CIS3361 Information Security Management CH7
prudent
Organizations that adopt minimum levels of security to establish a future legal defense may need to verify that they have done what any ____ organization would do in similar circumstances.
incident
Organizations typically use three types of performance measures, including those that assess the impact of a(n) ____________________ or other security event on the organization or its mission.
True
Performance measurement is an ongoing, continuous improvement operation.
Mitigation Risk Treatment Strategy
The risk treatment strategy that attempts to reduce the impact of the loss caused by an incident, disaster, or attack through effective contingency planning and preparation.
False
The risk treatment strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk treatment strategy. __________
Transference Risk Treatment Strategy
The risk treatment strategy that attempts to shift risk to other assets, other processes, or other organizations.
Termination Risk Treatment Strategy
The risk treatment strategy that eliminates all risk associated with an information asset by removing it from service
True
The risk treatment strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk treatment strategy. ____________
Acceptance Risk Treatment Strategy
The risk treatment strategy that indicates the organization is willing to accept the current level of residual risk. As a result, the organization makes a conscious decision to do nothing else to protect an information asset from risk and to accept the outcome from any resulting exploitation.
False
The risk treatment strategy that indicates the organization is willing to accept the current level of risk and do nothing further to protect an information asset is known as the termination risk treatment strategy. ____________
controls
The second step in the NIST SP 800-37 model for security certification and accreditation is to select the appropriate minimum security ____________________ for the system.
an understanding of risk treatment strategies
Treating risk begins with which of the following?
True
Unlike many other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.
True
Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.
baseline
A ____ is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared."
moving target
A problem with benchmarking is that recommended practices are a(n) ____________________; that is, knowing what happened a few years ago does not necessarily tell you what to do next.
asset valuation
A process of assigning financial value or worth to each information asset.
False
A progression is a measurement of current performance against which future performance will be compared. __________
defense risk treatment strategy
A risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
mitigation risk treatment strategy
A risk treatment strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.
termination risk treatment strategy
A risk treatment strategy that eliminates all risk associated with an information asset by removing it from service.
acceptance risk treatment strategy
A risk treatment strategy that indicates the organization is willing to accept the current level of risk, is making a conscious decision to do nothing to protect an information asset from risk, and accepts the outcome from any resulting exploitation.
True
A(n) baseline is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared."
characterize the system
According to NIST SP 800-37, the first step in the security controls selection process is to ____.
True
Accreditation is the authorization of an IT system to process, store, or transmit information.
When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.
All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT:
Cost-benefit Analysis (CBA)
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization
cost-benefit analysis (CBA)
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as __________.
True
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as cost-benefit analysis (CBA). __________
Operational Feasibility
An examination of how well a particular solution fits within the organization's culture and the extent to which users are expected to accept the solution. Also known as Behavioral Feasibility
Political Feasibility
An examination of how well a particular solution fits within the organization's political environment - for example, the working relationship within the organization's communities of interest or between the organization and its external environment
Organizational Feasibility
An examination of how well a particular solution fits within the organization's strategic planning objectives and goals
organizational feasibility
An examination of how well a particular solution fits within the organization's strategic planning objectives and goals.
False
An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel, is known as operational feasibility. __________
Technical Feasibility
An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel
False
Another problem with benchmarking is that no two organizations are similar.
defense
Application of training and education among other approach elements is a common method of which risk treatment strategy?
manage
Because "organizations ____________________ what they measure," it is important to ensure that individual metrics are prioritized in the same manner as the performance they measure.
competitive disadvantage
Because even the implementation of new technologies does not necessarily guarantee an organization can gain or maintain a competitive lead, the concept of __________ has emerged as organizations strive not to fall behind technologically.
which, how
Benchmarking can help to determine ____ controls should be considered, but it cannot determine ____ those controls should be implemented in your organization.
False
Best security practices (BSPs) balance the need for information access with the need for adequate protection while simultaneously demonstrating social responsibility.
access
Best security practices balance the need for information ____________________ with the need for adequate protection while simultaneously demonstrating fiscal responsibility.
single loss expectancy
By multiplying the asset value by the exposure factor, you can calculate which of the following?
outcome
Collecting project metrics may be even more challenging. Unless the organization is satisfied with a simple tally of who spent how many hours doing which tasks, it needs some mechanism to link the ____ of each project, in terms of loss control or risk reduction, to the resources consumed.
intent
Designing the performance measures collection process requires thoughtful consideration of the ____ of the metric along with a thorough knowledge of how production services are delivered.
True
Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. __________
stakeholders
During Phase 1 of the NIST performance measures development process, the organization identifies relevant ____ and their interests in information security measurement.
goals and objectives
During Phase 2 of the NIST performance measures development process, the organization will identify and document the information security performance ____ that would guide security control implementation for the information security program of a specific information system.
value to competitors
Each of the following is a commonly used quantitative approach for asset valuation EXCEPT:
forecasting costs
Each of the following is a recommendation from the FDIC when creating a successful SLA EXCEPT:
cost of IT operations (keeping systems operational during the period of treatment strategy development)
Each of the following is an item that affects the cost of a particular risk treatment strategy EXCEPT:
True
Implementing controls at an acceptable standard—and maintaining them—demonstrates that an organization has performed due diligence.
Single Loss Expectancy (SLE)
In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack (impact). The SLE is the product of the asset's value and the exposure factor.
False
In a cost-benefit analysis, the expected frequency of an attack expressed on a per-year basis is known as the annualized risk of likelihood. __________
Annualized Rate of Occurrence (ARO)
In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis
Annualized Loss Expectancy (ALE)
In a cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy
recommended
In information security, two categories of benchmarks are used: standards of due care and due diligence and ____ practices.
meaning
In most cases, simply listing the measurements collected does not adequately convey their ____.
Both of these
In reporting InfoSec performance measures, the CISO must also consider ____.
certification
In security management, ____ is "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the process that establishes the extent to which a particular design and implementation meets a set of specified security requirements."
accreditation
In security management, ____________________ is the authorization of an IT system to process, store, or transmit information.
False
In some organizations, the terms metrics and best practices are interchangeable.
gap
In the NIST performance measures implementation process, the comparison of observed measurements with target values is known as a ____ analysis.
Delphi
In which technique does a group rate or rank a set of information, compile the results, and repeat until everyone is satisfied with the result?
True
Industries that are regulated by governmental agencies are required to meet government guidelines in their security practices.
performance measurement
Information security ____ is the process of designing, implementing, and managing the use of the collected data elements called measures to determine the effectiveness of the overall security program.
due diligence
It is no longer sufficient to simply assert effective information security; an organization must demonstrate that it is taking effective measures in the spirit of ____________________.
due diligence
Maintaining an acceptable level of secure controls over time indicates that an organization has met the standard of ____.
False
NIST recommends the documentation of each performance measure in a customized format to ensure repeatability of measures development, tailoring, collection, and reporting activities.
repeatability
NIST recommends the documentation of performance measures in a format to ensure ____ of measures development, tailoring, collection, and reporting activities.
governance
NIST's Risk Management Framework follows a three-tiered approach, with most organizations working from the top down, focusing first on aspects that affect the entire organization, such as __________.
monitoring and measurement
Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk?
False
Once developed, information security performance measures must be implemented and integrated into ongoing information security management operations. For the most part, it is sufficient to collect these measures once.
quantify
One of the critical tasks in the measurement process is to assess and ____________________ what will be measured.
True
One of the most popular of the many references that support the development of process improvement and performance measures is The Capability Maturity Model Integrated (CMMI) designed specifically to integrate an organization's process improvement activities across disciplines.
none of these
One of the most popular references for developing process improvement and performance measures is the ____ model from the Software Engineering Institute at Carnegie Mellon University.
True
One of the priorities in building an information security measures program is determining whether these measures will be macro-focus or micro-focus.
False
One of the three goals of System Certification and Accreditation as defined by NIST is to: define essential maximum security controls for federal IT systems.
Baseline data provides little value to evaluating progress in improving security
Problems with benchmarking include all but which of the following?
More consistent, comparable, and repeatable certifications of InfoSec programs
Security Certification & Accreditation offers several benefits. Which of the following is NOT one of them?
best business practices
Security efforts that seek to provide a superior level of performance in the protection of information are called ____.
disaster recovery plan
Strategies to reestablish operations at the primary site after an adverse event threatens continuity of business operations are covered by which of the following plans in the mitigation control approach?
True
The ISO 27005 Standard for InfoSec Risk Management has a five-stage management methodology that includes risk treatment and risk communication.
risk determination
The ISO 27005 Standard for Information Security Risk Management includes all but which of the following stages?
evaluating alternative strategies
The Microsoft Risk Management Approach includes four phases; which of the following is NOT one of them?
inform
The NIST risk management approach includes all but which of the following elements?
Increasing efficiency for InfoSec performance
The benefits of using information security performance measures include all but which of the following?
single loss expectancy
The calculated value associated with the most likely loss from a single attack.
True
The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.
False
The defense risk treatment strategy may be accomplished by outsourcing to other organizations.
Cost Avoidance
The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident
cost avoidance
The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as __________.
cost avoidance
The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident.
False
The first phase in the NIST performance measures methodology is to collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets.
cost-benefit analysis
The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.
zero
The goal of InfoSec is not to bring residual risk to __________; rather, it is to bring residual risk in line with an organization's risk appetite.
corrective
The last phase in the NIST performance measures implementation process is to apply ____________________ actions; close the gap by implementing the recommended corrective actions in the security program or in the security controls.
True
The risk treatment strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk treatment strategy. __________
determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
Asset Valuation
The process of assigning financial value or worth to each information asset
asset valuation
The process of assigning financial value or worth to each information asset is known as __________.
all of these
The purpose of NIST SP 800-53 (R3) as part of the NIST System C&A Project is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for ____.
risk appetite
The quantity and nature of risk that organizations are willing to accept.
Defense Risk Treatment Strategy
The risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards in an effort to change the likelihood of successful attack on an information asset. Also known as the Avoidance Strategy.
False
The risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk treatment strategy, also known as the avoidance strategy. __________
qualitative assessment of many risk components
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
cost-benefit analysis
What is the result of subtracting the postcontrol annualized loss expectancy and the annualized cost of the safeguard from the precontrol annualized loss expectancy?
residual risk
When vulnerabilities have been controlled to the degree possible, what is the remaining risk that has not been completely removed, shifted, or planned for?
OCTAVE
Which alternative risk management methodology is a process promoted by the Computer Emergency Response Team (CERT) Coordination Center (www.cert.org) that has three variations for different organizational needs, including one known as ALLEGRO?
ISO 31000
Which international standard provides a structured methodology for evaluating threats to economic performance in an organization and was developed using the Australian/New Zealand standard AS/NZS 4360:2004 as a foundation?
maintenance
Which of the following affects the cost of a control?
political feasibility
Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?
operational feasibility
Which of the following determines how well a proposed treatment will address user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders?
organizational feasibility
Which of the following determines how well the proposed InfoSec treatment alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization?
technical feasibility
Which of the following determines whether the organization already has or can acquire the technology necessary to implement and support the proposed treatment?
Practical InfoSec budgets and resources for the program
Which of the following is NOT a factor critical to the success of an information security performance program?
...
Which of the following is NOT a goal of the NIST System Certification and Accreditation Project:
When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls.
Which of the following is NOT a valid rule of thumb on risk treatment strategy selection?
selective risk avoidance
Which of the following is NOT an alternative to using CBA to justify risk controls?
Use the methodology most similar to what is currently in use.
Which of the following is NOT one of the methods noted for selecting the best risk management model?
assess control impact
Which of the following is not a step in the FAIR risk management framework?
Prepare for data collection
Which of the following is the first phase in the NIST process for performance measures implementation?
transference
Which of the following risk treatment strategies describes an organization's attempt to shift risk to other assets, other processes, or other organizations?
mitigation
Which of the following risk treatment strategies describes an organization's efforts to reduce damage caused by a realized incident or disaster?
metrics; measures
While the terms may be interchangeable in some organizations, typically the term ____ is used for more granular, detailed measurement, while the term ____ is used for aggregate, higher-level results.
Certification
____________________ is defined as "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements."
