CIST 1602 Module 4
14. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________ a. True b. False
a. True
16. Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed? a. framework b. security model c. security standard d. both A & B are correct
d
31. Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones? a. Clark-Wilson b. Bell-LaPadula c. Common Criteria d. Biba
d
IEC 27001:2005? a. Use within an organization to formulate security requirements and objectives b. Implementation of business-enabling information security c. Use within an organization to ensure compliance with laws and regulations d. To enable organizations that adopt it to obtain certification
d
23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
b. single loss expectancy
10. An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel is known as operational feasibility. ____________ a. True b. False
False - technical
18. Which access control principle limits a user's access to the specific information required to perform the currently assigned task? a. need-to-know b. eyes only c. least privilege d. separation of duties
a
54. A process of assigning financial value or worth to each information asset.
a. asset valuation
2. Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. a. True b. False
False
4. Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data in the outside world. a. True b. False
False
5. Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. a. True b. False
False
11. The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy. a. True b. False
False - acceptance
7. A benchmark is derived by comparing measured actual performance against established standards for the measured category. ____________ a. True b. False
False - baseline
6. In information security, a framework or security model customized to an organization, including implementation details is known as a floorplan. _____________
False - blueprint
13. In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as a user). ____________
False - capabilities
6. The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. ____________ a. True b. False
False - defense
8. In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a blueprint. ____________
False - framework
15. The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege. ____________
False - least
10. The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures. ____________
False - methods
7. The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties. ____________
False - separation
9. The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy. ___________ a. True b. False
False - transference
11. A person's security clearance is a personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. ____________
True
14. The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know. ____________
True
3. Lattice-based access control specifies the level of access each subject has to each object, if any. a. True b. False
True
16. Application of training and education is a common method of which risk control strategy?
b. defense
39. ____________________ channels are unauthorized or unintended methods of communications hidden inside a computer system, and include storage and timing channels.
Covert
12. Dumpster delving is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information. ____________
False - diving
15. In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis is known as the annualized risk of occurrence. ____________ a. True b. False
False - rate
9. A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. ____________
False - reference
1. A security blueprint is the outline of the more thorough security framework. a. True b. False
True
25. Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following? a. access control list b. capabilities table c. access matrix d. sensitivity level
a
26. In which form of access control is access to a specific set of information contingent on its subject matter? a. content-dependent access controls b. constrained user interfaces c. temporal isolation d. None of these
a
34. Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? a. COBIT b. COSO c. NIST d. ISO
a
56. An examination of how well a particular solution fits within the organization's strategic planning objectives and goals.
a. organizational feasibility
58. The calculated value associated with the most likely loss from a single attack.
a. single loss expectancy
24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
a. cost-benefit analysis
18. Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
a. incident response plan
35. The NIST risk management approach includes all but which of the following elements? a. inform b. assess c. frame d. respond
a. inform
36. The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is ____________________ .
a. mitigation
27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
a. qualitative assessment of many risk components
1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset. a. True b. False
a. True
12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA). ____________ a. True b. False
a. True
13. The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy. a. True b. False
a. True
3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility. a. True b. False
a. True
4. Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges. a. True b. False
a. True
5. The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication. a. True b. False
a. True
8. The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________ a. True b. False
a. True
21. Which of the following is NOT a category of access control? a. preventative b. mitigating c. deterrent d. compensating
b
22. Which control category discourages an incipient incident? a. preventative b. deterrent c. remitting d. compensating
b
28. Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"? a. Bell-LaPadula b. TCSEC c. ITSEC d. Common Criteria
b
29. Which piece of the Trusted Computing Base's security system manages access controls? a. trusted computing base b. reference monitor c. covert channel d. verification module
b
30. Under the Common Criteria, which term describes the user-generated specifications for security requirements? a. Target of Evaluation (ToE) b. Protection Profile (PP) c. Security Target (ST) d. Security Functional Requirements (SFRs)
b
53. A risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
b. defense risk control strategy
57. A risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.
b. mitigation risk control strategy
37. The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
b. transference
32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
b. cost avoidance
31. What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
b. documented control strategy
25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?
b. political feasibility
20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
b. risk appetite
55. The quantity and nature of risk that organizations are willing to accept.
b. risk appetite
2. The defense risk control strategy may be accomplished by outsourcing to other organizations. a. True b. False
b. False
17. Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary? a. need-to-know b. eyes only c. least privilege d. separation of duties
c
19. Which of the following specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle? a. Discretionary access controls b. Task-based access controls c. Security clearances d. Sensitivity levels
c
20. Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following? a. preventative b. deterrent c. corrective d. compensating
c
24. Which type of access controls can be role-based or task-based? a. constrained b. content-dependent c. nondiscretionary d. discretionary
c
27. A time-release safe is an example of which type of access control? a. content-dependent b. constrained user interface c. temporal isolation d. nondiscretionary
c
32. Which of the following is NOT a change control principle of the Clark-Wilson model? a. No changes by unauthorized subjects b. No unauthorized changes by authorized subjects c. No changes by authorized subjects without external validation d. The maintenance of internal and external consistency
c
59. The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident.
c. cost avoidance
51. The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.
c. cost-benefit analysis
19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following? a. Determined the level of risk posed to the information asset b. Performed a thorough cost-benefit analysis c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset d. Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
21. Which of the following is NOT a valid rule of thumb on risk control strategy selection? a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls. d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
30. Which of the following is not a step in the FAIR risk management framework?
c. assess control impact
26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
c. evaluating alternative strategies
40. When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.
c. exploited
29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
c. monitoring and measurement
38. To keep up with the competition, organizations must design and create a ____________ environment in which business processes and procedures can function and evolve effectively.
c. secure
33. Which of the following is NOT an alternative to using CBA to justify risk controls?
c. selective risk avoidance
40. In the COSO framework, ___________ activities include those policies and procedures that support management directives.
control
23. Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information? a. confidential b. secret c. top secret d. for official use only
d
35. The COSO framework is built on five interrelated components. Which of the following is NOT one of them? a. Control environment b. Risk assessment c. Control activities d. InfoSec Governance
d
52. A risk control strategy that indicates the organization is willing to accept the current level of risk and that the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.
d. acceptance risk control strategy
60. A risk control strategy that eliminates all risk associated with an information asset by removing it from service.
d. termination risk control strategy
28. In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
d. Delphi
39. The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.
d. appetite
22. Which of the following affects the cost of a control?
d. maintenance
17. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
d. mitigation
34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
d. risk determination
IEC 27002 and how to set up a(n) ____________________.
information security management system (ISMS)
38. The ____________________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.
need-to-know
36. To design a security program, an organization can use a(n) ____________________, which is a generic outline of the more thorough and organization-specific blueprint offered by a service organization.
security model