Answer: B
Hint: The other three answers are correct descriptions of controls.
Answer: C
Hint: Security designs should consider a layered approach to increase the work-factor an attacker must expend to successfully attack the system.
Answer: B
Hint: Although elements of all of the systems described could require specific controls for confidentiality, system B fits the definition most closely of a system requiring a very high level of confidentiality. Answer A is an example of a system requiring high availability. Answer C is an example of a system that requires medium integrity controls. Answer D is a system that requires only a low level of confidentiality.
Answer: B
Hint: Answers A, C and D are elements of policy development at the highest level. Key business resources would have been identified during the risk assessment process. The various roles are then defined to determine the various levels of access to those resources. Answer D is the final step in the policy creation process and combines steps A and C. It determines which group gets access to each resource and what access privileges its members are assigned. Access to resources should be based on roles, not on individual identity.
Answer: A
Hint: The other three answers are correct statements about the visibility of IT security policy.
Answer: D
Hint: Risk assessment is the final result of the risk management methodology.
Answer: A
Hint: The other answers are elements of proper user account management.
Answer: C
Hint: Risk can never be totally eliminated. NIST IT security principle #4 states: "Reduce risk to an acceptable level."
Answer: B
Hint: OMB Circular A-130 requires that a review of the security controls for each major government application be performed at least every three years.
Answer: B
Hint: A single system may utilize information from multiple Information Owners.
Answer: C
Hint: The other answers are generally accepted benefits of security awareness, training, and education.
Answer: B
Hint: Senior management has the final responsibility through due care and due diligence to preserve the capital of the organization and further its business model through the implementation of a security program. Although senior management does not have the functional role of managing security procedures, it has the ultimate responsibility to see that business continuity is preserved.
Answer: C
Hint: Answer C is an example of a system-specific policy, in this case the router's access control lists. The other three answers are examples of issue-specific policy, as defined by NIST.
Answer: B
Hint: The other answers are correct statements about security awareness, training, and educational programs.
Answer: C
Hint: Answers A, B and D describe policies. Procedures, standards, and guidelines are used to describe how policies will be implemented within an organization.
Answer: B
Hint: Answer A is a responsibility of senior management. Answer C is a description of the role of auditing. Answer D is the role of the user, or consumer, of security in an organization.
Answer: B
Hint: Performing a cost-benefit analysis of the proposed safeguard before implementation is vital. The level of security afforded could easily outweigh the value of a proposed safeguard. Other factors need to be considered in the safeguard selection process, such as accountability, auditability, and the level of manual operations needed to maintain or operate the safeguard.
Answer: A
Hint: The value of the information asset to the organization is usually the first and foremost criterion used in determining its classification.
Answer: C
Hint: High-level policies are senior management statements of recognition of the importance of security controls to the mission of the organization.
Answer: C
Hint: Answer B, advisory policies, might specify penalties for noncompliance, but regulatory policies are required to be followed by the organization. Answers A and D are informational or recommended policies only.
Answer: C
Hint: Answer A is an SLE, B is an ARO, and D is an ALE.
Answer: C
Hint: Answer A is a guideline, B is a procedure, and D is a distracter.
Answer: D
Hint: The other answers are incorrect.
Answer: A
Answer: B
Hint: Single Loss Expectancy is derived by multiplying the Asset Value with its Exposure Factor. The other answers do not exist.
Answer: C
Hint: Internal personnel far and away constitute the largest amount of dollar loss due to unauthorized or inappropriate computer use.
Answer: A
Hint:
Answer: C
Hint: Answer A is the definition of SLE, B is an ALE, and D is an EF.
Answer: A
Hint: Answer B is the formula for an SLE, and answers C and D are nonsense.