CS 307 Exam 2
Prohibits a high-level subject from writing (sending messages) to a lower-level object; "no write down"
*-property (star property, the write property)
The identification of assets, including all the elements of an organization's system: people, procedures, data, software, hardware, and networking elements
Assessment
Section of the risk worksheet that lists each vulnerable asset
Asset
Section of the risk worksheet that shows the results for this asset from the weighted factor analysis worksheet
Asset Impact
This attribute describes the function of each asset
Asset Type
This is used to facilitate the tracking of assets. These are unique numbers assigned to assets and permanently affixed to assets during the acquisition process
Asset tag
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?
Assigning a value to each information asset
A confidentiality model or "state machine reference model" that ensures the confidentiality of the modeled system by using MACs, data classification, and security clearances
Bell-LaPadula (BLP) confidentiality model
An alternative to feasibility that is the process of seeking out and studying the practices used in other organizations that produce the results you desire in your organization
Benchmarking
The comparison of two related measurements
Benchmarking
The value to the organization of using controls to prevent losses associated with a specific vulnerability
Benefit
An access control model that is similar to BLP and is based on the premise that higher levels of integrity are more worthy of trust than lower levels
Biba integrity model
In InfoSec, a framework or security model customized to an organization, including implementation details
Blueprint
An international standard for computer security certification that is considered the successor to TCSEC and ITSEC
Common Criteria for Information Technology Security Evaluation ("CC")
This refers to the organizational unit that controls the asset
Controlling Entity
True or False: A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme
False
True or False: A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects.
False
True or False: An approach to combining risk identification, risk assessment, and risk appetite into a single strategy is known as risk protection
False
True or False: An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment
False
True or False: Dumpster delving is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information
False
True or False: The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege.
False
True or False: The information technology management community of interest often takes on the leadership role in addressing risk
False
The COSO framework is built on five interrelated components. Which of the following is NOT one of them?
InfoSec Governance
Must lead the way with skill, professionalism, flexibility, and subject expertise as it works with the other communities of interest to balance the constant trade-offs between information's ease of use and security
InfoSec Management
Standards that are used for reference or comparison and often serve as the stepping-off point for emulation and adoption
InfoSec models
An international set of criteria for evaluating computer systems, very similar to TCSEC
Information Technology Security Evaluation Criteria (ITSEC)
Assembles information about information assets and their impact on or value to the organization
Information asset classification worksheet
This attribute specifies where an asset can be found on the organization's network
Logical Location
Which of the following is an attribute of a network device that is physically tied to the network interface?
MAC address
This attribute does not apply to software elements. Nevertheless, some organizations may have license terms that indicate where software can be used. This may include systems leased at remote locations, often described as being "in the cloud"
Physical Location
Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair
Ranked vulnerability risk worksheet
Once an information asset is identified, categorized, and classified, what must also be assigned to it?
Relative value
Comparative judgements intended to ensure that the most valuable information assets are given the highest priority when managing risk
Relative values
What is a disadvantage of the one-on-one training method?
Resource intensive, to the point of being inefficient
The identification and assessment of levels of risk in an organization describes which of the following?
Risk analysis
What function includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
Risk assessment
Section of the risk worksheet where someone enters the figure calculated by multiplying the asset impact and its likelihood
Risk-rating Factor
The _________ program is designed to reduce the occurrence of accidental security breaches by members of the organization
SETA
Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?
Security model or framework (both; the two terms are used interchangeably)
A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access
Security clearance
Which of the following specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle?
Security clearances
The InfoSec security principle that requires significant tasks to be split up so that more than one individual is required to complete them
Separation of duties
This is a number that uniquely identifies a specific device
Serial Number
Prohibits a subject with a lower clearance from reading an object of higher classification but allows a subject with a higher clearance to read an object at a lower level; "no read up"
Simple security property (read property)
Because licenses for software products are often tied to specific version numbers, geographic locations, or even specific users, this data may require specialized efforts to track
Software Licensing Data
This attribute includes information about software and firmware versions, and for hardware devices, the current field change order number
Software Version, Update Revision, or FCO Number
Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?
TCSEC
Combines the output from the information asset identification and prioritization with the threat identification and prioritization and identifies potential vulnerabilities in the "triples"; also incorporates extant and planned controls
TVA worksheet
Determining whether the organization already has or can acquire the technology necessary to implement and support them
Technical feasibility
Removing or discontinuing the information asset from the organization's operating environment
Termination
These play a key role in understanding how the organization needs to react to a successful attack, particularly in its plans for incident response, disaster recovery, and business continuity
attack scenarios
What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
cost-benefit analysis
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization
cost-benefit analysis (CBA)
______ channels are unauthorized or unintended methods of communications hidden inside a computer system, and include storage and timing channels.
covert
Unauthorized or unintended methods of communications hidden inside a computer system
covert channels
Assessing risks includes determining the ________ that vulnerable systems will be attacked by specific threats.
likelihood
The probability that a specific vulnerability within an organization will be the target of an attack
likelihood
Which of the following affects the cost of a control?
maintenance
Risk _______ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated
management
Which of the following is NOT a category of access control?
mitigating
The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is ______
mitigation
Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
mitigation
The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation
mitigation risk control strategy
Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
monitoring and measurement
The _________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.
need to know
Which access control principle limits a user's access to the specific information required to perform the currently assigned task?
need to know
Which type of access controls can be role-based or task-based?
nondiscretionary
An examination of how well a particular solution fits within the organization's culture and the extent to which users are expected to accept the solution
operational feasibility
An examination of how well a particular solution fits within the organization's strategic planning objectives and goals
organizational feasibility
Examines how well the proposed InfoSec alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization
organizational feasibility
Which of the following is an example of a technological obsolescence threat?
outdated servers
In some corporate models, the list of risk management components may be simplified into these three groups
people, processes and technology
GGG (guards, gates, and guns) security is commonly used to describe which aspect of security?
physical
Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?
planning
The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
risk determination
The recognition, enumeration, and documentation of risks to an organization's information assets
risk identification
Within TCB, a conceptual piece of the system that manages access controls--in other words, it mediates all access to objects by subjects
reference monitor
As each information asset is identified, categorized, and classified, a ______ value must also be assigned to it.
relative
The risk to information assets that remains even after current controls have been applied
residual risk
An approach to combining risk identification, risk assessment, and risk appetite into a single strategy
risk analysis
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility
risk appetite
A formal document developed by the organization that specifies its overall willingness to accept risk to its information assets, based on a synthesis of individual risk tolerances
risk appetite statement
A determination of the extent to which an organization's information assets are exposed to risk
risk assessment
Risk = (likelihood of the occurrence of a vulnerability × value of the information asset) − percentage of risk mitigated by current controls + uncertainty of current knowledge of the vulnerability. The terms of this formula are each examples of _____
risk assessment estimate factors
The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level
risk management
Also known as risk tolerance
risk threshold
The assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization's overall risk appetite
risk tolerance
True or False: A person's security clearance is a personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access.
True
True or False: A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable
True
What is an advantage of the user support group form of training?
Usually conducted in an informal social setting
Section of the risk worksheet that lists each uncontrolled vulnerability
Vulnerability
Section of the risk worksheet that states the likelihood of the realization of the vulnerability by a threat agent as indicated in the vulnerability analysis step
Vulnerability Likelihood
Assigns a ranked value or impact weight to each information asset
Weighted criteria analysis worksheet
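The arithmetic behind the weighted factor analysis worksheet, the risk-rating factor and the ranked vulnerability risk worksheet, shown as an added Python example (not part of the course material). The criteria, weights, assets, vulnerabilities and likelihoods are constructed for illustration, and the risk formula applies the "percentage mitigated" and "uncertainty" terms to the likelihood × value product, which is this example's reading of the formula.

```python
# Added example, not part of the course material. The criteria weights, asset
# scores and asset/vulnerability rows below are constructed for illustration.

# Weighted factor analysis: criteria weights total 100 and each asset is scored
# 0.1 (low) to 1.0 (high) on every criterion; the weighted sum is the asset's
# impact (value) carried into the risk worksheet.
CRITERIA_WEIGHTS = {"impact on revenue": 30, "impact on profitability": 40,
                    "impact on public image": 30}

ASSET_SCORES = {
    "customer database": {"impact on revenue": 0.8, "impact on profitability": 0.9,
                          "impact on public image": 0.5},
    "public web server": {"impact on revenue": 0.5, "impact on profitability": 0.5,
                          "impact on public image": 0.9},
}

# (asset, uncontrolled vulnerability, likelihood 0.1..1.0,
#  fraction of risk mitigated by current controls, uncertainty as a fraction)
VULNERABILITIES = [
    ("customer database", "unpatched database host", 1.0, 0.0, 0.10),
    ("public web server", "denial of service on public site", 0.5, 0.5, 0.20),
    ("public web server", "default admin credentials", 0.2, 0.9, 0.10),
]


def weighted_factor_score(scores, weights):
    """Asset impact from the weighted factor analysis worksheet."""
    if abs(sum(weights.values()) - 100) > 1e-9:
        raise ValueError("criteria weights must total 100")
    if set(scores) != set(weights):
        raise ValueError("every criterion needs exactly one score")
    for criterion, score in scores.items():
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"score for {criterion!r} must be between 0.1 and 1.0")
    return round(sum(scores[c] * weights[c] for c in weights), 2)


def risk_rating(asset_value, likelihood, mitigated, uncertainty):
    """Risk-rating factor: (likelihood x value) - % mitigated by current controls
    + % uncertainty. Both percentages are taken of the likelihood x value
    product (this example's reading of the formula, not a course definition)."""
    if not 0.1 <= likelihood <= 1.0:
        raise ValueError("likelihood is rated between 0.1 and 1.0")
    if not (0.0 <= mitigated <= 1.0 and 0.0 <= uncertainty <= 1.0):
        raise ValueError("mitigated and uncertainty are fractions between 0 and 1")
    base = likelihood * asset_value
    return round(base - base * mitigated + base * uncertainty, 2)


def ranked_vulnerability_worksheet(vulnerabilities, asset_scores, weights):
    """One row per uncontrolled asset-vulnerability pair, highest risk first."""
    impacts = {a: weighted_factor_score(s, weights) for a, s in asset_scores.items()}
    rows = []
    for asset, vuln, likelihood, mitigated, uncertainty in vulnerabilities:
        rows.append({
            "asset": asset,
            "vulnerability": vuln,
            "asset_impact": impacts[asset],
            "likelihood": likelihood,
            "risk_rating": risk_rating(impacts[asset], likelihood, mitigated, uncertainty),
        })
    return sorted(rows, key=lambda r: r["risk_rating"], reverse=True)


if __name__ == "__main__":
    for row in ranked_vulnerability_worksheet(VULNERABILITIES, ASSET_SCORES, CRITERIA_WEIGHTS):
        print(f'{row["risk_rating"]:6.2f}  {row["asset"]:<20} {row["vulnerability"]}')
```

The ranking is what the "ranked vulnerability risk worksheet" card describes: impact comes from the weighted factor column, the risk-rating factor is impact × likelihood adjusted for existing controls and for how sure the assessor is, and sorting by that factor gives the order in which control strategies are chosen.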
The process of assigning financial value or worth to each information asset
asset valuation
Project __________ is a description of a project's features, capabilities, functions, and quality level, used as the basis of a project plan
scope
To keep up with the competition organizations must design and create a ______ environment in which business processes and procedures can function and evolve effectively
secure
A SETA program consists of three elements: security education, security training, and _________
security awareness
To design a security program, an organization can use a(n) ________, which is a generic outline of the more thorough and organization-specific blueprint offered by a service organization.
security model
What is the most cost-effective method for disseminating security information and news to employees?
security newsletter
Which person would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
security technician
At this stage of risk identification, managers identify the organization's information assets, classify and categorize them into useful groups, and prioritize them by overall importance
self examination
Risk identification begins with the process of what?
self examination
By multiplying the asset value by the exposure factor, you can calculate which of the following?
single loss expectancy
In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack. Also the product of the asset's value and the exposure factor
single loss expectancy (SLE)
A TCSEC-defined covert channel that communicates by modifying a stored object, such as in steganography
storage channels
An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking and personnel
technical feasibility
Advanced technical training can be selected or developed based on what?
technology product
The three methods for selecting or developing advanced technical training are by job category, by job function, and by _________
technology product
A time-release safe is an example of which type of access control?
temporal isolation
The risk control strategy that eliminates all risk associated with an information asset by removing it from service
termination risk control strategy
An evaluation of the threats to information assets, including a determination of their potential to endanger the organization
threat assessment
A TCSEC-defined covert channel that communicates by managing the relative timing of events
timing channels
The ________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
transference
The risk control strategy that attempts to shift risk to other assets, other processes, and other organizations
transference risk control strategy
Under TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy
trusted computing base (TCB)
An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
uncertainty
What is defined as specific avenues that threat agents can exploit to attack an information asset?
vulnerabilities
What is the final step in the risk identification process?
Listing assets in order of importance
Access controls that are implemented by a central authority
Nondiscretionary controls
Which piece of the Trusted Computing Base's security system manages access controls?
reference monitor
At the end of the risk identification process, an organization should have these two things
1. A prioritized list of assets and their vulnerabilities 2. A prioritized list of threats facing the organization
Four phases of Microsoft's security risk management process
1. Assessing risk 2. Conducting decision support 3. Implementing controls 4. Measuring program effectiveness
What are the three common approaches to implement the defense risk control strategy?
1. Application of Policy 2. Application of Training and Education 3. Implementation of Technology
What are the five basic strategies to control the risks that arise from vulnerabilities?
1. Defense 2. Transference 3. Mitigation 4. Acceptance 5. Termination
What are the three communities of interest in reducing risk?
1. General management 2. IT management 3. InfoSec management
What are the three communities of interest directly linked to managing the risks of information assets?
1. InfoSec 2. IT 3. Management and Users
What are the five levels of consequences?
1. Insignificant 2. Minor 3. Moderate 4. Major 5. Catastrophic
Five stages of the ISO 27005 risk management methodology
1. Risk assessment 2. Risk treatment 3. Risk acceptance 4. Risk communication 5. Risk monitoring and review
How many general categories of threats to InfoSec are there?
12
What are the five qualitative likelihood assessment levels?
A. Almost Certain B. Likely C. Possible D. Unlikely E. Rare
Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control
Acceptance
Maintained by means of a collection of policies, programs to carry out those policies and technologies that enforce policies
Access control
Regulate the admission of users into trusted areas of the organization
Access controls
Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?
COBIT
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
Calculating the severity of risks to which assets are exposed in their current setting
In a lattice based access control, the row of attributes associated with a particular subject (such as a user)
Capabilities table
Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?
Cost of prevention
Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk
Defense
In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
Delphi
Access controls that are implemented at the discretion or option of the data user
Discretionary access controls (DACs)
An alternative to feasibility that occurs when an organization adopts a certain minimum level of security
Due care and Due diligence
An information attack that involves searching through a target organization's trash and recycling bins for sensitive information
Dumpster diving
True or False: The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy.
False
True or False: The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy.
False
True or False: The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.
False
True or False: Threats from insiders are more likely in a small organization than in a large one
False
True or False: The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures.
False
Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises
Field Change Order (FCO)
In InfoSec, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies, security education, and training programs, and technological controls. Also known as a security model
Framework
Must structure the IT and InfoSec functions in ways that will result in the successful defense of the organization's information assets, including data, hardware, software, procedures and people
General Management
Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
IP address
Must serve the IT needs of the broader organization and at the same time exploit the special skills and insights of the InfoSec community
IT management
What is a key component of a risk management strategy?
Identification, Classification and Prioritization of the organization's information assets
What is an advantage of the formal class method of training?
Interaction with trainer is possible
This attribute may be useful for network devices and servers at some organizations, but it rarely applies to software
Internet Protocol (IP) Address
What is true about a company's InfoSec awareness Web site?
It should be tested with multiple browsers
Requires identifying which information assets are valuable to the organization, categorizing and classifying those assets, and understanding how they are currently being protected
Knowing Yourself
Identifying, examining, and understanding the threats facing the organization's information assets
Knowing the Enemy
A variation on the MAC form of access control, which assigns users a matrix of authorizations for particular areas of access, incorporating the information assets of subjects such as users and objects
Lattice based access control
The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary
Least privilege
Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?
Legal management must develop corporate-wide standards
A required, structured data classification scheme that rates each collection of information as well as each user. These ratings are often referred to as sensitivity or classification levels
Mandatory access control (MAC)
This attribute can be useful for analyzing threat outbreaks when specific manufacturers announce specific vulnerabilities
Manufacturer Name
This number that identifies exactly what the asset is, can be very useful in the later analysis of vulnerabilities because some threats apply only to specific models of certain devices and/or software components
Manufacturer's Model or Part Number
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
Manufacturer's model or part number
The network operating system uses this number to identify specific network devices. The client's network software uses it to recognize traffic that it needs to process
Media Access Control (MAC) Address
Reducing the impact to information assets should an attacker successfully exploit a vulnerability
Mitigation
A nonprofit organization designed to support research and development groups that have received federal funding
Mitre
The principle of limiting users' access privileges to only the specific information required to perform their assigned tasks
Need-to-know
Which of the following is NOT a change control principle of the Clark-Wilson model?
No changes by authorized subjects without external validation
Refers to user acceptance and support, management acceptance and support and the system's compatibility with the requirements of the organization's stakeholders
Operational Feasibility
An InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE Method)
Which variable is the most influential in determining how to structure an information security program?
Organizational culture
Considers what can and cannot occur based on the consensus and relationships among the communities of interest
Political feasibility
What is true about the security staffing, budget, and needs of a medium-sized organization?
They have larger information security needs than a small organization
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
Threats-vulnerabilities-assets worksheet
Shifting risks to other areas or to outside entities
Transference
True or False: Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA).
True
True or False: Each organization has to determine its own project management methodology for IT and information security projects
True
True or False: Planners need to estimate the effort required to complete each task, subtask, or action step
True
True or False: The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know.
True
True or False: Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.
True
An older DoD system certification and accreditation standard that defines the criteria for assessing the access controls in a computer system. Also known as the rainbow series due to the color coding of the individual documents that made up the criteria
Trusted Computer System Evaluation Criteria (TCSEC)
Which of the following is NOT a valid rule of thumb on risk control strategy selection?
When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation
acceptance risk control strategy
Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?
access control list
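A toy reference monitor, added here as a Python example (not part of the course material), that ties together the BLP simple security and *-properties, the Biba integrity rules, lattice-based access control and the capabilities-table (row) versus access control list (column) view of the access matrix. Subjects, objects and the "nuclear" need-to-know category are constructed; modelling need to know as a set of categories inside the label is this example's assumption.

```python
# Added example, not part of the course material. A label is (clearance or
# classification level, set of need-to-know categories); subject and object
# names and categories are constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: Label) -> bool:
        # Lattice order: level at least as high AND categories cover the other
        # label's categories (clearance alone is not enough: need to know).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


class ReferenceMonitor:
    """Holds every subject and object label and mediates each access request."""

    def __init__(self) -> None:
        self.subjects: dict[str, Label] = {}
        self.objects: dict[str, Label] = {}

    def add_subject(self, name: str, level: str, *categories: str) -> None:
        self.subjects[name] = Label(level, frozenset(categories))

    def add_object(self, name: str, level: str, *categories: str) -> None:
        self.objects[name] = Label(level, frozenset(categories))

    def allows(self, subject: str, obj: str, mode: str, model: str = "blp") -> bool:
        s, o = self.subjects[subject], self.objects[obj]
        if model == "blp":  # confidentiality: labels are clearances/classifications
            if mode == "read":   # simple security property: no read up
                return s.dominates(o)
            if mode == "write":  # *-property: no write down
                return o.dominates(s)
        elif model == "biba":  # integrity: a higher label is more trustworthy
            if mode == "read":   # no read down (do not trust lower-integrity data)
                return o.dominates(s)
            if mode == "write":  # no write up (do not contaminate higher-integrity data)
                return s.dominates(o)
        raise ValueError(f"unknown model/mode: {model}/{mode}")

    def capabilities(self, subject: str, model: str = "blp") -> dict[str, set[str]]:
        """Row of the access matrix: what one subject may do to every object."""
        return {o: {m for m in ("read", "write") if self.allows(subject, o, m, model)}
                for o in self.objects}

    def acl(self, obj: str, model: str = "blp") -> dict[str, set[str]]:
        """Column of the access matrix: what every subject may do to one object."""
        return {s: {m for m in ("read", "write") if self.allows(s, obj, m, model)}
                for s in self.subjects}


def demo() -> ReferenceMonitor:
    rm = ReferenceMonitor()
    rm.add_subject("alice", "secret", "nuclear")   # cleared Secret, need to know: nuclear
    rm.add_subject("bob", "top secret")            # cleared Top Secret, no categories
    rm.add_object("plan", "secret", "nuclear")     # Secret object in the nuclear category
    rm.add_object("memo", "confidential")          # Confidential object, no category
    return rm


if __name__ == "__main__":
    rm = demo()
    for subj in rm.subjects:
        print(subj, "BLP capabilities:", rm.capabilities(subj))
    print("memo ACL (BLP):", rm.acl("memo"))
    print("alice reads memo under Biba:", rm.allows("alice", "memo", "read", "biba"))
```

Note that bob, although cleared higher than alice, cannot read "plan": the category check is what enforces need to know on top of clearance. Under Biba the same labels are read as integrity levels, so the read/write directions flip.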
In a cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy
annualized loss expectancy (ALE)
In a cost benefit analysis, the expected frequency of an attack, expressed on a per-year basis
annualized rate of occurrence (ARO)
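The cost-benefit analysis chain (SLE = asset value × exposure factor, ALE = SLE × ARO, ACS, and CBA = ALE(prior) − ALE(post) − ACS) worked through for two candidate controls, as an added Python example that is not part of the course material. The asset value, exposure factors, attack frequencies, control names and control costs are constructed; spreading a control's one-time cost over its useful life to get its annual cost is this example's choice.

```python
# Added example, not part of the course material. Asset value, exposure
# factors, attack frequencies and control costs are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    acquisition_cost: float       # one-time: purchase/development, implementation, initial training
    annual_maintenance: float     # recurring: maintenance, support, operation (affects the cost every year)
    lifetime_years: int           # period the one-time cost is spread over
    exposure_factor_after: float  # EF once the control is in place
    aro_after: float              # ARO once the control is in place

    def annual_cost_of_safeguard(self) -> float:
        """ACS: amortized one-time cost plus the recurring cost, per year."""
        if self.lifetime_years <= 0:
            raise ValueError("lifetime must be at least one year")
        return round(self.acquisition_cost / self.lifetime_years + self.annual_maintenance, 2)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost in one incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (expected incidents per year; 0.2 means once every five years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def cost_benefit(asset_value: float, exposure_factor: float, aro: float, control: Control) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    ale_prior = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_post = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.exposure_factor_after), control.aro_after)
    return round(ale_prior - ale_post - control.annual_cost_of_safeguard(), 2)


def choose_control(asset_value: float, exposure_factor: float, aro: float, candidates):
    """Pick the candidate with the largest positive CBA; None when no control is worth its cost
    (the economic-feasibility case for accepting the risk instead)."""
    if not candidates:
        return None
    scored = [(cost_benefit(asset_value, exposure_factor, aro, c), c) for c in candidates]
    best_cba, best = max(scored, key=lambda pair: pair[0])
    return best if best_cba > 0 else None


# Constructed scenario: a 200,000 asset, an incident destroys half of it (EF 0.5),
# expected once every five years (ARO 0.2) before any additional control.
ASSET_VALUE, EF_PRIOR, ARO_PRIOR = 200_000, 0.5, 0.2

CANDIDATE_CONTROLS = [
    Control("managed web application firewall", 10_000, 4_000, 5, 0.1, 0.2),
    Control("full application rewrite", 150_000, 1_000, 5, 0.05, 0.1),
]

if __name__ == "__main__":
    for c in CANDIDATE_CONTROLS:
        print(f"{c.name}: ACS={c.annual_cost_of_safeguard():,.2f} "
              f"CBA={cost_benefit(ASSET_VALUE, EF_PRIOR, ARO_PRIOR, c):,.2f}")
    best = choose_control(ASSET_VALUE, EF_PRIOR, ARO_PRIOR, CANDIDATE_CONTROLS)
    print("choose:", best.name if best else "accept the risk; no control pays for itself")
```

The rewrite lowers the post-control ALE the most, yet its CBA is negative because its annual cost of safeguard exceeds the loss it avoids; the cheaper control wins on economic feasibility even though it leaves more residual risk.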
The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ____
appetite
Which of the following is not a step in the FAIR risk management framework?
assess control impact
An organization carries out a risk _________ function to evaluate risks present in IT initiatives and/or systems.
assessment
An alternative to feasibility that is derived by comparing measured actual performance against established standards for the measured category
baseline
The purpose of SETA is to enhance security in all but which of the following ways?
by adding barriers
Classification categories must be mutually exclusive and which of the following?
comprehensive
The information security _________ is usually brought in when the organization makes the decision to outsource one or more aspects of its security program.
consultant
Controls that remedy a circumstance or mitigate damage done during an incident are categorized as what?
corrective
The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident
cost avoidance
A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it
data classification scheme
Application of training and education is a common method of which risk control strategy?
defense
The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. Also known as avoidance strategy
defense risk control strategy
Which control category discourages an incipient incident?
deterrent
What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
documented control strategy
What is the criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards?
economic feasibility
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
evaluating alternative strategies
As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ________ worksheet
factor analysis
Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information?
for official use only
What is the biggest problem in using a quantitative approach to risk determination?
guesstimation
Self examination in risk identification is used for...
identifying weaknesses and the threats they present
Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
incident response plan
The NIST risk management approach includes all but which of the following elements?
inform
Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary?
least privilege
An examination of how well a particular solution fits within the organization's political environment
political feasibility
Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?
political feasibility
Which of the following attributes does NOT apply to software information assets?
product dimensions
_________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work
projectitis
An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures
qualitative assessment
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
qualitative assessment of many risk components
What is the final summarized document of Risk Assessment?
ranked vulnerability risk worksheet
What is the SETA program designed to do?
reduce the incidence of accidental security breaches
An extreme level of risk tolerance whereby the organization is unwilling to allow any successful attacks or suffer any loss to an information asset
zero tolerance risk exposure