32. d. After the information system security plan is accredited, it is important to periodically assess the plan and review any change in system status, system scope, system architecture, and system interconnections.

33. The effectiveness of security controls depends on which of the following?

1. System management

2. Legal issues

3. Quality assurance

4. Management controls

a. 1 only

b. 3 only

c. 4 only

d. 1, 2, 3, and 4

33. d. The effectiveness of security controls depends on such factors as system management, legal issues, quality assurance, internal controls, and management controls. Information security needs to work with traditional security disciplines, including physical and personnel security.

34. For information risk assessment, which of the following can improve the ability to realistically assess threats?

a. Intrusion detection tools

b. Natural threat sources

c. Human threat sources

d. Environmental threat sources

34. a. Natural, human, and environmental threat sources are the categories of threat being assessed; they are inputs to the threat analysis, not a means of improving it. Intrusion detection tools, by contrast, collect data on actual security events, thereby improving the ability to realistically assess threats to information rather than relying only on assumed threat sources.

35. Which of the following provides a 360-degree inspection of the system during the vulnerability identification of a system in the risk assessment process?

a. Automated vulnerability scanning tools

b. Security requirement checklist

c. Security advisories

d. Security test and evaluation

35. b. Developing a security requirements checklist, based on the security requirements specified for the system during the conceptual, design, and implementation phases of the system development life cycle (SDLC), can be used to provide a 360-degree inspection of the system.

Automated vulnerability scanning tools and security test and evaluation augment the basic vulnerability reviews. Security advisories are typically provided by the vendor and give the organization up-to-date information on system vulnerabilities and remediation strategies.

36. During the risk assessment process of a system, how is the level of risk to the system derived?

a. Multiplying the threat likelihood rating with the impact level

b. Subtracting the threat likelihood rating from the impact level

c. Adding the threat likelihood rating to the impact level

d. Dividing the threat likelihood rating by the impact level

36. a. When the ratings for threat likelihood (i.e., high, moderate, or low) and impact levels (i.e., high, moderate, or low) have been determined through appropriate analysis, the level of risk to the system and the organization can be derived by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact level.
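The following is an added worked example, not part of the original question bank, showing how the likelihood and impact ratings are combined. The page gives only the qualitative ratings (high, moderate, low); the numeric weights and risk thresholds below are an assumption taken from the risk-level matrix style used in NIST SP 800-30 (likelihood 1.0/0.5/0.1, impact 100/50/10, risk high above 50, moderate above 10, otherwise low). The findings list is constructed for illustration.

```python
# Added example: deriving a risk level by multiplying threat likelihood
# by impact, then ranking findings. Numeric weights are an assumption
# (NIST SP 800-30 style), not values given on the page.

LIKELIHOOD = {"high": 1.0, "moderate": 0.5, "low": 0.1}
IMPACT = {"high": 100, "moderate": 50, "low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = threat likelihood rating x impact level (both qualitative)."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_level(score: float) -> str:
    """Map a numeric product back onto the high/moderate/low scale."""
    if score > 50:
        return "high"
    if score > 10:
        return "moderate"
    return "low"


def risk_matrix() -> dict:
    """All nine likelihood x impact combinations, as (score, level)."""
    return {
        (lk, im): (risk_score(lk, im), risk_level(risk_score(lk, im)))
        for lk in LIKELIHOOD
        for im in IMPACT
    }


def rank_findings(findings: list) -> list:
    """Order threat/vulnerability pairs by derived risk, highest first.

    Each finding is a dict with 'name', 'likelihood' and 'impact'.
    Ties keep input order (sorted() is stable), so the assessor's own
    ordering survives for findings with an equal score.
    """
    scored = []
    for f in findings:
        score = risk_score(f["likelihood"], f["impact"])
        scored.append({**f, "score": score, "level": risk_level(score)})
    return sorted(scored, key=lambda f: f["score"], reverse=True)


# Constructed sample findings (hypothetical, for illustration only).
SAMPLE_FINDINGS = [
    {"name": "unpatched internet-facing web server", "likelihood": "high", "impact": "high"},
    {"name": "weak password policy on internal wiki", "likelihood": "high", "impact": "low"},
    {"name": "no UPS in branch office", "likelihood": "low", "impact": "high"},
    {"name": "missing log review for VPN", "likelihood": "moderate", "impact": "moderate"},
]


def example_ranking() -> list:
    """Names in risk order for the constructed sample."""
    return [f["name"] for f in rank_findings(SAMPLE_FINDINGS)]


if __name__ == "__main__":
    for (lk, im), (score, level) in sorted(risk_matrix().items()):
        print(f"likelihood={lk:8s} impact={im:8s} score={score:6.1f} -> {level}")
    print(example_ranking())
```

Note the coarseness of the product: a high-likelihood, low-impact threat and a low-likelihood, high-impact threat both score 10 and land in the "low" band, so the qualitative scale cannot distinguish a frequent nuisance from a rare catastrophe. A practitioner should treat the matrix as a prioritisation aid and review such ties by hand.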

37. The effectiveness of recommended security controls is primarily related to which of the following?

a. System safety

b. System reliability

c. System complexity

d. System regulations

37. c. The effectiveness of recommended security controls is primarily related to system complexity and compatibility. The level and type of security controls should fit with the system complexity, meaning more controls are needed for complex systems and fewer controls are needed for simple systems. At the same time, security controls should match the system compatibility, meaning application-oriented controls are needed for application systems, and operating system–oriented controls are needed for operating systems. Other factors that should be considered include legislation and regulations, the organization’s policy, system impact, system safety, and system reliability.

38. Risk mitigation does not strive to do which of the following?

a. Control identification

b. Control prioritization

c. Control evaluation

d. Control implementation

38. a. Risk mitigation strives to prioritize, evaluate, and implement the appropriate risk-reducing controls recommended from the risk assessment process. Control identification is performed in the risk assessment process, which comes before risk mitigation.

39. Which one of the following items can be a part of other items?

a. Management controls

b. Operational controls

c. Technical controls

d. Preventive controls
