CISSP | Test Questions | Domain 3 | Information Security Governance & Risk Management


Loss of system or data integrity reduces which of the following? a. Assurance b. Authorization c. Authentication d. Nonrepudiation

a. Loss of system or data integrity reduces the assurance of an IT system because assurance provides the highest level of confidence in a system. The other three choices cannot provide such assurance.

Risk mitigation does not strive to do which of the following? a. Control identification b. Control prioritization c. Control evaluation d. Control implementation

a. Risk mitigation strives to prioritize, evaluate, and implement the appropriate risk-reducing controls recommended from the risk assessment process. Control identification is performed in the risk assessment process, which comes before risk mitigation.

Which of the following characteristics of information security are critical for electronic transactions? a. Trust and accountability b. Trust and usefulness c. Usefulness and possession d. Accountability and possession

a. Trust and accountability are critical and needed in electronic transactions to make the customer comfortable with transactions, whereas usefulness and possession are needed to address theft, deception, and fraud.

During the risk assessment process of a system, how is the level of risk to the system derived? a. Multiplying the threat likelihood rating with the impact level b. Subtracting the threat likelihood rating from the impact level c. Adding the threat likelihood rating to the impact level d. Dividing the threat likelihood rating by the impact level

a. When the ratings for threat likelihood (i.e., high, moderate, or low) and impact levels (i.e., high, moderate, or low) have been determined through appropriate analysis, the level of risk to the system and the organization can be derived by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact level.

Information security baselines for information assets vary depending on which of the following? a. Availability and reliability b. Sensitivity and criticality c. Integrity and accountability d. Assurance and nonrepudiation

b. Information security baselines vary depending on the sensitivity and criticality of the information asset, which is part of the confidentiality goal. The other three choices are not related to the confidentiality goal.

Which of the following should be performed first? a. Threat-source analysis b. Vulnerability analysis c. Threat analysis d. Risk analysis

b. Threat analysis cannot be performed until after vulnerability analysis has been conducted because vulnerabilities lead to threats which, in turn, lead to risks. Threat-source analysis is a part of threat analysis. Therefore, vulnerability analysis should be performed first.

Which of the following is not an example of system protections? a. Least privilege b. Process separation c. Authorization d. Object reuse

c. Authorization is a part of preventive technical security controls, whereas system protections are an example of supporting technical security controls. Some examples of system protections include least privilege, process separation, and object reuse.

Which of the following are required to enforce system-specific policies? 1. Logical access controls 2. Physical security measures 3. Management controls 4. Technical controls a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. Both technology-based and nontechnology-based controls are required to enforce system-specific policies. This covers all four items listed in the question.

Risk management activities are performed for periodic system re-authorization in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance

d. In the operation/maintenance phase of the SDLC, risk management activities are performed for periodic system re-authorization or re-accreditation.

The effectiveness of security controls depends on which of the following? 1. System management 2. Legal issues 3. Quality assurance 4. Management controls a. 1 only b. 3 only c. 4 only d. 1, 2, 3, and 4

d. The effectiveness of security controls depends on such factors as system management, legal issues, quality assurance, internal controls, and management controls. Information security needs to work with traditional security disciplines, including physical and personnel security.

Which of the following defines security boundaries for an information system? 1. Information 2. Personnel 3. Equipment 4. Funds a. 1 only b. 1 and 2 c. 1 and 3 d. 1, 2, 3, and 4

d. The process of uniquely assigning information resources (e.g., information, personnel, equipment, funds, and IT infrastructure) to an information system defines the security boundary for that system.

The relative priority given to confidentiality, integrity, and availability goals varies according to which of the following? 1. Type of information system 2. Cost of information system 3. Data within the information system 4. Business context of use a. 1 and 2 b. 2 and 3 c. 1 and 4 d. 3 and 4

d. The relative priority and significance given to confidentiality, integrity, and availability goals vary according to the data within the information system and the business context in which they are used. Cost and the type of information systems used are important but not that relevant to these goals.

Trustworthy information systems are defined as: 1. Operating within defined levels of risk 2. Handling environmental disruptions 3. Handling human errors 4. Handling purposeful attacks a. 1 only b. 3 only c. 4 only d. 1, 2, 3, and 4

d. Trustworthy information systems are those systems capable of being trusted to operate within defined levels of risk despite the environmental disruptions, human errors, and purposeful attacks expected to occur in the specified environments of operation.

For information systems security, a penetration is defined as which of the following combinations? a. Attack plus breach b. Attack plus threat c. Threat plus breach d. Threat plus countermeasure

a. A penetration is the successful act of bypassing the security mechanisms of a computer system. An attack is an attempt to violate data security. A breach is the successful circumvention or disablement of a security control, with or without detection, which if carried to completion could result in penetration of the system. A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction or modification of data, or denial-of-service. A countermeasure is any action, control, device, procedure, technique, or other measure that reduces the vulnerability of a threat to a system.

Which of the following controls is typically and primarily applied at the point of transmission or reception of information? a. Nonrepudiation services b. Access controls c. Authorization controls d. Authentication controls

a. All these controls are examples of preventive technical security controls. Nonrepudiation control ensures that senders cannot deny sending information and that receivers cannot deny receiving it. As a result, nonrepudiation control is typically applied at the point of transmission or reception of information. Access controls, authorization controls, and authentication controls support nonrepudiation services.

The concept of least privilege is primarily based on which of the following? a. Risk assessment b. Information flow enforcement c. Access enforcement d. Account management

a. An organization employs the concept of least privilege primarily for specific duties and information systems, including specific ports, protocols, and services in accordance with risk assessments as necessary to adequately mitigate risk to the organization's operations, assets, and individuals. The other three choices are specific components of access controls.

Which of the following is the key factor in the development of the security assessment and authorization policy? a. Risk management b. Continuous monitoring c. Testing the system d. Evaluating the system

a. An organization's risk management strategy is the key factor in the development of the security assessment and authorization policy. The other three choices are part of the purpose of assessing the security controls in an information system.

For risk mitigation strategies, which of the following is not a proper action to take when there is a likelihood that a vulnerability can be exploited? a. Implement assurance techniques b. Apply layered protections c. Apply administrative controls d. Implement architectural design

a. Assurance is the grounds for confidence that the set of intended security controls in an information system are effective in their application. Assurance techniques include trustworthiness and predictable execution, which may not be effective or timely. The other three choices reflect proper actions to take when there is likelihood that a vulnerability can be exploited.

For information risk assessment, which of the following can improve the ability to realistically assess threats? a. Intrusion detection tools b. Natural threat sources c. Human threat sources d. Environmental threat sources

a. Common threat sources collect data on security threats, which include natural threats, human threat sources, and environmental threat sources. In addition, intrusion detection tools collect data on security events, thereby improving the ability to realistically assess threats to information.

Which of the following is not an example of preventive management security controls? a. Conducting periodic review of security controls b. Assigning security responsibilities c. Developing system security plans d. Conducting security awareness and training

a. Conducting periodic review of security controls to ensure that the controls are effective is an example of detection management security controls. The other three choices are examples of preventive management security controls.

From a corporate viewpoint, information integrity is most needed in which of the following? a. Financial reporting b. Inventory information c. Trade secrets d. Intellectual property

a. Corporate financial reporting requires integrity of information so that it is protected against unauthorized modification. The scope of financial reporting includes presenting balance sheet, income statement, cash flows, and the annual report with footnotes and disclosures. Confidentiality is required to protect personnel (employees) data such as medical records, trade secrets, or intellectual property rights (e.g., copyrights) and business data such as shipping, billing, and inventory information.

For risk mitigation, which of the following technical security controls are pervasive and interrelated with other controls? a. Supporting controls b. Prevention controls c. Detection controls d. Recovery controls

a. From a risk mitigation viewpoint, technical security controls are divided into two categories: supporting controls and other controls (i.e., prevention, detection, and recovery controls). Supporting controls are, by their nature, pervasive and interrelated with many other controls such as prevention, detection, and recovery controls. Supporting controls must be in place to implement other controls, and they include identification, cryptographic key management, security administration, and system protection. Preventive controls focus on preventing security breaches from occurring in the first place. Detection and recovery controls focus on detecting and recovering from a security breach.

What should the information security manager do when the residual risk has not been reduced to an acceptable level? a. Repeat the risk management cycle. b. Develop new policies and procedures. c. Implement new security technologies. d. Establish a specific schedule for assessing risk.

a. If the residual risk has not been reduced to an acceptable level, the information security manager must repeat the risk management cycle to identify a way of lowering the residual risk to an acceptable level. The other three choices are not strong enough actions to reduce the residual risk to an acceptable level.

Information security must follow which of the following? a. Top-down process b. Bottom-up process c. Top-down and bottom-up d. Bottom-up first, top-down next

a. Information security must be a top-down process requiring a comprehensive security strategy explicitly linked to the organization's business processes and strategy. Getting direction, support, and buy-in from top management sets the right stage or right tone for the entire organization.

Which of the following is the major purpose of self-assessment of information security for improving the security? a. Establish future targets b. Understand the current status c. Find out the industry average d. Analyze the current target

a. Information security self-assessment results can be used to establish targets for future development, based on where the organization wants to reach (major purpose) and how to improve security. The other three choices (minor purposes) can help in establishing future targets.

Which of the following are the fundamental reasons why organizations implement a risk management process for their IT systems? 1. Need for minimizing negative impact on an organization 2. Need for sound basis in decision making 3. Need for inventing a new risk management methodology for each SDLC phase 4. Need for noniterative process used in risk management a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 3 and 4

a. Minimizing a negative impact on an organization and the need for a sound basis in decision making are the fundamental reasons why organizations implement a risk management process for their IT systems. The risk management methodology is the same regardless of the system development life cycle (SDLC) phase, and it is an iterative process that can be performed during each major phase of the SDLC.

Which of the following are essential to improving IT security performance through metrics? 1. Quantifying performance gaps 2. Providing insights into root causes 3. Submitting reports to internal management 4. Collecting meaningful data for analysis a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

a. Performance metrics are essential to performance improvement because they quantify performance gaps and provide insights into root causes of inadequate performance. Submitting reports to internal management and collecting meaningful data for analysis support quantifying performance gaps and providing insights into root causes.

Which of the following combinations of conditions can put the IT assets at the most risk of loss? a. System interconnectivity and poor security management b. System interconnectivity and poor controls over data sensitivity c. System interconnectivity and lack of system backups d. System interconnectivity and inadequate physical security

a. Poor security management does not proactively and systematically assess risks, monitor the effectiveness of security controls, and respond to identified problems. This situation can become much weaker with interconnected systems where the risk is the greatest. The other three choices are the result of poor security management.

All the following are access agreements for employees prior to granting access to a computer system except: a. Rules of engagement b. Rules of behavior c. Non-disclosure agreement d. Acceptable use agreement

a. Rules of engagement apply to outside individuals (e.g., vendors, contractors, and consultants) when conducting penetration testing of a computer system. Employees do not have rules of engagement; they are bound by the access agreements. Examples of access agreements include rules of behavior, non-disclosure agreements (i.e., conflict-of-interest statements), and acceptable use agreements (or policies).

Setting performance targets for which of the following information security metrics is relatively easier than the others? a. Implementation metrics b. Effectiveness metrics c. Efficiency metrics d. Impact metrics

a. Setting performance targets for effectiveness, efficiency, and impact metrics is much more complex than the implementation metrics because these aspects of security operations do not assume a specific level of performance. Managers need to apply both qualitative and subjective reasoning to set effectiveness, efficiency, and impact performance targets. Implementation metrics measure the results of implementation of security policies, procedures, and controls (i.e., demonstrates progress in implementation efforts). Effectiveness/efficiency metrics measure the results of security services delivery (i.e., monitors the results of security controls implementation). Impact metrics measure the results of business or mission impact of security activities and events (i.e., provides the most direct insight into the value of security to the firm).

System or network administrators will be interested in which of the following IT security metrics? a. Implementation b. Effectiveness c. Efficiency d. Impact

a. The four measurable aspects of IT security metrics speak to different stakeholders. System or network administrators want to know what went wrong during IT security implementation activities. Information security and program managers are interested in effectiveness and efficiency during IT security activities. The agency head or chief executive officer (CEO) is interested in the business and mission impact of IT security activities. As the primary stakeholders, the chief information officer (CIO) and information systems security officer are interested in the results of IT security metrics. As the secondary stakeholders, the chief financial officer (CFO), Inspector General (IG), or Chief Audit Executive (CAE) of Internal Audit are interested in the development and funding of IT security metrics.

Which of the following is not the major purpose of information system security plans? a. Describe major application systems. b. Define the security requirements. c. Describe the security controls. d. Delineate the roles and responsibilities.

a. The information security plan should reflect inputs from various managers with responsibilities concerning the system. Major applications are described when defining security boundaries of a system, meaning boundaries are established within and around application systems. The major purposes of the information system security plan are to (i) provide an overview of the security requirements of the system, (ii) describe the security controls in place or planned for meeting those requirements, (iii) delineate the roles and responsibilities, and (iv) define the expected behavior of all individuals who access the system.

Which of the following is not a key activity that facilitates the integration of information security governance components? a. Operational planning b. Organizational structure c. Roles and responsibilities d. Enterprise architecture

a. The key activities that facilitate integration of information security governance components include strategic planning, organizational structure (design and development), roles and responsibilities, enterprise architecture, and security objectives. Operational planning is derived from strategic planning.

Which of the following is the primary purpose of plan of action and milestones document? a. To reduce or eliminate known vulnerabilities b. To use findings from security control assessments c. To apply findings from security impact analyses d. To implement findings from continuous monitoring activities

a. The primary purpose of a plan of action and milestones (POA&M) document is to correct deficiencies and to reduce or eliminate known vulnerabilities. The POA&M document updates are based on findings from security control assessment, security impact analyses, and continuous monitoring activities.

Which of the following should not be contained in the Rules of Behavior document? a. Copy of the security policy b. Controls for working at home c. Controls for dial-in access d. Use of copyrighted work

a. The rules of behavior should not be a complete copy of the security policy or procedures guide, but rather cover controls at a high level. Examples of controls contained in rules of behavior include controls for working at home and controls for dial-in access, use of copyrighted work, password usage, connections to the Internet, searching databases, and divulging information. The security policy may contain an acceptable use policy.

Which of the following has been determined to be a reasonable level of risk? a. Minimum risk b. Acceptable risk c. Residual risk d. Total risk

b. Acceptable risk is the level of residual risk that has been determined to be a reasonable level of potential loss or disruption for a specific computer system. Minimum risk is incorrect because it is the reduction in the total risk that results from the impact of in-place safeguards or controls. Residual risk is incorrect because it results from the occurrence of an adverse event after adjusting for the impact of all safeguards in-place. Total risk is incorrect because it is the potential for the occurrence of an adverse event if no mitigating action is taken (i.e., the potential for any applicable threat to exploit system vulnerability).

Effective information security governance requires which of the following? 1. Corporate executive management endorsement 2. IT executive management endorsement 3. Board member endorsement 4. IT security officer endorsement a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 3 and 4

b. Corporate executive management must be conducive to effective information security governance. When corporate senior management follows the policies, it sends a positive signal to the rest of the organization. All the board members should endorse the information security governance policies. Note that the corporate executive management and the board members approve and endorse the security policies, while the IT executive management and the IT security officer implement such policies.

Which of the following is referred to when data is transferred from high network users to low network users? a. Data downgrade b. Data regrade c. Data upgrade d. Data release

b. Data regrade is the term used when data is transferred from high network users to low network users and from low network users to high network users. Data downgrade is the change of a classification label to a lower label without changing the contents of the data. Data upgrade is the change of a classification label to a higher label without changing the contents of the data. Data release is the process of returning all unused disk space to the system when a dataset is closed at the end of processing.

Which of the following provides a 360-degree inspection of the system during the vulnerability identification of a system in the risk assessment process? a. Automated vulnerability scanning tools b. Security requirement checklist c. Security advisories d. Security test and evaluation

b. Developing a security requirements checklist, based on the security requirements specified for the system during the conceptual, design, and implementation phases of the system development life cycle (SDLC), can be used to provide a 360-degree inspection of the system. Automated vulnerability scanning tools and security test and evaluation augment the basic vulnerability reviews. Security advisories are typically provided by the vendor and give the organization up-to-date information on system vulnerabilities and remediation strategies.

Which of the following is not an example of detective controls in information systems? a. Audit trails b. Encryption c. Intrusion detection d. Checksums

b. Encryption is an example of preventive controls, which inhibit attempts to violate security policy. Detective controls warn of violations or attempted violation of security policies and include audit trails, intrusion detection methods, and checksums.

For new information systems, which of the following can be interpreted as having budgetary authority and responsibility for developing and deploying the information systems? a. Security control b. Management control c. Operational control d. Technical control

b. For new information systems, management control can be interpreted as having budgetary or programmatic authority and responsibility for developing and deploying the information systems. For current systems in the inventory, management control can be interpreted as having budgetary or operational authority for the day-to-day operation and maintenance of the information systems.

Which of the following is not an example of supporting technical security controls used in mitigating risk? a. Identification b. Authentication c. Cryptographic key management d. Security administration

b. From a risk mitigation viewpoint, technical security controls are divided into two categories: supporting controls and other controls (i.e., prevention, detection, and recovery controls). This means supporting controls must be in place to implement other controls. Authentication is an example of preventive technical controls. The other three choices (i.e., identification, cryptographic key management, and security administration) are examples of supporting technical security controls.

Which of the following IT metrics types measure the results of security services delivery? 1. Implementation metrics 2. Effectiveness metrics 3. Efficiency metrics 4. Impact metrics a. 1 and 2 b. 2 and 3 c. 1 and 4 d. 3 and 4

b. Implementation metrics measure the implementation of security policy. Effectiveness and efficiency metrics measure the results of security services delivery. Impact metrics measure the business or mission impact of security events.

Which of the following pairs of security objectives, rules, principles, and laws are in conflict with each other? a. All-or-nothing access principle and the security perimeter rule b. Least privilege principle and employee empowerment c. File protection rules and access granularity principle d. Trans-border data flows and data privacy laws

b. Least privilege is a security principle that requires that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks. The application of this principle limits the damage resulting from an accident, error, or unauthorized use. This is in great conflict with employee empowerment, in which employees are given freedom to do a wide variety of tasks in a given time period. Much discretion is left to each employee to achieve the stated goals. The all-or-nothing access principle means access is either to all objects or none at all. The security perimeter rule uses increasingly strong defenses as one approaches the core information or resources sought. Both strengthen the security practices. File protection rules are designed to inhibit unauthorized access, modification, and deletion of a file. The access granularity principle states that protection at the data file level is considered coarse granularity, whereas protection at the data field level is considered to be of a finer granularity. Both strengthen the security practices. The objectives of trans-border data flows and data privacy laws are to protect personal data from unauthorized disclosure, modification, and destruction. Trans-border data flow is the transfer of data across national borders. Privacy refers to the social balance between an individual's right to keep information confidential and the societal benefit derived from sharing information. Both strengthen the security practices.

From a security accountability viewpoint, which of the following pose a security risk? a. Executives and contractors b. Full-time employees and contingent workers c. Executives and full-time employees d. Vendors and consultants

b. Most executives have an employment contract listing security policies, practices, procedures, and penalties for noncompliance with such policies and practices. Contractors, vendors, and consultants are bound by formal rules of engagement. Full-time employees operate under an employment-at-will arrangement; employees have no formal contract and can leave the company, or the employer can terminate employment, at any time. Contingent workers are part-time and short-term (temporary) workers and have no formal contract. In the absence of a formal contract or rules of engagement, it is difficult for the company to enforce or punish the full-time employees and contingent workers if they violate security policies and practices. Therefore, full-time employees and contingent workers are not truly accountable for security in the absence of a formal contract (i.e., not legally bound and not enforceable), thus posing a security risk to the company.

Benefits of central computer security programs include which of the following? 1. Sharing information 2. Installing technical controls 3. Controlling virus infections 4. Administering day-to-day computer security a. 1 and 2 b. 1 and 3 c. 2 and 3 d. 2 and 4

b. Organizations can develop expertise centrally and then share it, reducing the need to contract out repeatedly for similar services. The central computer security program can help facilitate information sharing. Similarly, controlling virus infections from a central location is efficient and economical. Options 2 and 4 are examples of benefits of a system-level computer security program.

Which of the following is the first step in the risk management process? a. Selecting security controls b. Accomplishing security categorization c. Satisfying minimum security requirements d. Defining security control baselines

b. Security categorization of data/information and information systems is the first step in the risk assessment process. Subsequent to the security categorization process, an organization must select an appropriate set of security controls for its information systems that satisfy the minimum security requirements. The selected set of security controls (i.e., limited, serious, or catastrophic) must be one of three security control baselines (i.e., low, moderate, or high) that are associated with the designated impact levels of the information systems.

What does risk analysis in the contingency planning process not include? a. Prioritization of applications b. Development of test procedures c. Assessment of threat impact on the organization d. Development of recovery scenarios

b. Test procedures are detailed instructions that usually are not considered during a risk analysis exercise. Risk analysis is the initial phase of the contingency planning process, whereas testing comes after developing and documenting the plan. Application prioritization, assessment of impact on the organization (exposures and implications), and recovery scenarios are part of the risk analysis exercise. Risk analysis is a prerequisite to a complete and meaningful disaster recovery-planning program. It is the assessment of threats to resources and the determination of the amount of protection necessary to adequately safeguard them.

The information system security plan is an important deliverable in which of the following processes? a. Configuration management b. System development life cycle c. Network monitoring d. Continuous assessment

b. The information system security plan is an important deliverable in the system development life cycle (SDLC) process. Those responsible for implementing and managing information systems must participate in addressing security controls to be applied to their systems. The other three choices are examples of ongoing information security program monitoring activities.

Which of the following factors affects the trustworthiness of an information system? 1. Security functionality 2. Security categorization 3. Security certification 4. Security assurance a. 1 and 2 b. 1 and 4 c. 3 and 4 d. 1, 2, 3, and 4

b. Two factors affecting the trustworthiness of an information system include security functionality (i.e., security features employed within the system) and security assurance (i.e., the grounds for confidence that the security functionality is effective in its application). Security categorization and security certification are not relevant here because security categorization classifies systems according to security levels, and security certification deals with approving a new system prior to its operation.

For risk mitigation strategies, which of the following is not a proper and effective action to take when a determined attacker's potential or actual cost is too great? a. Apply security design principles. b. Decrease an attacker's motivation. c. Implement security architectural design. d. Establish nontechnical security controls.

b. Usually, protection mechanisms to deter a normal and casual attacker are applied to decrease an attacker's motivation by increasing the attacker's cost when the attacker's cost is less than the potential gain for the attacker. However, these protection mechanisms may not prevent a determined attacker because the attacker's potential gain could be more than the cost, or the attacker is seeking a strategic and competitive advantage with the attack. The other three choices are proper and effective actions to take when the potential or actual cost for an attacker is too great, whether the attacker is normal, casual, or determined, because they are stronger protection mechanisms. Both technical and nontechnical security controls can be used to limit the extent of the attack.

Which of the following is not a recommended approach for identifying system vulnerabilities? a. Using vulnerability sources b. Using threat sources c. Conducting system security testing d. Using security requirements checklist

b. Vulnerabilities (flaws and weaknesses) are exploited by potential threat sources such as employees, hackers, computer criminals, and terrorists. A threat source is a method targeted at the intentional exploitation of a vulnerability or a situation that may accidentally exploit a vulnerability. Recommended approaches for identifying system vulnerabilities include the use of vulnerability sources, the performance of system security testing, and the development of a security requirements checklist.

The level of protection for an IT system is determined by an evaluation of which of the following elements? 1. Availability 2. Integrity 3. Sensitivity 4. Criticality a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

c. All IT systems and applications require some level of protection to ensure confidentiality, integrity, and availability, which is determined by an evaluation of the sensitivity and criticality of the information processed, the relation of the system to the organization mission, and the economic value of the system components. Sensitivity and criticality are a part of the confidentiality goal.

Which of the following ongoing security monitoring activities are more valuable in determining the effectiveness of security policies and procedures implementation? a. Plans of action and milestones b. Configuration management c. Incident statistics d. Network monitoring

c. All four choices are examples of ongoing security monitoring activities. Incident and event statistics are more valuable in determining the effectiveness of security policies and procedures implementation. These statistics provide security managers with further insight into the status of security programs under their control and responsibility.

Which of the following is a prerequisite for developing an information system security plan? 1. Security categorization of a system 2. Analysis of impacts 3. Grouping of general support systems 4. Labeling of major application systems a. 1 and 4 b. 2 and 3 c. 1 and 2 d. 3 and 4

c. Before the information system security plan can be developed, the information system and the data/information resident within that system must be categorized based on impact analysis (i.e., low, medium, or high impact). Then a determination can be made as to which systems in the inventory can be logically grouped into general support systems or major application systems.

Disciplinary actions are part of which of the following components of an information security program policy? a. Purpose b. Scope c. Compliance d. Responsibilities

c. Components of an information security program policy include purpose, scope, responsibilities, and compliance. The compliance component defines penalties and disciplinary actions.

As part of security control assessment, which of the following must be in place prior to the start of penetration testing work by outsiders? a. Rules of behavior b. Rules of negotiation c. Rules of engagement d. Rules of employment

c. Detailed rules of engagement must be agreed upon by all parties before the commencement of any penetration testing scenario by outsiders. These rules of engagement contain tools, techniques, and procedures that are anticipated to be used by threat-sources in carrying out attacks. Rules of behavior and rules of employment apply to internal employees. Rules of negotiation apply to both insiders and outsiders as a matter of work ethics.

Which of the following is not an example of protected communications controls that are part of technical preventive controls? a. Cryptographic technologies b. Data encryption methods c. Discretionary access controls d. Escrowed encryption algorithms

c. Discretionary access controls (DAC) define access control security policy. The other choices are examples of protected communications controls, which ensure the integrity, availability, and confidentiality of sensitive information while it is in transit. Cryptographic technologies include data encryption standard (DES), Triple DES (3DES), and secure hash standard. Data encryption methods include virtual private networks (VPNs) and Internet Protocol security (IPsec). Escrowed encryption algorithms include Clipper.

In general, which of the following is not a cost-effective or practical procedure required of vendors, consultants, and contractors who are hired for a short period of time to assist with computer hardware and software related work? a. Service-level agreement b. Rules of engagement c. Background checks d. Conflict-of-interest clauses

c. Due to higher turnover among vendors, consultants, and contractors and due to short timeframe work (e.g., a month or two), it is not cost effective or practical to conduct background checks because they are applicable to regular full-time employees. Vendors, consultants, and contractors must meet all the requirements mentioned in the other three choices. Background checks include contacting previous employers, verifying education with schools, and contacting friends and neighbors. However, for consultants and other non-employees, security clearance checks (e.g., police, court, and criminal records) are made when they handle sensitive information at work.

Residual risk results from which of the following steps taken in the approach to control implementation, which is done as part of the risk mitigation strategy? a. Conduct cost-benefit analysis b. Select controls c. Implement the selected controls d. Develop a control implementation plan

c. Implementing the selected controls is the first step in the control implementation approach. The other three choices precede the implementation of the selected controls. The risk remaining after the implementation of new or enhanced security controls is the residual risk.

What is the least effective technique for continually educating users in information systems security? a. Presenting security awareness video programs b. Posting policies on the intranet websites c. Presenting one-size-fits-all security briefings d. Declaring security awareness days

c. It is good to avoid a one-size-fits-all type of security briefing. It is important to relate security concerns to the specific risks faced by users in individual business units or groups and to ensure that security is an everyday consideration. Lax security can cost money and time. Security awareness is inexpensive and less time-consuming compared to installing security countermeasures.

Which of the following are major benefits of security awareness, training, and education programs accruing to an organization? a. Reducing fraud b. Reducing unauthorized actions c. Improving employee behavior d. Reducing errors and omissions

c. Making computer system users aware of their security responsibilities and teaching them correct practices help users change their behavior. It also supports individual accountability, which is one of the most important ways to improve computer security. Without knowing the necessary security measures and knowing how to use them, users cannot be truly accountable for their actions. The other three choices are examples of major purposes of security awareness.

Which of the following should form the basis for management authorization to process information in a system or to operate an information system? a. A plan of actions b. Milestones c. System security plan d. Assessment report

c. Management authorization to process information in a system or to operate a system should be based on the assessment of management, operational, and technical controls. Because the system security plan establishes and documents the security controls, it should form the basis for the authorization, supplemented by the assessment report and the plan of actions and milestones.

Which of the following statements is true about data classification and application categorization for sensitivity? a. Data classification and application categorization is the same. b. There are clear-cut views on data classification and application categorization. c. Data classification and application categorization must be organization-specific. d. It is easy to use simple data classification and application categorization schemes.

c. No two organizations are the same, and this is especially true across industries. For example, what works for a governmental organization may not work for a commercial organization. An example of a data classification scheme is critically sensitive, highly sensitive, sensitive, and nonsensitive.

Which of the following approves the system security plan prior to the security certification and accreditation process? a. Information system owner b. Program manager c. Information system security officer d. Business owner

c. Prior to the security certification and accreditation process, the information system security officer (the authorizing official, independent from the system owner) typically approves the security plan. In addition, some systems may contain sensitive information after the storage media is removed. If there is a doubt whether sensitive information remains on a system, the information system security officer should be consulted before disposing of the system because the officer deals with technical aspects of a system. The information system owner is also referred to as the program manager and business owner.

Which of the following must be done first to protect computer systems? a. Battling information abusers b. Fighting hackers c. Reducing vulnerabilities d. Catching crackers

c. Reducing vulnerabilities decreases potential exposures and risks. The other three choices follow the vulnerabilities.

Which of the following represents the best definition and equation for a comprehensive and generic risk model? a. Breach x Threat x Vulnerability b. Attack + Threat + Impact c. Threat x Vulnerability x Impact d. Attack + Vulnerability + Impact

c. Risk is the potential for an unwanted outcome resulting from internal or external factors, as determined from the likelihood of occurrence and the associated consequences. In other words, risk is the product of interactions among threats, vulnerabilities, and impacts. Threats deal with events and actions with potential to harm, vulnerabilities are weaknesses, and impacts are consequences. The other three choices are incorrect because they do not have the required components in the correct equation for the risk.

The aim of risk analysis is to strike a(n): a. Technical balance between the impact of risks and the cost of protective measures b. Operational balance between the impact of risks and the cost of protective measures c. Economic balance between the impact of risks and the cost of protective measures d. Legal balance between the impact of risks and the cost of protective measures

c. The aim of a risk analysis is to help systems management strike an economic balance between the impact of risks and the cost of protective measures. It lists risks first and protective measures second.

The effectiveness of recommended security controls is primarily related to which of the following? a. System safety b. System reliability c. System complexity d. System regulations

c. The effectiveness of recommended security controls is primarily related to system complexity and compatibility. The level and type of security controls should fit with the system complexity, meaning more controls are needed for complex systems and fewer controls are needed for simple systems. At the same time, security controls should match the system compatibility, meaning application-oriented controls are needed for application systems, and operating system-oriented controls are needed for operating systems. Other factors that should be considered include legislation and regulations, the organization's policy, system impact, system safety, and system reliability.

Results-based training does not focus on which of the following? a. Roles and responsibilities b. Understanding levels c. Job titles d. Backgrounds

c. Results-based training focuses on job functions or roles and responsibilities, not job titles, and recognizes that individuals have unique backgrounds and, therefore, different levels of understanding.

An IT security training program is a part of which of the following control categories? a. Application controls b. General controls c. Administrative controls d. Technical controls

c. The security training program is a part of administrative controls, which, in turn, can be a part of management controls. Application controls relate to a specific application system, whereas general controls relate to a computer center. Technical controls can be useful in both application and general areas.

In developing a data security program for an organization, who should be responsible for defining security levels and access profiles for each data element stored in the computer system? a. Database administrator b. Systems programmer c. Data owner d. Applications programmer

c. Usually, the data owner defines security levels such as confidential or highly confidential and access profiles defining who can do what, such as add, change, or delete the data elements. It is the data owner who paid or sponsored the system for his department. The database administrator is incorrect because he is concerned with creating and controlling the logical and physical database. The systems programmer is incorrect because he is responsible for installing new releases of systems software and monitoring the performance of systems software products. The applications programmer is incorrect because he is responsible for developing, testing, and maintaining computer-based application programs in the selected programming languages.

What is the last step when an insider violates a security policy? a. Verbal warning b. Dismissal c. Legal action d. Written warning

c. When an insider violates security policy, the first step is a verbal warning, followed by a written warning, dismissal, and the final step of legal action.

When engaging information system services from an external service provider, which of the following is needed to mitigate security risk? a. Chain-of-custody b. Chain-of-command c. Chain-of-documents d. Chain-of-trust

d. A chain-of-trust requires that an internal organization establish and retain a level of confidence that each external service provider provides adequate security protection for the services rendered to the internal organization. Chain-of-custody refers to preserving evidence, and it may include chain-of-documents. Chain-of-command is a management principle, which follows job hierarchy in giving orders to subordinate employees by a supervising employee.

For gathering information in the risk assessment process, proactive technical methods include which of the following? a. Questionnaires b. Onsite interviews c. Document review d. Network mapping tool

d. A network mapping tool, which is an automated information scanning tool, can identify the services that run on a large group of hosts and provide a quick way of building individual profiles of the target IT system(s). The other three choices are not examples of technical methods, proactive or otherwise.

Periodic assessment of the system security plan requires a review of changes occurring in which of the following areas? 1. System status 2. System scope 3. System architecture 4. System interconnections a. 1 and 2 b. 3 and 4 c. 1, 2, and 3 d. 1, 2, 3, and 4

d. After the information system security plan is accredited, it is important to periodically assess the plan and review any change in system status, system scope, system architecture, and system interconnections.

A periodic assessment of the system security plan requires a review of changes occurring in which of the following areas? 1. System functionality 2. System design 3. Information system owner 4. System authorizing official a. 1 and 2 b. 3 and 4 c. 1, 2, and 3 d. 1, 2, 3, and 4

d. After the information system security plan is accredited, it is important to periodically assess the plan and review any change in system functionality, system design, information system owner, and system authorizing official.

The benefits of good information security include which of the following? 1. Reduces risks 2. Improves reputation 3. Increases confidence 4. Enhances trust from others a. 1 and 2 b. 2 and 3 c. 1, 2, and 3 d. 1, 2, 3, and 4

d. All four items are benefits of good information security. It can even improve efficiency by avoiding wasted time and effort in recovering from a computer security incident.

For information systems security, an exposure is defined as which of the following combinations? a. Attack plus breach b. Threat plus vulnerability c. Threat plus attack d. Attack plus vulnerability

d. An exposure is an instance of vulnerability in which losses may result from the occurrence of one or more attacks (i.e., attack plus vulnerability). An attack is an attempt to violate data security. Vulnerability is a weakness in security policy, procedure, personnel, management, administration, hardware, software, or facilities affecting security that may allow harm to an information system. The presence of vulnerability does not in itself cause harm. It is a condition that may allow the information system to be harmed by an attack. A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction or modification of data or denial-of-service. A breach is the successful circumvention or disablement of a security control, with or without detection, which if carried to completion, could result in a penetration of the system. Note that vulnerability comes first and breach comes next.

A failure of common security controls can increase which of the following? a. System-specific risks b. Site-specific risks c. Subsystem-specific risks d. Organization-wide risks

d. Common security controls are identified during a collaborative organization-wide process involving many parties. Because of the potential dependence on common security controls by many of an organization's information systems, a failure of such common controls may result in a significant increase in organization-wide risks (i.e., risk that arises from operating the system that depends on these security controls).

Common security controls can be applied to which of the following? 1. All of an organization's information systems 2. A group of systems at a specific site 3. Common systems at multiple sites 4. Common subsystems at multiple sites a. 1 only b. 2 only c. 1 and 2 d. 1, 2, 3, and 4

d. Common security controls can apply to (i) all of an organization's information systems, (ii) a group of information systems at a specific site, or (iii) common information systems, subsystems, or applications, including hardware, software, and firmware, deployed at multiple operational sites.

Compensating security controls for an information system should be used by an organization only under which of the following conditions? 1. Selecting compensating controls from the security control catalog 2. Providing justification for the use of compensating controls 3. Performing a formal risk assessment 4. Accepting the risk associated with the use of compensating controls a. 1 only b. 3 only c. 1 and 3 d. 1, 2, 3, and 4

d. Compensating security controls for an information system should be used by an organization only under the following conditions: (i) the organization selects the compensating controls from the security control catalog, (ii) the organization provides a complete and convincing rationale and justification for how the compensating controls provide an equivalent security capability or level of protection for the information system, and (iii) the organization assesses and formally accepts the risk associated with using the compensating controls in the information system.

Which of the following actions should be implemented when a security function is unable to execute automated self-tests for verification? 1. Compensating controls 2. System-specific controls 3. Common controls 4. Accept the risk a. 1 only b. 2 and 3 c. 1, 2, and 3 d. 1, 2, 3, and 4

d. For those security functions that are unable to execute automated self-tests, organizations should implement compensating controls (i.e., management, technical, and operational controls), system-specific controls, common controls, or a combination of these controls. Otherwise, the organization's management explicitly accepts the risk of not performing the verification process.

From a risk mitigation viewpoint, which of the following is not an example of system protection controls that are part of supporting technical security controls? a. Modularity b. Layering c. Need-to-know d. Access controls

d. From a risk mitigation viewpoint, technical security controls are divided into two categories: supporting controls and other controls (i.e., prevention, detection, and recovery controls). Supporting controls must be in place in order to implement other controls. Access controls are a part of preventive technical security controls, whereas system protections are an example of supporting technical security controls. Some examples of system protections include modularity, layering, need-to-know, and trust minimization (i.e., minimization of what needs to be trusted).

Which of the following actions are required to manage residual risk when new or enhanced security controls are implemented? 1. Eliminate some of the system's vulnerabilities. 2. Reduce the number of possible threat-source/vulnerability pairs. 3. Add a targeted security control. 4. Reduce the magnitude of the adverse impact. a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 1, 2, 3, and 4

d. Implementation of new or enhanced security controls can mitigate risk by (i) eliminating some of the system's vulnerabilities (flaws and weaknesses) thereby reducing the number of possible threat-source/vulnerability pairs, (ii) adding a targeted control to reduce the capacity and motivation of a threat-source, and (iii) reducing the magnitude of the adverse impact by limiting the extent of a vulnerability.

From a risk management viewpoint, system migration is conducted in which of the following system development life cycle (SDLC) phases? a. Development/acquisition b. Implementation c. Operation/maintenance d. Disposal

d. In the disposal phase of the SDLC process, system migration is conducted in a secure and systematic manner.

Which of the following are essential to reach a higher rate of success in protecting information? 1. Proven security tools and techniques 2. Encouraging professional certification 3. Training employees in security policies 4. Role-based security responsibilities a. 1 and 2 b. 2 and 3 c. 1 and 4 d. 3 and 4

d. Organizations that continually train their workforce in organizational security policy and role-based security responsibilities have a higher rate of success in protecting information. Proven security tools and techniques and encouraging professional certification indirectly support training employees in security policies and role-based security responsibilities.

Which of the following is an example of detective (detection) personnel security controls? a. Separation of duties b. Least privilege c. User computer access registration d. Rotation of duties

d. Rotation of duties is an example of detective (detection) personnel security controls, which are part of management security controls. The other three choices are examples of preventive personnel security controls.

Which one of the following items can be a part of other items? a. Management controls b. Operational controls c. Technical controls d. Preventive controls

d. System security controls selected are grouped into one of the three categories of management, operational, or technical controls. Each one of these controls can be preventive in nature.

Which of the following is not a basic objective of computer-based information systems security? a. Protection of system assets from loss, damage, and misuse b. Accuracy of data and reliability of application processes c. Availability of information and application processes d. Control of data analysis

d. The control of information protection, accuracy, availability, and dissemination, not the control of data analysis, is one of the basic objectives of computer-based information systems security. Data analysis determines whether security objectives were achieved.

Which of the following is not a true statement about data collection efforts during IT security metrics development process? a. Data collection process must be as nonintrusive as possible. b. Collected data must have maximum usefulness. c. Collected data must be valid. d. More resources are needed to collect more data.

d. The data collection effort during the IT security metrics development process must be as nonintrusive as possible and of maximum usefulness to ensure that available resources are primarily used to correct problems, not simply to collect data for the sake of collecting. The collection of valid data is more important than collecting more data.

From a security viewpoint, which of the following is the most important document prepared by an external information system service provider? a. Service provider security role b. End user security role c. Memorandum of agreement d. Service-level agreement

d. The external information system services documentation must include the service provider security role, end user security role, signed contract, memorandum of agreement before the signed contract, and service-level agreement (most important). The service-level agreement (SLA) defines the expectations of performance for each required security control, describes measurable outcomes, and identifies remedies and response requirements for any identified instance of noncompliance.

Which of the following characterizes information domains? 1. Partitioning information 2. Access control needs 3. Levels of protection required 4. Classifying information a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. The partitioning of information according to access control needs and levels of protection required yields categories of information. These categories are often called information domains. Classifying information as secret, top-secret, and sensitive is also called information domains where information is compartmentalized.

Which of the following risk mitigation options prioritizes, implements, and maintains security controls? a. Risk assumption b. Risk avoidance c. Risk limitation d. Risk planning

d. The purpose of a risk planning option is to manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains security controls. The purpose of the risk assumption option is to accept the potential risk and continue operating the IT system. The goal of risk avoidance is to eliminate the risk cause and/or consequence. (For example, forgo certain functions of the system or shut down the system when risks are identified.) The goal of risk limitation is to authorize system operation for a limited time during which additional risk mitigation controls are being put into place.

The results of information-security program assessment reviews can be used to do which of the following? 1. To support the certification and accreditation process 2. To support the continuing monitoring requirement 3. To prepare for audits 4. To improve the system's security posture a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. The results of information-security program assessment reviews can provide a much more reliable measure of security effectiveness. These results may be used to (i) fulfill the organization's internal reporting requirements, (ii) support the certification and accreditation process for the system, (iii) support the continuing monitoring requirements, (iv) prepare for audits, and (v) identify resource needs to improve the system's security posture.

What is the last thing to do upon friendly termination of an employee? a. Conduct an exit interview. b. Disable computer access immediately. c. Take possession of keys and cards. d. Send the employee to a career counselor.

d. The safest and first thing to do is to (i) disable computer access immediately, which should be a standard procedure, (ii) conduct an exit interview, and (iii) take possession of access keys and cards. The employee can be sent to a career counselor afterward (last thing).

Which of the following is the ultimate purpose of information security performance metrics? a. To pinpoint problems b. To scope resources for remediation c. To track ownership of data d. To improve information security

d. The ultimate purpose of information security performance metrics is to support the organizational requirements and to assist in internal efforts to improve information security. Intermediate benefits of performance measurement, leading to the ultimate purpose, include assisting with pinpointing problems, scoping the resources for remediation, tracking the status of remediation, and quantifying successes. Measurement also creates accountability for results by tracking ownership of data and its related activities.

When a contractor representing an organization uses an internal system to connect with an external organization's system for data exchange, the contractor should comply with which of the following agreed-upon trust relationships? 1. Conflict of interest statements 2. Rules of behavior 3. Remote session rules 4. Rules of operation a. 1 only b. 3 only c. 2 and 4 d. 1, 2, 3, and 4

d. To comply with established trust relationships, employees and contractors have the same responsibility (principal and agent relationship) because the contractor is working on behalf of the internal organization. Hence, all the terms and conditions that apply to employees equally apply to contractors. These conditions include rules of behavior, remote session rules, rules of operation, and signed conflict of interest statements.

To estimate the losses likely to occur when a threat is realized or a vulnerability is exploited, which of the following loss categories allow management the best means to estimate their potential losses? a. Single occurrence loss, actual loss b. Expected loss, catastrophic loss c. Catastrophic loss, actual loss d. Expected loss, single occurrence loss

d. Two loss categories are usually identified: (i) losses caused by threats with reasonably predictable occurrence rates, referred to as expected losses, which are expressed in dollars per year and computed as the product of occurrence rate, loss potential, and vulnerability factor; and (ii) losses caused by threats with a very low rate of occurrence (low probability) that is difficult to estimate but that would cause a very high loss if they did occur (high-consequence risk), referred to as a single occurrence loss and expressed as the product of loss potential, vulnerability factor, and asset value. A catastrophic loss is a loss greater than the organization's equity. An actual loss is the amount of assets or lives already lost. Neither catastrophic loss nor actual loss enters into risk assessment, because they cannot be estimated in advance.
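The two loss categories above, worked through as an added example (this is not code from the original page). It assumes that loss potential is the fraction of asset value lost by one successful event and that the vulnerability factor is the probability that an event, once it occurs, actually causes that loss; under those assumptions the page's single occurrence loss and expected loss share one dollar figure per event, so expected annual loss is occurrence rate times single occurrence loss. The "predictable" threshold of once per decade, the threat names, the dollar figures, and the control cost are all constructed for illustration.

```python
from dataclasses import dataclass, replace

# Constructed risk-register example (not from the page). Assumptions:
#   - loss_potential is the fraction of asset_value lost by one successful
#     event, and vulnerability is the probability that an event, once it
#     occurs, actually causes that loss; both are in [0, 1].
#   - occurrence_rate is the expected number of events per year.
#   - With these definitions, single occurrence loss
#     (loss potential x vulnerability factor x asset value) is the dollar
#     loss of one event, and expected loss (occurrence rate x loss
#     potential x vulnerability factor) is that figure scaled to a year.
PREDICTABLE_RATE = 0.1  # assumption: >= once per decade is "reasonably predictable"


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # dollars
    loss_potential: float    # fraction of asset value lost per successful event
    vulnerability: float     # probability the event causes that loss, given it occurs
    occurrence_rate: float   # expected events per year


def _validate(t: Threat) -> None:
    """Reject ratings outside their defined ranges; garbage in would otherwise
    produce a plausible-looking dollar figure."""
    if not 0.0 <= t.loss_potential <= 1.0:
        raise ValueError(f"{t.name}: loss_potential must be in [0, 1]")
    if not 0.0 <= t.vulnerability <= 1.0:
        raise ValueError(f"{t.name}: vulnerability must be in [0, 1]")
    if t.asset_value < 0 or t.occurrence_rate < 0:
        raise ValueError(f"{t.name}: asset_value and occurrence_rate must be >= 0")


def single_occurrence_loss(t: Threat) -> float:
    """Dollar loss from one successful event (low-probability, high-consequence view)."""
    _validate(t)
    return t.loss_potential * t.vulnerability * t.asset_value


def expected_annual_loss(t: Threat) -> float:
    """Dollars per year, meaningful for threats whose occurrence rate is predictable."""
    return t.occurrence_rate * single_occurrence_loss(t)


def loss_category(t: Threat) -> str:
    return "expected" if t.occurrence_rate >= PREDICTABLE_RATE else "single_occurrence"


def risk_register(threats):
    """Rank threats: predictable ones by expected annual loss, rare ones by
    single occurrence loss. The two categories are deliberately not merged on
    one scale: a 1-in-100-year flood averaged into dollars/year hides its real size."""
    rows = []
    for t in threats:
        rows.append({
            "name": t.name,
            "category": loss_category(t),
            "single_occurrence_loss": single_occurrence_loss(t),
            "expected_annual_loss": expected_annual_loss(t),
        })
    expected = sorted((r for r in rows if r["category"] == "expected"),
                      key=lambda r: r["expected_annual_loss"], reverse=True)
    rare = sorted((r for r in rows if r["category"] == "single_occurrence"),
                  key=lambda r: r["single_occurrence_loss"], reverse=True)
    return expected + rare


def control_net_benefit(t: Threat, residual_vulnerability: float, annual_cost: float) -> float:
    """Expected annual loss avoided by a control, minus the control's annual cost.
    Only meaningful for the 'expected' category; rare threats are judged against
    risk appetite on single occurrence loss instead, so this refuses them."""
    if loss_category(t) != "expected":
        raise ValueError(f"{t.name}: judge rare threats on single_occurrence_loss")
    mitigated = replace(t, vulnerability=residual_vulnerability)
    return expected_annual_loss(t) - expected_annual_loss(mitigated) - annual_cost


# Constructed sample threats (illustrative numbers, not measured data).
RANSOMWARE = Threat("Ransomware on file server", 2_000_000, 0.4, 0.5, 0.5)
LAPTOP_THEFT = Threat("Laptop theft", 50_000, 0.2, 0.9, 3.0)
FLOOD = Threat("Data center flood", 10_000_000, 0.8, 1.0, 0.01)
SAMPLE_THREATS = [LAPTOP_THEFT, FLOOD, RANSOMWARE]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_THREATS):
        print(f"{row['name']:<28} {row['category']:<18} "
              f"SOL=${row['single_occurrence_loss']:>12,.0f} "
              f"EAL=${row['expected_annual_loss']:>12,.0f}/yr")
    # Offline backups assumed to cut ransomware vulnerability from 0.5 to 0.1
    # at $50,000/yr: positive net benefit means the control pays for itself.
    print(f"Backup control net benefit: ${control_net_benefit(RANSOMWARE, 0.1, 50_000):,.0f}/yr")
```

The register keeps the flood in its own category even though its averaged figure ($80,000/yr) would rank it below the ransomware threat; that is the point of the single occurrence category, since an $8,000,000 event is a question of survivability, not of annual budget.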

Which of the following is the best way to ensure an acceptable level of trustworthiness of an information system? a. Component-by-component b. Subsystem-by-subsystem c. Function-by-function d. System-by-system

d. Typically, components, subsystems, and functions are highly interrelated, so assessing trustworthiness separately for each gives unpredictable results. Hence, system-by-system trustworthiness is best because it is holistic and inclusive of the system's components, subsystems, and functions.
