Within the context of the CBK, which of the following provides a MINIMUM level of security ACCEPTABLE for an environment ?
In a properly segregated environment, which of the following tasks is compatible with the task of security administrator?
Within the realm of IT security, which of the following combinations best defines risk?
Threat coupled with a vulnerability
Step-by-step instructions used to satisfy control requirements is called a:
Who should provide access authorization to computerized information?
IT security measures should:
Be tailored to meet organizational security goals.
What is the goal of the Maintenance phase in a common development process of a security policy?
To review the document on the specified review date.
Three key things that must be considered for the planning and implementation of access control mechanisms do NOT include:
the system's vulnerability to viruses
Which of the following best defines add-on security?
Protection mechanisms implemented after an information system has become operational.
Which of the following should NOT be addressed by employee termination practices?
Employee bonding to protect against losses due to theft.
Which of the following best allows risk management results to be used knowledgeably?
An uncertainty analysis
Why do many organizations require every employee to take a mandatory vacation of a week or more?
To reduce the opportunity for an employee to commit an improper or illegal act.
Related to information security, the guarantee that the message sent is the message received is an example of which of the following?
What would be the Annualized Rate of Occurrence (ARO) of the threat "user input error", in the case where a company employs 100 data entry clerks and every one of them makes one input error each month?
What can be best defined as the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment?
Which of the following is not a responsibility of a database administrator?
Providing access authorization to databases
Which of the following would BEST be defined as an absence or weakness of safeguard that could be exploited?
One of these statements about the key elements of a good configuration process is NOT true:
Controlling modifications to system hardware in order to protect resource from changes
A deviation from an organization-wide security policy requires which of the following?
What are the three FUNDAMENTAL principles of security?
Confidentiality, integrity and availability
Which of the following is most concerned with personnel security?
Preservation of confidentiality in information systems requires that the information is not disclosed to:
Unauthorized persons or processes.
Which of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data?
System and information owners
Which of the following should NOT be a role of the Security Administrator?
Authorizing access rights
Which of the following is not a component of an Operations Security "triple"?
Related to information security, integrity is the opposite of which of the following?
What can be described as a measure of the magnitude of loss or impact on the value of an asset?
Ultimately, the security of computer-based information systems is which of the following?
a management issue.
Which of the following would best relate to resources being used only for intended purposes?
An effective information security policy should not have which of the following characteristic?
Be designed with a short- to mid-term focus
Which of the following would VIOLATE the Due Care concept?
Data owners not laying out the foundation of data protection
Which of the following is NOT a part of a risk analysis?
Choose the best countermeasure
Related to information security, the prevention of the intentional or unintentional unauthorized disclosure of contents is which of the following?
Which of the following is not a goal of integrity?
Prevention of the modification of information by authorized users.
What is the main responsibility of information (data) owner?
determining the data sensitivity or classification level
What is the opposite of C.I.A. in risk management?
disclosure, alteration, destruction
Who is responsible for initiating corrective actions when there are security violations?
Which of the following is NOT a common integrity goal?
Prevent paths that could lead to inappropriate disclosure.
Which approach to a security program makes sure that the people actually responsible for protecting the company's assets are DRIVING the program?
The top-down approach
Who should DECIDE how a company should approach security and what security measures should be implemented?
What can best be defined as high-level statements, beliefs, goals and objectives?
How should a risk be HANDLED when the cost of the countermeasure OUTWEIGHS the cost of the risk?
Accept the risk
What is called a weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the information systems or networks?
Which of the following should be given technical security training?
IT support personnel and system administrators
How is Annualized Loss Expectancy (ALE) derived from a threat?
SLE x ARO
Which of the following is an advantage of a qualitative over a quantitative risk analysis?
It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.
Which of the following statements pertaining to a security policy is incorrect?
It specifies how hardware and software should be used throughout the organization.
What is the main purpose of Corporate Security Policy?
to communicate management's intentions in regards to information security
Which of the following is the weakest link in a security system?
Which of the following is not a responsibility of an information owner?
Running regular backups and periodically testing the validity of the backup data.
Computer security should be first and foremost which of the following:
Which one of the following individuals has PRIMARY responsibility for determining the classification level of information?
The control of communications test equipment should be clearly addressed by security policy for which of the following reasons?
Test equipment can be used to browse information passing on a network.
What is called an event or activity that has the potential to cause harm to the information systems or networks?
The major objective of system configuration management is which of the following?
Which of the following is BEST defined as a physical control?
Which data classification SHOULD APPLY to commercial trade secrets?
What is the difference between Advisory and Regulatory security policies?
Advisory policies are not mandated. Regulatory policies must be implemented.
Which of the following is the best reason for the use of an automated risk analysis tool?
Minimal information gathering is required due to the amount of information built into the tool.
Which of the following questions should a user be unable to answer regarding their organization's information security policy?
What are the actions that need to be performed in case of a disaster?
Which of the following would be the first step in establishing an information security program?
Adoption of a corporate information security policy statement.
Which of the following would best classify as a management control?
Review of security controls
Making sure that the data is accessible when and where it is needed is which of the following?
In a discretionary access environment, which of the following entities is authorized to grant information access to other people?
What would BEST define risk management?
The process of reducing risk to an acceptable level
According to private sector data classification levels, how would salary levels and medical information be classified?
Which of the following is given the responsibility of the maintenance and protection of the data?
Which of the following tasks may be performed by the same person in a well-controlled information processing facility/computer center?
System development and systems maintenance
Which of the following statements pertaining to quantitative risk analysis is false?
It requires little experience to apply
What can be defined as an event that could cause harm to the information systems?
Which of the following department managers would be best suited to oversee the development of an information security policy?
All risks must be:
Which must bear the primary responsibility for determining the level of protection needed for information systems resources?
What is a difference between a Quantitative Analysis versus a Qualitative Risk Analysis?
quantitative analysis provides formal cost/benefit analysis and qualitative does not
The preliminary steps to security planning include all of the following EXCEPT which of the following?
Establish a security audit function.
Which of the following questions would not help in assessing personnel security controls?
Is access to facilities by personnel controlled through the use of guards, identification badges, or entry devices such as key cards or biometrics?
Which one of the following represents an ALE calculation?
single loss expectancy x annualized rate of occurrence.
Related to information security, availability is the opposite of which of the following?
Which of the following could be BEST defined as the likelihood of a threat agent taking advantage of a vulnerability?
Why would an information security policy require that communications test equipment be controlled?
The equipment can be used to browse information passing on a network
The absence of a safeguard or weakness in a system that may possibly be exploited is called a(n)?
Which of the following is the MOST important aspect relating to employee termination?
The appropriate company staff are notified about the termination.
Making sure that only those who are supposed to access the data can access is which of the following?
In the CIA triad, what does the letter A stand for?
In an organization, an Information Technology security function should:
Be led by a Chief Security Officer and report directly to the CEO.
Who should measure the effectiveness of security related controls in an organization?
the systems auditor.
One purpose of a security awareness program is to modify:
employee's attitudes and behaviors.
Risk mitigation and risk reduction controls can be of which of the following types?
preventive, detective, or corrective
ISO 17799 is a standard for:
Information Security Management
Which of the following groups represents the leading source of computer crime losses?
One of the following assertions is not a characteristic of Internet Protocol Security (IPsec)
Data is delivered in the exact order in which it is sent
What is the property that ensures only those who are supposed to access the data can access it?
What is the highest amount a company should spend annually on countermeasures for protecting an asset valued at $1,000,000 from a threat that has an annualized rate of occurrence (ARO) of once every five years and an exposure factor (EF) of 30%?
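The quantitative questions in this set (the ARO for the 100 data entry clerks, ALE = SLE x ARO, and the most a company should spend each year to protect the $1,000,000 asset) all follow from one small model, and the "accept the risk when the countermeasure costs more than the risk" question is the same model applied to a control. The Python below is an added worked example, not part of the original question set; the function names are my own, and the replication countermeasure scenario in `worked_examples` is constructed for illustration.

```python
"""Quantitative risk analysis helpers (added example, not from the question set).

Relations used:
    SLE = AV x EF                       single loss expectancy
    ALE = SLE x ARO                     annualized loss expectancy
    control value = ALE_before - ALE_after - annual cost of the control
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: loss from one occurrence of the threat. EF is a fraction in [0, 1]."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(events_per_period: float, periods_per_year: float) -> float:
    """ARO: expected number of occurrences per year.

    Per-period counts are scaled to a year; a threat expected once every
    N years is simply ARO = 1 / N (call this with events_per_period=1,
    periods_per_year=1/N, or pass 1/N straight into the ALE function).
    """
    return events_per_period * periods_per_year


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected annual loss from the threat."""
    return sle * aro


@dataclass
class Countermeasure:
    name: str
    annual_cost: float   # amortised purchase plus yearly operating cost
    residual_aro: float  # ARO remaining once the control is in place
    residual_ef: float   # EF remaining once the control is in place


def max_annual_spend(asset_value: float, ef: float, aro: float) -> float:
    """Ceiling for yearly spend on controls against this threat: the ALE itself.

    Spending more than the expected annual loss is the 'cost of countermeasure
    outweighs the cost of the risk' case, where the right answer is to accept
    the risk.
    """
    return annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)


def countermeasure_value(asset_value: float, ef: float, aro: float, cm: Countermeasure) -> float:
    """Annual value of a control = ALE before - ALE after - annual cost.

    A negative result means the control removes less risk than it costs.
    """
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, cm.residual_ef), cm.residual_aro
    )
    return ale_before - ale_after - cm.annual_cost


def worked_examples():
    """The two numeric questions from this set plus one constructed control."""
    # 100 data entry clerks, each making one input error per month.
    clerk_aro = annualized_rate_of_occurrence(events_per_period=100 * 1, periods_per_year=12)

    # Asset valued at $1,000,000, EF 30%, threat once every five years.
    spend_ceiling = max_annual_spend(asset_value=1_000_000, ef=0.30, aro=1 / 5)

    # Constructed scenario (not from the questions): a $25,000/year control that
    # cuts the ARO to once per 20 years and leaves the exposure factor unchanged.
    replication = Countermeasure("offsite replication", annual_cost=25_000,
                                 residual_aro=1 / 20, residual_ef=0.30)
    value = countermeasure_value(1_000_000, 0.30, 1 / 5, replication)

    return clerk_aro, spend_ceiling, value


if __name__ == "__main__":
    aro, ceiling, value = worked_examples()
    print(f"clerk input-error ARO: {aro:.0f} per year")
    print(f"max annual spend on the $1,000,000 asset: ${ceiling:,.0f}")
    print(f"annual value of the constructed control: ${value:,.0f}")
```

For the page's numbers this gives an ARO of 1,200 input errors per year, an SLE of $300,000 and an ALE (and therefore spend ceiling) of $60,000 per year; the constructed control is worth $60,000 - $15,000 - $25,000 = $20,000 a year, so it would be adopted, whereas any control costing more than the $60,000 ALE would be rejected in favour of accepting the risk.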
Which of the following choices is NOT part of a security policy?
description of specific technologies used in the field of information security
If risk is defined as "the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets" then risk has all of the following elements EXCEPT?
Controls addressing the threats
Which of the following is NOT an administrative control?
Logical access control mechanisms
Related to information security, confidentiality is the opposite of which of the following?
What is called the probability that a threat to an information system will materialize?
Which of the following is NOT a technical control?
Monitoring for physical intrusion
Which of the following is not a way for programmers to bypass normal security controls while developing their software?
A Trojan horse
What does "residual risk" mean?
The security risk that remains after controls have been implemented
Controls are implemented to:
mitigate risk and reduce the potential for loss
Making sure that the data has not been changed unintentionally, due to an accident or malice is:
Which of the following would be the best criterion to consider in determining the classification of an information asset?
Which of the following are steps of a common development process of creating a security policy, standards and procedures?
initial and evaluation, development, approval, publication, implementation, maintenance
Who is responsible for providing reports to the senior management on the effectiveness of the security controls?
Information systems auditors
Which of the following embodies all the detailed actions that personnel are required to follow?
Which of the following is responsible for MOST of the security issues?