46. a. All these controls are examples of preventive technical security controls. Nonrepudiation control ensures that senders cannot deny sending information and that receivers cannot deny receiving it. As a result, nonrepudiation control is typically applied at the point of transmission or reception of information. Access controls, authorization controls, and authentication controls support nonrepudiation services.
47. Setting performance targets for which of the following information security metrics is relatively easier than the others?
a. Implementation metrics
b. Effectiveness metrics
c. Efficiency metrics
d. Impact metrics
47. a. Setting performance targets for effectiveness, efficiency, and impact metrics is much more complex than for implementation metrics, because these aspects of security operations do not assume a specific level of performance. Managers need to apply both qualitative and subjective reasoning to set effectiveness, efficiency, and impact performance targets.
Implementation metrics measure the results of implementing security policies, procedures, and controls (i.e., they demonstrate progress in implementation efforts). Effectiveness/efficiency metrics measure the results of security services delivery (i.e., they monitor the results of security controls implementation).
Impact metrics measure the business or mission impact of security activities and events (i.e., they provide the most direct insight into the value of security to the firm).
48. Which of the following is not an example of detective controls in information systems?
a. Audit trails
b. Encryption
c. Intrusion detection
d. Checksums
48. b. Encryption is an example of a preventive control, which inhibits attempts to violate security policy. Detective controls warn of violations or attempted violations of security policies and include audit trails, intrusion detection methods, and checksums.
49. Loss of system or data integrity reduces which of the following?
a. Assurance
b. Authorization
c. Authentication
d. Nonrepudiation
49. a. Loss of system or data integrity reduces the assurance of an IT system because assurance provides the highest level of confidence in a system. The other three choices cannot provide such assurance.
50. Which of the following should be performed first?
a. Threat-source analysis
b. Vulnerability analysis
c. Threat analysis
d. Risk analysis
50. b. Threat analysis cannot be performed until after vulnerability analysis has been conducted, because vulnerabilities lead to threats, which in turn lead to risks. Threat-source analysis is a part of threat analysis. Therefore, vulnerability analysis should be performed first.
51. Which of the following risk mitigation options prioritizes, implements, and maintains security controls?
a. Risk assumption
b. Risk avoidance
c. Risk limitation
d. Risk planning
51. d. The purpose of a risk planning option is to manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains security controls. The purpose of the risk assumption option is to accept the potential risk and continue operating the IT system. The goal of risk avoidance is to eliminate the risk cause and/or consequence. (For example, forgo certain functions of the system or shut down the system when risks are identified.) The goal of risk limitation is to authorize system operation for a limited time during which additional risk mitigation controls are being put into place.
52. All of the following are access agreements for employees prior to granting access to a computer system except:
a. Rules of engagement
b. Rules of behavior
c. Non-disclosure agreement
d. Acceptable use agreement
52. a. Rules of engagement apply to outside individuals (e.g., vendors, contractors, and consultants) when conducting penetration testing of a computer system. Employees do not have rules of engagement; they are bound by the access agreements. Examples of access agreements include rules of behavior, non-disclosure agreements (i.e., conflict-of-interest statements), and acceptable use agreements (or policies).