Annualized Loss Expectancy (ALE) value is derived from an algorithm of the product of annual rate of occurrence and
A. Cost of all losses expected.
B. Previous year’s actual loss.
C. Average of previous losses.
D. Single loss expectancy.
D. Single loss expectancy.
How is Annualized Loss Expectancy (ALE) derived from a threat?
A. ARO x (SLE – EF)
B. SLE x ARO
C. SLE/EF
D. AV x EF
B. SLE x ARO
Which risk management methodology uses the exposure factor multiplied by the asset value to determine its outcome?
A. Annualized Loss Expectancy
B. Single Loss Expectancy
C. Annualized Rate of Occurrence
D. Information Risk Management
B. Single Loss Expectancy
Which of the following represents an ALE calculation?
A. Single loss expectancy x annualized rate of occurrence.
B. Gross loss expectancy x loss frequency.
C. Actual replacement cost – proceeds of salvage.
D. Asset value x loss expectancy.
A. Single loss expectancy x annualized rate of occurrence.
Which formula accurately represents an Annualized Loss Expectancy (ALE) calculation?
A. SLE × ARO
B. Asset Value (AV) × EF
C. ARO × EF - SLE
D. % of ARO ×AV
A. SLE × ARO
Which choice below is the BEST description of an Annualized Loss
Expectancy (ALE)?
A. The expected risk factor of an annual threat event, derived by
multiplying the SLE by its ARO
B. The percentile of the value of the asset expected to be lost, used to
calculate the SLE
C. A value determined by multiplying the value of the asset by its
exposure factor
D. An estimate of how often a given threat event may occur annually
A. The expected risk factor of an annual threat event, derived by
multiplying the SLE by its ARO
Which of the following is not a component of an Operations Security “triple”?
A. Asset
B. Threat
C. Vulnerability
D. Risk
D. Risk
Operations Security seeks to primarily protect against which of the following?
A. object reuse
B. facility disaster
C. compromising emanations
D. asset threats
D. asset threats
The Physical Security domain addresses three areas that can be utilized to physically protect an
enterprise’s resources and sensitive information. Which of the following is not one of these areas?
A. Threats
B. Countermeasures
C. Vulnerabilities
D. Risks
B. Countermeasures
Which one of the following threats does NOT rely on packet size or large volumes of data?
A. SYN flood
B. Spam
C. Ping of death
D. Macro virus
D. Macro virus
Man-in-the-middle attacks are a real threat to what type of communication?
A. Communication based on random challenge.
B. Communication based on face to face contact.
C. Communication based on token.
D. Communication based on asymmetric encryption.
D. Communication based on asymmetric encryption.
Which of the following threats is not addressed by digital signature and token technologies?
A. Spoofing
B. replay attacks
C. password compromise
D. denial-of-service
D. denial-of-service
Within the realm of IT security, which of the following combinations best defines risk?
A. Threat coupled with a breach.
B. Threat coupled with a vulnerability.
C. Vulnerability coupled with an attack.
D. Threat coupled with a breach of security.
B. Threat coupled with a vulnerability.
Which of the following is used to help business units understand the impact of a disruptive event?
A. A risk analysis.
B. A business impact assessment.
C. A vulnerability assessment.
D. A disaster recovery plan.
B. A business impact assessment.
Which of the following would be defined as an absence of safeguard that could be exploited?
A. A threat
B. A vulnerability
C. A risk
D. An exposure
B. A vulnerability
Total risk is equal to: (Choose all that apply)
A. Threat
B. Vulnerability
C. Frequency
D. Asset value
E. Asset loss
A. Threat
B. Vulnerability
D. Asset value
Which choice below is the BEST description of a vulnerability?
A. A potential incident that could cause harm
B. The minimization of loss associated with an incident
C. A weakness in a system that could be exploited
D. A company resource that could be lost due to an incident
C. A weakness in a system that could be exploited
What is a risk?
A matched threat and vulnerability.
Which one of the following security technologies provides safeguards for authentication before
securely sending information to a web server?
A. Secure/Multipurpose Internet Mail Extension (S/MIME)
B. Common Gateway Interface (CGI) scripts
C. Applets
D. Certificates
D. Certificates
Which statement below is NOT correct about safeguard selection in the risk analysis process?
A. The most commonly considered criteria is the cost effectiveness of the
safeguard.
B. The best possible safeguard should always be implemented, regardless
of cost.
C. Maintenance costs need to be included in determining the total cost of
the safeguard.
D. Many elements need to be considered in determining the total cost of
the safeguard.
B. The best possible safeguard should always be implemented, regardless of cost.
What is the MOST accurate definition of a safeguard?
A. A control designed to counteract a threat
B. A guideline for policy recommendations
C. A step-by-step instructional procedure
D. A control designed to counteract an asset
A. A control designed to counteract a threat
Which choice is NOT a good criterion for selecting a safeguard?
A. The ability to recover from a reset without damaging the asset
B. Accountability features for tracking and identifying operators
C. The ability to recover from a reset with the permissions set to allow
all
D. Comparing the potential dollar loss of an asset to the cost of a safeguard
C. The ability to recover from a reset with the permissions set to allow
all
What is the total cost of ownership?
It is the total cost of a safeguard.
The Clark-Wilson model focuses on data's:
A. Availability.
B. Confidentiality.
C. Format.
D. Integrity.
D. Integrity.
In most security protocols that support authentication, integrity and confidentiality,
A. Public key cryptography is used to create digital signatures.
B. Private key cryptography is used to create digital signatures.
C. Digital signatures are not implemented.
D. DES is used to create digital signatures.
A. Public key cryptography is used to create digital signatures.
As an analog of confidentiality labels, integrity labels in the Biba model are assigned according to which of the following rules?
A. Objects are assigned integrity labels according to their trustworthiness; subjects are assigned
classes according to the harm that would be done if the data were modified improperly.
B. Objects are assigned integrity labels identical to the corresponding confidentiality labels.
C. Integrity labels are assigned according to the harm that would occur from unauthorized
disclosure of the information.
D. Subjects are assigned classes according to their trustworthiness; objects are assigned integrity
labels according to the harm that would be done if the data were modified improperly.
D. Subjects are assigned classes according to their trustworthiness; objects are assigned integrity
labels according to the harm that would be done if the data were modified improperly.
What is confidentiality?
Confidentiality seeks to prevent the unauthorized disclosure of information.
The theft of a laptop poses a threat to which tenet of the C.I.A. triad?
A. All of the above
B. Availability
C. Integrity
D. Confidentiality
A. All of the above
Ensuring the integrity of business information is the PRIMARY concern of
A. Encryption Security
B. Procedural Security.
C. Logical Security
D. On-line Security
B. Procedural Security.
What are the three fundamental principles of security?
A. Accountability, confidentiality, and integrity
B. Confidentiality, integrity, and availability
C. Integrity, availability, and accountability
D. Availability, accountability, and confidentiality
B. Confidentiality, integrity, and availability
Making sure that the data is accessible when and where it is needed is which of the following?
A. Confidentiality
B. integrity
C. acceptability
D. availability
D. availability
What is AAA?
Authentication, Authorization, Accountability
What is identification?
Example: a user name
What is an example of authentication?
A password
Identification establishes:
A. Authentication
B. Accountability
C. Authorization
D. None of the choices.
B. Accountability
What does nonrepudiation mean?
Nonrepudiation means a user cannot deny having performed a transaction.
Compute the risk of an earthquake in San Francisco.
Threat is a 4
Vulnerability is a 2
Threat X Vulnerability = Risk
4 X 2 = 8
Compute the risk of an earthquake in San Francisco.
Threat is a 4
Vulnerability is a 2
Impact is a 2
4 X 2 X 2 = 16
What part of an access control matrix shows capabilities that one user
has to multiple resources?
A. Rows
B. Columns
C. Rows and columns
D. Access control list
A. Rows
In the access control matrix, the rows are:
A. Capability lists.
B. Tuples.
C. Access Control Lists (ACLs).
D. Domains.
A. Capability lists.
Which answer below is the BEST description of a Single Loss Expectancy (SLE)?
A. An algorithm that determines the expected annual loss to an
organization from a threat
B. An algorithm that represents the magnitude of a loss to an asset
from a threat
C. An algorithm used to determine the monetary impact of each
occurrence of a threat
D. An algorithm that expresses the annual frequency with which a
threat is expected to occur
C. An algorithm used to determine the monetary impact of each
occurrence of a threat
How is an SLE derived?
A. ARO × EF
B. AV × EF
C. (Cost - benefit) × (% of Asset Value)
D. % of AV - implementation cost
B. AV × EF
What does an Exposure Factor (EF) describe?
A. The annual expected financial loss to an organization from a threat
B. The percentage of loss that a realized threat event would have on a
specific asset
C. A number that represents the estimated frequency of the occurrence of
an expected threat
D. A dollar figure that is assigned to a single event
B. The percentage of loss that a realized threat event would have on a
specific asset
What is the single loss expectancy?
It is the cost of a single loss. SLE is the asset value times the exposure factor.
What is the annual rate of occurrence?
the number of losses you suffer per year
What is the annualized loss expectancy?
It is your yearly cost due to a risk.
What is the total cost of ownership? Upfront costs are $100,000, support is 10,000 per year, and staff pay to load the laptops is $280,000; it is a three-year turnover.
$136,667 per year for 3 years.
Your company sells iPods online and has suffered many attacks. Your company makes an average $20,000 profit per week; a typical attack lowers sales by 40%. You suffer 7 attacks a year. For a subscription fee of $10,000 a month you can stop the attacks. What is the annual rate of occurrence?
A. $20,000
B. 40%
C. 7
D. $10,000
7
Your company sells iPods online and has suffered many attacks. Your company makes an average $20,000 profit per week; a typical attack lowers sales by 40%. You suffer 7 attacks a year. For a subscription fee of $10,000 a month you can stop the attacks. What is the annual rate of occurrence?
A. $20,000
B. $8,000
C. $84,000
D. $56,000
$56,000
A timely review of system access audit records would be an example of which of the basic security
functions?
A. avoidance
B. deterrence
C. prevention
D. detection
D. detection
Which one of the following is a core infrastructure and service element of Business Continuity
Planning (BCP) required to effectively support the business processes of an organization?
A. Internal and external support functions.
B. The change management process.
C. The risk management process.
D. Backup and restoration functions.
C. The risk management process.
Which of the following cannot be undertaken in conjunction with computer incident handling?
A. system development activity
B. help-desk function
C. system backup function
D. risk management process
A. system development activity
Why is there an exception area in a policy?
A. Policy isn't valid without it
B. Management has to deal with various issues that may
require exceptions
C. All of the above
D. None of the above
B. Management has to deal with various issues that may
require exceptions
An effective information security policy should not have which of the following characteristics?
A. Include separation of duties.
B. Be designed with a short-to mid-term focus.
C. Be understandable and supported by all stakeholders.
D. Specify areas of responsibility and authority.
B. Be designed with a short-to mid-term focus.
Policies are:
A. Optional
B. Mandatory
C. Low level
D. High level
B. Mandatory
D. High level
The continual effort of making sure that the correct policies, procedures and standards are in place
and being followed is described as what?
A. Due care
B. Due concern
C. Due diligence
D. Due practice
A. Due care
Which of the following embodies all the detailed actions that personnel are required to follow?
A. Standards
B. Guidelines
C. Procedures
D. Baselines
C. Procedures
What types of laws are considered standards of performance or conduct expected by government
agencies from companies, industries, and certain officials? (Choose all that apply)
A. Civil
B. Criminal
C. Administrative
D. Regulatory
E. Tort
C. Administrative
D. Regulatory
_______ are the step-by-step instructions used to satisfy control requirements.
A. Policy
B. Procedure
C. Guideline
D. Standard
E. Outline
B. Procedure
What are the detailed instructions on how to perform or implement a
control called?
A. Guidelines
B. Standards
C. Policies
D. Procedures
D. Procedures
Which choice MOST accurately describes the differences between standards,
guidelines, and procedures?
A. Procedures are the general recommendations for compliance with
mandatory guidelines.
B. Standards are recommended policies, and guidelines are mandatory
policies.
C. Procedures are step-by-step recommendations for complying with
mandatory guidelines.
D. Procedures are step-by-step instructions for compliance with mandatory standards.
D. Procedures are step-by-step instructions for compliance with mandatory
standards.
Which term describes a baseline that sets thresholds for specific errors or mistakes allowed, and the number of these occurrences that can take place before activity is considered suspicious?
A. Checkpoint level
B. Ceiling level
C. Clipping level
D. Threshold level
C. Clipping level
Which choice below is NOT considered an information classification role?
A. Data custodian
B. Data alterer
C. Data user
D. Data owner
B. Data alterer
Which choice MOST accurately describes the difference between the role of a data owner versus the role of a data custodian?
A. The custodian implements the information classification scheme after the initial assignment by
the owner.
B. The data owner implements the information classification scheme after the initial assignment by the custodian.
C. The custodian makes the initial information classification assignments,
and the operations manager implements the scheme.
D. The custodian implements the information classification scheme after
the initial assignment by the operations manager.
A. The custodian implements the information classification scheme after the initial assignment by
the owner.
With Discretionary access controls, who determines who has access and what privilege they have?
A. End users.
B. None of the choices.
C. Resource owners.
D. Only the administrators.
C. Resource owners.
Under MAC, who can change the category of a resource?
A. All users.
B. Administrators only.
C. All managers.
D. None of the choices.
B. Administrators only.
In the public sector, as opposed to the private sector, due care is usually determined by
A. Minimum standard requirements.
B. Legislative requirements.
C. Insurance rates.
D. Potential for litigation.
B. Legislative requirements.
What is the primary reason for the chain of custody of evidence?
A. To ensure that no evidence is lost
B. To ensure that all possible evidence is gathered
C. To ensure that it will be admissible in court
D. To ensure that incidents were handled with due care and due diligence
C. To ensure that it will be admissible in court
Which choice below is NOT a common example of exercising due care or due diligence in security practices?
A. Implementing employee casual Friday
B. Implementing security awareness and training programs
C. Implementing controls on printed documentation
D. Implementing employee compliance statements
A. Implementing employee casual Friday
Which of the following is a preventive control?
A. Motion detectors
B. Guard dogs
C. Audit logs
D. Intrusion detection systems
B. Guard dogs
In biometrics, a one-to-one search to verify an individual's claim of an
identity is
A. Audit trail review.
B. Accountability.
C. Authentication.
D. Aggregation.
C. Authentication.
Clipping levels are used to:
A. Reduce the amount of data to be evaluated in audit logs.
B. Limit errors in callback systems.
C. Limit the number of letters in a password.
D. Set thresholds for voltage variations.
A. Reduce the amount of data to be evaluated in audit logs.
What is a certification?
A detailed inspection which verifies whether a system meets the documented security requirements.
What is called the formal acceptance of the adequacy of a system’s overall security by the
management?
A. Certification
B. Acceptance
C. Accreditation
D. Evaluation
C. Accreditation
Which one of the following is an ethical consideration of computer technology?
A. Ownership of proprietary software.
B. Information resource management.
C. Service level agreements.
D. System implementation and design.
B. Information resource management.
The IAB defines which of the following as a violation of ethics?
A. Performing a DoS
B. Downloading an active control
C. Performing a penetration test
D. Creating a virus
E. Disrupting Internet communications
E. Disrupting Internet communications
According to the Internet Activities Board (IAB), an activity that causes
which of the following is considered a violation of ethical behavior on the
Internet?
A. Wasting resources
B. Using a computer to bear false witness
C. Using a computer to steal
D. Appropriating other people's intellectual output
A. Wasting resources
The Internet Activities Board (IAB) considers which of the following
behaviors relative to the Internet as unethical?
A. Negligence in the conduct of Internet experiments
B. Recordkeeping in which an individual cannot find out what
information concerning that individual is in the record
C. Improper dissemination and use of identifiable personal data
D. Recordkeeping whose very existence is secret
A. Negligence in the conduct of Internet experiments
What are the ISC code of ethics canons, in order?
Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance & protect the profession.