
1. Which choice below is an incorrect description of a control?

  1. Detective controls discover attacks and trigger preventative or corrective controls.
  2. Corrective controls reduce the likelihood of a deliberate attack.
  3. Corrective controls reduce the effect of an attack.
  4. Controls are the countermeasures for vulnerabilities.

Answer: B

Hint: The other three answers are correct descriptions of controls.

2. Which statement below is accurate about the reasons to implement a layered security architecture?

  1. A layered security approach is not necessary when using COTS products.
  2. A good packet-filtering router will eliminate the need to implement a layered security architecture.
  3. A layered security approach is intended to increase the work-factor for an attacker.
  4. A layered approach doesn't really improve the security posture of the organization.

Answer: C

Hint: Security designs should consider a layered approach to increase the work-factor an attacker must expend to successfully attack the system.

3. Which choice below represents an application or system demonstrating a need for a high level of confidentiality protection and controls?

  1. Unavailability of the system could result in an inability to meet payroll obligations and could cause work stoppage and failure of user organizations to meet critical mission requirements. The system requires 24-hour access.
  2. The application contains proprietary business information and other financial information, which if disclosed to unauthorized sources, could cause an unfair advantage for vendors, contractors, or individuals and could result in financial loss or adverse legal action to user organizations.
  3. Destruction of the information would require significant expenditures of time and effort to replace. Although corrupted information would present an inconvenience to the staff, most information, and all vital information, is backed up by either paper documentation or on disk.
  4. The mission of this system is to produce local weather forecast information that is made available to the news media forecasters and the general public at all times. None of the information requires protection against disclosure.

Answer: B

Hint: Although elements of all of the systems described could require specific controls for confidentiality, system B most closely fits the definition of a system requiring a very high level of confidentiality. Answer A is an example of a system requiring high availability. Answer C is an example of a system that requires medium integrity controls. Answer D is a system that requires only a low level of confidentiality.

4. Which choice below is NOT a concern of policy development at the high level?

  1. Identifying the key business resources
  2. Identifying the type of firewalls to be used for perimeter security
  3. Defining roles in the organization
  4. Determining the capability and functionality of each role

Answer: B

Hint: Answers A, C, and D are elements of policy development at the highest level. Key business resources would have been identified during the risk assessment process. The various roles are then defined to determine the various levels of access to those resources. Answer D is the final step in the policy creation process and combines steps A and C. It determines which group gets access to each resource and what access privileges its members are assigned. Access to resources should be based on roles, not on individual identity.

5. Which choice below is NOT an accurate statement about the visibility of IT security policy?

  1. The IT security policy should not be afforded high visibility.
  2. The IT security policy could be visible through panel discussions with guest speakers.
  3. The IT security policy should be afforded high visibility.
  4. The IT security policy should be included as a regular topic at staff meetings at all levels of the organization.

Answer: A

Hint: The other three answers are correct statements about the visibility of IT security policy.

6. Which statement below is NOT accurate regarding the process of risk assessment?

  1. The likelihood of impact of a threat must be determined as an element of the risk assessment.
  2. The level of impact of a threat must be determined as an element of the risk assessment.
  3. Risk assessment is the final result of the risk management methodology.
  4. Risk Assessment is the final result of the risk management methodology.

Answer: D

Hint: Risk assessment is the final result of the risk management methodology.

7. Which choice below would NOT be considered an element of proper user account management?

  1. Users should be rotated out of their current duties.
  2. The users' accounts should be reviewed periodically.
  3. A process for tracking access authorizations should be implemented.
  4. Periodically re-screen personnel in sensitive positions.

Answer: A

Hint: The other answers are elements of proper user account management.

8. Which choice below is NOT one of NIST's 33 IT security principles?

  1. Implement least privilege.
  2. Assume that external systems are insecure.
  3. Totally eliminate any level of risk.
  4. Minimize the system elements to be trusted.

Answer: C

Hint: Risk can never be totally eliminated. NIST IT security principle #4 states: "Reduce risk to an acceptable level."

9. How often should an independent review of the security controls be performed, according to OMB Circular A-130?

  1. Every year
  2. Every three years
  3. Every five years
  4. Never

Answer: B

Hint: OMB Circular A-130 requires that a review of the security controls for each major government application be performed at least every three years.

10. Which choice below BEST describes the difference between the System Owner and the Information Owner?

  1. There is a one-to-one relationship between system owners and information owners.
  2. One system could have multiple information owners.
  3. The Information Owner is responsible for defining the system's operating parameters.
  4. The System Owner is responsible for establishing the rules for appropriate use of the information.

Answer: B

Hint: A single system may utilize information from multiple Information Owners.

11. Which choice below is NOT a generally accepted benefit of security awareness, training, and education?

  1. A security awareness program can help operators understand the value of the information.
  2. A security education program can help system administrators recognize unauthorized intrusion attempts.
  3. A security awareness and training program will help prevent natural disasters from occurring.
  4. A security awareness and training program can help an organization reduce the number and severity of errors and omissions.

Answer: C

Hint: The other answers are generally accepted benefits of security awareness, training, and education.

12. Who has the final responsibility for the preservation of the organization's information?

  1. Technology providers
  2. Senior management
  3. Users
  4. Application owners

Answer: B

Hint: Senior management has the final responsibility through due care and due diligence to preserve the capital of the organization and further its business model through the implementation of a security program. Although senior management does not have the functional role of managing security procedures, it has the ultimate responsibility to see that business continuity is preserved.

13. Which choice below is NOT an example of an issue-specific policy?

  1. Email privacy policy
  2. Virus-checking disk policy
  3. Defined router ACLs
  4. Unfriendly employee termination policy

Answer: C

Hint: Answer C is an example of a system-specific policy, in this case the router's access control lists. The other three answers are examples of issue-specific policy, as defined by NIST.

14. Which statement below is NOT true about security awareness, training, and educational programs?

  1. Awareness and training help users become more accountable for their actions.
  2. Security education assists management in determining who should be promoted.
  3. Security improves the users' awareness of the need to protect information resources.
  4. Security education assists management in developing the in-house expertise to manage security programs.

Answer: B

Hint: The other answers are correct statements about security awareness, training, and educational programs.

15. Which choice below is an accurate statement about standards?

  1. Standards are the high-level statements made by senior management in support of information systems security.
  2. Standards are the first element created in an effective security policy program.
  3. Standards are used to describe how policies will be implemented within an organization.
  4. Standards are senior management's directives to create a computer security program.

Answer: C

Hint: Answers A, B, and D describe policies. Procedures, standards, and guidelines are used to describe how policies will be implemented within an organization.

16. Which choice below is a role of the Information Systems Security Officer?

  1. The ISO establishes the overall goals of the organization's computer security program.
  2. The ISO is responsible for day-to-day security administration.
  3. The ISO is responsible for examining systems to see whether they are meeting stated security requirements.
  4. The ISO is responsible for following security procedures and reporting security problems.

Answer: B

Hint: Answer A is a responsibility of senior management. Answer C is a description of the role of auditing. Answer D is the role of the user, or consumer, of security in an organization.

17. Which statement below is NOT correct about safeguard selection in the risk analysis process?

  1. Maintenance costs need to be included in determining the total cost of the safeguard.
  2. The best possible safeguard should always be implemented, regardless of cost.
  3. The most commonly considered criterion is the cost effectiveness of the safeguard.
  4. Many elements need to be considered in determining the total cost of the safeguard.

Answer: B

Hint: Performing a cost-benefit analysis of the proposed safeguard before implementation is vital. The cost of a proposed safeguard could easily outweigh the level of security it affords. Other factors need to be considered in the safeguard selection process, such as accountability, auditability, and the level of manual operations needed to maintain or operate the safeguard.

18. Which choice below is usually the number-one criterion used to determine the classification of an information object?

  1. Value
  2. Useful life
  3. Age
  4. Personal association

Answer: A

Hint: The value of the information asset to the organization is usually the first and foremost criterion used in determining its classification.

19. What are high-level policies?

  1. They are recommendations for procedural controls.
  2. They are the instructions on how to perform a Quantitative Risk Analysis.
  3. They are statements that indicate senior management's intention to support InfoSec.
  4. They are step-by-step procedures to implement a safeguard.

Answer: C

Hint: High-level policies are senior management statements of recognition of the importance of security controls to the mission of the organization.

20. Which policy type is MOST likely to contain mandatory or compulsory standards?

  1. Guidelines
  2. Advisory
  3. Regulatory
  4. Informative

Answer: C

Hint: Answer B, advisory policies, might specify penalties for noncompliance, but regulatory policies are required to be followed by the organization. Answers A and D are informational or recommended policies only.

21. What does an Exposure Factor (EF) describe?

  1. A dollar figure that is assigned to a single event.
  2. A number that represents the estimated frequency of the occurrence of an expected threat
  3. The percentage of loss that a realized threat event would have on a specific asset
  4. The annual expected financial loss to an organization from a threat

Answer: C

Hint: Answer A is an SLE, B is an ARO, and D is an ALE.

22. What is the MOST accurate definition of a safeguard?

  1. A guideline for policy recommendations
  2. A step-by-step instructional procedure
  3. A control designed to counteract a threat
  4. A control designed to counteract an asset

Answer: C

Hint: Answer A is a guideline, B is a procedure, and D is a distractor.

23. Which choice MOST accurately describes the differences between standards, guidelines, and procedures?

  1. Standards are recommended policies, whereas guidelines are mandatory policies.
  2. Procedures are step-by-step recommendations for complying with mandatory guidelines.
  3. Procedures are the general recommendations for compliance with mandatory guidelines.
  4. Procedures are step-by-step instructions for compliance with mandatory standards.

Answer: D

Hint: The other answers are incorrect.

24. What are the detailed instructions on how to perform or implement a control called?

  1. Procedures
  2. Policies
  3. Guidelines
  4. Standards

Answer: A

25. How is an SLE derived?

  1. (Cost-benefit) x (% of Asset Value)
  2. AV x EF
  3. ARO x EF
  4. % of AV - implementation cost

Answer: B

Hint: Single Loss Expectancy is derived by multiplying the Asset Value by its Exposure Factor. The other answers do not exist.

26. What is a noncompulsory recommendation on how to achieve compliance with published standards called?

  1. Procedures
  2. Policies
  3. Guidelines
  4. Standards

Answer: C

27. Which group represents the MOST likely source of an asset loss through inappropriate computer use?

  1. Crackers
  2. Hackers
  3. Employees
  4. Saboteurs

Answer: C

Hint: Internal personnel account for by far the largest dollar losses due to unauthorized or inappropriate computer use.

28. Which choice MOST accurately describes the difference between the role of a data owner versus the role of a data custodian?

  1. The custodian implements the information classification scheme after the initial assignment by the operations manager.
  2. The data owner implements the information classification scheme after the initial assignment by the custodian.
  3. The custodian makes the initial information classification assignments, whereas the operations manager implements the scheme.
  4. The custodian implements the information classification scheme after the initial assignment by the operations manager.

Answer: A

Hint:

29. What is an ARO?

  1. A dollar figure assigned to a single event
  2. The annual expected financial loss to an organization from a threat
  3. A number that represents the estimated frequency of an occurrence of an expected threat
  4. The percentage of loss that a realized threat event would have on a specific asset

Answer: C

Hint: Answer A is the definition of SLE, B is an ALE, and D is an EF.

30. Which formula accurately represents an Annualized Loss Expectancy (ALE) calculation?

  1. SLE x ARO
  2. Asset Value(AV) x EF
  3. ARO x EF - SLE
  4. % of ARO x AV

Answer: A

Hint: Answer B is the formula for an SLE, and answers C and D are nonsense.