7. Which of the following is the best personnel arrangement for the design and
management of security for an organization?
B: The best personnel arrangement for the design and management of
security for an organization is a team of internal security professionals.
9. Who is ultimately responsible for negligence in protecting the assets of an
organization?
A: Senior management is ultimately responsible for implementing prudent
due care and is liable for negligence in protecting the assets of an
organization.
10. Which of the following is not one of the three security control types that a
security administrator can employ to manage and impose security?
C: Administrative, technical, and physical are the three security control
types that a security administrator can employ to manage and impose
security.
14. A security administrator may employ all but which of the following types of
controls to implement a security solution?
A: Executive is not a valid type of security control. The three valid types of
security control are administrative, technical (or logical), and physical.
17. Which of the following is not one of the fundamental principles of security
included in the CIA triad?
C: While accountability is an important part of IT security, it is not one of
the three fundamental principles of security included in the CIA triad,
which includes Confidentiality, Integrity and Availability.
18. The ability of a computer system to provide adequate capacity for predictable
performance represents which of the fundamental security principles of the
CIA triad?
D: The ability of a computer system to provide adequate capacity for
predictable performance is an example of Availability.
25. Which of the following is not an example of a security control that focuses on
maintaining availability?
C: Implementing need-to-know access controls is an example of a security
control that focuses on maintaining confidentiality.
27. Which of the following is not an example of a security control that focuses on
maintaining confidentiality?
C: Change restrictions are an example of a security control that focuses on
maintaining integrity.
29. Which of the following is not an example of a security control that focuses on
maintaining integrity?
A: Network monitoring is an example of a security control that focuses on
maintaining availability.
B: Failing to enforce the password policy is an example of a vulnerability.
39. Which of the following is not true regarding an operational security plan?
A: A system specific plan includes an approved software list.
42. The top down approach to security management provides for all but which of
the following?
B: The top down approach to security management does not provide for the
assignment of responsibility to down-level administrators. Senior
management is always ultimately responsible for the success or failure
of the security policy and resulting security solution.
44. Risk is the ______________ of something happening that will damage assets.
D: Risk is the possibility of something happening that will damage assets.
46. Which of the following represent the primary security factors that a private
sector organization is concerned about?
B: Private sector organizations are primarily concerned about data
availability and integrity.
47. The most important aspect of security to military organizations is?
C: Confidentiality is the most important aspect of security to military
organizations.
48. What is the primary goal of risk management?
D: The primary goal of risk management is to reduce risk to an acceptable
level.
50. All but which of the following apply to senior management in relation to risk
analysis?
B: The Risk Assessment Team should be comprised of a representative
from most or all departments, not necessarily senior management.
55. Which of the following is not considered an element in determining the cost of
an asset?
A: The cost to train personnel to use an asset is not as relevant as the costs
to develop, acquire, and maintain it when determining the cost of an
asset. Training costs are often difficult to quantify, since training on any
specific asset is typically grouped with training on overall IT
interaction. While this answer is technically correct, it is the least
correct answer of those offered.
56. Which of the following is not considered an element in determining the cost of
an asset?
B: The cost of backward engineering is the competitor's cost, not the
organization's.
58. Risk analysis is used to determine whether safeguards are all but which of the
following?
C: No safeguard is exhaustive of all risks.
59. The objectives of risk analysis include all but which of the following?
D: Risk analysis is used to compare safeguards, but it does not select the
countermeasure to implement. Countermeasure Selection is left to the
decision makers, i.e. senior management or their delegated
administrators.
61. The annualized loss expectancy can be calculated using which of the following
equations?
D: The annualized loss expectancy can be calculated using asset value x
exposure factor x annualized rate of occurrence. It can also be
calculated using single loss expectancy x annualized rate of occurrence.
62. Which of the following is not considered an element in determining the cost of
an asset?
C: The file formats used by the asset are typically not an element in
determining the cost of an asset.
63. Determining the value of an asset can be useful in all but which of the
following requirements or activities?
B: Asset valuation is useful in assigning classifications, in cost/benefit
analysis to determine which safeguards to select, and in deciding how much
insurance to obtain to cover a particular asset. Risk to a threat would not
be determined by asset value.
A: A quantitative risk analysis approach employs specific dollar values
assigned to each risk.
66. What form of qualitative risk analysis employs a group of people who reach a
consensus through an anonymous means of voting and exchanging ideas?
A: The Delphi technique is a form of qualitative risk analysis that employs
a group of people who reach a consensus through an anonymous means
of voting and exchanging ideas.
67. Which of the following is not a method used in qualitative risk analysis?
B: Quantitative, not qualitative, risk analysis can be automated with
software.
72. Which of the following is not an accepted response to the results of risk
analysis?
B: Rejecting risk is not an accepted response to the results of risk analysis.
74. Which of the following is not a valid example of assigning risk?
D: Delegating security policy implementation responsibilities is not a valid
example of assigning risk. Risk remains the responsibility of senior
management; it cannot be delegated.
76. Which of the following is not one of the five standard data classifications used
by the military?
C: Private is a data classification used by the private sector (i.e. corporate
business), not the military.
77. What level of private sector data classification represents assets that if
disclosed will not cause an adverse impact?
D: The public data classification represents assets that if disclosed will not
cause an adverse impact.
78. What is the difference between total risk and residual risk?
D: Residual risk is what remains after selected safeguards are applied (i.e.
controls gap). Residual risk = total risk - controls gap.
80. What form of security policy outlines the laws and industry restrictions placed
upon an organization?
B: Regulatory security policies outline the laws and industry restrictions
placed upon an organization.
B: Not inspecting the fire suppression system is an exposure.
88. Which of the following is the best definition for countermeasures and
safeguards?
D: Reduces the risk of a threat taking advantage of a vulnerability is the
best definition offered in this question for countermeasures and
safeguards.
93. What aspect of an asset determines whether it should be protected and to what
extent that protection should extend?
C: The value of an asset determines its need for security.
94. Which of the following is typically not included in the valuation of an asset?
D: The cost to store and serve an asset is not included in the valuation of
an asset; that is considered a cost of the infrastructure.
95. What is the primary security purpose for mandatory week long minimum
yearly vacations?
D: Mandatory vacations are used to perform auditing.
98. Guidelines serve all but which of the following purposes within an
organization's formalized security structure?
A: Guidelines do not serve as step-by-step implementation manuals.
100. All but which of the following are characteristics of an effective security
plan?
C: Implementing cost-effective safeguards is an aspect of a security plan,
but not all safeguards or security mechanisms are inexpensive. Cost is
not a characteristic of an efficient security plan.
102. The security model employed by an organization depends upon their primary
needs. What is the primary need of a government or military organization?
D: Confidentiality is the primary need of government and military
organizations.
103. Baselines are used for all but which of the following within an organization's
formalized security structure?
D: Baselines are not used as operational guides.
106. The greatest number of threats to the assets of an organization come from
where?
A: The greatest number of threats to the assets of an organization comes
from inside the organization (over 85%).
107. Which of the following is not a task that should be performed by the risk
assessment/risk analysis team?
C: To implement an appropriate countermeasure is not a task of the risk
assessment team. They are only to provide cost/benefit analysis of
countermeasures. It is the responsibility of management to select an
appropriate countermeasure based on the analysis and assign the
implementation procedure to the security management/administration
team.
108. Who is held liable for an organization's failure to perform due care and due
diligence?
C: The senior management is held liable for the failure to perform due care
and due diligence.
109. What is the cardinal rule of risk analysis?
D: The annual cost of safeguards should not exceed the possible annual cost
of the loss of an asset is the cardinal rule of risk analysis.
110. Which of the following risk analysis approaches assigns real numbers to the
costs of asset loss and countermeasure implementation?
B: Quantitative analysis assigns real numbers to the costs of asset loss and
countermeasure implementation.
111. Which of the following military data classification levels is used to label
assets that may cause serious damage to national security if that asset were
disclosed?
B: Secret assets may cause serious damage to national security if that asset
were disclosed.
112. What security mechanism is often employed as the primary defense against
collusion?
A: Job rotation is the primary defense against collusion.
113. In the formula for calculating residual risk, what does the controls gap
element represent?
C: The controls gap represents countermeasures and safeguards.
115. Standards are used for what purpose in a formalized security structure?
C: Standards are used to establish uniformity across an organization.
116. Which qualitative analysis method is a group decision method that seeks a
consensus while retaining the anonymity of the participants?
A: Delphi Technique
117. All but which of the following statements are true in regard to security
awareness training?
B: Obtaining certifications is not a function of Security Awareness
Training.
118. What is the most important aspect of the exit interview for terminated
employees?
A: The most important aspect of the exit interview is to review
non-disclosure agreements.
A: Asset valuation does not typically improve asset hosting costs.
121. Risk analysis is used to ensure all but which of the following?
C: No system is 100% risk free.
124. The security model employed by an organization depends upon their primary
needs. What are the primary needs of a private sector business?
C: The primary needs of a private sector business are integrity and
availability.
125. Which of the four possible responses to the identification and cost/benefit
analysis of risk is considered an invalid response?
B: Reject is considered an invalid response.
B: Backup media verification is not a type of risk; rather, it is a safeguard to
ensure the viability of backup restorations.
131. The percentage of loss of the value of an asset, which an organization would
incur if a threat event was realized, is known as?
D: The exposure factor is the percentage of loss of the value of an asset,
which an organization would incur if a threat event was realized.
132. In the realm of risk analysis, senior management is responsible for all but
which of the following?
A: The risk assessment team, not senior management, is responsible for
performing the cost/benefit analysis.
133. Job rotation as a security mechanism has shown itself effective against which
of the following?
C: Job rotation is directly effective against collusion.
135. The security administration team should be responsible for all but which of
the following?
C: Approving the security policy is the responsibility of senior
management, not the security administration team.