Who has the primary responsibility of determining the classification level for information?
a. Functional manager
b. Senior management
c. Owner
d. User
- The answer is C. A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data.
One of the responsibilities that goes into protecting this information is properly classifying it.
- Which group causes the most risk of fraud and computer compromises?
a. Employees
b. Hackers
c. Attackers
d. Contractors
- The answer is A. It is commonly stated that internal threats provide 70-80 percent of the overall threat to a company. This is because employees already have privileged access to a wide range of company assets. The outsider who wants to cause damage must obtain this level of access before she can carry out the type of damage that internal personnel can carry out. A lot of the damages that are caused by internal employees are brought about by mistakes and system misconfigurations.
- If different user groups with different security access levels need to access the same information, which of the following actions should management take?
a. Decrease the security level on the information to ensure accessibility and usability of the information.
b. Require specific approval each time an individual needs to access the information.
c. Increase the security controls on the information.
d. Increase the classification label on the information.
- The answer is C. If data is going to be available to a wide range of people, more security should be implemented to ensure that only the necessary people access the data and the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.
- What does management need to consider the most when classifying data?
a. Type of employees, contractors, and customers who will be accessing the data.
b. Confidentiality, integrity, and availability.
c. First assess the risk level and implement the correct countermeasures.
d. The access controls that will be protecting the data.
- The answer is B. The best answer to this question is B because to properly classify data the data owner needs to evaluate the confidentiality, integrity, and availability requirements of the data. Once this is done this will dictate what employees, contractors, and users can access the data, which is expressed in answer A. This assessment will also help determine the controls that should be put into place.
- Who is ultimately responsible for making sure data is classified and protected?
a. Data owners
b. Users
c. Administrators
d. Management
- The answer is D. The key to this question is the use of the word “ultimately”. Management is ultimately responsible for everything that takes place within a company. They need to make sure data and resources are being properly protected on an on-going basis. They can delegate tasks to others, but they are ultimately responsible.
- What is a procedure?
a. Rules on how software and hardware must be used within the environment
b. Step-by-step directions on how to accomplish a task
c. Guidelines on how to approach security situations that are not covered by standards
d. Compulsory actions
- The answer is B. Standards are rules that must be followed, thus they are compulsory. Guidelines are recommendations. Procedures are step-by-step instructions.
- Which factor is the most important item when it comes to ensuring that security is successful in an organization?
a. Senior management support
b. Effective controls and implementation methods
c. Updated and relevant security policies and procedures
d. Security awareness by all employees
- The answer is A. Without the senior management’s support a security program will not receive the necessary attention, funds, resources, and enforcement capabilities.
- When is it acceptable to not take action on an identified risk? (Turn into true false)
a. Never—good security addresses and reduces all risks.?
b. When political issues prevent this type of risk from being addressed.
c. When the necessary countermeasure is complex.
d. When the cost of the countermeasure outweighs the value of the asset and potential loss.
- The answer is D. Companies may decide to live with specific risks they are faced
with because it would cost more to try and protect themselves than they have a
potential of losing if the threat became real. Countermeasures are usually complex to
a degree and there is almost always political issues surrounding different risks, but
these are not reasons to not implement a countermeasure.
- What are security policies?
a. Step-by-step directions on how to accomplish security tasks
b. General guidelines to use to accomplish a specific security level
c. Broad, high-level statements from the management
d. Detailed documents explaining how security incidents should be handled
- The answer is C. A security policy captures and dictates senior management’s perspectives and directives on what role security should play within the company. They are usually vague and use broad terms so that they can cover a wide range of items.
- Which is the most valuable technique when determining IF a specific security control should be implemented?
a. Risk analysis
b. Cost/benefit analysis
c. ALE results
d. Identifying the vulnerabilities and threats causing the risk
- The answer is B. Although the other answers may seem correct, B is the best answer here. This is because a risk analysis is performed to identify risks and come up with suggested countermeasures. The ALE tells the company how much it could loss if a specific threat became real. The ALE value will go into the cost/benefit analysis, but the ALE does not address the cost of the countermeasure and the benefit of a countermeasure. All the data captured in answer A, C, and D is ported into a cost/benefit analysis.
- Which best describes the purpose of the ALE calculation?
a. Quantifies the security level of the environment
b. Estimates the loss possible for a countermeasure
c. Quantifies the cost/benefit result
d. Estimates the loss potential of a threat in a year span
- The answer is D. The ALE calculation estimates the potential loss that can affect one asset from a specific threat within a one-year time span. This value is used to figure out the amount of money that should be earmarked to protect this asset from this threat.
- Tactical planning is:
a. Mid-term
b. Long-term
c. Day-to-day
d. Six months
- The answer is A. There are three types of goals that make up the planning horizon; operational, tactical, and strategic. The tactical goals are mid-term goals that must be accomplished before the overall strategic goal is accomplished.
- What is the definition of a security exposure/exploit?
a. An instance of being exposed to losses from a threat
b. Any potential danger to information or systems
c. An information security absence or weakness
d. A loss potential of a threat
- The answer is A. An exposure means that a vulnerability has been exploited by a threat agent. Examples are; a hacker accessed a database through an open port on the firewall, an employee shares confidential information via e-mail, or a virus infects a computer.
- An effective security program requires a balanced application of:
a. Technical and non-technical methods (can also be preventative, detective, deterrent)
b. Countermeasures and safeguards (reactive in nature)
c. Physical security and technical controls (missing stuff like administrative controls)
d. Procedural security and encryption
- The answer is A. Security is not defined by a firewall, an access control mechanism, a security policy, company procedures, employee conduct, or authentication technologies. It is defined by all of these and how they integrate together within an environment. Security is not purely technical and it is not purely procedural, but a mix of the two.
- Which statement is true when looking at security objectives in the private business sector versus the military sector?
a. Only the military has true security.
b. Businesses usually care more about data integrity and availability, whereas the military is more concerned with confidentiality.
c. The military requires higher levels of security because the risks are so much higher.
d. The business sector usually cares most about data availability and confidentiality, whereas the military is most concerned about integrity.
- The answer is B. Although answer C may seem correct to you, it is a subjective answer. Businesses will see their threats and risks as being more important that another organization’s threats and risks. The military has a rich history of having to keep their secrets secret. This is usually not as important in the commercial sector relative to the military.
- How do you calculate residual risk?
a. Threats x risks x asset value
b. (Treats x asset value x vulnerability) x risks + control gap
c. SLE x frequency = ALE
d. (Threats x vulnerability x asset value) x controls gap
- The answer is D. The equation is more conceptual than it is practical. It is hard to assign a number to a vulnerability and a threat individually. What this equation is saying is look at the potential loss to a specific asset and look at the controls gap, which means what the specific countermeasure cannot protect against. What is left is the residual risk. Residual risk is what is left over after a countermeasure is implemented.
- Which of the following is not a purpose of doing a risk analysis?
a. Delegate responsibility.
b. Quantify impact of potential threats.
c. Identify risks.
d. Define the balance between the impact of a risk and the cost of the necessary countermeasure.
- The answer is A. The other three answers are the main reasons to carry out a risk analysis. An analysis is not carried out to delegate responsibilities. Management will take on this responsibility once the results of the analysis are reported to them and they understand what actually needs to be carried out.
- How does a risk analysis show management how much money to spend per security measure?
a. It shows management how much could be lost if the security measure is not implemented.
b. It calculates the frequency of the risk times the cost/benefit ratio of the ALE.
c. It shows management how much money could be saved if the security program was implemented.
d. It provides the qualitative severity of the security measure.
- The answer is A. The crux of carrying out a risk analysis is to calculate risk and estimate how much specific threats could cost the company. From these numbers and information management can make a decision on the best security mechanisms and how much should be spent on them.
- Which of the following is not a management role in the process of implementing and maintaining security?
a. Support
b. Perform risk analysis
c. Define purpose and scope
d. Delegate responsibility
- The answer is B. The number one ingredient management needs to provide when it comes to security is support. They need to define the role of security, the scope of security, and the different assessments that will be carried out and they will delegate who does what pertaining to security. They will not carry out the analysis, but is responsible for making sure one is done and that they act on the results that it provides.
- Why should the team that is going to perform and review the risk analysis information be made up of people in different departments?
a. To make sure the process is fair and that no one is left out.
b. They shouldn’t — it should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable.
c. Because people in different departments understand the risks of their department and it ensures that the data going into the analysis is as close to reality as possible.
d. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.
- The answer is C. An analysis is only as good as the data that goes into it. Data pertaining to risks the company faces should be extracted from the people who understand the business functions and environment of the company the best. Each department understands their own threats, resources, and may have possible solutions to specific risks that affect their part of the company
- Which best describes quantitative risk analysis?
a. Scenario-based analysis to research different security threats
b. A method used to apply severity levels to potential loss, probability of loss, and risks
c. A method that assigns monetary values to components in the risk assessment
d. A method that is based off of gut feelings and opinions
- The answer is C. A quantitative risk analysis assigns monetary values and percentages to the different components within the assessment. A qualitative analysis uses opinions of individuals and a rating system to gage the severity level of different threats and the benefits of specific countermeasures.
- Why is a truly quantitative risk analysis not possible to achieve?
a. It is possible, which is why it is used.
b. It assigns severity levels. Thus, it is hard to translate into monetary values.
c. It is dealing with purely quantitative elements.
d. Quantitative measures must be applied to qualitative elements.
- The answer is D. During a risk analysis the team is trying to properly predict the future and all the risks that future may bring. It is somewhat of a subjective exercise and educated guessing must take place. It is very hard to properly predict that a flood will take place once in ten years and cost a company up to $40,000 in damages, but this is what a quantitative analysis tries to accomplish.
- If there are automated tools for risk analysis, why does it take so much time to complete?
a. A lot of data has to be gathered to be inputted into the automated tool.
b. Management has to approve it and then a team has to be built.
c. Risk analysis cannot be automated because of the nature of the assessment.
d. Many people have to agree on the same data.
- The answer is A. An analysis usually takes a long time to complete because of all the data that must be properly gathered. There are usually a lot of different sources for this type of data and properly extracting it is extremely time consuming. In most situations it is setting up meetings with specific personnel and going through a question and answer process.
- Which of the following is a legal term that pertains to a company or individual taking reasonable actions and is used to determine liability?
a. Standards
b. Due process
c. Due care
d. Downstream liabilities
- The answer is C. A company’s, or individual’s, actions can be judged by the “Prudent Man Rule”, which looks at how a prudent, or reasonable, man would react in similar situations. Due care means to take these necessary actions to protect the company, its assets, customers, and employees. Computer security has many aspects pertaining to practicing due care and if management does not ensure that these things are in place, they can be found negligent.
