CASP Chapter 3 Risk Mitigation, Strategies, and Controls
What factors should be part of determining an overall likelihood rating for a particular issue? (Choose all that apply.) A. Threat-source motivation B. Threat-source capability C. Asset value D. ALE
Answer: A, B. Threat-source motivation and capability are driving factors as to whether an attack is likely, and both impact the likelihood component.
A firm is unaware of an attack and the resulting losses caused. Which risk management technique is employed with respect to this threat? A. Acceptance. B. Risk transfer. C. Risk deferral. D. There isn't sufficient information to answer this question.
Answer: A. By default, the risk is accepted because this action occurs without any management action.
Which of the following refers to the element of security associated with the unauthorized deletion of data? A. Integrity B. Confidentiality C. Data retention policy D. Privacy policy
Answer: A. This is the definition of integrity.
Which of the following elements of security states that only authorized users are able to modify or delete data? A. Integrity B. Availability C. Confidentiality D. Authorization
Answer: A. Unauthorized alteration or deletion of data is an integrity violation.
Which of the following are the stages in the risk analysis process? (Choose all that apply.) A. Asset control B. Threat assessment C. Monitoring D. Budgeting
Answer: B, C. The steps of the risk analysis process are inventory, threat assessment, evaluation, management, and monitoring.
There are multiple options for dealing with risk. Which of the following are appropriate risk management options? (Choose all that apply.) A. Evaluation B. Transfer C. Deferral D. Mitigation
Answer: B, D. The four options for risk treatment are avoid, mitigate, transfer, and accept.
Which of the following processes can be involved in continuous monitoring? (Choose all that apply.) A. Network flow analysis B. Configuration management and control C. Security control monitoring D. Security budget
Answer: B, C. Configuration management and control as well as security control monitoring directly affect system security status and are part of a continuous monitoring solution.
What is the following formula used for? SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)} A. To calculate qualitative risk B. To calculate aggregate CIA score C. To calculate the system risk consequence D. To calculate SLE
Answer: B. SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)} is an expression of the calculation of an aggregate CIA score for the information system.
Minimum security control determination requires which step to be completed? A. Pen testing B. Compute aggregate CIA score C. Fuzz testing D. Vulnerability assessment
Answer: B. The minimum security controls must address the complete security requirements by level, which is present in the aggregate CIA scores.
Which level of impact is characterized by a significant level of loss to an enterprise? A. Catastrophic B. High C. Moderate D. Accepted risk
Answer: B. The typical three levels are high, moderate, and low. The fact that the loss is assessed as "significant" makes the value high.
You have been contracted to secure the confidential informants' database for the local police department. What would be an appropriate SC attribute formula? A. SC CIs = {(confidentiality, high), (integrity, high), (availability, high)} B. SC CIs = {(confidentiality, moderate), (integrity, moderate), (availability, moderate)} C. SC CIs = {(confidentiality, high), (integrity, high), (availability, moderate)} D. SC CIs = {(confidentiality, moderate), (integrity, low), (availability, high)}
Answer: C. Confidential informants' information is extremely sensitive. Simple disclosure or alteration of the records could result in injury or death.
As the system administrator, you are tasked with assessing the various risks to your network. Which of the following is not a category associated with risk assessment? A. Risk determination B. Likelihood determination C. Cost determination D. Risk analysis
Answer: C. Cost determination is a management step that is needed but is not part of the risk assessment.
MTTR stands for: A. Mean time to reboot B. Mean time to reimage C. Mean time to repair D. Mean time to reinitialize
Answer: C. MTTR is the abbreviation for "mean time to repair" (how quickly the system can be brought back online).
Which of the following federal regulations requires federal agencies to be able to monitor activity in a "meaningful and actionable way"? A. HIPAA B. Gramm-Leach-Bliley C. FISMA D. Sarbanes-Oxley
Answer: C. The Federal Information Systems Management Act (FISMA) requires federal agencies to monitor security-related activities.
An asset under attack has a potential loss amount of $135,000, and it is expected that successful attacks could occur every 18 months. What is the ALE? A. $135,000 B. $100,000 C. $90,000 D. $45,000
Answer: C. The SLE = $135,000, the ARO = 12/18 = 0.666, and the ALE = 135,000 * 0.666 = $90,000.
As part of your job, you are to keep the system protected from new threats. What is an important step you would take to ensure this occurs? A. Apply new controls for the threat. B. Implement end-user awareness training. C. Apply all current patches in a timely manner. D. Perform a risk assessment.
Answer: D. A risk assessment is the best process for determining new threats and required countermeasures.
Which of the following levels of likelihood is defined by a threat source that's highly motivated and sufficiently capable, where the security controls used to prevent the vulnerability from being exercised are ineffective? A. Accepted B. Medium C. Normal D. High
Answer: D. Again, the typical levels are high, moderate, and low. The fact that the threat source is assessed as "highly motivated" and the controls are assessed as "ineffective" makes the value high.
Which of the following refers to the act of maintaining an ongoing awareness of information security effectiveness? A. Security policy B. Incident response C. Threat assessment D. Continuous monitoring
Answer: D. Maintaining an ongoing awareness of one's security posture is a key element in defining continuous monitoring.
A hacker gains unauthorized access to your system and deletes data. This is an example of what type of failure? A. Confidentiality B. Availability C. Authorization D. Integrity
Answer: D. The unauthorized deletion of data is an integrity failure.
Total cost of ownership (TCO) should include: A. Cost of hardware B. Cost of maintenance contracts C. Cost of personnel D. All of the above
Answer: D. When calculating total cost of ownership, you should always include all the expenses associated with an item, including the cost of hardware, the cost of any maintenance agreements, and the cost of the personnel to run/maintain the system.