Fundamental Information Security chap 5

A best practice proposed for a small to medium-sized business will be similar to one used to help design control strategies for a large multinational company.

False

A data classification scheme is a formal access control methodology used to assign a level of availability to an information asset and thus restrict the number of people who can access it.

False

A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on them.

False

A(n) disaster recovery plan includes the steps necessary to ensure the continuation of the organization when a disaster's scope or scale exceeds the ability of the organization to restore operations, usually through relocation of critical business functions to an alternate location. _________________________

False

According to Sun Tzu, if you know yourself and know your enemy, you have an average chance to be successful in an engagement.

False

Baselining is the comparison of past security activities and events against the organization's current performance.

False

Each of the threats faced by an organization must be evaluated, including determining the threat's potential to endanger the organization, which is known as a threat prioritization. _________________________

False

Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets.

False

In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with the most likely loss from an attack; the SLE is the product of the asset's value and the annualized loss expectancy.

False

In information security, benchmarking is the comparison of past security activities and events against the organization's current performance. _________________________

False

Knowing yourself means identifying, examining, and understanding the threats facing the organization.

False

Loss event frequency is the combination of an asset's value and the percentage of it that might be lost in an attack. _________________________

False

One advantage to benchmarking is that best practices change very little over time.

False

Operational feasibility is an assessment of whether the organization can acquire the technology necessary to implement and support the proposed control.

False

Pervasive risk is the amount of risk that remains to an information asset even after the organization has applied its desired level of controls. _________________________

False

Process-based measures are comparisons based on observed numerical data, such as numbers of successful attacks. _________________________

False

Process-based measures are performance measures that are focused on numbers and are less strategic than metric-based measures.

False

Residual risk is the risk that has not been removed, shifted, or planned for after vulnerabilities have been completely resolved.

False

Risk acceptance defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. _________________________

False

Risk control is the enumeration and documentation of risks to an organization's information assets. _________________________

False

Risk mitigation is the process of assigning a risk rating or score to each information asset. _________________________

False

TVA safeguard risk is a combined function of (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards. _________________________

False

The computed value of the ALE compares the costs and benefits of a particular control alternative to determine whether the control is worth its cost. _________________________

False

The defense control strategy is the risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards, but it is not the preferred approach to controlling risk.

False

Within a data classification scheme, "comprehensive" means that an information asset should fit in only one category.

False

Within data classification schemes, it is important that all categories used be classified and mutually exclusive. _________________________

False

Within organizations, the most important feasibility is technical feasibility, which defines what can and cannot occur based on the consensus and relationships between the communities of interest. _________________________

False

You cannot use qualitative measures to rank information asset values.

False

Benchmarking is the process of comparing other organizations' activities against the practices used in one's own organization to produce results it would like to duplicate. _________________________

True

Best business practices are often called recommended practices.

True

Establishing a competitive business model, method, or technique enables an organization to provide a product or service that is superior and creates a(n) competitive advantage. _________________________

True

Exposure factor is the expected percentage of loss that would occur from a particular attack. _________________________

True

If the acceptance strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and may portray an apathetic approach to security in general.

True

In addition to their other responsibilities, the three communities of interest are responsible for determining which control options are cost effective for the organization.

True

Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack. _________________________

True

One way to determine which information assets are valuable is by evaluating which information asset(s) would expose the company to liability or embarrassment if revealed. _________________________

True

Operational feasibility is also known as behavioral feasibility. _________________________

True

Organizations should communicate with system users throughout the development of the security program, letting them know that changes are coming, and reduce resistance to these expected changes through communication, education, and involvement.

True

Risk control is the application of controls that reduce the risks to an organization's information assets to an acceptable level.

True

Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices. _________________________

True

Some information security experts argue that it is virtually impossible to determine the true value of information and information-bearing assets.

True

Sometimes a risk assessment report is prepared for a specific IT project at the request of the project manager, either because it is required by organizational policy or because it is good project management practice. _________________________

True

The mitigation control strategy attempts to reduce the impact of a successful attack through planning and preparation. _________________________

True

The most common example of a mitigation procedure is a contingency plan. _________________________

True

The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.

True

The upper management of an organization must structure the IT and information security functions to defend the organization's information assets.

True

The value of information to the organization's competition should influence the asset's valuation.

True

To determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited.

True

When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts.

True

When it is necessary to calculate, estimate, or derive values for information assets, you might give consideration to the value incurred from the cost of protecting the information.

True

You should adopt naming standards that do not convey information to potential system attackers.

True

The threats-vulnerabilities-assets (TVA) worksheet is a document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.

True

__________ is simply how often you expect a specific type of attack to occur.
a. ARO
b. CBA
c. SLE
d. ALE

a. ARO

The formal decision-making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) __________.
a. CBA
b. SLE
c. ALE
d. ARO

a. CBA

A(n) _________ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.
a. FCO
b. HTTP
c. IP
d. CTO

a. FCO

_________ addresses are sometimes called electronic serial numbers or hardware addresses.
a. MAC
b. IP
c. HTTP
d. DHCP

a. MAC

The __________ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
a. acceptance
b. mitigation
c. transference
d. defense

a. acceptance

Risk _________ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
a. appetite
b. avoidance
c. acceptance
d. benefit

a. appetite

__________ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the flood waters recede.
a. IR
b. DR
c. BR
d. BC

b. DR

The __________ plan specifies the actions an organization can and should take while an adverse event is in progress. An adverse event could result in loss of an information asset or assets, but it does not currently threaten the viability of the entire organization.
a. BC
b. IR
c. BR
d. DR

b. IR

__________ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders.
a. Organizational
b. Operational
c. Technical
d. Political

b. Operational

__________ is an asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures.
a. A metric-centric model
b. Qualitative assessment
c. A value-specific constant
d. Quantitative assessment

b. Qualitative assessment

Risk _________ is the application of security mechanisms to reduce the risks to an organization's data and information systems.
a. management
b. control
c. identification
d. security

b. control

Some people search trash and recycling bins—a practice known as _________—to retrieve information that could embarrass a company or compromise information security.
a. corporate espionage
b. dumpster diving
c. shoulder surfing
d. pretexting

b. dumpster diving

The first phase of risk management is _________.
a. risk evaluation
b. risk identification
c. risk control
d. design

b. risk identification

_________ equals the probability of a successful attack multiplied by the expected loss from a successful attack plus an element of uncertainty.
a. Loss frequency
b. Loss magnitude
c. Risk
d. Loss

c. Risk

The _________ control strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
a. transference
b. termination
c. defense
d. acceptance

c. defense

A _________ assigns a status level to employees to designate the maximum level of classified data they may access.
a. risk management scheme
b. data classification scheme
c. security clearance scheme
d. data recovery scheme

c. security clearance scheme

The __________ control strategy attempts to shift risk to other assets, other processes, or other organizations.
a. acceptance
b. mitigation
c. transference
d. defense

c. transference

Federal agencies such as the NSA, FBI, and CIA use specialty classification schemes. For materials that are not considered "National Security Information," __________ data is the lowest-level classification.
a. sensitive
b. confidential
c. unclassified
d. public

c. unclassified

Management of classified data includes its storage and _________.
a. distribution
b. portability
c. destruction
d. All of the above

d. All of the above

When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as __________.
a. baselining
b. benchmarking
c. best practices
d. standards of due care

d. standards of due care

In a(n) __________, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking those scores.
a. risk management program
b. data classification scheme
c. threat assessment
d. weighted factor analysis

d. weighted factor analysis