3. a. The primary purpose of a plan of action and milestones (POA&M) document is to correct deficiencies and to reduce or eliminate known vulnerabilities. Updates to the POA&M document are based on findings from security control assessments, security impact analyses, and continuous monitoring activities.

4. For information systems security, an exposure is defined as which of the following combinations?

a. Attack plus breach

b. Threat plus vulnerability

c. Threat plus attack

d. Attack plus vulnerability

4. d. An exposure is an instance of vulnerability in which losses may result from the occurrence of one or more attacks (i.e., attack plus vulnerability). An attack is an attempt to violate data security. A vulnerability is a weakness in security policy, procedure, personnel, management, administration, hardware, software, or facilities affecting security that may allow harm to an information system. The presence of a vulnerability does not in itself cause harm; it is a condition that may allow the information system to be harmed by an attack. A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction or modification of data or denial of service. A breach is the successful circumvention or disablement of a security control, with or without detection, which, if carried to completion, could result in a penetration of the system. Note that vulnerability comes first and breach comes next.

5. The benefits of good information security include which of the following?

1. Reduces risks

2. Improves reputation

3. Increases confidence

4. Enhances trust from others

a. 1 and 2

b. 2 and 3

c. 1, 2, and 3

d. 1, 2, 3, and 4

5. d. All four items are benefits of good information security. It can even improve efficiency by avoiding wasted time and effort in recovering from a computer security incident.

6. For risk mitigation, which of the following technical security controls are pervasive and interrelated with other controls?

a. Supporting controls

b. Prevention controls

c. Detection controls

d. Recovery controls

6. a. From a risk mitigation viewpoint, technical security controls are divided into two categories: supporting controls and other controls (i.e., prevention, detection, and recovery controls). Supporting controls are, by their nature, pervasive and interrelated with many other controls such as prevention, detection, and recovery controls. Supporting controls must be in place to implement other controls, and they include identification, cryptographic key management, security administration, and system protection.

Preventive controls focus on preventing security breaches from occurring in the first place. Detection and recovery controls focus on detecting and recovering from a security breach.

7. Information security must follow which of the following?

a. Top-down process

b. Bottom-up process

c. Top-down and bottom-up

d. Bottom-up first, top-down next

7. a. Information security must be a top-down process requiring a comprehensive security strategy explicitly linked to the organization’s business processes and strategy. Getting direction, support, and buy-in from top management sets the right stage or right tone for the entire organization.

8. Information security baselines for information assets vary depending on which of the following?

a. Availability and reliability

b. Sensitivity and criticality

c. Integrity and accountability

d. Assurance and nonrepudiation

8. b. Information security baselines vary depending on the sensitivity and criticality of the information asset, which is part of the confidentiality goal. The other three choices are not related to the confidentiality goal.

9. Which of the following characteristics of information security are critical for electronic transactions?

a. Trust and accountability

b. Trust and usefulness

c. Usefulness and possession

d. Accountability and possession

9. a. Trust and accountability are critical and needed in electronic transactions to make the customer comfortable with transactions, whereas usefulness and possession are needed to address theft, deception, and fraud.

10. From a corporate viewpoint, information integrity is most needed in which of the following?

a. Financial reporting

b. Inventory information

c. Trade secrets

d. Intellectual property
