Chapter 3 exam quest


Which of the following is the formula for residual risk? A. (Threat × Vulnerability × Asset value) × Controls gap = Residual risk B. (Threat × Vulnerability × Asset value) = Residual risk C. (Threat / Vulnerability × Asset value) × Control = Residual risk D. (Risk × Vulnerability × Asset value) × Controls gap = Residual risk

A. (Threat × Vulnerability × Asset value) × Controls gap = Residual risk The formula for residual risk is (Threat × Vulnerability × Asset value) × Controls gap = Residual risk.

It is important that a CISSP candidate understand the differences between the various legal systems used around the world. One early system was Corpus Juris Civilis, which featured a comprehensive system of written rules of law. For which legal system was Corpus Juris Civilis the basis? A. Civil law B. Religious law C. Common law D. Customary law

A. Civil law Much of Europe is based on civil (code) law, also known as Napoleonic law. The Romans used Corpus Juris Civilis, which featured a comprehensive system of written rules of law and serves as the basis of the civil law used today. Answers B, C, and D are incorrect as the major difference between civil law and common law is that civil law uses legislation as the main source of laws.

Which of the following does a business impact analysis do? A. Determine the maximum outage time before the company is permanently damaged B. Detail how training and awareness will be performed and how the plan will be updated C. Establish the need for a BCP D. Select recovery strategies

A. Determine the maximum outage time before the company is permanently damaged A BIA is a process used to help business units understand the impact of a disruptive event. Part of that process is determining the maximum outage time before the company is permanently harmed. The other answers are part of the BCP process but are not specifically part of the BIA portion, so answers B, C, and D are incorrect.

When the cost of a countermeasure outweighs the value of the asset, which of the following is the best approach? A. Take no action B. Transfer the risk C. Mitigate the risk D. Increase the cost of exposure

A. Take no action When the cost of a countermeasure outweighs the value of the asset, the best approach is to take no action because the asset would cost more to protect than it is worth. Answers B, C, and D are incorrect because there would be a loss of value in transferring the risk. In such cases, there would be no reason to mitigate the risk because the cost would be prohibitive—and that violates good security practices.

Which of the following methods of handling risk involves using a third party to absorb a portion of the risk? A. Risk reduction B. Risk transference C. Risk acceptance D. Risk rejection

B. Risk transference The purchase of insurance to transfer a portion or all of the potential cost of a loss to a third party is known as risk transference. All other answers are incorrect: Risk reduction involves implementing a countermeasure, risk acceptance deals with risk by accepting the potential cost, and risk rejection pretends the risk doesn't exist.

Which of the following formulas represents total risk? A. Risk × Vulnerability × Asset value = Total risk B. Threat × Vulnerability × Asset value = Total risk C. Risk × Value / Countermeasure = Total risk D. Threat - Vulnerability / Asset value = Total risk

B. Threat × Vulnerability × Asset value = Total risk Risk is expressed numerically as follows: Threat × Vulnerability × Asset value = Total risk The other answers do not properly present the formula for total risk.

Which organizational role is tasked with assigning sensitivity labels? A. Management B. Auditor C. User D. Owner

D. Owner Data classification should be performed by the owner. When a data item or object is identified, the owner is responsible for assigning a security label. If the military data-classification system is used, that label might be top secret, secret, sensitive, or unclassified. It is not the responsibility of the auditor, management, or the user to assign a label to the data.

Planning for business continuity and disaster recovery is likely to be a very large, complex, and multidisciplinary project that brings together key associates within an organization. Which of the following best describes the role of senior management? A. To plan for money for the disaster recovery project manager, technology experts, process experts, or other financial requirements from various departments within the organization B. To be willing to make creating the disaster recovery plan a priority, commit and allow staff time for it, and set hard dates for completion C. To manage people from different disciplines to keep them all on the same page D. To be experts and understand specific processes that require special skill sets

B. To be willing to make creating the disaster recovery plan a priority, commit and allow staff time for it, and set hard dates for completion The best answer is B. If senior management does not get behind the DRP and fully support it, the DRP will likely fail. Answer A is not the best answer because it describes the roles of a budget manager or budget department. Answer C is not the best answer because it describes the roles of a project manager. Answer D is not the best answer as it describes the roles of a subject matter expert.

Which of the following is a flaw, a loophole, an oversight, or an error that makes an organization susceptible to attack or damage? A. Risk B. Vulnerability C. Threat D. Exploit

B. Vulnerability A vulnerability is a flaw, a loophole, an oversight, or an error that makes an organization susceptible to attack or damage. All other answers are incorrect: A risk can be defined as the potential harm that can arise from some present process or from some future event; a threat is an action of a threat agent that can result in harm to an asset or a service; and an exploit takes advantage of a bug, glitch, or vulnerability.

You have been asked to calculate the annualized loss expectancy (ALE) for the following variables:
Single loss expectancy = $25
Exposure factor = 0.90
Annualized rate of occurrence = 0.40
Residual risk = $30
Which of the following is the resulting ALE? A. $9.00 B. $22.50 C. $10.00 D. $14.27

C. $10.00 $25 × 0.40 = $10, or Single loss expectancy (SLE) × Annualized rate of occurrence (ARO) = Annualized loss expectancy (ALE).

Which of the following is one of the most important steps to take before developing a business continuity plan? A. Perform a BIA B. Perform quantitative and qualitative risk assessment C. Get senior management buy-in D. Determine membership of the BCP team

C. Get senior management buy-in Before the BCP/DRP process can begin, you must get senior management buy-in. Answers A, B, and D are important, but activities like developing the team occur after management buy-in, and the risk assessment process is performed during the BIA.

Which ISO document is used as a standard for information security management? A. ISO 27001 B. ISO 27002 C. ISO 27004 D. ISO 27799

C. ISO 27004 ISO 27004 is the standard for security management. ISO 27001 is focused on requirements. ISO 27002 was developed for BS 7799, and ISO 27799 is focused on health.

Which of the following is the length of time for copyright in the United States and the European Union? A. Life plus 20 years B. Life plus 30 years C. Life plus 70 years D. Life plus 100 years

C. Life plus 70 years Life plus 70 years is the length of a copyright in the United States and the European Union. Keep in mind that copyright terms can vary depending on the country and time they were granted.

Which of the following is the most general of the security documents? A. Procedures B. Standards C. Policies D. Baselines

C. Policies Policies are high-level documents. A procedure is a detailed, in-depth, step-by-step document that lays out exactly what is to be done and is tied to specific technologies and devices. Standards are tactical documents. Baselines are minimum levels of security that a system, network, or device must adhere to.

TCO does not include which of the following? A. Software updates B. Subscription costs C. Maintenance costs D. Cost of not implementing a control

D. Cost of not implementing a control TCO includes all costs, including software, update, and maintenance costs. The only thing that is not included is the cost of not implementing the control.

Which of the following is the proper order? A. Determine ALE, residual risk, SLE, and ARO B. Determine ALE, ARO, SLE, and residual risk C. Determine ARO, SLE, ALE, and residual risk D. Determine SLE, ARO, ALE, and residual risk

D. Determine SLE, ARO, ALE, and residual risk The quantitative assessment process involves the following steps: Estimate potential losses (SLE), conduct a threat analysis (ARO), determine annual loss expectancy (ALE), and determine the residual risk after a countermeasure has been applied.

Which of the following groups is responsible for the development of new standards and protocols such as RFC 1087? A. IESG B. ISOC C. IAB D. IETF

D. IETF The development of new standards and protocols for the Internet is carried out by working groups chartered by the IETF. Answers A, B, and C are incorrect.

Which standard discussed contains the following statement? "Systems Owners Have Security Responsibilities Outside Their Own Organization." A. Ethics and the Internet B. RFC 1087 C. (ISC)2 Code of Ethics D. NIST 800-14

D. NIST 800-14 NIST 800-14 states that responsibilities extend beyond the network you are in charge of. Answers A and B both refer to RFC 1087, Ethics and the Internet. The statement also does not appear in the (ISC)2 Code of Ethics (answer C).

When developing a business continuity plan, what should be the number-one priority? A. Minimize outage time B. Mitigate damage C. Document every conceivable threat D. Protect human safety

D. Protect human safety The protection of human safety is always the number-one priority of a security professional. Answers A, B, and C are incorrect. Minimizing outages is important but not number one. Preventing damage is also important, but protection of human safety is more important.

Which term best describes a symbol, word, name, sound, or thing that uniquely identifies a product or service? A. Trade secret B. Copyright C. Patent D. Trademark

D. Trademark A trademark is a symbol, word, name, sound, or thing that identifies the origin of a product or service in a particular trade. Answers A, B, and C are incorrect as they do not properly describe a trademark.
