company. The intent is to ensure that the company is doing everything within its power to enforce IP rights, both its own rights and others' rights. The CEO asks you to lead an effort to look internally and externally for any indication that your company is violating the IP rights of others or that your own IP is being used by unauthorized parties. You discover that another organization is publishing some of your company's copyrighted blogs on its website as if they were its own. What is your best course of action? A. Do nothing; the blogs are not particularly valuable, and you have bigger problems B. Contact the webmasters directly and ask them to take the blogs down C. Have the legal team send a cease-and-desist order to the offending organization D. Report your
C. A company must protect resources that it claims to be intellectual property such as copyrighted material and must show that it exercised due care (reasonable acts of protection) in its efforts to protect those resources. If you ignore this apparent violation, it may be much more difficult to enforce your rights later when more valuable IP is involved. You should never attempt to do this on your own. That's why you have a legal team!
Which best describes a quantitative risk analysis? A. A scenario-based analysis to research different security threats B. A method used to apply severity levels to potential loss, probability of loss, and risks C. A method that assigns monetary values to components in the risk assessment D. A method that is based on gut feelings and opinions
C. A quantitative risk analysis assigns monetary values and percentages to the different components within the assessment. A qualitative analysis uses opinions of individuals and a rating system to gauge the severity level of different threats and the benefits of specific countermeasures.
Why should the team that will perform and review the risk analysis information be made up of people in different departments? A. To make sure the process is fair and that no one is left out. B. It shouldn't. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable. C. Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible. D. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.
C. An analysis is only as good as the data that goes into it. Data pertaining to risks the organization faces should be extracted from the people who understand best the business functions and environment of the organization. Each department understands its own threats and resources, and may have possible solutions to specific threats that affect its part of the organization.
Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, he needs to develop a security awareness program. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the activities of bank personnel to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault. Todd documents several fraud opportunities that the employees have at the financial institution so that management
C. Mandatory vacation is an administrative detective control that allows for an organization to investigate an employee's daily business activities to uncover any potential fraud that may be taking place. The employee should be forced to be away from the organization for a two-week period, and another person should be put into that role. The idea is that the person who was rotated into that position may be able to detect suspicious activities.
Which of the following is true about data breaches? A. They are exceptionally rare. B. They always involve personally identifiable information (PII). C. They may trigger legal or regulatory requirements. D. The United States has no laws pertaining to data breaches.
C. Organizations experiencing a data breach may be required by laws or regulations to take certain actions. For instance, many countries have disclosure requirements that require notification to affected parties and/or regulatory bodies within a specific timeframe.
Which of the following standards would be most useful to you in ensuring your information security management system follows industry best practices? A. NIST SP 800-53 B. Six Sigma C. ISO/IEC 27000 series D. COBIT
C. The ISO/IEC 27000 series is the only option that addresses best practices across the breadth of an ISMS. NIST SP 800-53 and COBIT both deal with controls, which are a critical but not the only component of an ISMS.
A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventive controls in place. What is the annualized rate of occurrence (ARO)? A. 1 B. 10 C. .1 D. .01
C. The annualized rate of occurrence (ARO) is the frequency with which a threat will most likely occur within a 12-month period; once every ten years is 1/10 = 0.1. It is a value used in the ALE formula, which is SLE × ARO = ALE.
Faced with a lawsuit alleging patent infringement, your CEO stands up a working group to look at licensing and intellectual property (IP) issues across the company. The intent is to ensure that the company is doing everything within its power to enforce IP rights, both its own rights and others' rights. The CEO asks you to lead an effort to look internally and externally for any indication that your company is violating the IP rights of others or that your own IP is being used by unauthorized parties. You discover dozens of workstations running unlicensed productivity software in a virtual network that is isolated from the Internet. Why is this a problem? A. Users should not be able to install their own applications. B. It is not a problem as long as the virtual machines are not connected to the Internet. C. Software piracy can have significant financial and even criminal repercussions. D. There is no way to register
C. Whether or not the computers on which unlicensed software runs can reach the Internet is irrelevant. The fact is that your company is using a software product that it is not authorized to use, which is considered software piracy.
A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new ALE would be $30,000. The firewall costs $65,000 per year to implement and maintain. What is the value of the firewall to the company? A. $62,000 B. $3,000 C. -$62,000 D. -$3,000
D. -$3,000 is the correct answer. The firewall saves $62,000, but costs $65,000 per year. 62,000 - 65,000 = -3,000. The firewall costs the company more than the loss it prevents, and thus the value to the company is a negative number. The formula for this calculation is (ALE before the control is implemented) - (ALE after the control is implemented) - (annual cost of control) = value of control.
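The SLE, ARO, ALE and control-value formulas from the office-fire and firewall questions, carried through in code as an added example (not code from the exam guide). The figures are the ones the questions give; the second risk scenario and the alternative controls compared in main() are constructed to show how several risks are ranked by ALE and how candidate controls for one threat are compared, which the questions do one at a time.

```python
"""SLE, ARO, ALE and control value, as used in the quantitative risk questions.

Added worked example, not code from the exam guide. The office-fire and
firewall figures are the ones in the questions; the second scenario and the
alternative controls in main() are constructed for illustration.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF, the fraction of the asset lost)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_rate_of_occurrence(years_between_events: float) -> float:
    """ARO = expected occurrences per year; once every ten years -> 0.1."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss from one threat to one asset in a year."""
    return round(sle * aro, 2)


def control_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value = (ALE before control) - (ALE after control) - (annual cost).

    Negative means the control costs more than the loss it prevents; the
    question's firewall is 92000 - 30000 - 65000 = -3000.
    """
    return ale_before - ale_after - annual_cost


@dataclass(frozen=True)
class RiskScenario:
    """One asset exposed to one threat: the unit the ALE formula works on."""
    asset: str
    threat: str
    asset_value: float
    exposure_factor: float
    years_between_events: float

    @property
    def ale(self) -> float:
        sle = single_loss_expectancy(self.asset_value, self.exposure_factor)
        aro = annualized_rate_of_occurrence(self.years_between_events)
        return annualized_loss_expectancy(sle, aro)


def rank_by_ale(scenarios: list) -> list:
    """Highest ALE first: the order in which risks compete for the budget."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)


def best_control(ale_before: float, candidates: dict):
    """Choose the control with the highest positive value, or None if none pays off.

    candidates maps a control name to (ALE after the control, annual cost).
    """
    scored = {name: control_value(ale_before, after, cost)
              for name, (after, cost) in candidates.items()}
    name, value = max(scored.items(), key=lambda item: item[1])
    return (name, value) if value > 0 else None


if __name__ == "__main__":
    office_fire = RiskScenario("remote office", "fire", 800_000, 0.60, 10)
    print(f"office fire ALE: {office_fire.ale:,.0f}")
    # Constructed second scenario, chosen to reproduce the website's $92,000 ALE.
    web_attack = RiskScenario("e-commerce site", "attack", 1_150_000, 0.80, 10)
    for s in rank_by_ale([office_fire, web_attack]):
        print(f"{s.asset} / {s.threat}: ALE {s.ale:,.0f}")
    # The question's firewall on its own does not pay off.
    print(best_control(92_000, {"application-layer firewall": (30_000, 65_000)}))
    # Against constructed alternatives, the one with the best net value wins.
    print(best_control(92_000, {
        "application-layer firewall": (30_000, 65_000),
        "managed WAF service": (35_000, 20_000),
        "do nothing": (92_000, 0),
    }))
```

best_control() treats a zero-value control ("do nothing") as not worth buying, so the function returns None whenever no candidate has a positive value; that is the signal to accept the risk or look for a cheaper control rather than to pick the least bad one.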
What is COBIT and where does it fit into the development of information security systems and security programs? A. Lists of standards, procedures, and policies for security program development B. Current version of ISO 17799 C. A framework that was developed to deter organizational internal fraud D. Open standard for control objectives
D. COBIT is an open framework developed by ISACA and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs.
You want to ensure that your organization's finance department, and only the finance department, has access to the organization's bank statements. Which of the security properties would be most important? A. Confidentiality B. Integrity C. Availability D. Both A and C
D. Confidentiality is ensuring that unauthorized parties (i.e., anyone other than finance department employees) cannot access protected assets. Availability is ensuring that authorized entities (i.e., finance) maintain access to assets. In this case, both confidentiality and availability are important to satisfy the requirements as stated.
A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new ALE would be $30,000. The firewall costs $65,000 per year to implement and maintain. Which of the following describes the company's approach to risk management? A. Risk transference B. Risk avoidance C. Risk acceptance D. Risk mitigation
D. Risk mitigation involves employing controls in an attempt to reduce either the likelihood or damage associated with an incident, or both. The four ways of dealing with risk are accept, avoid, transfer, and mitigate (reduce). A firewall is a countermeasure installed to reduce the risk of a threat.
Which best describes the purpose of the ALE calculation? A. Quantifies the security level of the environment B. Estimates the loss possible for a countermeasure C. Quantifies the cost/benefit result D. Estimates the loss potential of a threat in a span of a year
D. The ALE calculation estimates the potential loss that can affect one asset from a specific threat within a one-year time span. This value is used to figure out the amount of money that should be earmarked to protect this asset from this threat.
You are hired as the chief information security officer (CISO) for a medium-size research and development company. Its research file servers were recently breached, resulting in a significant loss of intellectual property. The company is about to start a critical research project and wants to ensure another breach doesn't happen. The company doesn't have risk management or information security programs, and you've been given a modest budget to hire a small team and get things started. Which of the following risk management frameworks would probably not be well suited to your organization? A. ISO/IEC 27005 B. NIST Risk Management Framework (RMF) C. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) D. Factor Analysis of Information Risk (FAIR)
D. The Factor Analysis of Information Risk (FAIR) framework uses a quantitative approach to risk assessment. As we discussed in Chapter 2, this approach requires a lot more expertise and resources than qualitative ones. Since your organization is just getting started with risk management and information security and your resources are limited, this would not be a good fit.
Many privacy laws dictate which of the following rules? A. Individuals have a right to remove any data they do not want others to know. B. Agencies do not need to ensure that the data is accurate. C. Agencies need to allow all government agencies access to the data. D. Agencies cannot use collected data for a purpose different from what they collected it for.
D. The Federal Privacy Act of 1974 and the General Data Protection Regulation (GDPR) were created to protect personal data. These acts have many stipulations, including that the information can only be used for the reason for which it was collected.
Business is good and your company is expanding operations into Europe. Because your company will be dealing with personal information of European Union (EU) citizens, you know that it will be subject to the EU's General Data Protection Regulation (GDPR). You have a mature security program that is certified by the International Organization for Standardization (ISO), so you are confident you can meet any new requirements. Your Security Operations Center (SOC) chief notifies you of a data breach in which your organization's entire customer list may have been compromised. As the data controller, what are your notification requirements? A. No later than 72 hours after you contain the breach B. Within 30 days of the breach C. As soon as possible, but within 60 days of becoming aware of the breach D. No later than 72 hours after becoming aware of the breach
D. The GDPR has the strictest breach notification requirements of any data protection law in the world. Your organization is required to notify the supervisory authority of the EU member state involved within 72 hours of becoming aware of the breach. Examples of supervisory authorities are the Data Protection Commission in Ireland, the Hellenic Data Protection Authority in Greece, and the Agencia Española de Protección de Datos in Spain.
How do you calculate residual risk? A. Threats × risks × asset value B. (Threats × asset value × vulnerability) × risks C. SLE × frequency = ALE D. (Threats × vulnerability × asset value) × controls gap
D. The equation is more conceptual than practical. It is hard to assign a number to an individual vulnerability or threat. This equation enables you to look at the potential loss of a specific asset, as well as the controls gap (what the specific countermeasure cannot protect against). What remains is the residual risk, which is what is left over after a countermeasure is implemented.
Which of the following describes the Center for Internet Security (CIS) Controls framework? A. Consists of over 1,000 controls, divided into 20 families, that are mapped to the security category of an information system B. Balances resource utilization, risk levels, and realization of benefits by explicitly tying stakeholder needs to organizational goals to IT goals C. Developed to determine the maturity of an organization's processes D. Consists of 20 controls divided into three groups to help organizations incrementally improve their security posture
D. There are 20 CIS controls and 171 subcontrols organized so that any organization, regardless of size, can focus on the most critical controls and improve over time as resources become available. The other answers describe NIST SP 800-53 (A), COBIT 2019 (B), and Capability Maturity Model (C).
You are hired as the chief information security officer (CISO) for a medium-size research and development company. Its research file servers were recently breached, resulting in a significant loss of intellectual property. The company is about to start a critical research project and wants to ensure another breach doesn't happen. The company doesn't have risk management or information security programs, and you've been given a modest budget to hire a small team and get things started. When selecting the controls for the research file servers, which of the following security control frameworks would be best? A. NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations B. ISO/IEC 27002 code of practice for information security controls C. Center for Internet Security (CIS) Controls D. COBIT 2019
A. Because you're using the NIST RMF, NIST SP 800-53 is the best answer because the two frameworks are tightly integrated. None of the other answers is necessarily wrong; they're just not as well suited as SP 800-53 for the given scenario.
Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, he needs to develop a security awareness program. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the activities of bank personnel to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault. If the financial institution wants to ensure that fraud cannot happen successfully unless collusion occurs, what s
A. Separation of duties is an administrative control that is put into place to ensure that one person cannot carry out a critical task by himself. If a person were able to carry out a critical task alone, this could put the organization at risk. Collusion is when two or more people come together to carry out fraud. So if a task was split between two people, they would have to carry out collusion (working together) to complete that one task and carry out fraud.
The information security industry is made up of various best practices, standards, models, and frameworks. Some were not developed first with security in mind, but can be integrated into an organizational security program to help in its effectiveness and efficiency. It is important to know of all of these different approaches so that an organization can choose the ones that best fit its business needs and culture. Which of the following best describes the approach(es) that should be put into place if an organization wants to integrate a way to improve its security processes over a period of time? i. ITIL should be integrated because it allows for the mapping of IT service process management, business drivers, and security improvement. ii. Six Sigma should be integrated because it allows for the defects of security processes to be identified and improved upon. iii. A Capability Maturity Model should be integrated beca
C. The best process improvement approaches provided in this list are Six Sigma and the Capability Maturity Model. The following outlines the definitions for all items in this question:
• TOGAF: Model and methodology for the development of enterprise architectures, developed by The Open Group
• ITIL: Processes to allow for IT service management, developed by the United Kingdom's Office of Government Commerce
• Six Sigma: Business management strategy that can be used to carry out process improvement
• Capability Maturity Model (CMM): Organizational development for process improvement
Which of the following practices is likeliest to mitigate risks when considering a candidate for hiring? A. Security awareness training B. Nondisclosure agreement (NDA) C. Background checks D. Organizational ethics
C. The best way to reduce risk is to conduct background checks before you offer employment to a candidate. This ensures you are hiring someone whose past has been examined for any obviously disqualifying (or problematic) issues. The next step would be to sign an employment agreement that would include an NDA, followed by onboarding, which would include security awareness training and indoctrination into the organizational code of ethics.
Which of the following has an incorrect definition mapping? i. Civil (code) law: Based on previous interpretations of laws ii. Common law: Rule-based law, not precedent-based iii. Customary law: Deals mainly with personal conduct and patterns of behavior iv. Religious law: Based on religious beliefs of the region A. i, iii B. i, ii, iii C. i, ii D. iv
C. Items i and ii have their definitions swapped in the question. The following has the proper definition mappings:
i. Civil (code) law: Rule-based law, not precedent-based
ii. Common law: Based on previous interpretations of laws (precedent)
iii. Customary law: Deals mainly with personal conduct and patterns of behavior
iv. Religious law: Based on religious beliefs of the region
Which term denotes a potential cause of an unwanted incident, which may result in harm to a system or organization? A. Vulnerability B. Exploit C. Threat D. Attacker
C. The question provides the definition of a threat. An attacker (option D) is one kind of threat agent, the entity that exercises a threat, so that term is narrower than the definition given. The best answer is a threat.
Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, he needs to develop a security awareness program. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the activities of bank personnel to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault. Todd wants to be able to prevent fraud from taking place, but he knows that some people may get around the types o
D. Dual control is an administrative preventive control. It ensures that two people must carry out a task at the same time, as in two people having separate keys when opening the vault. It is not a detective control. Notice that the question asks what Todd is not doing. Remember that on the exam you need to choose the best answer. In many situations you will not like the question or the corresponding answers on the CISSP exam, so prepare yourself. The questions can be tricky, which is one reason why the exam itself is so difficult.
Why is a truly quantitative risk analysis not possible to achieve? A. It is possible, which is why it is used. B. It assigns severity levels. Thus, it is hard to translate into monetary values. C. It is dealing with purely quantitative elements. D. Quantitative measures must be applied to qualitative elements.
D. During a risk analysis, the team is trying to properly predict the future and all the risks that future may bring. It is somewhat of a subjective exercise and requires educated guessing. It is very hard to properly predict that a flood will take place once in ten years and cost a company up to $40,000 in damages (an ARO of 0.1 and an SLE of $40,000, giving an ALE of $4,000), but this is what a quantitative analysis tries to accomplish: the monetary figures look precise, yet the probability and impact estimates behind them are qualitative judgments.
When can executives be charged with negligence? A. If they follow the transborder laws B. If they do not properly report and prosecute attackers C. If they properly inform users that they may be monitored D. If they do not practice due care when protecting resources
D. Executives are held to a certain standard and are expected to act responsibly when running and protecting an organization. These standards and expectations equate to the due care concept under the law. Due care means to carry out activities that a reasonable person would be expected to carry out in the same situation. If an executive acts irresponsibly in any way, she can be seen as not practicing due care and be held negligent.
Business is good and your company is expanding operations into Europe. Because your company will be dealing with personal information of European Union (EU) citizens, you know that it will be subject to the EU's General Data Protection Regulation (GDPR). You have a mature security program that is certified by the International Organization for Standardization (ISO), so you are confident you can meet any new requirements. You have determined all the new GDPR requirements and estimate that you will need an additional $250,000 to meet them. How can you best justify this investment to your senior business leaders? A. It is the right thing to do. B. You are legally required to provide that money. C. You'll make way more profits than that in the new market. D. The cost of noncompliance could easily exceed the additional budget request.
D. Fines for noncompliance with the GDPR can range from up to €20 million (approximately $22.5 million) to 4 percent of a company's annual global revenue—whichever is greater. While it is true that this is the right thing to do, that answer is not as compelling to business leaders whose job is to create value for their shareholders.
Which publication provides a catalog of security controls for information systems? A. ISO/IEC 27001 B. ISO/IEC 27005 C. NIST SP 800-37 D. NIST SP 800-53
D. NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, catalogs over 1,000 security controls. ISO/IEC 27005 and NIST SP 800-37 both describe risk management frameworks, while ISO/IEC 27001 is focused on information security management systems (ISMSs).
What is a key benefit of using the Zachman Framework? A. Ensures that all systems, processes, and personnel are interoperable in a concerted effort to accomplish organizational missions B. Use of the iterative and cyclic Architecture Development Method (ADM) C. Focus on internal SLAs between the IT department and the "customers" it serves D. Allows different groups within the organization to look at it from different viewpoints
D. One of the key benefits of the Zachman Framework is that it allows organizations to integrate business and IT infrastructure requirements in a manner that is presentable to a variety of audiences by providing different viewpoints. This helps keep business and IT on the same sheet of music. The other answers describe the DoDAF (A), TOGAF (B), and ITIL (C).
When is it acceptable to not take action on an identified risk? A. Never. Good security addresses and reduces all risks. B. When political issues prevent this type of risk from being addressed. C. When the necessary countermeasure is complex. D. When the cost of the countermeasure outweighs the value of the asset and potential loss.
D. Organizations may decide to live with specific risks they are faced with if the cost of trying to protect themselves would be greater than the potential loss if the threat were to become real. Countermeasures are usually complex to a degree, and there are almost always political issues surrounding different risks, but these are not reasons to not implement a countermeasure.