Information Security Governance and Risk Management
Traditional Questions, Answers, and Explanations
- For information systems security, a penetration is defined as which of the following combinations?
- Attack plus breach
- Attack plus threat
- Threat plus breach
- Threat plus countermeasure
- a. A penetration is a successful act of bypassing the security mechanisms of a computer system. An attack is an attempt to violate data security. A breach is the successful circumvention or disablement of a security control, with or without detection, which if carried to completion could result in penetration of the system. A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction or modification of data or denial of service. A countermeasure is any action, control, device, procedure, technique, or other measure that reduces the vulnerability of a system to a threat.
- Which of the following is not a basic objective of computer-based information systems security?
- Protection of system assets from loss, damage, and misuse
- The accuracy of data and reliability of application processes
- Availability of information and application processes
- Control of data analysis
- d. The basic objectives of computer-based information systems security are protecting system assets from loss, damage, and misuse; ensuring the accuracy of data and the reliability of application processes; ensuring the availability of information and application processes; and controlling the dissemination of information. Control of data analysis is not one of them; data analysis is how an organization determines whether the security objectives were achieved.
- Which of the following is the primary purpose of plan of action and milestones document?
- To reduce or eliminate known vulnerabilities
- To use findings from security control assessments
- To apply findings from security impact analyses
- To implement findings from continuous monitoring activities
- a. The primary purpose of a plan of action and milestones (POA&M) document is to correct deficiencies and to reduce or eliminate known vulnerabilities. Updates to the POA&M document are based on findings from security control assessments, security impact analyses, and continuous monitoring activities.
- For information systems security, an exposure is defined as which of the following combinations?
- Attack plus breach
- Threat plus vulnerability
- Threat plus attack
- Attack plus vulnerability
- d. An exposure is an instance of vulnerability in which losses may result from the occurrence of one or more attacks (i.e., attack plus vulnerability). An attack is an attempt to violate data security. A vulnerability is a weakness in security policy, procedure, personnel, management, administration, hardware, software, or facilities affecting security that may allow harm to an information system. The presence of a vulnerability does not in itself cause harm; it is a condition that may allow the information system to be harmed by an attack. A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction or modification of data or denial of service. A breach is the successful circumvention or disablement of a security control, with or without detection, which if carried to completion could result in a penetration of the system. Note the ordering: the vulnerability exists first, and the breach is what follows when an attack exploits it.
- The benefits of good information security include which of the following?
- Reduces risks
- Improves reputation
- Increases confidence
- Enhances trust from others
- 1 and 2
- 2 and 3
- 1, 2, and 3
- 1, 2, 3, and 4
- d. All four items are benefits of good information security. It can even improve efficiency by avoiding wasted time and effort in recovering from a computer security incident.
- For risk mitigation, which of the following technical security controls are pervasive and interrelated with other controls?
- Supporting controls
- Prevention controls
- Detection controls
- Recovery controls
- a. From a risk mitigation viewpoint, technical security controls are divided into two categories: supporting controls and other controls (i.e., prevention, detection, and recovery controls). Supporting controls are, by their nature, pervasive and interrelated with many other controls such as prevention, detection, and recovery controls. Supporting controls must be in place to implement other controls, and they include identification, cryptographic key management, security administration, and system protection.
Preventive controls focus on preventing security breaches from occurring in the first place. Detection and recovery controls focus on detecting and recovering from a security breach.
- Information security must follow which of the following?
- Top-down process
- Bottom-up process
- Top-down and bottom-up
- Bottom-up first, top-down next
- a. Information security must be a top-down process requiring a comprehensive security strategy explicitly linked to the organization’s business processes and strategy. Getting direction, support, and buy-in from top management sets the right tone for the entire organization.
- Information security baselines for information assets vary depending on which of the following?
- Availability and reliability
- Sensitivity and criticality
- Integrity and accountability
- Assurance and nonrepudiation
- b. Information security baselines vary depending on the sensitivity and criticality of the information asset, which is part of the confidentiality goal. The other three choices are not related to the confidentiality goal.
- Which of the following characteristics of information security are critical for electronic transactions?
- Trust and accountability
- Trust and usefulness
- Usefulness and possession
- Accountability and possession
- a. Trust and accountability are critical and needed in electronic transactions to make the customer comfortable with transactions, whereas usefulness and possession are needed to address theft, deception, and fraud.
- From a corporate viewpoint, information integrity is most needed in which of the following?
- Financial reporting
- Inventory information
- Trade secrets
- Intellectual property
- a. Corporate financial reporting requires integrity of information so that it is protected against unauthorized modification. The scope of financial reporting includes presenting balance sheet, income statement, cash flows, and the annual report with footnotes and disclosures.
Confidentiality is required to protect personnel (employees) data such as medical records, trade secrets, or intellectual property rights (e.g., copyrights) and business data such as shipping, billing, and inventory information.
- The relative priority given to confidentiality, integrity, and availability goals varies according to which of the following?
- Type of information system
- Cost of information system
- Data within the information system
- Business context of use
- 1 and 2
- 2 and 3
- 1 and 4
- 3 and 4
- d. The relative priority and significance given to the confidentiality, integrity, and availability goals vary according to the data within the information system and the business context in which it is used. The cost and the type of information system are important considerations but are not directly relevant to the relative priority of these goals.
- Effective information security governance requires which of the following?
- Corporate executive management endorsement
- IT executive management endorsement
- Board member endorsement
- IT security officer endorsement
- 1 and 2
- 1 and 3
- 2 and 4
- 3 and 4
- b. Endorsement by corporate executive management is essential to effective information security governance. When corporate senior management follows the policies, it sends a positive signal to the rest of the organization. All board members should endorse the information security governance policies. Note that corporate executive management and the board approve and endorse the security policies, while IT executive management and the IT security officer implement them.
- Which of the following is the major purpose of self-assessment of information security for improving the security?
- Establish future targets
- Understand the current status
- Find out the industry average
- Analyze the current target
- a. Information security self-assessment results can be used to establish targets for future development, based on where the organization wants to reach (major purpose) and how to improve security. The other three choices (minor purposes) can help in establishing future targets.
- What does risk analysis in the contingency planning process not include?
- Prioritization of applications
- Development of test procedures
- Assessment of threat impact on the organization
- Development of recovery scenarios
- b. Test procedures are detailed instructions that usually are not considered during a risk analysis exercise. Risk analysis is the initial phase of the contingency planning process, whereas testing comes after developing and documenting the plan. Application prioritization, assessment of impact on the organization (exposures and implications), and recovery scenarios are part of the risk analysis exercise. Risk analysis is a prerequisite to a complete and meaningful disaster recovery–planning program. It is the assessment of threats to resources and the determination of the amount of protection necessary to adequately safeguard them.
- Which of the following is not a key activity that facilitates the integration of information security governance components?
- Operational planning
- Organizational structure
- Roles and responsibilities
- Enterprise architecture
- a. The key activities that facilitate integration of information security governance components include strategic planning, organizational structure (design and development), roles and responsibilities, enterprise architecture, and security objectives. Operational planning is derived from strategic planning.
- Which of the following is not an example of protected communications controls that are part of technical preventive controls?
- Cryptographic technologies
- Data encryption methods
- Discretionary access controls
- Escrowed encryption algorithms
- c. Discretionary access controls (DAC) define and enforce an access control security policy; they are access controls, not protected communications controls. The other choices are examples of protected communications controls, which ensure the integrity, availability, and confidentiality of sensitive information while it is in transit.
Cryptographic technologies include the data encryption standard (DES), Triple DES (3DES), and the secure hash standard. Data encryption methods include virtual private networks (VPNs) and Internet Protocol security (IPsec). Escrowed encryption algorithms include Clipper. These are the examples used in the source material; in practice DES was withdrawn as a federal standard in 2005, 3DES is deprecated, and the Clipper escrowed-encryption program was abandoned, so a current design would use AES with the SHA-2 or SHA-3 hash families.
- For risk mitigation strategies, which of the following is not a proper and effective action to take when a determined attacker’s potential or actual cost is too great?
- Apply security design principles.
- Decrease an attacker’s motivation.
- Implement security architectural design.
- Establish nontechnical security controls.
- b. Protection mechanisms that deter a normal or casual attacker work by decreasing the attacker’s motivation: they raise the attacker’s cost above the attacker’s potential gain. Such mechanisms may not stop a determined attacker, because that attacker’s potential gain may exceed the cost, or the attacker may be seeking a strategic or competitive advantage from the attack.
The other three choices are proper and effective actions to take when the potential or actual cost for an attacker is too great, whether the attacker is normal, casual, or determined, because they are stronger protection mechanisms. Both technical and nontechnical security controls can be used to limit the extent of an attack.
- Which of the following actions are required to manage residual risk when new or enhanced security controls are implemented?
- Eliminate some of the system’s vulnerabilities.
- Reduce the number of possible threat-source/vulnerability pairs.
- Add a targeted security control.
- Reduce the magnitude of the adverse impact.
- 1 and 2
- 1 and 3
- 2 and 4
- 1, 2, 3, and 4
- d. Implementation of new or enhanced security controls can mitigate risk by (i) eliminating some of the system’s vulnerabilities (flaws and weaknesses) thereby reducing the number of possible threat-source/vulnerability pairs, (ii) adding a targeted control to reduce the capacity and motivation of a threat-source, and (iii) reducing the magnitude of the adverse impact by limiting the extent of a vulnerability.
- Which of the following ongoing security monitoring activities are more valuable in determining the effectiveness of security policies and procedures implementation?
- Plans of action and milestones
- Configuration management
- Incident statistics
- Network monitoring
- c. All four choices are examples of ongoing security monitoring activities. Incident and event statistics are more valuable in determining the effectiveness of security policies and procedures implementation. These statistics provide security managers with further insight into the status of security programs under their control and responsibility.
- Which of the following pairs of security objectives, rules, principles, and laws are in conflict with each other?
- All-or-nothing access principle and the security perimeter rule
- Least privilege principle and employee empowerment
- File protection rules and access granularity principle
- Trans-border data flows and data privacy laws
- b. Least privilege is a security principle that requires that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks. The application of this principle limits the damage resulting from an accident, error, or unauthorized use. This is in great conflict with employee empowerment in which employees are given freedom to do a wide variety of tasks in a given time period. Much discretion is left to each employee to achieve the stated goals.
The all-or-nothing access principle means access is either to all objects or to none at all. The security perimeter rule uses increasingly strong defenses as one approaches the core information or resources sought. Both strengthen security practices.
File protection rules are designed to inhibit unauthorized access, modification, and deletion of a file. The access granularity principle states that protection at the data file level is considered coarse granularity, whereas protection at the data field level is considered to be of a finer granularity. Both strengthen the security practices.
The objectives of trans-border data flows and data privacy laws are to protect personal data from unauthorized disclosure, modification, and destruction. Trans-border data flow is the transfer of data across national borders. Privacy refers to the social balance between an individual’s right to keep information confidential and the societal benefit derived from sharing information. Both strengthen the security practices.
- Which of the following is not the major purpose of information system security plans?
- Describe major application systems.
- Define the security requirements.
- Describe the security controls.
- Delineate the roles and responsibilities.
- a. The information security plan should reflect inputs from various managers with responsibilities concerning the system. Major applications are described when defining security boundaries of a system, meaning boundaries are established within and around application systems.
The major purposes of the information system security plan are to (i) provide an overview of the security requirements of the system, (ii) describe the security controls in place or planned for meeting those requirements, (iii) delineate the roles and responsibilities, and (iv) define the expected behavior of all individuals who access the system.
- The information system security plan is an important deliverable in which of the following processes?
- Configuration management
- System development life cycle
- Network monitoring
- Continuous assessment
- b. The information system security plan is an important deliverable in the system development life cycle (SDLC) process. Those responsible for implementing and managing information systems must participate in addressing security controls to be applied to their systems. The other three choices are examples of ongoing information security program monitoring activities.
- Which of the following approves the system security plan prior to the security certification and accreditation process?
- Information system owner
- Program manager
- Information system security officer
- Business owner
- c. Prior to the security certification and accreditation process, the information system security officer (who is independent of the system owner) typically approves the security plan. In addition, some systems may still contain sensitive information after the storage media are removed. If there is any doubt whether sensitive information remains on a system, the information system security officer should be consulted before disposing of the system, because the officer deals with the technical aspects of the system. The information system owner is also referred to as the program manager or business owner.
- Which of the following is the key factor in the development of the security assessment and authorization policy?
- Risk management
- Continuous monitoring
- Testing the system
- Evaluating the system
- a. An organization’s risk management strategy is the key factor in the development of the security assessment and authorization policy. The other three choices are part of the purpose of assessing the security controls in an information system.
- Which of the following is a prerequisite for developing an information system security plan?
- Security categorization of a system
- Analysis of impacts
- Grouping of general support systems
- Labeling of major application systems
- 1 and 4
- 2 and 3
- 1 and 2
- 3 and 4
- c. Before the information system security plan can be developed, the information system and the data/information resident within that system must be categorized based on impact analysis (i.e., low, moderate, or high impact). Then a determination can be made as to which systems in the inventory can be logically grouped into general support systems or major application systems.
- Which of the following defines security boundaries for an information system?
- Information
- Personnel
- Equipment
- Funds
- 1 only
- 1 and 2
- 1 and 3
- 1, 2, 3, and 4
- d. The process of uniquely assigning information resources (e.g., information, personnel, equipment, funds, and IT infrastructure) to an information system defines the security boundary for that system.
- For new information systems, which of the following can be interpreted as having budgetary authority and responsibility for developing and deploying the information systems?
- Security control
- Management control
- Operational control
- Technical control
- b. For new information systems, management control can be interpreted as having budgetary or programmatic authority and responsibility for developing and deploying the information systems. For current systems in the inventory, management control can be interpreted as having budgetary or operational authority for the day-to-day operation and maintenance of the information systems.
- Which of the following actions should be implemented when a security function is unable to execute automated self-tests for verification?
- Compensating controls
- System-specific controls
- Common controls
- Accept the risk
- 1 only
- 2 and 3
- 1, 2, and 3
- 1, 2, 3, and 4
- d. For those security functions that are unable to execute automated self-tests, organizations should implement compensating controls (i.e., management, technical, and operational controls), system-specific controls, common controls, or a combination of these controls. Otherwise, the organization’s management explicitly accepts the risk of not performing the verification process.
- Compensating security controls for an information system should be used by an organization only under which of the following conditions?
- Selecting compensating controls from the security control catalog
- Providing justification for the use of compensating controls
- Performing a formal risk assessment
- Accepting the risk associated with the use of compensating controls
- 1 only
- 3 only
- 1 and 3
- 1, 2, 3, and 4
- d. Compensating security controls for an information system should be used by an organization only under the following conditions: (i) the organization selects the compensating controls from the security control catalog, (ii) the organization provides a complete and convincing rationale and justification for how the compensating controls provide an equivalent security capability or level of protection for the information system, and (iii) the organization assesses and formally accepts the risk associated with using the compensating controls in the information system.
- Common security controls can be applied to which of the following?
- All of an organization’s information systems
- A group of systems at a specific site
- Common systems at multiple sites
- Common subsystems at multiple sites
- 1 only
- 2 only
- 1 and 2
- 1, 2, 3, and 4
- d. Common security controls can apply to (i) all of an organization’s information systems, (ii) a group of information systems at a specific site, or (iii) common information systems, subsystems, or applications, including hardware, software, and firmware, deployed at multiple operational sites.
- Which of the following should form the basis for management authorization to process information in a system or to operate an information system?
- A plan of actions
- Milestones
- System security plan
- Assessment report
- c. Management authorization to process information in a system or to operate a system should be based on the assessment of management, operational, and technical controls. Because the system security plan establishes and documents the security controls, it should form the basis for the authorization, supplemented by the assessment report and the plan of actions and milestones.
- Periodic assessment of the system security plan requires a review of changes occurring in which of the following areas?
- System status
- System scope
- System architecture
- System interconnections
- 1 and 2
- 3 and 4
- 1, 2, and 3
- 1, 2, 3, and 4
- d. After the information system is accredited, it is important to periodically assess the system security plan and review any change in system status, system scope, system architecture, and system interconnections.
- The effectiveness of security controls depends on which of the following?
- System management
- Legal issues
- Quality assurance
- Management controls
- 1 only
- 3 only
- 4 only
- 1, 2, 3, and 4
- d. The effectiveness of security controls depends on such factors as system management, legal issues, quality assurance, internal controls, and management controls. Information security needs to work with traditional security disciplines, including physical and personnel security.
- For information risk assessment, which of the following can improve the ability to realistically assess threats?
- Intrusion detection tools
- Natural threat sources
- Human threat sources
- Environmental threat sources
- a. Data about common threat sources (natural, human, and environmental) describe what could happen to a system. Intrusion detection tools collect data on security events that actually occur, and that evidence improves the ability to realistically assess threats to information.
- Which of the following provides a 360-degree inspection of the system during the vulnerability identification of a system in the risk assessment process?
- Automated vulnerability scanning tools
- Security requirement checklist
- Security advisories
- Security test and evaluation
- b. Developing a security requirements checklist, based on the security requirements specified for the system during the conceptual, design, and implementation phases of the system development life cycle (SDLC), can be used to provide a 360-degree inspection of the system.
Automated vulnerability scanning tools and security test and evaluation augment the basic vulnerability reviews. Security advisories are typically provided by the vendor and give the organization up-to-date information on system vulnerabilities and remediation strategies.
- During the risk assessment process of a system, what is the level of risk to the system derived by?
- Multiplying the threat likelihood rating with the impact level
- Subtracting the threat likelihood rating from the impact level
- Adding the threat likelihood rating to the impact level
- Dividing the threat likelihood rating by the impact level
- a. When the ratings for threat likelihood (i.e., high, moderate, or low) and impact level (i.e., high, moderate, or low) have been determined through appropriate analysis, the level of risk to the system and the organization can be derived by multiplying the rating assigned for threat likelihood (e.g., probability) by the rating assigned for threat impact. Because the ratings are qualitative, each must first be mapped to a numeric weight; the product is then mapped back onto a high, moderate, or low risk scale, which is why the result is usually presented as a likelihood-by-impact matrix.
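The likelihood-by-impact derivation above, worked in code. This is an added example, not part of the source material. The numeric weights (likelihood 1.0/0.5/0.1, impact 100/50/10) and the score bands (above 50 high, above 10 up to 50 moderate, 10 or below low) follow the illustrative scale in the original NIST SP 800-30 and are an assumption; the sample threat-source/vulnerability pairs are constructed for the demonstration.

```python
# Added example: derive a risk level from qualitative likelihood and impact
# ratings. Weights and bands follow the illustrative NIST SP 800-30 scale and
# are an assumption; the sample threat/vulnerability pairs are constructed.
from typing import Dict, List, Tuple

LIKELIHOOD_WEIGHT: Dict[str, float] = {"high": 1.0, "moderate": 0.5, "low": 0.1}
IMPACT_WEIGHT: Dict[str, int] = {"high": 100, "moderate": 50, "low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Multiply the weighted likelihood rating by the weighted impact level."""
    try:
        product = LIKELIHOOD_WEIGHT[likelihood.lower()] * IMPACT_WEIGHT[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating: {exc.args[0]!r}") from None
    return round(product, 6)  # avoid float noise at the band boundaries


def risk_level(score: float) -> str:
    """Map the numeric product back onto the qualitative high/moderate/low scale."""
    if score > 50:
        return "high"
    if score > 10:
        return "moderate"
    return "low"


def risk_matrix() -> Dict[Tuple[str, str], str]:
    """The full 3x3 likelihood-by-impact matrix, keyed by (likelihood, impact)."""
    return {
        (lik, imp): risk_level(risk_score(lik, imp))
        for lik in LIKELIHOOD_WEIGHT
        for imp in IMPACT_WEIGHT
    }


# Constructed sample threat-source/vulnerability pairs for the demonstration.
SAMPLE_PAIRS: List[Dict[str, str]] = [
    {"id": "TV-1", "threat": "external attacker", "vulnerability": "unpatched web server",
     "likelihood": "high", "impact": "high"},
    {"id": "TV-2", "threat": "flood", "vulnerability": "data center in flood plain",
     "likelihood": "low", "impact": "high"},
    {"id": "TV-3", "threat": "insider", "vulnerability": "stale access reviews",
     "likelihood": "moderate", "impact": "moderate"},
]


def rank_pairs(pairs: List[Dict[str, str]]) -> List[Tuple[str, float, str]]:
    """Return (id, score, level) tuples, highest risk first; ties keep input order."""
    scored = []
    for p in pairs:
        score = risk_score(p["likelihood"], p["impact"])
        scored.append((p["id"], score, risk_level(score)))
    return sorted(scored, key=lambda t: t[1], reverse=True)  # sorted() is stable


if __name__ == "__main__":
    for (lik, imp), level in risk_matrix().items():
        print(f"likelihood={lik:8} impact={imp:8} -> {level}")
    for pair_id, score, level in rank_pairs(SAMPLE_PAIRS):
        print(f"{pair_id}: score={score:5.1f} level={level}")
```

Note that a low-likelihood, high-impact pair (TV-2) lands in the low band on this scale; that is a property of the chosen weights, not a law, and is the usual argument for reviewing the band boundaries with the business owner rather than treating the product as an objective number.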
- The effectiveness of recommended security controls is primarily related to which of the following?
- System safety
- System reliability
- System complexity
- System regulations
- c. The effectiveness of recommended security controls is primarily related to system complexity and compatibility. The level and type of security controls should fit with the system complexity, meaning more controls are needed for complex systems and fewer controls are needed for simple systems. At the same time, security controls should match the system compatibility, meaning application-oriented controls are needed for application systems, and operating system–oriented controls are needed for operating systems. Other factors that should be considered include legislation and regulations, the organization’s policy, system impact, system safety, and system reliability.
- Risk mitigation does not strive to do which of the following?
- Control identification
- Control prioritization
- Control evaluation
- Control implementation
- a. Risk mitigation strives to prioritize, evaluate, and implement the appropriate risk-reducing controls recommended from the risk assessment process. Control identification is performed in the risk assessment process, which comes before risk mitigation.
- Which one of the following items can be a part of other items?
- Management controls
- Operational controls
- Technical controls
- Preventive controls
- d. System security controls selected are grouped into one of the three categories of management, operational, or technical controls. Each one of these controls can be preventive in nature.
- Risk management activities are performed for periodic system re-authorization in which of the following system development life cycle (SDLC) phases?
- Initiation
- Development/acquisition
- Implementation
- Operation/maintenance
- d. In the operation/maintenance phase of the SDLC, risk management activities are performed for periodic system re-authorization or re-accreditation.
- Which of the following are the fundamental reasons why organizations implement a risk management process for their IT systems?
- Need for minimizing negative impact on an organization
- Need for sound basis in decision making
- Need for inventing a new risk management methodology for each SDLC phase
- Need for noniterative process used in risk management
- 1 and 2
- 1 and 3
- 2 and 4
- 3 and 4
- a. Minimizing negative impact on an organization and the need for a sound basis in decision making are the fundamental reasons why organizations implement a risk management process for their IT systems. The risk management methodology is the same regardless of the system development life cycle (SDLC) phase, and it is an iterative process that can be performed during each major phase of the SDLC.
- From a risk management viewpoint, system migration is conducted in which of the following system development life cycle (SDLC) phases?
- Development/acquisition
- Implementation
- Operation/maintenance
- Disposal
- d. In the disposal phase of the SDLC process, system migration is conducted in a secure and systematic manner.
- For gathering information in the risk assessment process, proactive technical methods include which of the following?
- Questionnaires
- Onsite interviews
- Document review
- Network mapping tool
- d. A network mapping tool is an automated scanning tool that identifies the services running on a large group of hosts and provides a quick way to build individual profiles of the target IT system(s). The other three choices are nontechnical information-gathering methods; they rely on people and documents rather than on probing the system itself.
- Which of the following is not a recommended approach for identifying system vulnerabilities?
- Using vulnerability sources
- Using threat sources
- Conducting system security testing
- Using security requirements checklist
- b. Vulnerabilities (flaws and weaknesses) are exploited by potential threat sources such as employees, hackers, computer criminals, and terrorists. A threat source is either the intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger one. Threat sources are used to identify threats, not to find vulnerabilities.
Recommended approaches for identifying system vulnerabilities include the use of vulnerability sources, the performance of system security testing, and the development of a security-requirements checklist.
- From a risk mitigation viewpoint, which of the following is not an example of system protection controls that are part of supporting technical security controls?
- Modularity
- Layering
- Need-to-know
- Access controls
- d. From a risk mitigation viewpoint, technical security controls are divided into two categories: supporting controls and other controls (i.e., prevention, detection, and recovery controls). Supporting controls must be in place in order to implement other controls. Access controls are a part of preventive technical security controls, whereas system protections are an example of supporting technical security controls.
Some examples of system protections include modularity, layering, need-to-know, and trust minimization (i.e., minimization of what needs to be trusted).
- Which of the following controls is typically and primarily applied at the point of transmission or reception of information?
- Nonrepudiation services
- Access controls
- Authorization controls
- Authentication controls
- a. All these controls are examples of preventive technical security controls. Nonrepudiation control ensures that senders cannot deny sending information and that receivers cannot deny receiving it. As a result, nonrepudiation control is typically applied at the point of transmission or reception of information. Access controls, authorization controls, and authentication controls support nonrepudiation services.
- Setting performance targets for which of the following information security metrics is relatively easier than the others?
- Implementation metrics
- Effectiveness metrics
- Efficiency metrics
- Impact metrics
- a. Setting performance targets for effectiveness, efficiency, and impact metrics is much more complex than the implementation metrics because these aspects of security operations do not assume a specific level of performance. Managers need to apply both qualitative and subjective reasoning to set effectiveness, efficiency, and impact performance targets.
Implementation metrics measure the results of implementation of security policies, procedures, and controls (i.e., demonstrates progress in implementation efforts). Effectiveness/efficiency metrics measure the results of security services delivery (i.e., monitors the results of security controls implementation).
Impact metrics measure the results of business or mission impact of security activities and events (i.e., provides the most direct insight into the value of security to the firm).
- Which of the following is not an example of detective controls in information systems?
- Audit trails
- Encryption
- Intrusion detection
- Checksums
- b. Encryption is an example of preventive controls, which inhibit attempts to violate security policy. Detective controls warn of violations or attempted violation of security policies and include audit trails, intrusion detection methods, and checksums.
- Loss of system or data integrity reduces which of the following?
- Assurance
- Authorization
- Authentication
- Nonrepudiation
- a. Loss of system or data integrity reduces the assurance of an IT system. Assurance is the grounds for confidence that the system's security controls are effective in their application; once data or code can be altered without authorization, that confidence is no longer justified. Authorization, authentication, and nonrepudiation are individual security services that depend on integrity; they do not provide such assurance themselves.
- Which of the following should be performed first?
- Threat-source analysis
- Vulnerability analysis
- Threat analysis
- Risk analysis
- b. Threat analysis cannot be performed until after vulnerability analysis has been conducted because vulnerabilities lead to threats which, in turn, lead to risks. Threat-source analysis is a part of threat analysis. Therefore, vulnerability analysis should be performed first.
- Which of the following risk mitigation options prioritizes, implements, and maintains security controls?
- Risk assumption
- Risk avoidance
- Risk limitation
- Risk planning
- d. The purpose of the risk planning option is to manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains security controls. The purpose of the risk assumption option is to accept the potential risk and continue operating the IT system. The goal of risk avoidance is to eliminate the risk cause and/or consequence (for example, forgo certain functions of the system or shut down the system when risks are identified). The goal of risk limitation is to limit the risk by implementing controls that minimize the adverse impact of a threat exploiting a vulnerability (e.g., supporting, preventive, and detective controls).
- All the following are access agreements for employees prior to granting access to a computer system except:
- Rules of engagement
- Rules of behavior
- Non-disclosure agreement
- Acceptable use agreement
- a. Rules of engagement apply to outside individuals (e.g., vendors, contractors, and consultants) when conducting penetration testing of a computer system. Employees do not have rules of engagement; they are bound by access agreements. Examples of access agreements include rules of behavior, non-disclosure agreements, conflict-of-interest statements, and acceptable use agreements (or policies).
- In general, which of the following is not a cost-effective or practical procedure required of vendors, consultants, and contractors who are hired for a short period of time to assist with computer hardware and software related work?
- Service-level agreement
- Rules of engagement
- Background checks
- Conflict-of-interest clauses
- c. Due to higher turnover among vendors, consultants, and contractors and to the short timeframe of their work (e.g., a month or two), it is not cost effective or practical to conduct background checks, which are applicable to regular full-time employees. Vendors, consultants, and contractors must meet all the requirements mentioned in the other three choices. Background checks include contacting previous employers, verifying education with schools, and contacting friends and neighbors. However, for consultants and other non-employees, security clearance checks (e.g., police, court, and criminal records) are made when they handle sensitive information at work.
- For risk mitigation strategies, which of the following is not a proper action to take when there is a likelihood that a vulnerability can be exploited?
- Implement assurance techniques
- Apply layered protections
- Apply administrative controls
- Implement architectural design
- a. Assurance is the grounds for confidence that the set of intended security controls in an information system is effective in its application. Assurance techniques (e.g., establishing trustworthiness and predictable execution) build confidence that controls work as intended, but they do not by themselves reduce the likelihood that an exploitable vulnerability is exercised, and they may not be effective or timely for that purpose.
The other three choices reflect proper actions to take when there is likelihood that a vulnerability can be exploited.
- Residual risk results from which of the following steps taken in the approach to control implementation, which is done as part of the risk mitigation strategy?
- Conduct cost-benefit analysis
- Select controls
- Implement the selected controls
- Develop a control implementation plan
- c. Implementing the selected controls is the last step in the control implementation approach; the other three choices precede it (cost-benefit analysis informs control selection, and the selected controls are scheduled in the implementation plan before being put in place). The risk remaining after the implementation of new or enhanced security controls is the residual risk.
- As part of security control assessment, which of the following must be in place prior to the start of penetration testing work by outsiders?
- Rules of behavior
- Rules of negotiation
- Rules of engagement
- Rules of employment
- c. Detailed rules of engagement must be agreed upon by all parties before the commencement of any penetration testing scenario by outsiders. These rules of engagement contain tools, techniques, and procedures that are anticipated to be used by threat-sources in carrying out attacks.
Rules of behavior and rules of employment apply to internal employees. Rules of negotiation apply to both insiders and outsiders as a matter of work ethics.
- Which of the following is not an example of supporting technical security controls used in mitigating risk?
- Identification
- Authentication
- Cryptographic key management
- Security administration
- b. From a risk mitigation viewpoint, technical security controls are divided into two categories: supporting controls and other controls (i.e., prevention, detection, and recovery controls). This means supporting controls must be in place to implement other controls. Authentication is an example of preventive technical controls.
The other three choices (i.e., identification, cryptographic key management, and security administration) are examples of supporting technical security controls.
- Which of the following is not an example of system protections?
- Least privilege
- Process separation
- Authorization
- Object reuse
- c. Authorization is a part of preventive technical security controls, whereas system protections are an example of supporting technical security controls. Some examples of system protections include least privilege, process separation, and object reuse.
- Which of the following is the best way to ensure an acceptable level of trustworthiness of an information system?
- Component-by-component
- Subsystem-by-subsystem
- Function-by-function
- System-by-system
- d. Typically, components, subsystems, and functions are highly interrelated, making separation by trustworthiness problematic and the results unpredictable. Hence, system-by-system trustworthiness is best because it is holistic and inclusive of the system's components, subsystems, and functions.
- Which of the following is an example of detective (detection) personnel security controls?
- Separation of duties
- Least privilege
- User computer access registration
- Rotation of duties
- d. Rotation of duties is an example of detective (detection) personnel security controls, which are part of management security controls. The other three choices are examples of preventive personnel security controls.
- Which of the following is not an example of preventive management security controls?
- Conducting periodic review of security controls
- Assigning security responsibilities
- Developing system security plans
- Conducting security awareness and training
- a. Conducting periodic review of security controls to ensure that the controls are effective is an example of detection management security controls. The other three choices are examples of preventive management security controls.
- Which of the following characterizes information domains?
- Partitioning information
- Access control needs
- Levels of protection required
- Classifying information
- 1 and 2
- 2 and 3
- 3 and 4
- 1, 2, 3, and 4
- d. The partitioning of information according to access control needs and levels of protection required yields categories of information. These categories are often called information domains. Classification levels (e.g., top secret, secret, and sensitive) are one form of information domain, in which information is compartmentalized.
- A failure of common security controls can increase which of the following?
- System-specific risks
- Site-specific risks
- Subsystem-specific risks
- Organization-wide risks
- d. Common security controls are identified during a collaborative organization-wide process involving many parties. Because of the potential dependence on common security controls by many of an organization’s information systems, a failure of such common controls may result in a significant increase in organization-wide risks (i.e., risk that arises from operating the system that depends on these security controls).
- Which of the following is the first step in the risk management process?
- Selecting security controls
- Accomplishing security categorization
- Satisfying minimum security requirements
- Defining security control baselines
- b. Security categorization of data/information and information systems is the first step in the risk management process. Subsequent to the security categorization process, an organization must select an appropriate set of security controls for its information systems that satisfy the minimum security requirements. The selected set of security controls must be one of three security control baselines (i.e., low, moderate, or high) associated with the designated impact level of the information system (i.e., limited, serious, or severe/catastrophic adverse effect).
- A periodic assessment of the system security plan requires a review of changes occurring in which of the following areas?
- System functionality
- System design
- Information system owner
- System authorizing official
- 1 and 2
- 3 and 4
- 1, 2, and 3
- 1, 2, 3, and 4
- d. After the information system security plan is approved and the system accredited, it is important to periodically assess the plan and review any change in system functionality, system design, information system owner, and system authorizing official.
- Disciplinary actions are part of which of the following components of an information security program policy?
- Purpose
- Scope
- Compliance
- Responsibilities
- c. Components of an information security program policy include purpose, scope, responsibilities, and compliance. The compliance component defines penalties and disciplinary actions.
- Which of the following are required to enforce system-specific policies?
- Logical access controls
- Physical security measures
- Management controls
- Technical controls
- 1 and 2
- 2 and 3
- 3 and 4
- 1, 2, 3, and 4
- d. Both technology-based and nontechnology-based controls are required to enforce system-specific policies. This covers all the four items listed in the question.
- Benefits of central computer security programs include which of the following?
- Sharing information
- Installing technical controls
- Controlling virus infections
- Administering day-to-day computer security
- 1 and 2
- 1 and 3
- 2 and 3
- 2 and 4
- b. Organizations can develop expertise centrally and then share it, reducing the need to contract out repeatedly for similar services. The central computer security program can help facilitate information sharing. Similarly, controlling virus infections from a central location is efficient and economical. Options 2 and 4 are examples of benefits of a system-level computer security program.
- Which of the following are essential to improving IT security performance through metrics?
- Quantifying performance gaps
- Providing insights into root causes
- Submitting reports to internal management
- Collecting meaningful data for analysis
- 1 and 2
- 2 and 3
- 3 and 4
- 1, 2, 3, and 4
- a. Performance metrics are essential to performance improvement because they quantify performance gaps and provide insights into root causes of inadequate performance. Submitting reports to internal management and collecting meaningful data for analysis support quantifying performance gaps and providing insights into root causes.
- The concept of least privilege is primarily based on which of the following?
- Risk assessment
- Information flow enforcement
- Access enforcement
- Account management
- a. An organization employs the concept of least privilege by allowing only the accesses necessary for users (and processes acting on their behalf) to accomplish assigned tasks, and by authorizing specific ports, protocols, and services only as justified by risk assessments and as necessary to adequately mitigate risk to the organization's operations, assets, and individuals. The other three choices are specific components of access controls rather than the basis for least privilege.
- Results-based training does not focus on which of the following?
- Roles and responsibilities
- Understanding levels
- Job titles
- Backgrounds
- c. The results-based training focuses on job functions or roles and responsibilities, not job titles, and recognizes that individuals have unique backgrounds, and therefore, different levels of understanding.
- Which of the following are essential to reach a higher rate of success in protecting information?
- Proven security tools and techniques
- Encouraging professional certification
- Training employees in security policies
- Role-based security responsibilities
- 1 and 2
- 2 and 3
- 1 and 4
- 3 and 4
- d. Organizations that continually train their workforce in organizational security policy and role-based security responsibilities have a higher rate of success in protecting information.
Proven security tools and techniques and encouraging professional certification indirectly support training employees in security policies and role-based security responsibilities.
- Which of the following is the ultimate purpose of information security performance metrics?
- To pinpoint problems
- To scope resources for remediation
- To track ownership of data
- To improve information security
- d. The ultimate purpose of information security performance metrics is to support the organizational requirements and to assist in internal efforts to improve information security.
Intermediate benefits of performance measurement, leading to the ultimate purpose, include assisting with pinpointing problems, scoping the resources for remediation, tracking the status of remediation, and quantifying successes. Measurement also creates accountability for results by tracking ownership of data and its related activities.
- What should the information security manager do when the residual risk has not been reduced to an acceptable level?
- Repeat the risk management cycle.
- Develop new policies and procedures.
- Implement new security technologies.
- Establish a specific schedule for assessing risk.
- a. If the residual risk has not been reduced to an acceptable level, the information security manager must repeat the risk management cycle to identify a way of lowering the residual risk to an acceptable level. The other three choices are not strong enough actions to reduce the residual risk to an acceptable level.
- The level of protection for an IT system is determined by an evaluation of which of the following elements?
- Availability
- Integrity
- Sensitivity
- Criticality
- 1 and 2
- 2 and 3
- 3 and 4
- 1, 2, 3, and 4
- c. All IT systems and applications require some level of protection to ensure confidentiality, integrity, and availability, which is determined by an evaluation of the sensitivity and criticality of the information processed, the relation of the system to the organization's mission, and the economic value of the system components. Sensitivity reflects how much harm disclosure or alteration of the information would cause (confidentiality and integrity); criticality reflects how essential the system is to the mission (availability). Availability and integrity are security objectives protected as a result of that evaluation, not the elements that determine the level of protection.
- Which of the following IT metrics types measure the results of security services delivery?
- Implementation metrics
- Effectiveness metrics
- Efficiency metrics
- Impact metrics
- 1 and 2
- 2 and 3
- 1 and 4
- 3 and 4
- b. Implementation metrics measure the implementation of security policy. Effectiveness and efficiency metrics measure the results of security services delivery. Impact metrics measure the business or mission impact of security events.
- Which of the following factors affects the trustworthiness of an information system?
- Security functionality
- Security categorization
- Security certification
- Security assurance
- 1 and 2
- 1 and 4
- 3 and 4
- 1, 2, 3, and 4
- b. Two factors affecting the trustworthiness of an information system include security functionality (i.e., security features employed within the system) and security assurance (i.e., the grounds for confidence that the security functionality is effective in its application).
Security categorization and security certification are not relevant here: security categorization assigns impact levels to systems and information, and security certification is the assessment of a system's security controls that supports the accreditation (approval-to-operate) decision. Neither is itself a factor in the system's trustworthiness.
- When engaging information system services from an external service provider, which of the following is needed to mitigate security risk?
- Chain-of-custody
- Chain-of-command
- Chain-of-documents
- Chain-of-trust
- d. A chain-of-trust requires that the internal organization establish and retain a level of confidence that each external service provider provides adequate security protection for the services rendered to the internal organization.
Chain-of-custody refers to preserving evidence, and it may include chain-of-documents. Chain-of-command is a management principle, which follows job hierarchy in giving orders to subordinate employees by a supervising employee.
- From a security viewpoint, which of the following is the most important document prepared by an external information system service provider?
- Service provider security role
- End user security role
- Memorandum of agreement
- Service-level agreement
- d. The external information system services documentation must include the service provider security role, end user security role, signed contract, memorandum of agreement before the signed contract, and service-level agreement (most important). The service-level agreement (SLA) defines the expectations of performance for each required security control, describes measurable outcomes, and identifies remedies and response requirements for any identified instance of noncompliance.
- The results of information-security program assessment reviews can be used to do which of the following?
- To support the certification and accreditation process
- To support the continuing monitoring requirement
- To prepare for audits
- To improve the system’s security posture
- 1 and 2
- 2 and 3
- 3 and 4
- 1, 2, 3, and 4
- d. The results of information-security program assessment reviews can provide a much more reliable measure of security effectiveness. These results may be used to (i) fulfill the organization’s internal reporting requirements, (ii) support the certification and accreditation process for the system, (iii) support the continuing monitoring requirements, (iv) prepare for audits, and (v) identify resource needs to improve the system’s security posture.
- Which of the following should not be contained in the Rules of Behavior document?
- Copy of the security policy
- Controls for working at home
- Controls for dial-in access
- Use of copyrighted work
- a. The rules of behavior should not be a complete copy of the security policy or procedures guide, but rather cover controls at a high level. Examples of controls contained in rules of behavior include controls for working at home and controls for dial-in access, use of copyrighted work, password usage, connections to the Internet, searching databases, and divulging information. The security policy may contain an acceptable use policy.
- Which of the following represents the best definition and equation for a comprehensive and generic risk model?
- Breach x Threat x Vulnerability
- Attack + Threat + Impact
- Threat x Vulnerability x Impact
- Attack + Vulnerability + Impact
- c. Risk is the potential for an unwanted outcome resulting from internal or external factors, as determined from the likelihood of occurrence and the associated consequences. In other words, risk is the product of interactions among threats, vulnerabilities, and impacts. Threats deal with events and actions with potential to harm, vulnerabilities are weaknesses, and impacts are consequences.
The other three choices are incorrect because they do not have the required components in the correct equation for the risk.
- Which of the following has been determined to be a reasonable level of risk?
- Minimum risk
- Acceptable risk
- Residual risk
- Total risk
- b. Acceptable risk is the level of residual risk that has been determined to be a reasonable level of potential loss or disruption for a specific computer system.
Minimum risk is incorrect because it is the reduction in the total risk that results from the impact of in-place safeguards or controls. Residual risk is incorrect because it results from the occurrence of an adverse event after adjusting for the impact of all safeguards in-place. Total risk is incorrect because it is the potential for the occurrence of an adverse event if no mitigating action is taken (i.e., the potential for any applicable threat to exploit system vulnerability).
- When a contractor representing an organization uses an internal system to connect with an external organization’s system for data exchange, the contractor should comply with which of the following agreed-upon trust relationships?
- Conflict of interest statements
- Rules of behavior
- Remote session rules
- Rules of operation
- 1 only
- 3 only
- 2 and 4
- 1, 2, 3, and 4
- d. To comply with established trust relationships, employees and contractors have the same responsibility (principal and agent relationship) because the contractor is working on behalf of the internal organization. Hence, all the terms and conditions that apply to employees equally apply to contractors. These conditions include rules of behavior, remote session rules, rules of operation, and signed conflict of interest statements.
- The aim of risk analysis is to strike a(n):
- Technical balance between the impact of risks and the cost of protective measures
- Operational balance between the impact of risks and the cost of protective measures
- Economic balance between the impact of risks and the cost of protective measures
- Legal balance between the impact of risks and the cost of protective measures
- c. The aim of a risk analysis is to help systems management strike an economic balance between the impact of risks and the cost of protective measures. It lists risks first and protective measures second.
- To estimate the losses likely to occur when a threat is realized or a vulnerability is exploited, which of the following loss categories allow management the best means to estimate their potential losses?
- Single occurrence loss, actual loss
- Expected loss, catastrophic loss
- Catastrophic loss, actual loss
- Expected loss, single occurrence loss
- d. Two loss categories are usually identified. (i) Losses caused by threats with reasonably predictable occurrence rates are referred to as expected losses; they are expressed in dollars per year and computed as the product of occurrence rate, loss potential, and vulnerability factor. (ii) Losses caused by threats with a very low rate of occurrence (low probability), which is difficult to estimate, but that would cause a very high loss if they did occur (high-consequence risk) are referred to as single occurrence losses; they are expressed as the product of loss potential, vulnerability factor, and asset value. A catastrophic loss is a loss greater than the organization's equity. An actual loss is the amount of assets or lives lost. Neither catastrophic loss nor actual loss enters into risk assessment because neither can be estimated in advance.
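The two loss categories above, and the economic balance between risk impact and control cost described a few questions earlier, are easier to see when carried through on numbers. The following Python is an added example, not part of the original text: it computes expected annual loss for threats with a predictable occurrence rate, single occurrence loss for rare high-consequence threats, and the net benefit of each candidate control (loss reduction minus annual cost) so that controls can be prioritized and the residual expected loss compared with an acceptable level. The page's formulas give dollars only if loss potential is already a dollar amount; here loss potential is carried as a fraction of asset value so both formulas share the same inputs, which is an assumption of this example. The threats, controls, and dollar figures are constructed for illustration.

```python
"""Expected loss vs. single occurrence loss and a cost-benefit pass over controls.
Added illustrative example; all sample threats, controls and figures are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float              # dollars at risk
    loss_potential: float           # fraction of asset value lost per occurrence (assumption: a fraction)
    vulnerability_factor: float     # 0..1, share of that loss current controls let through
    occurrence_rate: Optional[float]  # expected occurrences per year; None = too rare to estimate


@dataclass(frozen=True)
class Control:
    name: str
    threat: str                     # Threat.name this control protects
    new_vulnerability_factor: float  # vulnerability factor once the control is in place
    annual_cost: float              # annualized cost of the control in dollars


def expected_annual_loss(t: Threat, vulnerability_factor: Optional[float] = None) -> float:
    """Expected loss ($/yr) = occurrence rate x loss potential x vulnerability factor,
    with loss potential scaled to dollars by asset value (see module docstring)."""
    if t.occurrence_rate is None:
        raise ValueError(f"{t.name}: no predictable occurrence rate; use single_occurrence_loss")
    vf = t.vulnerability_factor if vulnerability_factor is None else vulnerability_factor
    return round(t.occurrence_rate * t.loss_potential * vf * t.asset_value, 2)


def single_occurrence_loss(t: Threat) -> float:
    """Single occurrence loss ($) = loss potential x vulnerability factor x asset value."""
    return round(t.loss_potential * t.vulnerability_factor * t.asset_value, 2)


def classify_losses(threats: List[Threat]):
    """Split threats into the two loss categories the text describes."""
    expected = {t.name: expected_annual_loss(t) for t in threats if t.occurrence_rate is not None}
    single = {t.name: single_occurrence_loss(t) for t in threats if t.occurrence_rate is None}
    return expected, single


def evaluate_control(threat: Threat, control: Control) -> Dict:
    """Net benefit = reduction in expected annual loss minus the control's annual cost.
    Adopt only when the control costs less than the loss it removes (economic balance)."""
    before = expected_annual_loss(threat)
    after = expected_annual_loss(threat, control.new_vulnerability_factor)
    reduction = round(before - after, 2)
    net = round(reduction - control.annual_cost, 2)
    return {"control": control.name, "before": before, "after": after, "reduction": reduction,
            "annual_cost": control.annual_cost, "net_benefit": net, "adopt": net > 0}


def plan(threats: List[Threat], controls: List[Control], acceptable_annual_loss: float) -> Dict:
    """Rank controls by net benefit, adopt the positive ones, and report residual expected loss.
    Controls on rare threats are listed but not annualized: no occurrence rate to multiply by."""
    by_name = {t.name: t for t in threats}
    decisions = [evaluate_control(by_name[c.threat], c) for c in controls
                 if by_name[c.threat].occurrence_rate is not None]
    decisions.sort(key=lambda d: d["net_benefit"], reverse=True)
    adopted = {d["control"] for d in decisions if d["adopt"]}
    residual = 0.0
    for t in threats:
        if t.occurrence_rate is None:
            continue
        vf = min([c.new_vulnerability_factor for c in controls
                  if c.threat == t.name and c.name in adopted], default=t.vulnerability_factor)
        residual += expected_annual_loss(t, vf)
    residual = round(residual, 2)
    return {"decisions": decisions, "adopted": sorted(adopted),
            "residual_expected_loss": residual,
            "acceptable": residual <= acceptable_annual_loss,
            "unannualized": [c.name for c in controls if by_name[c.threat].occurrence_rate is None]}


# Constructed sample data (not from any real assessment).
THREATS = [
    Threat("Ransomware on file server", 500_000, 0.4, 0.8, 0.5),
    Threat("Insider data theft", 1_000_000, 0.6, 0.5, 0.2),
    Threat("Data center fire", 2_000_000, 1.0, 0.9, None),   # rare, high consequence
]
CONTROLS = [
    Control("Offline backups and EDR", "Ransomware on file server", 0.2, 25_000),
    Control("DLP with egress monitoring", "Insider data theft", 0.3, 50_000),
    Control("Fire suppression upgrade", "Data center fire", 0.3, 40_000),
]
ACCEPTABLE_ANNUAL_LOSS = 50_000.0  # management's acceptable-risk threshold (assumed)


def run_example() -> Dict:
    expected, single = classify_losses(THREATS)
    result = plan(THREATS, CONTROLS, ACCEPTABLE_ANNUAL_LOSS)
    result["expected_losses"], result["single_occurrence_losses"] = expected, single
    return result


if __name__ == "__main__":
    r = run_example()
    for d in r["decisions"]:
        print(f"{d['control']}: reduces ${d['reduction']:,.0f}/yr for ${d['annual_cost']:,.0f}/yr -> adopt={d['adopt']}")
    print("Single occurrence losses (management judgement):", r["single_occurrence_losses"])
    print(f"Residual expected loss ${r['residual_expected_loss']:,.0f}/yr; acceptable={r['acceptable']}")
```

With these figures the backup/EDR control removes $60,000 of expected annual loss for $25,000 and is adopted; the DLP control removes only $24,000 for $50,000 and is rejected; the fire threat has no estimable rate, so its $1.8 million single occurrence loss is reported for management judgement rather than annualized. The residual expected loss ($80,000) still exceeds the assumed acceptable level, which is exactly the situation in which the risk management cycle is repeated.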
- From a security accountability viewpoint, which of the following pose a security risk?
- Executives and contractors
- Full-time employees and contingent workers
- Executives and full-time employees
- Vendors and consultants
- b. Most executives have an employment contract listing security policies, practices, procedures, and penalties for noncompliance of such policies and practices. Contractors, vendors, and consultants are bound by formal rules of engagement. Full-time employees operate under an employment-at-will arrangement; employees have no formal contract and can leave the company or the employer can terminate employment at any time. Contingent workers are part-time and short-time workers (temporary) and have no formal contract. In the absence of a formal contract or rules of engagement, it is difficult for the company to enforce or punish the full-time employees and contingent workers if they violate security policies and practices. Therefore, full-time employees and contingent workers are not truly accountable for the security in the absence of a formal contract (i.e., not legally bound and not enforceable), thus posing a security risk to the company.
- What is the last thing to do upon friendly termination of an employee?
- Conduct an exit interview.
- Disable computer access immediately.
- Take possession of keys and cards.
- Send the employee to a career counselor.
- d. The safest and first thing to do is to (i) disable computer access immediately, which should be a standard procedure, (ii) conduct an exit interview, and (iii) take possession of access keys and cards. The employee can be sent to a career counselor afterward (last thing).
- Which of the following statements is true about data classification and application categorization for sensitivity?
- Data classification and application categorization is the same.
- There are clear-cut views on data classification and application categorization.
- Data classification and application categorization must be organization-specific.
- It is easy to use simple data classification and application categorization schemes.
- c. No two organizations are the same, and it is especially true in cross-industries. For example, what works for a governmental organization may not work for a commercial organization. An example of data classification is critically sensitive, highly sensitive, sensitive, and nonsensitive.
- What is the least effective technique for continually educating users in information systems security?
- Presenting security awareness video programs
- Posting policies on the intranet websites
- Presenting one-size-fits-all security briefings
- Declaring security awareness days
- c. It is good to avoid a one-size-fits-all type of security briefing. It is important to relate security concerns to the specific risks faced by users in individual business units or groups and to ensure that security is an everyday consideration. Lax security can cost money and time. Security awareness is inexpensive and less time-consuming compared to installing security countermeasures.
- Trustworthy information systems are defined as:
- Operating within defined levels of risk
- Handling environmental disruptions
- Handling human errors
- Handling purposeful attacks
- 1 only
- 3 only
- 4 only
- 1, 2, 3, and 4
- d. Trustworthy information systems are those systems capable of being trusted to operate within defined levels of risk despite the environmental disruptions, human errors, and purposeful attacks expected to occur in the specified environments of operation.
- Which of the following combinations of conditions can put the IT assets at the most risk of loss?
- System interconnectivity and poor security management
- System interconnectivity and poor controls over data sensitivity
- System interconnectivity and lack of system backups
- System interconnectivity and inadequate physical security
- a. Poor security management does not proactively and systematically assess risks, monitor the effectiveness of security controls, and respond to identified problems. This situation can become much weaker with interconnected systems where the risk is the greatest. The other three choices are the result of poor security management.
- An IT security training program is a part of which of the following control categories?
- Application controls
- General controls
- Administrative controls
- Technical controls
- c. The security-training program is a part of administrative controls, which in turn, can be a part of management controls. Application controls relate to a specific application system, whereas general controls relate to a computer center. Technical controls can be useful in both application and general areas.
- What is the last step when an insider violates a security policy?
- Verbal warning
- Dismissal
- Legal action
- Written warning
- c. When an insider violates security policy, the first step is a verbal warning, followed by a written warning, dismissal, and the final step of legal action.
- Which of the following is referred to when data is transferred from high network users to low network users?
- Data downgrade
- Data regrade
- Data upgrade
- Data release
- b. Data regrade is the term used when data is transferred from high network users to low network users and from low network users to high network users.
Data downgrade is the change of a classification label to a lower label without changing the contents of the data. Data upgrade is the change of a classification label to a higher label without changing the contents of the data. Data release is the process of returning all unused disk space to the system when a dataset is closed at the end of processing.
- Which of the following must be done first to protect computer systems?
- Battling information abusers
- Fighting hackers
- Reducing vulnerabilities
- Catching crackers
- c. Reducing vulnerabilities decreases potential exposures and risks. The other three choices follow the vulnerabilities.
- Which of the following are major benefits of security awareness, training, and education programs accruing to an organization?
- Reducing fraud
- Reducing unauthorized actions
- Improving employee behavior
- Reducing errors and omissions
- c. Making computer system users aware of their security responsibilities and teaching them correct practices help users change their behavior. It also supports individual accountability, which is one of the most important ways to improve computer security. Without knowing the necessary security measures and knowing how to use them, users cannot be truly accountable for their actions. The other three choices are examples of major purposes of security awareness.
- In developing a data security program for an organization, who should be responsible for defining security levels and access profiles for each data element stored in the computer system?
- Database administrator
- Systems programmer
- Data owner
- Applications programmer
- c. Usually, the data owner defines security levels such as confidential or highly confidential and access profiles defining who can do what, such as add, change, or delete the data elements. It is the data owner who sponsored and paid for the system on behalf of the business unit.
The database administrator is incorrect because that role is concerned with creating and controlling the logical and physical database. The systems programmer is incorrect because that role is responsible for installing new releases of systems software and monitoring the performance of systems software products. The applications programmer is incorrect because that role is responsible for developing, testing, and maintaining computer-based application programs in the selected programming languages.
- Which of the following is not a true statement about data collection efforts during IT security metrics development process?
- Data collection process must be as nonintrusive as possible.
- Collected data must have maximum usefulness.
- Collected data must be valid.
- More resources are needed to collect more data.
- d. The data collection effort during the IT security metrics development process must be as nonintrusive as possible and of maximum usefulness to ensure that available resources are primarily used to correct problems, not simply to collect data for the sake of collecting. The collection of valid data is more important than collecting more data.
- System or network administrators will be interested in which of the following IT security metrics?
- Implementation
- Effectiveness
- Efficiency
- Impact
- a. The four measurable aspects of IT security metrics speak to different stakeholders. System or network administrators want to know what went wrong during IT security implementation activities. Information security and program managers are interested in effectiveness and efficiency during IT security activities. The agency head or chief executive officer (CEO) is interested in the business and mission impact of IT security activities. As the primary stakeholders, the chief information officer (CIO) and information systems security officer are interested in the results of IT security metrics. As the secondary stakeholders, the chief financial officer (CFO), Inspector General (IG), or Chief Audit Executive (CAE) of Internal Audit are interested in the development and funding of IT security metrics.
- The prudent man concept is related to which of the following?
- Due care and due permissions
- Due care and due rights
- Due care and due diligence
- Due care and due privileges
- c. The prudent man concept is related to due care and due diligence. Due care is maintaining reasonable care, whereas due diligence requires organizations to be vigilant and diligent. Good housekeeping in a data center is an example of due diligence. The prudent man concept states that reasonable people always act reasonably under the same conditions. Because people are fallible, courts and law require that people use reasonable care all the time.
Courts will find computer owners responsible for their insecure systems. Courts will not find liability every time a computer is hijacked. Rather, courts expect organizations to become reasonably prudent computer owners taking due care (reasonable care) to ensure adequate security. Due care means having the right policies and procedures, access controls, firewalls, and other reasonable security measures in place. Computer owners need not take super care, great care, or extraordinary care.
- What is the purpose of a system security plan?
- Document the security requirements of a system.
- Describe the controls in place or planned.
- Delineate roles and responsibilities.
- Document the security protection of a system.
- 1 only
- 1 and 2
- 4 only
- 1, 2, 3, and 4
- d. The purpose of a system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates roles and responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system.
- What does management authorization of a system to process information provide?
- Important quality control
- Assessment of management controls
- Assessment of operational controls
- Assessment of technical controls
- 2 only
- 3 only
- 4 only
- 1, 2, 3, and 4
- d. Management authorization of a system to process information provides an important quality control. By authorizing processing in a system, the manager accepts its associated risk. Management authorization should be based on an assessment of management, operational, and technical controls.
- Which of the following should be performed prior to proceeding with the security certification and accreditation process for a system?
- System security plan be developed
- System security plan be analyzed
- System security plan be updated
- System security plan be accepted
- a. Procedures should be in place outlining who reviews the security plan, keeps the plan current, and follows up on planned security controls. In addition, procedures should require that system security plans be developed and reviewed prior to proceeding with the security certification and accreditation process for the system.
- Which of the following individuals establishes the rules for appropriate use and protection of a system’s data and information?
- Chief information officer
- Information system security officer
- Information system owner
- Information owner
- d. The information owner is responsible for establishing the rules for appropriate uses and protection of a system’s data and information. He establishes controls in terms of generation, collection, processing, dissemination, and disposal. The chief information officer (CIO) is incorrect because the CIO is responsible for developing and maintaining an organization-wide information security program. The information system security officer is incorrect because he is responsible for ensuring that the appropriate operational security posture is maintained for an information system. The information system owner (also known as program manager or business owner) is incorrect because he is responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.
- Which of the following states that every user should be notified prior to receiving authorization for access to a system and understand the consequences of noncompliance?
- Rules-of-behavior
- Rules-of-access
- Rules-of-use
- Rules-of-information
- a. The rules-of-behavior is a security control clearly delineating the responsibilities and expected behavior of all individuals with access to the system. The rules should state the consequences of inconsistent behavior or noncompliance and be made available to every user prior to receiving authorization for access to the system. Electronic signatures are acceptable for use in acknowledging the rules of behavior.
- The baseline security controls can be tailored using the results from:
- Assessment of risk
- Specific threat information
- Cost-benefit analyses
- Availability of compensating controls
- 1 only
- 1 and 2
- 1, 2, and 3
- 1, 2, 3, and 4
- d. The baseline security controls can be tailored based on an assessment of risk and local conditions including organization-specific security requirements, specific threat information, cost-benefit analyses, the availability of compensating controls, or special circumstances.
- For system security scoping guidance, which of the following addresses the breadth and depth of security control implementation?
- Technology-related considerations
- Physical infrastructure-related considerations
- Scalability-related considerations
- Public access–related considerations
- c. Scoping guidance provides an organization with specific terms and conditions on the applicability and implementation of individual security controls.
Scalability-related considerations address the breadth and depth of security control implementation. Technology-related considerations deal with specific technologies such as wireless, cryptography, and public key infrastructure. Physical infrastructure-related considerations include locks and guards, and environmental controls for temperature, humidity, lighting, fire, and power. Public access-related considerations address whether identification and authentication, and personnel security controls, are applicable to public access.
- The major reason for using compensating security controls for an information system is in lieu of which of the following?
- Prescribed controls
- Management controls
- Operational controls
- Technical controls
- a. Compensating security controls are the management, operational, or technical controls used by an organization, which are implemented in lieu of prescribed controls in the low, moderate, or high security control baselines. All these controls provide equivalent or comparable protection for an information system.
- Which of the following is not a part of operational controls as they relate to system security controls?
- Access controls
- Contingency planning controls
- Incident response controls
- Physical security controls
- a. Access control, along with identification and authentication and audit and accountability, is a part of technical control. Contingency planning controls are incorrect because they are a part of operational controls. Incident response controls are incorrect because they are a part of operational controls. Physical security controls are incorrect because they are a part of operational controls.
- The process of selecting the appropriate security controls and applying the system security scoping guidance is to achieve which of the following?
- Reasonable security
- Adequate security
- Normal security
- Advanced security
- b. Adequate security is defined as security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. The process of selecting the appropriate security controls and applying the scoping guidelines to achieve adequate security is a multifaceted, risk-based activity involving management and operational personnel within the organization. Note that adequate security is more than reasonable or normal security and less than advanced security.
- Which of the following is not an example of a common security control?
- Access control
- Management control
- Operational control
- Hybrid control
- a. Security controls not designated as common controls are considered system-specific controls and are the responsibility of the information system owner. For example, access control is a part of technical control and is a system-specific control. Many of the management and operational controls needed to protect an information system may be excellent candidates for common security control status. Common security controls reduce security costs when they are centrally managed in terms of development, implementation, and assessment. Hybrid controls contain both common and system-specific controls.
- Which of the following determines the adequacy of security in a software product?
- How is a product tested?
- How is a product evaluated?
- How is a product applied related to other systems?
- How is a product developed related to other systems?
- 1 only
- 2 only
- 3 and 4
- 1, 2, 3, and 4
- c. The way in which a software product is developed, integrated, and applied to other system components affects the adequacy of its security.
Even when a product successfully completes a formal security evaluation, it may contain vulnerabilities (e.g., buffer overflow problems). Using a tested and evaluated software product does not necessarily ensure a secure and adequate operational environment.
- Which of the following items is not a replacement for the other three items?
- Enabling system logs
- Conducting formal audits
- Reviewing system logs manually
- Reviewing system logs automatically
- b. Although conducted periodically, formal audits are useful, but are not a replacement for day-to-day management of the security status of a system. Enabling system logs and reviewing their contents manually or through automated report summaries can sometimes be the best means of uncovering unauthorized behavior of people and systems and detecting security problems. The critical point here is that day-to-day management is more timely and effective than periodic audits, which could be too late.
- Minimal functionality in an application system relates to which of the following security principles?
- Security is relative to each organization.
- Security is inversely related to complexity.
- Security should be layered and have diverse defenses.
- Security should be based on minimal privileges.
- b. Security is inversely related to complexity; the more complex a system, the more difficult it is to secure. This is the focus of the safeguard titled “minimal functionality.” Security should be relative to each organization and must take into account an organization’s specific needs, budget, and culture. Security is not absolute. This is the focus of the safeguard titled “risk analysis and management.” Defending an information system requires safeguards to be applied not only at points of entry, but also throughout. This is the focus of the safeguard titled “layered and diverse defenses.” The principle of least (minimum) privilege states that programs should operate only with the privileges needed to accomplish their functions. This is the focus of the safeguard titled “least privilege.”
- Residual risk is calculated as which of the following?
- Known risks minus unknown risks
- Actual risks minus probable risks
- Probable risks minus possible risks
- Potential risks minus covered risks
- d. Potential risks include all possible and probable risks. Countermeasures cover some, but not all risks. Therefore, the residual risk is potential risks minus covered risks.
- Which of the following is the correct equation in risk management?
- Risk management = Risk research + Risk analysis + Risk evaluation
- Risk management = Risk analysis + Risk avoidance + Risk evaluation
- Risk management = Risk assessment + Risk mitigation + Risk evaluation
- Risk management = Risk transfer + Risk acceptance + Risk evaluation
- c. Risk management includes risk assessment, risk mitigation, and risk evaluation. Risk assessment is also called risk analysis. Risk mitigation includes risk transfer (risk assignment), risk reduction, risk avoidance, risk sharing, risk limitation, and risk acceptance. Risk research is a part of risk analysis. Risk evaluation focuses on ongoing risk assessment.
- What can be done with the residual risk?
- It can be either assigned or accepted.
- It can be either identified or evaluated.
- It can be either reduced or calculated.
- It can be either exposed or assessed.
- a. Residual risk is the remaining risk after countermeasures (controls) cover the risk population. The residual risk is either assigned to a third party (e.g., insurance company) or accepted by management as part of doing business. It may not be cost-effective to further reduce residual risk.
- Which of the following is not part of risk analysis?
- Assets
- Threats
- Vulnerabilities
- Countermeasures
- d. Actual implementation of countermeasures and safeguards takes place after performing risk analysis. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that could mitigate this impact. Assets, threats, and vulnerabilities are part of the risk analysis exercise.
- Unacceptable risk is which of the following?
- Attacker’s cost < gain
- Loss anticipated > threshold
- Attacker’s cost > gain
- Loss anticipated < threshold
- 1 and 2
- 2 and 3
- 1 and 4
- 3 and 4
- a. Unacceptable risk is a situation where an attacker’s cost is less than gain and where loss anticipated by an organization is greater than its threshold level. The organization’s goals should be to increase an attacker’s cost and to reduce an organization’s loss.
- Security safeguards and controls cannot do which of the following?
- Risk reduction
- Risk avoidance
- Risk transfer
- Risk analysis
- d. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Risk analysis is a management exercise performed before deciding on specific safeguards and controls. The other three choices are a part of risk mitigation, which results from applying the selected safeguards and controls. Risk avoidance includes risk reduction, and risk transfer is assigning risk to a third party.
- Selection and implementation of security controls refer to which of the following?
- Risk analysis
- Risk mitigation
- Risk assessment
- Risk management
- b. Risk mitigation involves the selection and implementation of security controls to reduce risks to an acceptable level. Risk analysis is the same as risk assessment. Risk management includes both risk analysis and risk mitigation.
- Which of the following is closely linked to risk acceptance?
- Risk detection
- Risk prevention
- Risk tolerance
- Risk correction
- c. Risk tolerance is the level of risk an entity or a manager is willing to assume or accept to achieve a potential desired result. Some managers accept more risk than others do because of their personal affinity toward risk.
- The amount of risk an organization can handle should be based on which of the following?
- Technological level
- Acceptable level
- Affordable level
- Measurable level
- b. Often, losses cannot be measured in monetary terms alone, such as loss of customer confidence and loyalty. Risk should be handled at an acceptable level for an organization. Both affordable and technological levels vary with the type of organization (e.g., small, medium, or large size and technology dependent or not).
- In terms of information systems security, a risk is defined as which of the following combinations?
- Attack plus vulnerability
- Threat plus attack
- Threat plus vulnerability
- Threat plus breach
- c. Vulnerability is a weakness in security policy, procedure, personnel, management, administration, hardware, software, or facilities affecting security that may allow harm to an information system. The presence of vulnerability does not in itself cause harm. It is a condition that may allow the information system to be harmed by an attack. A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction or modification of data or denial-of-service. An attack is an attempt to violate data security. A risk is the probability that a particular threat can exploit a particular vulnerability of a system. An exposure is an instance of vulnerability in which losses may result from the occurrence of one or more attacks. A countermeasure is any action, control, device, procedure, technique, or other measure that reduces the vulnerability of a threat to a system. A breach is the successful circumvention or disablement of a security control, with or without detection, which if carried to completion, could result in a penetration of the system.
- Risk management is made up of primary and secondary activities. Which of the following is an example of a secondary activity?
- Risk analysis data
- Risk assessment
- Risk mitigation
- Risk methodology
- a. Risk management must often rely on speculation, best guesses, incomplete data, and many unproven assumptions. The risk-based data are another source of uncertainty and are an example of a secondary activity. Data for risk analysis normally come from two sources: statistical data and expert analysis. Both have shortcomings; for example, the sample may be too small, or expert analysis may be subjective based on assumptions made.
Risk assessment, the process of analyzing and interpreting risk, is composed of three basic activities: (i) determining the assessment’s scope and methodology, (ii) collecting and synthesizing data, and (iii) interpreting the risk. A risk assessment methodology should be a relatively simple process that could be adapted to various organizational units and involves a mix of individuals with knowledge of the business operations and technical aspects of the organization’s systems and security controls.
Risk mitigation involves the selection and implementation of cost-effective security controls to reduce risk to a level acceptable to management, within applicable constraints. Risk methodology is a part of risk assessment. It can be formal or informal, detailed or simplified, high or low level, quantitative (computationally based) or qualitative (based on descriptions or rankings), or a combination of these. No single method is best for all users and all environments. The other three choices are examples of primary activities.
- From a risk management viewpoint, which of the following options is not acceptable?
- Accept the risk
- Assign the risk
- Avoid the risk
- Defer the risk
- d. “Deferring risk” means either ignoring the risk at hand or postponing the issue until further consideration. If the decision to defer the risk is a calculated one, it is hoped that management had the necessary data.
“Accept the risk” is satisfactory when the exposure is small and the protection cost is high. “Assign the risk” is used when it costs less to assign the risk to someone else than to directly protect against it. “Avoid the risk” means placing necessary measures so that a security incident will not occur at all or so that a security event becomes less likely or costly.
- What is an attacker repeatedly using multiple different attack vectors to generate opportunities called?
- Adverse action
- Advanced threat
- Threat agent
- Threat source
- b. An advanced (persistent) threat is conducted by an adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception), to generate opportunities to achieve its objectives. The advanced threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.
Adverse actions are actions performed by a threat agent on an asset. These actions influence one or more properties of an asset from which that asset derives its value. A threat consists of a threat agent, a targeted asset, and an adverse action of that threat agent on that asset. Threat agents are entities that can adversely act on assets. Examples of threat agents include hackers, users, computer processes, software development staff, and accidental/intentional errors. Threat agents and threat sources are the same in that their intents and methods are targeted at the intentional exploitation of vulnerability or a situation and the methods that may accidentally trigger vulnerability.
- What does a “deviation from an organization-wide approved security policy” mean?
- Risk acceptance
- Risk assignment
- Risk reduction
- Risk containment
- a. To deviate from an organization-wide approved security policy, the business unit management needs to prepare a letter explaining the reason for the deviation and recognizing and accepting the related risk. Risk assignment is transferring risk to a third party. Risk reduction and risk containment deal with limiting risk by implementing controls.
- When performing risk analysis, annual loss exposure is calculated as which of the following?
- Impact multiplied by frequency of occurrence
- Impact minus frequency of occurrence
- Impact plus frequency of occurrence
- Impact divided by frequency of occurrence
- a. Quantitative means of expressing both potential impact and estimated frequency of occurrence are necessary to perform a risk analysis. The essential elements of a risk analysis are an assessment of the damage that can be caused by an unfavorable event and an estimate of how often such an event may happen in a period of time. Because the exact impact and frequency cannot be specified accurately, it is only possible to approximate the loss with an annual loss exposure, which is the product of the estimated impact in dollars and the estimated frequency of occurrence per year. The product of the impact and the frequency of occurrence would be the statement of loss.
- A risk analysis provides management of all the following except:
- Accepting the occurrence of a harmful event
- Reducing the impact of occurrence of a harmful event
- Ranking critical applications
- Recognizing that a potential for loss exists
- c. A risk analysis provides senior management with information to base decisions on, such as whether it is best to accept or prevent the occurrence of a harmful event, to reduce the impact of such occurrences, or to simply recognize that a potential for loss exists.
The risk analysis should help managers compare the cost of the probable consequences to the cost of effective safeguards. Ranking critical applications comes after the risk analysis is completed. Critical applications are those without which the organization could not function. Proper attention should be given to ensure that critical applications and software are sufficiently protected against loss.
- Which of the following methods for handling risk involves a third party?
- Accepting risk
- Eliminating risk
- Reducing risk
- Transferring risk
- d. An insurance company or a third party is involved in transferring risk. The other three choices do not involve a third party because they are handled within an organization.
- Which of the following security risk assessment techniques uses a group of experts as the basis for making decisions or judgments?
- Risk assessment audits
- Delphi method
- Expert systems
- Scenario-based threats
- b. The Delphi method uses a group decision-making technique. The rationale for using this technique is that it is sometimes difficult to get a consensus on the cost or loss value and the probabilities of loss occurrence. Group members do not meet face-to-face. Rather, each group member independently and anonymously writes down suggestions and submits comments that are then centrally compiled. This process of centrally compiling the results and comments is repeated until full consensus is obtained.
Risk assessment audits are incorrect because these audits do not provide the same consensus as the one reached by a group of experts in the Delphi method. Usually, one or two individuals perform audits, not groups. Expert systems are incorrect because they are computer-based systems developed with the knowledge of human experts. These systems do not reach a consensus as a group of people. Scenario-based threats are incorrect because possible threats are identified based on scenarios by a group of people. However, this system does not have the same consensus reached as in the Delphi method. The process of submitting results and comments makes the Delphi method more useful than the other methods.
- The costs and benefits of security techniques should be measured in monetary terms where possible. Which of the following is the most effective means to measure the cost of addressing relatively frequent threats?
- Single-occurrence losses
- Annualized loss expectancy
- Fatal losses
- Catastrophic losses
- b. The annualized loss expectancy (ALE) is the estimated loss expressed in monetary terms at an annual rate, for example, dollars per year. The ALE for a given threat with respect to a given function or asset is equal to the product of the estimates of occurrence rate, loss potential, and vulnerability factor.
Single-occurrence loss (SOL) is incorrect because it is the loss expected to result from a single occurrence of a threat. It is determined for a given threat by first calculating the product of the loss potential and vulnerability factor for each function and asset for the threat being analyzed. Then the products are summed to generate the SOL for the threat. Because the SOL does not depend on an estimate of the threat’s occurrence rate, it is particularly useful for evaluating rare but damaging threats. If a threat’s SOL estimate is unacceptably high, it is prudent risk management to take security actions to reduce the SOL to an acceptable level.
Both fatal losses and catastrophic losses are big and rare. Fatal losses involve loss of human life, and catastrophic loss incurs great financial loss. In short, the ALE is useful for addressing relatively frequent threats, whereas SOL and fatal or catastrophic losses address rare threats.
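The annual loss exposure question above (impact multiplied by frequency of occurrence) and this ALE/SOL explanation describe the same arithmetic from two angles. The following added example, which is not from the book, carries it through for several threats and assets so the difference between an ALE ranking (frequent threats) and an SOL threshold check (rare but damaging threats) is visible in code. All asset values, vulnerability factors, occurrence rates, thresholds and safeguard costs are constructed sample figures, and the function names are the example's own.

```python
"""Single-occurrence loss (SOL) and annualized loss expectancy (ALE) per threat.

SOL(threat) = sum over assets of loss_potential * vulnerability_factor
ALE(threat) = occurrence_rate_per_year * SOL(threat)

Every number in the sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Exposure:
    """One asset's exposure to a threat."""
    asset: str
    loss_potential: float        # dollars lost if the threat fully materialises
    vulnerability_factor: float  # fraction (0..1) of loss_potential the threat can reach


@dataclass(frozen=True)
class Threat:
    name: str
    occurrence_rate: float       # estimated occurrences per year
    exposures: Tuple[Exposure, ...]


def single_occurrence_loss(threat: Threat) -> float:
    """SOL: loss potential x vulnerability factor, summed over every asset.
    It does not depend on how often the threat occurs, which is why it is the
    figure to examine for rare but damaging threats."""
    return sum(e.loss_potential * e.vulnerability_factor for e in threat.exposures)


def annualized_loss_expectancy(threat: Threat) -> float:
    """ALE: occurrence rate x SOL, i.e. the product of occurrence rate,
    loss potential and vulnerability factor summed across assets."""
    return threat.occurrence_rate * single_occurrence_loss(threat)


def rank_by_ale(threats) -> List[Tuple[str, float]]:
    """Threats ordered from highest to lowest annualized loss expectancy."""
    pairs = [(t.name, annualized_loss_expectancy(t)) for t in threats]
    return sorted(pairs, key=lambda p: p[1], reverse=True)


def safeguard_justified(threat: Threat, annual_cost: float, ale_reduction: float) -> bool:
    """Cost-benefit test for a relatively frequent threat: a safeguard is
    worth buying when the ALE it removes per year exceeds its annual cost."""
    return annualized_loss_expectancy(threat) * ale_reduction > annual_cost


def exceeds_sol_threshold(threat: Threat, sol_threshold: float) -> bool:
    """Rare-threat test: flag a threat whose single-occurrence loss is
    unacceptably high even though its ALE may look modest."""
    return single_occurrence_loss(threat) > sol_threshold


# Constructed sample data (hypothetical values, not figures from the text)
RANSOMWARE = Threat("ransomware", 0.5, (
    Exposure("file server", 200_000, 0.6),
    Exposure("workstation fleet", 50_000, 0.8),
))
PHISHING = Threat("phishing", 12.0, (
    Exposure("user mailboxes", 5_000, 0.5),
    Exposure("help-desk time", 1_000, 1.0),
))
DC_FIRE = Threat("data center fire", 0.02, (
    Exposure("data center", 5_000_000, 0.9),
))
SAMPLE_THREATS = (RANSOMWARE, PHISHING, DC_FIRE)


if __name__ == "__main__":
    for name, ale in rank_by_ale(SAMPLE_THREATS):
        print(f"{name:18s} SOL ${single_occurrence_loss(next(t for t in SAMPLE_THREATS if t.name == name)):>14,.2f}"
              f"  ALE ${ale:>12,.2f}")
    # A cheap awareness programme against a frequent threat is judged on ALE.
    print("phishing training justified:", safeguard_justified(PHISHING, 20_000, 0.6))
    # A rare fire has a small ALE but a huge SOL, so it is judged on SOL.
    print("fire exceeds SOL threshold:", exceeds_sol_threshold(DC_FIRE, 1_000_000))
```

Run as a script the ranking puts the data center fire first on ALE despite its tiny occurrence rate, while phishing, the most frequent threat, ranks last; the SOL check is what separates the fire from the other two as a rare-but-catastrophic case that the ALE alone would understate.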
- Surveys and statistics indicate that the greatest threat to any computer system is:
- Untrained or negligent users
- Vendors and contractors
- Hackers and crackers
- Employees
- d. Employees of all categories are the greatest threat to any computer system because they are trusted the most. They have access to the computer system, they know the physical layout of the area, and they could misuse the power and authority. Most trusted employees have an opportunity to perpetrate fraud if the controls in the system are weak. The consequence of untrained or negligent users is the creation of errors and other minor inconveniences.
Although vendors and contractors are a threat, they are not as great a threat as employees are. With proper security controls, threats arising from hackers and crackers can be minimized, if not completely eliminated. Hackers and crackers are the same, and they access computer systems for fun and/or damage.
- Risk management consists of risk assessment and risk mitigation. Which of the following is not an element of risk mitigation?
- Measuring risk
- Selecting appropriate safeguards
- Implementing and testing safeguards
- Accepting residual risk
- a. The term risk management is commonly used to define the process of determining risk, applying controls to reduce the risk, and then determining if the residual risk is acceptable. Risk management supports two goals: measuring risk (risk assessment) and selecting appropriate controls that can reduce risk to an acceptable level (risk mitigation). Therefore, measuring risk is part of risk assessment.
The other three choices are incorrect because they are elements of risk mitigation. Risk mitigation involves three steps: determining those areas where risk is unacceptable; selecting effective safeguards and evaluating the controls; and determining if the residual risk is acceptable.
- The value of information is measured by its:
- Negative value
- Value to the owner
- Value to others
- Value of immediate access
- c. The value of information is measured by what others want from the owner. Negative value comes into play when there is a safety, security, or quality problem with a product. For example, the negative value of a product affects customers, manufacturers, vendors, and hackers, where the latter party can exploit an unsafe or unsecure product. Value of immediate access is situational and personal.
- Risk is the possibility of something adverse happening to an organization. Which of the following steps is the most difficult one to accomplish in a risk management process?
- Risk profile
- Risk assessment
- Risk mitigation
- Risk maintenance
- b. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. Risk management includes two primary and one underlying activities. Risk assessment and risk mitigation are the primary activities, and uncertainty analysis is the underlying one.
Risk assessment, the process of analyzing and interpreting risk, is composed of three basic activities: (i) determining the assessment’s scope and methodology, (ii) collecting and synthesizing data, and (iii) interpreting the risk. A risk assessment can focus on many different areas of controls (including management, technical, and operational). These controls can be designed into a new application and incorporated into all areas of an organization’s functions and operations (including telecommunications, data centers, and business units). Because of the nature of the scope and the extent of risk assessment, it is the most difficult one to accomplish.
Risk profile and risk maintenance are not the most difficult to accomplish because they are the by-products of the risk assessment process. Risk profile for a computer system or facility involves identifying threats and developing controls and policies in order to manage risks.
Risk mitigation involves the selection and implementation of cost-effective security controls to reduce risk to a level acceptable to management, within applicable constraints. Again, risk mitigation comes after the completion of the risk assessment process.
- The focus of risk management is that risk must be:
- Eliminated
- Prevented
- Avoided
- Managed
- d. Risk must be managed because it cannot be completely eliminated or avoided. Some risks cannot be prevented in a cost-effective manner.
- What is a risk event that is an identifiable uncertainty called?
- Known-unknown
- Unknown-unknown
- Known-known
- Unknown-known
- a. Known-unknown is an identifiable uncertainty. Unknown-unknown is a risk event whose existence cannot be imagined. There is no risk in known-known because there is no uncertainty. Unknown-known is not relevant here.
- Which of the following is an optional requirement for organizations?
- Policies
- Procedures
- Standards
- Guidelines
- d. Guidelines assist users, systems personnel, and others in effectively securing their systems. Guidelines are suggestive and are not compulsory within an organization.
- Which of the following is the least sensitive data classification scheme?
- Unclassified
- Unclassified but sensitive
- Secret
- Confidential
- a. Data that is not sensitive or classified is unclassified. This is the least sensitive category, whereas secret is the most sensitive category.
- Which of the following is not an example of a trade secret?
- Customer lists
- Supplier names
- Technical specifications
- Employee names
- d. To qualify as a trade secret, information must be of competitive value or advantage to the owner or his business. Trade secrets can include technical information and customer and supplier lists. Employee names do not come under the trade secret category because they are somewhat public information, even though they may need protection from recruiters.
- Which of the following covers system-specific policies and procedures?
- Technical controls
- Operational controls
- Management controls
- Development controls
- c. Management controls are actions taken to manage the development, maintenance, and use of the system, including system-specific policies, procedures, and rules of behavior, individual roles and responsibilities, individual accountability, and personnel security decisions.
Technical controls include hardware and software controls used to provide automated protection to the computer system or applications. Technical controls operate within the technical systems and applications.
Operational controls are the day-to-day procedures and mechanisms used to protect operational systems and applications. Operational controls affect the system and application environment.
Development controls include the process of assuring that adequate controls are considered, evaluated, selected, designed, and built into the system during its early planning and development stages, and that an ongoing process is established to ensure continued operation at an acceptable level of risk during the installation, implementation, and operation stages.
- Organizational electronic-mail policy is an example of which of the following?
- Advisory policy
- Regulatory policy
- Specific policy
- Informative policy
- c. Advisory, regulatory, and informative policies are broad in nature and cover many topics and areas of interest. E-mail policy is an example of a specific policy dealing with communication between and among individuals.
- What should be done when an employee leaves an organization?
- Review of recent performance evaluation
- Review of human resource policies
- Review of nondisclosure agreements
- Review of organizational policies
- c. When an employee leaves an organization, he should be reminded of nondisclosure agreements that he signed upon his hiring. This agreement includes measures to protect confidential and proprietary information such as trade secrets and inventions.
- For computer security, integrity does not mean which of the following?
- Accuracy
- Authenticity
- Completeness
- Timeliness
- d. Timeliness is a part of the availability goal, whereas accuracy, authenticity, and completeness are part of the integrity goal.
- For computer security, confidentiality does not mean which of the following?
- Nonrepudiation
- Secrecy
- Privacy
- Sensitivity
- a. Nonrepudiation is a part of the integrity goal, whereas secrecy, privacy, sensitivity, and criticality are part of the confidentiality goal.
- Which of the following security goals is meant for intended uses only?
- Confidentiality
- Integrity
- Availability
- Accountability
- c. Availability is for intended uses only and not for any other uses. Another definition of availability is ensuring timely and reliable access to and use of system-related information by authorized entities. Confidentiality (C), integrity (I), and availability (A) are security goals and are often called the CIA triad. Confidentiality is preserving authorized restrictions on information access and disclosure. Integrity is the property that protected and sensitive data has not been modified or deleted in an unauthorized and undetected manner. Accountability is tracing actions of an entity uniquely to that entity.
- The advanced encryption standard (AES) is useful for securing which of the following?
- Confidential but classified material
- Secret but classified material
- Top secret but unclassified material
- Sensitive but unclassified material
- d. The advanced encryption standard (AES) is an encryption algorithm used for securing sensitive but unclassified material. The loss, misuse, or unauthorized access to or modification of sensitive but unclassified material might adversely affect an organization’s security interests.
AES is not useful for securing classified material, whether confidential or secret. The phrase "top secret but unclassified" is self-contradictory because top secret material cannot be unclassified.
- Business data classification schemes usually do not include which of the following?
- Private
- Public
- For internal use only
- Secret
- d. Data classification terms such as secret and top secret are mostly used by governments. The terms in the other choices usually belong to a business data classification scheme.
- Data containing trade secrets is an example of which of the following data classification schemes?
- Classified
- Unclassified
- Unclassified but sensitive
- Confidential
- c. A classified category includes sensitive, confidential, secret, and top secret. An unclassified category is public information, whereas an unclassified but sensitive category requires some protection as in the case of trade secrets.
- Which of the following assists in complying with others?
- Policy
- Procedure
- Standard
- Guideline
- b. Procedures normally assist in complying with applicable policies, standards, and guidelines because they deal with specific steps to carry out a specific task.
- Which of the following is referred to when at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a moderate impact value and no security objective is assigned a high impact value for an information system?
- Low-impact system
- Moderate-impact system
- High-impact system
- No-impact system
- b. A low-impact system is defined as an information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a potential impact value of low. In a moderate-impact system, at least one objective is assigned as moderate and no objective is assigned as high. In a high-impact system, at least one objective is assigned as high. No-impact system is incorrect because every system will have some impact, whether low, moderate, or high.
- Which of the following security controls are needed when data is transferred from low network users to high network users?
- Software/hardware guards
- Automated processing
- Automated blocking
- Automated filtering
- 1 and 2
- 1 and 3
- 2 and 3
- 3 and 4
- b. Data should be sanitized or separated between high network data/users and low network data/users. When data is transferred from low network users to high network users (i.e., data is regraded), automated data-blocking techniques with firewalls and software/hardware guards are needed to regulate the transfer.
When data is transferred from high network users to low network users (i.e., data is regraded), software/hardware guards, automated processing, and automated filtering techniques are needed to regulate the transfer. The goal of automated processing, blocking, and filtering techniques is to eliminate or identify viruses and other malicious code transfers. The goal of software/hardware guards is to facilitate the transfer of data between private and public networks.
- Which of the following is a prerequisite to IT security training?
- Certification
- Education
- Awareness
- Training
- c. Awareness, training, and education are important processes for helping staff members carry out their roles and responsibilities for information technology security, but they are not the same. Awareness programs are a prerequisite to IT security training. Training is more formal and more active than awareness activities and is directed toward building knowledge and skills to facilitate job performance.
Education integrates all the security skills and competencies of the various functional specialists and adds a multidisciplinary study of concepts, issues, and principles. Organizations seldom require evidence of qualification or certification as a condition of appointment.
- When developing information systems security policies, organizations should pay particular attention to which of the following?
- User education
- User awareness
- User behavior
- User training
- c. A relatively new risk receiving particular attention in organizational policies is user behavior. Some users may feel no compunction about browsing sensitive organizational computer files or inappropriate Internet sites if there is no clear guidance on what types of user behavior are acceptable. These risks did not exist before the extensive use of networks, electronic mail, and the Internet.
- A common technique for making an organization’s information systems security policies more useful is to distinguish between:
- Policies and procedures
- Policies and guidelines
- Principles and practices
- Policies and standards
- b. Policies generally outline fundamental requirements that top management considers imperative, whereas guidelines provide more detailed rules for implementing the broader policies. Guidelines, while encouraged, are not considered to be mandatory.
- Who must bear the primary responsibility for determining the level of protection needed for IT resources?
- Information systems security analysts
- Business managers
- Information systems security managers
- Information systems auditors
- b. Business managers (functional managers) should bear the primary responsibility for determining the level of protection needed for information systems resources that support business operations. Therefore, business managers should be held accountable for managing the information security risks associated with their operations, much as they would for any other type of business risk. Both the information systems security analysts and managers can assist the business manager, whereas the systems auditor can evaluate the level of protection available in an information system.
The level of protection starts at the chief executive officer (CEO) level. This means having a policy on managing threats, responsibilities, and obligations, which will be reflected in employee conduct, ethics, and procurement policies and practices. Information security must be fully integrated into all relevant organizational policies, which can occur only when security consciousness exists at all levels.
- Which of the following is a better method to ensure that information systems security issues have received appropriate attention by senior management of an organization?
- Establish a technical-level committee
- Establish a policy-level committee
- Establish a control-level committee
- Establish a senior-level committee
- d. Some organizations have established senior-level committees consisting of senior managers to ensure that information technology issues, including information security, receive appropriate attention and support. The other committees collect data on specific issues that each committee deals with and recommend actions to senior-level committees for their approval.
- What is a key characteristic that should be common to all information systems security central groups?
- Organizational reporting relationships
- Information systems security responsibilities
- Information systems security technical assistance
- Support received from other organizational units
- b. The two key characteristics that a security central group should have are (i) clearly defined information security responsibilities and (ii) dedicated staff resources to carry out these responsibilities.
- To ensure that information systems security policies serve as the foundation of information systems security programs, organizations should link:
- Policies to standards
- Policies to business risks
- Policies to procedures
- Policies to controls
- b. Developing a comprehensive set of policies is the first step in establishing an organization-wide security program. The policy should be linked to business risks and adjusted on a continuing basis to respond to newly identified risks or areas of misunderstanding.
- Which of the following is a useful technique for impressing the users about the importance of organization-wide information systems security policies?
- Making policies available through the Internet
- Ensuring policies are available through physical bulletin boards
- Requiring a signed statement from all users that they will abide by the policies
- Ensuring policies are available through electronic bulletin boards
- c. A signed statement is required from new users at the time access to information system resources is first provided and from all users periodically, usually once a year. Requiring a signed statement can serve as a useful technique for impressing on users the importance of understanding organizational policies. In addition, if a user is later involved in a security violation, the statement can serve as evidence that he had been informed of organizational policies.
- Which of the following considers the loss of security objectives (i.e., confidentiality, integrity, and availability) that could be expected to have a limited, serious, or severe adverse effect on an organization’s operations, assets, systems, or individuals and on other organizations?
- Low-impact
- Moderate-impact
- Potential impact
- High-impact
- c. Potential impact considers all three levels of impact such as (i) a limited adverse effect representing a low impact, (ii) a serious adverse effect representing a moderate impact, and (iii) a severe or catastrophic adverse effect representing a high impact.
- Effective information systems security measures cannot be maintained due to which of the following reasons?
- Lack of awareness
- Lack of a policy
- Lack of a procedure
- Lack of enforcement
- d. If employees see that management is not serious about security policy enforcement, they will not pay attention to security, thus minimizing its effectiveness. In addition to the lack of enforcement, inconsistent enforcement is a problem.
- Sensitivity criteria for a computer-based information system are not defined in terms of which of the following?
- The value of having an application system
- The cost of developing and maintaining an application system
- The value of having the needed information
- The cost of not having an application system
- b. Sensitivity criteria are largely defined in terms of the value of having, or the cost of not having, an application system or needed information.
- What is the first thing to do upon unfriendly termination of an employee?
- Complete a sign-out form immediately.
- Send employee to the accounting department for the last paycheck.
- Remove the system access quickly.
- Send employee to the human resource department for benefits status.
- c. Whether the termination is friendly or unfriendly, the best security practice is to disable the system access quickly, including login to systems. Out-processing often involves a sign-out form initialed by each functional manager with an interest in the separation of the employee. The sign-out form is a type of checklist. Sending the employee to the accounting and human resource departments may be done later.
- Which of the following have similar structures and complementary objectives?
- Training and awareness
- Hackers and users
- Compliance and common sense
- Need-to-know and threats
- a. Training and awareness both help people learn new things and become aware of new issues and procedures. They have similar objectives—that is, to learn a new skill or knowledge. Hence, they complement each other.
A hacker is a person who attempts to compromise the security of an IT system, especially one whose intention is to cause disruption or obtain unauthorized access to data. On the other hand, a user has the opposite objective, to use the system to fulfill his job duties. Hence, they conflict with each other.
Compliance means following the standards, rules, or regulations with no deviations allowed. On the other hand, common sense tells people to deviate when conditions are not practical. Hence, they conflict with each other.
Need-to-know means a need for access to information to do a job. Threats are actions or events that, if realized, can result in waste, fraud, abuse, or disruption of operations. Hence, they conflict with each other.
- Establishing a data ownership program should be the responsibility of:
- Functional users
- Internal auditors
- Data processors
- External auditors
- a. Functional users (business users) own the data in computer systems. Therefore, they have an undivided interest and responsibility in establishing a data ownership program.
Internal/external auditors are incorrect because they have no responsibility in establishing a data ownership program even though they recommend one. Data processors are incorrect because they are custodians of the users’ data.
- When can the effectiveness of an information systems security policy be compromised?
- When a policy is published
- When a policy is reexamined
- When a policy is tested
- When policy enforcement is predictable
- d. Information systems security policies should be made public, but the actual enforcement procedures should be kept private. This is to prevent policies from being compromised when enforcement is predictable. The surprise element makes unpredictable enforcements more effective than predictable ones. Policies should be published so that all affected parties are informed. Policies should be routinely reexamined for their workability. Policies should be tested to ensure the accuracy of assumptions.
- There are many different ways to identify individuals or groups who need specialized or advanced training. Which of the following methods is least important to consider when planning for such training?
- Job categories
- Job functions
- Specific systems
- Specific vendors
- d. One method is to look at job categories, such as executives, functional managers, or technology providers. Another method is to look at job functions, such as system design, system operation, or system user. A third method is to look at the specific technology and products used, especially for advanced training for user groups and training for a new system. Specific vendors are least important during planning but important in implementation.
- Which of the following characteristics of an information systems security objective is most important in an IT security program?
- The objective must be specific.
- The objective must be clear.
- The objective must be achievable.
- The objective must be well defined.
- c. The first step in the management process is to define information systems security objectives for the specific system. A security objective needs to be specific; it should be concrete and well defined. It also should be stated so that it is clear and achievable. An example of an information systems security objective is one in which only individuals in the accounting and personnel departments are authorized to provide or modify information used in payroll processing. What good is a security objective if it is not achievable, even though it is specific, clear, and well defined?
- In which of the following planning techniques are the information needs of the organization defined?
- Strategic planning
- Tactical planning
- Operational planning
- Information systems planning
- d. Four types of planning help organizations identify and manage IT resources: strategic, tactical, operational, and information systems planning. IS planning is a special planning structure designed to focus organizational computing resource plans on its business needs. IS planning provides a three-phased structured approach for an organization to systematically define, develop, and implement all aspects of its near- and long-term information needs.
Strategic planning defines the organization’s mission, goals, and objectives. It also identifies the major computing resource activities the organization will undertake to accomplish these plans.
Tactical planning identifies schedules, manages, and controls the tasks necessary to accomplish individual computing resource activities, using a shorter planning horizon than strategic planning. It involves planning projects, acquisitions, and staffing.
Operational planning integrates tactical plans and support activities and defines the short-term tasks that must be accomplished to achieve the desired results.
- Which of the following is a somewhat stable document?
- Information technology strategic plan
- Information technology operational plan
- Information technology security plan
- Information technology training plan
- a. The IT strategic plan sets the broad direction and goals for managing information within the organization and supporting the delivery of services to customers. It should be derived from and relate to the organization’s strategic plan. The plan typically contains an IT mission statement, a vision describing the target IT environment of the future, an assessment of the current environment, and broad strategies for moving into the future. The IT strategic plan is a somewhat stable document. It does not require annual updates. However, an organization should periodically review and update the IT strategic plan as necessary to reflect significant changes in the IT mission or direction. The strategies presented in the IT strategic plan provide the basis for the IT operational plan, which includes security and training plans.
The IT operational plan describes how the organization will implement the strategic plan. The operational plan identifies logical steps for achieving the IT strategic vision. It may present an implementation schedule, identify key milestones, define project initiatives, and include resources (e.g., funding and personnel) estimates. The operational plan should identify dependencies among the IT strategies and present a logical sequence of project initiatives to assure smooth implementation.
The IT security plans and training plans are incorrect because they are components of the IT operational plan. Security plans should be developed for an organization or an individual system. These plans document the controls and safeguards for maintaining information integrity and preventing malicious/accidental use, destruction, or modification of information resources within the organization. Training plans document the types of training the IT staff will require to effectively perform their duties. The IT operational plans, security plans, and training plans are in a constant state of flux.
- An information technology operational plan answers all the following questions except:
- How do we get there?
- When will it be done?
- What is our goal?
- Who will do it?
- c. The IT operational plan describes how the organization will implement the strategic plan. Usually, the operational plan answers the following questions: How do we get there? When will it be done? Who will do it? The strategic plan answers the question: What is our goal?
- Which of the following meets the criteria for an IT strategic plan?
- Developing enterprise information technology models
- Initiating work process redesign
- Conducting business systems planning
- Assessing internal and external environment
- d. The IT strategic planning is long-range thinking. Planners apply analytic techniques, creativity, and sound judgment to anticipate the requirements of the future. The strategic planning approach provides a framework for bounding the scope and presenting the results of long-range thinking. A strategic planning approach should foster strategic thinking and innovation, assess the organization’s mission, vision, and strategies, define the IT mission, vision, and goals, and assess the internal and external environment. Internal influences are those that have implications for managing the organization such as customers, competitors, contractors, vendors, and user organizations (i.e., internal environment). External influences are broad in scope, often imposed from the outside environment, and uncontrollable by the organization. An organization derives its challenges and opportunities from external influences such as financial community, governments, and industry (i.e., external environment).
The other three choices are examples of IT approaches to augment the development of strategic plans and include enterprise IT models, work process redesign, and business systems planning. Enterprise models provide a means for examining the current environment. They do not foster the development of an organizational direction (i.e., mission and vision). Hence, they do not meet the criteria for strategic planning.
Work process redesign is synonymous with the following concepts: business re-engineering, business process improvement, and business process design. This approach helps managers to define relationships and activities within the organization. Business systems planning is used to identify information requirements but does not consider strategic methodologies. Information planning approaches do not study organizational cultural issues or provide a strategic work focus.
- Which of the following is not an example of IT mission statements?
- Streamlining work processes through automation
- Maintaining reliability and timeliness of information
- Anticipating technological advances and problems
- Minimizing the cost to the organization by using information technology efficiently
- b. Maintaining reliability and timeliness of information is a goal statement. Goals specify objectives that support the organization’s mission. The IT mission supports the organization’s mission provided in its strategic plan. The IT mission statement identifies the basic concept of IT, the reason IT exists, and how IT supports the organization’s mission. The IT mission statement may be examined three times during the planning process: at the beginning, after analyzing the current environment, and at the end. The IT organization collects, manages, controls, disseminates, and protects the information used by the organization.
IT supports the organization’s mission by streamlining work processes through automation, anticipating technological advances and problems, and minimizing the cost to the organization by using IT efficiently.
- An information technology operational plan does not include:
- Risk assessment
- Project descriptions
- Project resource estimates
- Project implementation schedules
- a. Risk assessment is part of the IT strategic plan along with mission, vision, goals, environmental analysis, strategies, and critical success factors. Typically a strategic plan covers a 5-year time span and is updated annually. IT operational planning begins when strategic planning ends. During operational planning, an organization develops a realistic implementation approach for achieving its vision based on its available resources.
The IT operational plan consists of three main parts: project descriptions, project resource estimates, and project implementation schedules. Depending upon its size and the complexity of its projects, an organization may also include the following types of documents as part of its operational plan: security plan summary, information plans, and information technology plans.
- The scope of the information technology tactical plan does not include:
- Budget plans
- Application system development and maintenance plans
- Technical support plans
- Service objectives
- d. The scope of an IT tactical plan includes budget plans, application system development and maintenance plans, and technical support plans, but not service objectives. This is because service objectives are part of the IT operational plan along with performance objectives. Operational plans are based on the tactical plan but are more specific, providing a framework for daily activity. The focus of operational plans is on achieving service objectives.
Effective plans focus attention on objectives, help anticipate change and potential problems, serve as the basis for decision making, and facilitate control. IT plans are based on the overall organization’s plans. The IT strategic, tactical, and operational plans provide direction and coordination of activities necessary to support mission objectives, ensure that the IT meets user requirements, and enable IT management to cope effectively with current and future changing requirements. Detailed plans move from abstract terms to closely controlled implementation schedules.
Tactical plans span approximately 1 year’s time. Tactical plans address a detailed view of IT activities and focus on how to achieve IT objectives. Tactical plans include budgetary information detailing the allocation of resources or funds assigned to IT components. Often, the budget is the basis for developing tactical plans.
- An important measure of success for any IT project is whether the:
- Project was completed on time
- Project was completed within budget
- Project manager has conserved organizational resources
- Project has achieved its projected benefits
- d. One of the critical attributes for successful IT investments is that organizations use projected benefits, not project completion on time and within budget, as the important measure of success for any IT project. Business goals should be translated into objectives, results-oriented measures of performance, both quantitative and qualitative, which can form the basis for measuring the impact of IT investments. Management regularly monitors the progress of ongoing IT projects against projected cost, schedule, performance, and delivered benefits. It does not matter whether the project manager has conserved organizational resources as long as the project has achieved its projected benefits. Achieving the remaining two choices does not automatically achieve the project’s projected benefits.
- Staffing decisions and hiring procedures are critical in solving computer-related security issues and problems. Which of the following is the correct sequence of steps involved in the staffing process?
- Determining the sensitivity of the position
- Defining the job duties
- Filling the position
- Determining the computer access levels
- 1, 2, 3, and 4
- 2, 4, 3, and 1
- 2, 4, 1, and 3
- 1, 4, 2, and 3
- c. Personnel issues are closely linked to logical access security controls. Early in the process of defining a position, security issues should be identified and dealt with. After a job position and duties have been broadly defined, the responsible supervisor should determine the type of computer access levels (e.g., add, modify, and delete) needed for that position or job.
Knowledge of the job duties and access levels that a particular position requires is necessary for determining the sensitivity of the position (whether a security clearance is required). The responsible supervisor should correctly identify position sensitivity levels and computer access levels so that appropriate, cost-effective background checks and screening methods can be completed.
When a position’s sensitivity has been determined, the position is ready to be staffed. Background checks and screening methods help determine whether a particular individual is suitable for a given position. Computer access levels and position sensitivity can also be determined in parallel.
- Establishing an information system security function program within an organization should be the responsibility of:
- Information systems management
- Internal auditors
- Compliance officers
- External auditors
- a. Both information systems management and functional user management have a joint and shared responsibility for establishing an information systems security function within an organization. This is because the functional user is the data owner and information systems management is the data custodian. Internal/external auditors and compliance officers have no responsibility for actually establishing such a function, although they may recommend to management that such a function be established.
- Risk management is an aggregation of which of the following?
- Risk assessment
- Risk mitigation
- Ongoing risk evaluation
- Risk profile
- 1 and 2
- 2 and 3
- 1 and 4
- 1, 2, and 3
- d. Risk management is an aggregation of risk assessment, risk mitigation, and ongoing evaluation of risk. A risk profile for a computer system or facility involves identifying threats and developing controls and policies in order to manage risks.
- Which of the following is not the major reason for conducting risk assessment?
- It is required by law or regulation.
- It is integrated into the system development life-cycle process.
- It is a good security practice.
- It supports the business objectives.
- a. Risk assessment should be conducted and integrated into the system/software development life cycle (SDLC) process for information systems, not because it is required by law or regulation, but because it is a good security practice and supports the organization’s business objectives or mission.
- Which of the following is the first step in the risk assessment process?
- Threat identification
- Vulnerability identification
- System characterization
- Risk analysis
- c. System characterization is the first step in the risk assessment process. When characterizing the system, the mission criticality and sensitivity are described in sufficient terms to form a basis for the scope of the risk assessment. Characterizing an information system establishes the scope of the risk assessment effort, delineates the operational authorization or accreditation boundaries, and provides information (e.g., hardware, software, system connectivity, and associated personnel). This step begins with identifying the system boundaries, resources, and information.
- A low-impact system does not require which of the following to fully characterize the system?
- Questionnaires
- Hands-on security testing and evaluation
- Interviews
- Automated scanning tools
- b. A system’s impact can be defined in terms of low, moderate, or high. For example, a system determined to be of low impact may not require hands-on security testing and evaluation. Various techniques, such as questionnaires, interviews, documentation reviews, and automated scanning tools can be used to collect the information needed to fully characterize the system.
- The level of effort and granularity of the risk assessment are based on which of the following?
- Threat identification
- Vulnerability identification
- Risk analysis
- Security categorization
- d. The level of effort and the granularity (i.e., the level of depth at which the assessment investigates the security of the system) of the risk assessment are based on security categorization.
- Which of the following can be used to augment the vulnerability source reviews in the risk assessment process of identifying vulnerabilities?
- Penetration testing
- Previous risk assessments
- Previous audit reports
- Vulnerability lists
- a. Penetration testing and system security testing methods (e.g., the use of automated vulnerability scanning tools and security test and evaluation methods) can be used to augment the vulnerability source reviews and identify vulnerabilities that may not have been previously identified in other sources.
- The risk analysis steps performed during the risk assessment process do not include which of the following?
- Control analysis
- Likelihood determination
- Vulnerability identification
- Risk determination
- c. Risk analysis includes four substeps: control analysis, likelihood determination, impact analysis, and risk determination. Vulnerability identification is performed prior to risk analysis. The control analysis results are used to strengthen the determination of the likelihood that a specific threat might successfully exploit a particular vulnerability. Checklists and questionnaires are used in the control analysis exercise.
- Regarding external service providers operating in external system environments, which one of the following items is required when the other three items are not present to provide sufficient confidence?
- Level of trust
- Compensating controls
- Level of control
- Chain of trust
- b. Where a sufficient level of trust, level of control, or chain of trust cannot be established in the external system and/or by the external service provider through a service-level agreement (SLA), an internal organization employs compensating controls or accepts a greater degree of risk. Compensating controls include management, operational, and technical controls in lieu of the recommended controls that provide equivalent or comparable protection. An external service provider operating and controlling an external information system can provide a service that is used by an internal organization in a consumer-producer relationship. Examples of these relationships include joint ventures, partnerships, outsourcing, licensing, and supply chain arrangements.
- Security control recommendations made during the risk assessment process provide input for which of the following?
- Impact analysis
- Risk mitigation
- Risk analysis
- Control analysis
- b. Risk analysis, impact analysis, and control analysis are done prior to security control recommendations. Therefore, security control recommendations are essential input for the risk mitigation process.
- Which of the following should reflect the results of the risk assessment process?
- Control recommendations
- Risk determinations
- Plans of action and milestones
- System security plans
- 1 and 2
- 1 and 3
- 2 and 4
- 3 and 4
- d. Organizations should ensure that the risk assessment results are appropriately reflected in the system’s plan of action and milestones and system security plans. Control recommendations and risk determinations are done prior to documenting the results of the risk assessment.
- System security categorization is used in which of the following ways?
- To determine minimum baseline security controls
- To aid in estimating the level of risk posed by a threat and vulnerability pair
- To reduce the residual risk to an acceptable level
- To repeat the risk management cycle for better results
- 1 and 2
- 1 and 3
- 2 and 4
- 3 and 4
- a. The security categorization is used in two ways: (i) to determine which baseline security controls are selected and (ii) to aid in estimating the level of risk posed by a threat and vulnerability pair identified during the risk assessment step. Items 3 and 4 are part of the risk mitigation step.
- From an economies of scale viewpoint, the assessment, implementation, and monitoring activities of common security controls are not conducted at which of the following levels?
- Organizational level
- Individual system level
- Multiple systems level
- Functional level
- b. Common security controls are not assessed, implemented, and monitored at the individual system level because they benefit many systems at once, so the principle of economies of scale applies. Organizations can leverage controls used among multiple systems by designating them as common controls, where assessment, implementation, and monitoring activities are conducted at the organizational level or at the functional level by areas of specific expertise (e.g., human resources and physical security).
- Which of the following is not a goal of the risk management evaluation and assessment process in ensuring that the system continues to operate in a safe and secure manner?
- Implement a strong configuration management program.
- Monitor the system security on a continuous basis.
- Eliminate all potential threats, vulnerabilities, and risks to the system.
- Track findings from the security control assessment process.
- c. Because it is not practical or cost-effective to eliminate all potential threats, vulnerabilities, and risks to the system, management should consider only the possible threats, vulnerabilities, and risks to the system so that management can better prepare the system to operate in its intended environment securely, safely, and effectively.
- Which of the following statements is not true? Risk management is the process that allows IT security managers to:
- Balance the operational and economic cost of protective measures
- Achieve gains in mission-essential security capabilities
- Protect IT systems and data that support the organization’s mission
- Request funding to protect all systems, assets, and data in a comprehensive manner
- d. Most organizations have a tight budget for IT security; therefore, IT security spending must be reviewed as thoroughly as other management decisions. It is not wise to protect all systems, assets, and data in a comprehensive manner. Risk management is the process that allows IT security managers to balance the operational and economic costs of protective measures to achieve mission-essential security capabilities and to protect the IT systems and data that support the organization’s mission.
- A plan of action and milestones document used in the security assessment and authorization process is not based on which of the following?
- Security impact analysis
- Security controls assessment
- Business impact analysis
- Continuous monitoring activities
- c. A business impact analysis (BIA) is part of the business continuity planning (BCP) process, not the security assessment and authorization process.
The other three choices are part of the security assessment and authorization process. The plan of action and milestones (POA&M) document is developed to show the remedial actions that correct the weaknesses noted during the assessment of the security controls and the results from the security impact analysis, in order to reduce the weaknesses in the system. The POA&M document also reflects continuous monitoring activities.
- If an IT system has not yet been designed, the search for vulnerabilities should not focus on which of the following?
- Security policies
- Security procedures
- Planned security features
- White papers
- c. The planned security features are described in the security design documentation, which occurs after identifying vulnerabilities. If the IT system has not yet been designed, the search for vulnerabilities should focus on the organization’s security policies, security procedures, the system requirements definitions, and the vendor’s or developers’ security product analyses (e.g., white papers).
- Which of the following proactive technical methods is used to complement the security controls review?
- Information scanning tool
- Vulnerability scanning tool
- Network scanning tool
- Penetration testing tool
- d. A penetration testing tool can be used to complement the security controls review and to ensure that different facets of the IT system are secured. Penetration testing occurs after the review of security controls, which includes the use of automated information scanning, vulnerability scanning, and network scanning tools, as well as security test and evaluation. The penetration testing uses the results obtained from the security controls review.
- When an employee of an organization uses an internal system to connect with an external organization’s system for data exchange, the employee should comply with which of the following agreed-upon trust relationships?
- Conflict of interest statements
- Rules of behavior
- Remote session rules
- Rules of operation
- 1 and 2
- 2 and 3
- 1, 3, and 4
- 1, 2, 3, and 4
- d. Employees of an organization should be bound by terms and conditions consistent with any agreed-upon trust relationships between the internal system owner and the external system owner. These conditions include rules of behavior, remote session rules, rules of operation, and signed conflict of interest statements.
- The security objective or principle of confidentiality does not deal with which of the following?
- Authenticity
- Sensitivity
- Secrecy
- Criticality
- a. Authentication is a part of the integrity security objective or principle, whereas the other three choices are part of a confidentiality objective or principle.
- Which of the following is not a goal of IT security?
- Confidentiality
- Integrity
- Aggregation
- Availability
- c. Aggregation is an element of sensitivity where data is summarized to mask the details of a subject matter. The other three choices are the goals of IT security.
- Which of the following is not an outcome of information security governance?
- Strategic alignment
- Information asset
- Risk management
- Resource management
- b. An information asset is a business-critical asset without which most organizations would not function properly. It is a business enabler, not an outcome. The other three choices are examples of outcomes of information security governance.
- Which of the following is not an input to the risk management and information security strategy?
- Business strategy
- Security requirements
- Business processes
- Risk assessments
- b. Security requirements are the outputs of the risk management activity. Inputs to the risk management and information security strategy include business strategy, business processes, risk assessments, business input analysis, information resources, and regulatory requirements.
- Which of the following is not a correct method of expressing information security baselines?
- Technical standards
- Procedural standards
- Vendor standards
- Personnel standards
- c. Information security baselines can be expressed as technical, procedural, and personnel standards because these are internal to an organization. In addition to these standards, the baseline should consider laws, regulations, policies, directives, and organizational mission/business/operational requirements, which could identify security requirements.
Vendors are external to an organization, and it would be difficult to accommodate their standards in the baseline because there are many vendors. In addition, vendor standards could be unpredictable and unstable.
- Regarding information security governance, which of the following does not change, unlike others?
- Programs
- Assets
- Mission
- Practices
- c. An organization’s basic mission does not change because it is the guiding principle to follow at all times. However, the organization may change its security practices and the protection mechanisms over its IT assets and computer programs. Yet these changes must be made within the boundaries of the mission requirements and guidelines. Note that information security governance must follow IT governance and corporate governance principles.
- What is the most important objective of system security planning?
- To improve the protection of information system resources
- To protect highly sensitive systems
- To protect highly critical systems
- To focus on accredited systems
- a. The most important objective of system security planning is to improve the protection of information system resources (e.g., systems, programs, people, data, and equipment). All information systems have some level of sensitivity and criticality and some systems may be accredited. The sensitive, critical, and accredited systems are part of the information system resources and they need protection as part of good management practices.
- Which of the following policy types is usually broad in scope and function?
- Program policies
- Issue-specific policies
- System-specific policies
- Network policies
- a. Program policy is usually broad in scope in that it does not require much modification over time, whereas other types of policies are likely to require more frequent revisions as changes in technology take place.
- Which of the following is not a part of access agreements?
- Nondisclosure agreements
- Rules-of-behavior agreements
- Employment agreements
- Conflict-of-interest agreements
- c. Employment agreements come before the access agreements. Access agreements include nondisclosure, acceptable use, rules-of-behavior, and conflict-of-interest agreements that individuals requiring access to information and information system resources must sign before access to such resources is authorized.
- Which of the following linkages provides a high-level focus?
- Link information security metrics to the organization strategic goals
- Link information security metrics to the organization strategic objectives
- Link information security activities to the organization-level strategic planning
- Link information security metrics to the information security program performance
- c. Information security metrics provide a low-level focus, whereas security activities, which are part of the security program, provide a high-level focus. Security metrics monitor and measure the implementation and effectiveness of security controls within the context of the security program.
- Which of the following IT security metrics focuses on implementation?
- Percentage of system users that have received basic awareness training
- Percentage of operational systems that have completed certification and accreditation following major changes
- Percentage of new systems that completed certification and accreditation prior to the implementation
- Percentage of systems successfully addressed in the testing of the contingency plan
- a. “Percentage of system users that have received basic awareness training” is an example of implementation metrics. The other three choices are examples of effectiveness metrics.
Implementation metrics measure the results of implementation of security policies, procedures, and controls (i.e., demonstrates progress in implementation efforts). Effectiveness/efficiency metrics measure the results of security services delivery (i.e., monitors the results of security controls implementation).
- Which of the following IT security metrics focuses on efficiency?
- Percentage of systems successfully testing the contingency plan at the alternative processing site
- Percentage of systems that use automated tools to validate performance of periodic maintenance
- Percentage of individuals screened before being granted access to organizational information and information systems
- Percentage of system components that undergo maintenance on schedule
- d. “Percentage of system components that undergo maintenance on schedule” is an example of efficiency metrics. The other three choices are examples of implementation metrics.
Effectiveness/efficiency metrics measure the results of security services delivery (i.e., monitors the results of security controls implementation). Implementation metrics measure the results of implementation of security policies, procedures, and controls (i.e., demonstrates progress in implementation efforts).
- Which of the following is a prerequisite to IT security training?
- Security basics
- Awareness
- Security literacy
- Education
- b. Awareness programs act as a prerequisite to IT security training. Awareness programs set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure.
- The security objective or principle of integrity does not deal with which of the following?
- Accuracy
- Privacy
- Non-repudiation
- Accountability
- b. Privacy is a part of a confidentiality objective or principle, whereas the other three choices are part of the integrity objective or principle. Privacy protection is the establishment of controls to ensure the security and confidentiality of data records and restricting access to such records. Confidentiality is preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Hence, privacy and confidentiality are related to each other.
Integrity is the property that protected and sensitive data has not been modified or deleted in an unauthorized and undetected manner. Accuracy is a qualitative assessment of correctness of data or freedom from error (i.e., data needs integrity). Non-repudiation is a service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party. Accountability generates the requirements for actions of an individual to be traced uniquely to that individual (i.e., supports prevention, detection, fault isolation, and non-repudiation). Hence, accuracy, accountability, and non-repudiation all require that data and information must have integrity. If data that an individual is handling is not accurate and if an individual can deny sending or receiving a message, how can that individual be held accountable for his actions? Note that the terms integrity, accuracy, non-repudiation, and accountability have different definitions and meanings depending on the context of use.
- Which of the following verifies that the other three security principles have been adequately met by a specific implementation?
- Assurance
- Integrity
- Confidentiality
- Availability
- a. Assurance verifies that the security principles such as integrity, availability, confidentiality, and accountability have been adequately met by a specific implementation.
- Regarding information security governance, which of the following should take place for noncompliance?
- Change in policies
- Change in procedures
- Change in practices
- Periodic assessments
- d. Periodic assessments and reports on activities can be a valuable means of identifying areas of noncompliance. The other three choices can result from the periodic assessments.
- Which of the following must be considered when the system boundaries are drawn and when establishing a control baseline?
- Confidentiality
- Impact levels
- Integrity
- Availability
- b. The impact levels (i.e., low, moderate, or high) must be considered when the system boundaries are drawn and when selecting the initial set of security controls (i.e., control baseline). Confidentiality, integrity, and availability are security objectives for which potential impact is assessed.
- Which of the following is not an element of information quality?
- Reproducibility
- Utility
- Integrity
- Objectivity
- a. Information quality is an encompassing term composed of utility, integrity, and objectivity. Reproducibility means that the information can be substantially reproduced, subject to an acceptable degree of imprecision.
- Which of the following information security governance structures provides the creation of interorganizational and intra-organizational communication mechanisms in establishing the appropriate policies, procedures, and processes dealing with risk management and information security strategies?
- Centralized governance
- Decentralized governance
- Hybrid governance
- Virtual governance
- a. The information security governance model should be aligned with the IT governance model and the corporate governance model. A centralized approach to governance requires strong, well-informed central leadership and provides consistency throughout the organization. Centralized governance structures also provide less autonomy for subordinate (sector) organizations that are part of the parent organization. To achieve the centralized governance, interorganizational and intra-organizational communication mechanisms are created.
Decentralized governance is the opposite of the centralized governance, hybrid governance is a combination of centralized and decentralized governance, and virtual governance does not and should not exist.
- Which of the following outcomes of information security governance, a part of information technology (IT) governance, relates to investments in risk management?
- Strategic alignment
- Risk management processes
- Risk management resources
- Delivered value
- d. The information security governance model should be aligned with the IT governance model and the corporate governance model. Delivered value means optimizing risk management investments in support of organizational objectives (i.e., demanding value from the investments).
Strategic alignment means risk management decisions made in business functions should be consistent with organizational goals and objectives. Risk management processes frame, assess, respond to, and monitor risk to organizational operations and assets, individuals, and other organizations. Risk management resources deal with effective and efficient allocation of given resources.
- Which of the following information security governance structures establishes the appropriate policies, procedures, and processes dealing with risk management and information security strategies at the cost of consistency throughout the organization as a whole?
- Centralized governance
- Decentralized governance
- Hybrid governance
- Virtual governance
- b. The information security governance model should be aligned with the IT governance model and the corporate governance model. A decentralized approach accommodates subordinate (sector) organizations with divergent business needs and operating unit environments at the cost of consistency throughout the organization as a whole. The effectiveness of this approach is greatly increased by the sharing of risk-related information among subordinate units, so that no subordinate sector is able to transfer risk to another without the latter’s informed consent. Each sector also shares risk-related information with the parent organization to determine its impact on the organization as a whole.
Centralized governance is the opposite of the decentralized governance, hybrid governance is a combination of centralized and decentralized governance, and virtual governance does not and should not exist.
- Which of the following is not an example of issue-specific policies?
- Use of unauthorized software
- Operational security rules
- Acquisition of software
- Doing computer work at home
- b. Operational security rules are part of system-specific security policy, whereas the other three choices are part of issue-specific policies.
- Which of the following IT security metrics focuses on effectiveness?
- Average frequency of audit records reviewed and analyzed for inappropriate activity
- Percentage of security incidents caused by improperly configured access controls
- Percentage of audit log findings reported to appropriate officials
- Percentage of systems using automated mechanisms to conduct analysis and reporting of inappropriate activities
- b. “Percentage of security incidents caused by improperly configured access controls” is an example of effectiveness metrics.
The other three choices deal with efficiency and implementation metrics. Audit records reviewed deals with efficiency metrics, whereas audit log findings and automated mechanisms deal with implementation metrics.
Effectiveness or efficiency metrics measure the results of security services delivery (i.e., monitors the results of security controls implementation).
Implementation metrics measure the results of implementation of security policies, procedures, and controls (i.e., demonstrates progress in implementation efforts).
- Which of the following IT security metrics focuses on impact?
- Percentage of information system security personnel that have received security training
- Percentage of systems compliant with the baseline configuration
- Sum of costs of each incident within the reporting period
- Percentage of configuration changes documented in the latest baseline configuration
- c. “Sum of costs of each incident within the reporting period” is an example of impact metrics. The other three choices are examples of implementation metrics.
Impact metrics measure the results of business or mission impact of security activities and events (i.e., provides the most direct insight into the value of security to the firm). Implementation metrics measure the results of implementation of security policies, procedures, and controls (i.e., demonstrates progress in implementation efforts).
- IT security training provides which of the following levels?
- Data
- Information
- Knowledge
- Insight
- c. IT security training provides knowledge levels, awareness provides data and information levels, and education provides insight levels.
Scenario-Based Questions, Answers, and Explanations
Use the following information to answer questions 1 through 9.
Risk management is a major priority of the SPK Company. The following data has been collected for one asset in the company: Natural threats are realized once every five years. The total asset value is $1,000,000. Every time a threat causes damage, it costs the company an average of $100,000. The company has the choice of getting insurance for $10,000 per year or moving to a new location at a one-time cost of $35,000. The SPK priorities in the risk management strategy are accuracy and long-term repeatability of process.
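The scenario figures worked through in code, as an added example that is not part of the original text: it derives the exposure factor and annualized loss expectancy (ALE) from the scenario's numbers and compares the insurance and relocation options on an annualized basis with the standard safeguard-value formula (ALE before minus ALE after minus annualized safeguard cost). How much loss each option actually removes and the five-year analysis horizon are not stated in the scenario, so both are labelled assumptions in the code.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Asset:
    """One asset in the SPK risk register (figures taken from the scenario)."""
    value: int                   # asset value (AV), in dollars
    loss_per_event: int          # average loss when the threat is realized (SLE)
    events_per_year: Fraction    # annualized rate of occurrence (ARO)

    @property
    def exposure_factor(self) -> Fraction:
        # EF = SLE / AV: the share of the asset lost in one event.
        return Fraction(self.loss_per_event, self.value)

    @property
    def ale(self) -> Fraction:
        # ALE = SLE * ARO: the expected loss per year, kept exact with Fraction
        # because accuracy and repeatability are the stated SPK priorities.
        return self.loss_per_event * self.events_per_year


@dataclass(frozen=True)
class Safeguard:
    """A candidate way of handling the risk (transfer, reduce, and so on)."""
    name: str
    one_time_cost: int
    annual_cost: int
    # ASSUMPTION (not given in the scenario): share of the loss that still falls
    # on the company after the safeguard is in place (0 = loss fully removed).
    residual_fraction: Fraction

    def annualized_cost(self, horizon_years: int) -> Fraction:
        # One-time costs are spread over the analysis horizon so that a relocation
        # and an annual premium can be compared on the same per-year basis.
        return Fraction(self.one_time_cost, horizon_years) + self.annual_cost


def safeguard_value(asset: Asset, safeguard: Safeguard, horizon_years: int) -> Fraction:
    """Annual value of a safeguard: ALE_before - ALE_after - annualized cost.

    A negative result means the safeguard costs more per year than the loss it
    prevents, so accepting the residual risk would be the cheaper choice.
    """
    ale_before = asset.ale
    ale_after = ale_before * safeguard.residual_fraction
    return ale_before - ale_after - safeguard.annualized_cost(horizon_years)


def rank_safeguards(asset: Asset, safeguards, horizon_years: int):
    """Return (name, annual value) pairs, best option first."""
    scored = [(s.name, safeguard_value(asset, s, horizon_years)) for s in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Scenario figures: $1,000,000 asset, $100,000 average loss, one event every five years.
SPK_ASSET = Asset(value=1_000_000, loss_per_event=100_000, events_per_year=Fraction(1, 5))

# The two options from the scenario. The residual fractions are constructed
# assumptions for this demonstration: each option is assumed to remove the full loss.
SPK_OPTIONS = (
    Safeguard("insurance (transfer risk)", one_time_cost=0, annual_cost=10_000,
              residual_fraction=Fraction(0)),
    Safeguard("relocation (reduce risk)", one_time_cost=35_000, annual_cost=0,
              residual_fraction=Fraction(0)),
)

# ASSUMPTION: a horizon matching the five-year threat cycle. A longer horizon
# amortizes the one-time relocation cost further and favours that option.
HORIZON_YEARS = 5

if __name__ == "__main__":
    print(f"EF = {SPK_ASSET.exposure_factor}, ALE = ${float(SPK_ASSET.ale):,.0f}")
    for name, value in rank_safeguards(SPK_ASSET, SPK_OPTIONS, HORIZON_YEARS):
        print(f"{name}: ${float(value):,.0f} per year")
```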
- What can be done with the residual risk?
- It can be either assigned or accepted.
- It can be either identified or evaluated.
- It can be either reduced or calculated.
- It can be either exposed or assessed.
- a. Residual risk is the risk remaining after countermeasures (controls) have been applied to the identified risks. The residual risk is either assigned to a third party (e.g., an insurance company) or accepted by management as part of doing business. It may not be cost-effective to further reduce residual risk.
- Which of the following is not part of risk analysis?
- Assets
- Threats
- Vulnerabilities
- Countermeasures
- d. Countermeasures and safeguards come after performing risk analysis. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Assets, threats, and vulnerabilities are part of the risk analysis exercise.
- Security safeguards and controls cannot do which of the following?
- Risk reduction
- Risk avoidance
- Risk transfer
- Risk analysis
- d. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Risk analysis is a management exercise performed before deciding on specific safeguards and controls. Risk reduction, risk avoidance, and risk transfer are part of risk mitigation, which results from applying the selected safeguards and controls.
- Selection and implementation of security controls refer to which of the following?
- Risk analysis
- Risk mitigation
- Risk assessment
- Risk management
- b. Risk mitigation involves the selection and implementation of security controls to reduce risks to an acceptable level. Risk analysis is the same as risk assessment. Risk management includes both risk analysis and risk mitigation.
- Which of the following is closely linked to risk acceptance?
- Risk detection
- Risk prevention
- Risk tolerance
- Risk correction
- c. Risk tolerance is the level of risk that an entity or a manager is willing to assume or accept to achieve a potential desired result. Some managers accept more risk than others do due to their personal affinity toward risk.
- The amount of risk an organization can handle should be based on which of the following?
- Technological level
- Acceptable level
- Affordable level
- Measurable level
- b. Often, losses cannot be measured in monetary terms alone. Risk should be handled at an acceptable level for an organization. Both affordable and technological levels vary with the type of organization (e.g., small, medium, or large size and technology-dependent or not).
- Which of the following methods for handling a risk involves a third party?
- Accept risk
- Share risk
- Reduce risk
- Transfer risk
- d. An insurance company or a third party is involved in transferring risk. The other three choices do not involve a third party because they are handled within an organization. One division’s risk can be shared by other divisions of an organization.
- Which of the following security risk assessment techniques uses a group of experts as the basis for making decisions or judgments?
- Risk assessment audits
- Delphi method
- Expert systems
- Scenario-based threats
- b. The Delphi method uses a group decision-making technique. The rationale for using this technique is that it is sometimes difficult to get a consensus on the cost or loss value and the probabilities of loss occurrence. Group members do not meet face-to-face. Rather, each group member independently and anonymously writes down suggestions and submits comments that are then centrally compiled. This process of centrally compiling the results and comments is repeated until full consensus is obtained.
Risk assessment audits are incorrect because these audits do not produce the same consensus as that reached by the group of experts in the Delphi method. Usually, one or two individuals perform audits, not groups. An expert system is incorrect because it is a computer-based system developed from the knowledge of human experts; such a system does not reach a consensus the way a group of people does. Scenario-based threats are incorrect because, although possible threats are identified from scenarios by a group of people, this approach does not reach the same consensus as the Delphi method. The repeated process of submitting results and comments makes the Delphi method more useful than the other methods.
- The costs and benefits of security techniques should be measured in monetary terms where possible. Which of the following is the most effective means of measuring the cost of addressing relatively frequent threats?
- Single-occurrence losses
- Annual loss expectancy
- Fatal losses
- Catastrophic losses
- b. Annualized loss expectancy (ALE) is the estimated loss expressed in monetary terms at an annual rate, for example, dollars per year. The ALE for a given threat with respect to a given function or asset is equal to the product of the estimates of occurrence rate, loss potential, and vulnerability factor.
A single-occurrence loss (SOL) is incorrect because it is the loss expected to result from a single occurrence of a threat. It is determined for a given threat by first calculating the product of the loss potential and vulnerability factor for each function and asset for the threat analyzed. Then the products are summed to generate the SOL for the threat. Because the SOL does not depend on an estimate of the threat’s occurrence rate, it is particularly useful for evaluating rare but damaging threats. If a threat’s SOL estimate is unacceptably high, it is prudent risk management to take security actions to reduce the SOL to an acceptable level.
Both fatal losses and catastrophic losses are large and rare. Fatal losses involve the loss of human life, and catastrophic losses involve great financial loss. In short, ALE is useful for addressing relatively frequent threats, whereas SOL and fatal or catastrophic losses address rare threats.