Domain 1
Which of the following statements BEST describes organization impact analysis? Risk analysis and organization impact analysis are two different terms describing the same project effort. A organization impact analysis calculates the probability of disruption to the organization. A organization impact analysis is critical to development of a business continuity plan. A organization impact analysis establishes the effect of disruption on the organization.
A organization impact analysis establishes the effect of disruption on the organization.
Single loss expectancy (SLE) is calculated by using: Local annual frequency estimate and annualized rate of occurance Asset value, local annual frequency estimate (LAFE), and standard annual frequency estimate (SAFE) Asset value and annualized rate of occurrence (ARO) Asset value and exposure factor
Asset value and exposure factor
Well-written security program policies are BEST reviewed: When procedures need to be modified After major project implementations At least annually or at pre-determined organization changes When applications or operating systems are updated
At least annually or at pre-determined organization changes
Which of the following terms BEST describes the effort to determine the consequences of disruption that could result from a disaster? Business impact analysis. Project problem definition. Risk analysis. Risk assessment.
Business impact analysis.
Which of the following statements BEST describes the extent to which an organization should address business continuity or disaster recovery planning? Continuity planning is a significant organizational issue and should include all parts or functions of the company Continuity planning is a significant management issue and should include the primary functions specified by management Continuity planning is a significant technology issue and the recovery of technology should be its primary focus Continuity planning is required only where there is complexity in voice and data communications
Continuity planning is a significant organizational issue and should include all parts or functions of the company
Consideration for which type of risk assessment to perform includes all of the following: Budget, capabilites of resources and likelihood of exposure Culture of organization, budget, capabilites and resources Capabilities of resources, likelihood of exposure and budget Culture of the organization, likelihood of exposure and budget
Culture of organization, budget, capabilites and resources
Data access decision are best made by: User managers Senior management Data owners Application developer
Data owners
Availability makes information accessible by protecting from: Denial of services, fires, floods, hurricanes, and unauthorized transaction Fires, floods, hurricanes, unauthorized transactions and unreadable backup tapes Unauthorized transactions, fires, floods, hurricanes ad unreadable backup tapes Denial of services, fires, floods, and hurricanes and unreadable backup tapes
Denial of services, fires, floods, and hurricanes and unreadable backup tapes
Tactical security plans are BEST used to: Reduce downtime Establish high-level security policies Deploy new security technology Enable enterprise/entity-wide security management
Deploy new security technology
A security policy which will remain relevant and meaningful over time includes the following: Short in length, technical specifications and contains directive words such as shall, must or will Directive words such as shall, must, or will, defined policy development process and is short in length Defined policy development process, short in length and contains directive words such as shall, must or will Directive words such as shall, must, or will, technical specifications and is short in length
Directive words such as shall, must, or will, defined policy development process and is short in length
What is the minimum and customary practice of responsible protection of assets that affects a community or societal norm? Risk mitigation Asset protection Due diligence Due care
Due care
A business continuity plan is best updated and maintained: Annually or when requested by auditors. During the configuration and change management process. Only when new versions of software are deployed. Only when new hardware is deployed.
During the configuration and change management process.
Qualitative risk assessment is earmarked by which of the following? Ease of implementation and it can be completed by personnel with a limited understanding of the risk assessment process Detailed metrics used for calcuation of risk and ease of implementation Can be completed by personnel with a limited understanding of the risk assessment process and detailed metrics used for the calculation of risk Can be completed by personnel with a limited understanding of the risk assessment process and uses detailed metrics used for calculation of risk
Ease of implementation and it can be completed by personnel with a limited understanding of the risk assessment process
Setting clear security roles has the following benefits: Establishes personal accountability, establishes continuous improves and reduces turf battles Establishes personal accountability, reduces cross-training requirements and reduces departmental turf battles Enables continuous improvement, reduces cross-training requirements and reduces departmental turf battles Reduces departmental turf battles, reduces cross-training requirements and establishes personal accountability
Establishes personal accountability, establishes continuous improves and reduces turf battles
Which of the following methods in not acceptable for exercising the business continuity plan? Simulated exercise. Halting a production application or function. Table-top exercise. Call exercise.
Halting a production application or function.
Which of the following is the primary desired result of any well-planned business continuity exercise? Identifies plan strengths and weaknesses. Satisfies management requirements. Complies with auditor's requirements. Maintains shareholder confidence.
Identifies plan strengths and weaknesses.
Which of the following steps should be performed first in a business impact analysis (BIA)? Evaluate the criticality of business function Estimate the Recovery Time Objectives (RTO) Evaluate the impact of disruptive events Identify all business units within an organization.
Identify all business units within an organization.
Information systems auditors help the organization: Address information technology for financial statements Identify control gaps Mitigate compliance issues Establish an effective control environment
Identify control gaps
Security is likely to be most expensive when addressed in which phase? Implementation Design Testing Rapid prototyping
Implementation
During the risk analysis phase of the planning, which of the following actions could BEST manage threats or mitigate the effects of an event? Increasing reliance on key individuals. Developing recovery procedures. Modifying the exercise scenario. Implementing procedural controls.
Implementing procedural controls.
Collusion is best mitigated by: Least privilege Defining job sensitivity level Data classification Job rotation
Job rotation
A service's recovery point objective is zero. Which approach BEST ensures the requirement is met? RAID 6 with a hot site alternative. RAID 0 with a cold site alternative. RAID 6 with a reciprocal agreement. RAID 0 with a warm site alternative.
RAID 6 with a hot site alternative.
Effective security management: Installs patches in a timely manner Prioritizes security for new products Achieves security at the lowest cost Reduces risk to an acceptable level
Reduces risk to an acceptable level
Who is accountable for implementing information security? Security officer Data owners Everyone Senior management
Security officer
Security awareness training includes: Security roles and responsibilities for staff The high-level outcome of vulnerability assessments Specialized curriculum assignments, coursework and an accredited institution Legislated security compliance objectives
Security roles and responsibilities for staff
Which of the following is MOST important for successful business continuity? Extensive wide area network infrastructure. Strong technical support staff. Senior leadership support. An integrated incident response team.
Senior leadership support.
The ability of one person in the finance department to add vendors to the vendor database and subsequently pay the vendor violates which concepts? Separation of duties Data sensitivity level A well-formed transaction Least privilege
Separation of duties
Which phrase best defines a business continuity/disaster recovery plan? A set of preparations and procedures for responding to a disaster without management approval. An approved set of preparations and sufficient procedures for responding to a disaster. A set of plans for preventing a disaster. The adequate preparation and procedures for the continuation of all organization functions.
The adequate preparation and procedures for the continuation of all organization functions.
Business impact analysis is performed to BEST identify: The impacts of a risk on the organization. The impacts of a threat to the organization operations. The cost efficient way to eliminate threats. The exposure to loss to the organization.
The exposure to loss to the organization.
Within the realm of IT security, which of the following combinations best defines risk? Threat coupled with a breach of security Threat coupled with a vulnerability Threat coupled with a breach Vulnerability coupled with an attack
Threat coupled with a vulnerability
The element of risk are as follows: Threats, assets, and mitigating controls Business impact analysis and mitigating controls Natural disasters and manmade disasters Risk and business impact analysis
Threats, assets, and mitigating controls
When determining the value of an intangible asset which is the BEST approach? Review the depreciation of the intangible asset over the past three years Use the historical acquisition or development cost of the intangible asset Determine the physical storage costs and multiply by the expected life of the company With the assistance of a finance or accounting professional determine how much profit the asset has returned
With the assistance of a finance or accounting professional determine how much profit the asset has returned
The Facilitated Risk Analysis Process (FRAP) makes a base assumption that a narrow risk assessment is the least efficient way to determine risk in a system, business segment, application or process. makes a base assumption that a narrow risk assessment is the most efficient way to determine risk in a system, business segment, application or process. makes a base assumption that a broad risk assessment is the most efficient way to determine risk in a system, business segment, application or process. makes a base assumption that a broad risk assessment is the least efficient way to determine risk in a system, business segment, application or process.
makes a base assumption that a narrow risk assessment is the most efficient way to determine risk in a system, business segment, application or process.
The BEST reason to implement additional controls or safeguards is to: identify and eliminate the threat. identify the risk of the threat. deter or remove the risk. reduce the impact of the threat.
reduce the impact of the threat.
The term "disaster recovery" refers to the recovery of: manufacturing environment. organization operations. personnel environment. technology environment.
technology environment.
The (ISC)2 code of ethics resolves conflicts between canons by: there can never be conflicts between canons. working through adjudication. the order of the canons. vetting all canon conflicts through the board of directors.
the order of the canons.
An organization will conduct a risk assessment to evaluate threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure will have on another organization, available countermeasures, the residual risk threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure will have on the organization, available countermeasures, the residual risk threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, the total risk threats to its assets, vulnerabilities not present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organinization, the residual risk
threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure will have on the organization, available countermeasures, the residual risk
