1. Name six different administrative controls used to secure personnel.

Possible answers include - job descriptions, - principle of least privilege, - separation of duties, - job responsibilities, - job rotation/cross-training, - performance reviews, - background checks, - job action warnings, - awareness training, - job training, - exit interviews/terminations, - nondisclosure agreements, - noncompete agreements, - employment agreements, - privacy declaration, - and acceptable use policies.

Chapter 6 Flashcards by Fernando Nakano

Name six different administrative controls used to secure personnel.

Possible answers include

job descriptions,
principle of least privilege,
separation of duties,
job responsibilities,
job rotation/cross-training,
performance reviews,
background checks,
job action warnings,
awareness training,
job training,
exit interviews/terminations,
nondisclosure agreements,
noncompete agreements,
employment agreements,
privacy declaration,
and acceptable use policies.

How well did you know this?

Not at all

Perfectly

What are the basic formulas used in quantitative risk assessment?

The formulas are as follows:

Exposure Factor (EF) or loss potential

Asset Value (AV)

Single Loss Expectancy (SLE)
- SLE = AV * EF

Annualized Rate of Occurrence (ARO)
ARO = # / yr

Annualized Loss Expectancy (ALE)
ALE = SLE * ARO

Annual Cost of Safeguard (ACS)

Cost/benefit = (ALE1 – ALE2) – ACS

How well did you know this?

Not at all

Perfectly

Describe the process or technique used to reach an anonymous consensus during a qualitative risk assessment?

The Delphi technique is an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Its primary purpose is to elicit honest and uninfluenced responses from all participants.

The participants are usually gathered into a single meeting room. To each request for feedback, each participant writes down their response on paper anonymously.

The results are compiled and presented to the group for evaluation. The process is repeated until a consensus is reached.

How well did you know this?

Not at all

Perfectly

Discuss the need to perform a balanced risk assessment. What are the techniques that can be used and why is this necessary?

Risk assessment often involves a hybrid approach using both quantitative and qualitative methods. A purely quantitative analysis is not possible; not all elements and aspects of the analysis can be quantified because some are qualitative, some are subjective, and some are intangible.

Since a purely quantitative risk assessment is not possible, balancing the results of a quantitative analysis is essential.

The method of combining quantitative and qualitative analysis into a final assessment of organizational risk is known as hybrid assessment or hybrid analysis.

How well did you know this?

Not at all

Perfectly

Which of the following is the weakest element in any security solution?

A. Software products

B. Internet connections

C. Security policies

D. Humans

D. Regardless of the specifics of a security solution, humans are the weakest element.

How well did you know this?

Not at all

Perfectly

When seeking to hire new employees, what is the first step?

A. Create a job description.

B. Set position classification.

C. Screen candidates.

D. Request resumes.

A. The first step in hiring new employees is to create a job description. Without a job description, there is no consensus on what type of individual needs to be found and hired.

How well did you know this?

Not at all

Perfectly

Which of the following is a primary purpose of an exit interview?

A. To return the exiting employee’s personal belongings

B. To review the nondisclosure agreement

C. To evaluate the exiting employee’s performance

D. To cancel the exiting employee’s network access accounts

B. The primary purpose of an exit interview is to review the nondisclosure agreement (NDA) and other liabilities and restrictions placed on the former employee based on the employment agreement and any other security-related documentation.

How well did you know this?

Not at all

Perfectly

When an employee is to be terminated, which of the following should be done?

A. Inform the employee a few hours before they are officially terminated.

B. Disable the employee’s network access just as they are informed of the termination.

C. Send out a broadcast email informing everyone that a specific employee is to be terminated.

D. Wait until you and the employee are the only people remaining in the building before announcing the termination.

B. You should remove or disable the employee’s network user account immediately before or at the same time they are informed of their termination.

How well did you know this?

Not at all

Perfectly

If an organization contracts with outside entities to provide key business functions or services, such as account or technical support, what is the process called that is used to ensure that these entities support sufficient security?

A. Asset identification

B. Third-party governance

C. Exit interview

D. Qualitative analysis

B. Third-party governance is the application of security oversight on third parties that your organization relies upon.

How well did you know this?

Not at all

Perfectly

A portion of the_________________ is the logical and practical investigation of business processes and organizational policies. This process/policy review ensures that the stated and implemented business tasks, systems, and methodologies are practical, efficient, cost-effective, but most of all (at least in relation to security governance) that they support security through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk.

A. Hybrid assessment

B. Risk aversion process

C. Countermeasure selection

D. Documentation review

D. A portion of the documentation review is the logical and practical investigation of business processes and organizational policies.

How well did you know this?

Not at all

Perfectly

Which of the following statements is not true?

A. IT security can provide protection only against logical or technical attacks.

B. The process by which the goals of risk management are achieved is known as risk analysis.

C. Risks to an IT infrastructure are all computer based.

D. An asset is anything used in a business process or task.

C. Risks to an IT infrastructure are not all computer based. In fact, many risks come from noncomputer sources. It is important to consider all possible risks when performing risk evaluation for an organization. Failing to properly evaluate and respond to all forms of risk, a company remains vulnerable.

How well did you know this?

Not at all

Perfectly

Which of the following is not an element of the risk analysis process?

A. Analyzing an environment for risks

B. Creating a cost/benefit report for safeguards to present to upper management

C. Selecting appropriate safeguards and implementing them

D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage

C. Risk analysis includes analyzing an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management. Selecting safeguards is a task of upper management based on the results of risk analysis. It is a task that falls under risk management, but it is not part of the risk analysis process.

How well did you know this?

Not at all

Perfectly

Which of the following would generally not be considered an asset in a risk analysis?

A. A development process

B. An IT infrastructure

C. A proprietary system resource

D. Users’ personal files

D. The personal files of users are not usually considered assets of the organization and thus are not considered in a risk analysis.

How well did you know this?

Not at all

Perfectly

Which of the following represents accidental or intentional exploitations of vulnerabilities?

A. Threat events

B. Risks

C. Threat agents

D. Breaches

A. Threat events are accidental or intentional exploitations of vulnerabilities.

How well did you know this?

Not at all

Perfectly

When a safeguard or a countermeasure is not present or is not sufficient, what remains?

A. Vulnerability

B. Exposure

C. Risk

D. Penetration

A. A vulnerability is the absence or weakness of a safeguard or countermeasure.

How well did you know this?

Not at all

Perfectly

Which of the following is not a valid definition for risk?

A. An assessment of probability, possibility, or chance

B. Anything that removes a vulnerability or protects against one or more specific threats

C. Risk = threat * vulnerability

D. Every instance of exposure

B. Anything that removes a vulnerability or protects against one or more specific threats is considered a safeguard or a countermeasure, not a risk.

How well did you know this?

Not at all

Perfectly

When evaluating safeguards, what is the rule that should be followed in most cases?

A. The expected annual cost of asset loss should not exceed the annual costs of safeguards.

B. The annual costs of safeguards should equal the value of the asset.

C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.

D. The annual costs of safeguards should not exceed 10 percent of the security budget.

C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.

How well did you know this?

Not at all

Perfectly

How is single loss expectancy (SLE) calculated?

A. Threat + vulnerability

B. Asset value ($) * exposure factor

C. Annualized rate of occurrence * vulnerability

D. Annualized rate of occurrence * asset value * exposure factor

Study These Flashcards

B. SLE is calculated using the formula SLE = asset value ($) * exposure factor (SLE = AV * EF).

How is the value of a safeguard to a company calculated?

A. ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard

B. ALE before safeguard * ARO of safeguard

C. ALE after implementing safeguard – annual cost of safeguard – controls gap

D. Total risk – controls gap

Study These Flashcards

A. The value of a safeguard to an organization is calculated by ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard [(ALE1 – ALE2) – ACS].

What security control is directly focused on preventing collusion?

A. Principle of least privilege

B. Job descriptions

C. Separation of duties

D. Qualitative risk analysis

Study These Flashcards

C. The likelihood that a co-worker will be willing to collaborate on an illegal or abusive scheme is reduced because of the higher risk of detection created by the combination of separation of duties, restricted job responsibilities, and job rotation.

What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions?

A. Education

B. Awareness

C. Training

D. Termination

Study These Flashcards

C. Training is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to groups of employees with similar job functions.

Which of the following is not specifically or directly related to managing the security function of an organization?

A. Worker job satisfaction

B. Metrics

C. Information security strategies

D. Budget

Study These Flashcards

A. Managing the security function often includes assessment of budget, metrics, resources, information security strategies, and assessing the completeness and effectiveness of the security program.

While performing a risk analysis, you identify a threat of fire and a vulnerability because there are no fire extinguishers. Based on this information, which of the following is a possible risk?

A. Virus infection

B. Damage to equipment

C. System malfunction

D. Unauthorized access to confidential information

Study These Flashcards

B. The threat of a fire and the vulnerability of a lack of fire extinguishers lead to the risk of damage to equipment.

You’ve performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change?

A. Exposure factor

B. Single loss expectancy

C. Asset value

D. Annualized rate of occurrence

Study These Flashcards

D. A countermeasure directly affects the annualized rate of occurrence, primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year.

1. Which of the following is the weakest element in any security solution? A. Software products B. Internet connections C. Security policies D. Humans

D. Regardless of the specifics of a security solution, humans are the weakest element.

2. When seeking to hire new employees, what is the first step? A. Create a job description. B. Set position classification. C. Screen candidates. D. Request resumes.

A. The first step in hiring new employees is to create a job description. Without a job description, there is no consensus on what type of individual needs to be found and hired.

3. Which of the following is a primary purpose of an exit interview? A. To return the exiting employee’s personal belongings B. To review the nondisclosure agreement C. To evaluate the exiting employee’s performance D. To cancel the exiting employee’s network access accounts

4. When an employee is to be terminated, which of the following should be done? A. Inform the employee a few hours before they are officially terminated. B. Disable the employee’s network access just as they are informed of the termination. C. Send out a broadcast email informing everyone that a specific employee is to be terminated. D. Wait until you and the employee are the only people remaining in the building before announcing the termination.

B. You should remove or disable the employee’s network user account immediately before or at the same time they are informed of their termination.

5. If an organization contracts with outside entities to provide key business functions or services, such as account or technical support, what is the process called that is used to ensure that these entities support sufficient security? A. Asset identification B. Third-party governance C. Exit interview D. Qualitative analysis

B. Third-party governance is the application of security oversight on third parties that your organization relies upon.

6. A portion of the_________________ is the logical and practical investigation of business processes and organizational policies. This process/policy review ensures that the stated and implemented business tasks, systems, and methodologies are practical, efficient, cost-effective, but most of all (at least in relation to security governance) that they support security through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk. A. Hybrid assessment B. Risk aversion process C. Countermeasure selection D. Documentation review

D. A portion of the documentation review is the logical and practical investigation of business processes and organizational policies.

7. Which of the following statements is not true? A. IT security can provide protection only against logical or technical attacks. B. The process by which the goals of risk management are achieved is known as risk analysis. C. Risks to an IT infrastructure are all computer based. D. An asset is anything used in a business process or task.

8. Which of the following is not an element of the risk analysis process? A. Analyzing an environment for risks B. Creating a cost/benefit report for safeguards to present to upper management C. Selecting appropriate safeguards and implementing them D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage

9. Which of the following would generally not be considered an asset in a risk analysis? A. A development process B. An IT infrastructure C. A proprietary system resource D. Users’ personal files

D. The personal files of users are not usually considered assets of the organization and thus are not considered in a risk analysis.

10. Which of the following represents accidental or intentional exploitations of vulnerabilities? A. Threat events B. Risks C. Threat agents D. Breaches

A. Threat events are accidental or intentional exploitations of vulnerabilities.

11. When a safeguard or a countermeasure is not present or is not sufficient, what remains? A. Vulnerability B. Exposure C. Risk D. Penetration

A. A vulnerability is the absence or weakness of a safeguard or countermeasure.

12. Which of the following is not a valid definition for risk? A. An assessment of probability, possibility, or chance B. Anything that removes a vulnerability or protects against one or more specific threats C. Risk = threat * vulnerability D. Every instance of exposure

B. Anything that removes a vulnerability or protects against one or more specific threats is considered a safeguard or a countermeasure, not a risk.

13. When evaluating safeguards, what is the rule that should be followed in most cases? A. The expected annual cost of asset loss should not exceed the annual costs of safeguards. B. The annual costs of safeguards should equal the value of the asset. C. The annual costs of safeguards should not exceed the expected annual cost of asset loss. D. The annual costs of safeguards should not exceed 10 percent of the security budget.

C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.

14. How is single loss expectancy (SLE) calculated? A. Threat + vulnerability B. Asset value ($) * exposure factor C. Annualized rate of occurrence * vulnerability D. Annualized rate of occurrence * asset value * exposure factor

B. SLE is calculated using the formula SLE = asset value ($) * exposure factor (SLE = AV * EF).

15. How is the value of a safeguard to a company calculated? A. ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard B. ALE before safeguard * ARO of safeguard C. ALE after implementing safeguard – annual cost of safeguard – controls gap D. Total risk – controls gap

A. The value of a safeguard to an organization is calculated by ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard [(ALE1 – ALE2) – ACS].

16. What security control is directly focused on preventing collusion? A. Principle of least privilege B. Job descriptions C. Separation of duties D. Qualitative risk analysis

17. What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions? A. Education B. Awareness C. Training D. Termination

18. Which of the following is not specifically or directly related to managing the security function of an organization? A. Worker job satisfaction B. Metrics C. Information security strategies D. Budget

A. Managing the security function often includes assessment of budget, metrics, resources, information security strategies, and assessing the completeness and effectiveness of the security program.

19. While performing a risk analysis, you identify a threat of fire and a vulnerability because there are no fire extinguishers. Based on this information, which of the following is a possible risk? A. Virus infection B. Damage to equipment C. System malfunction D. Unauthorized access to confidential information

B. The threat of a fire and the vulnerability of a lack of fire extinguishers lead to the risk of damage to equipment.

20. You’ve performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change? A. Exposure factor B. Single loss expectancy C. Asset value D. Annualized rate of occurrence

D. A countermeasure directly affects the annualized rate of occurrence, primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year.

Chapter 6 Flashcards

(44 cards)