53. In general, which of the following is not a cost-effective or practical procedure required of vendors, consultants, and contractors who are hired for a short period of time to assist with computer hardware and software related work?
a. Service-level agreement
b. Rules of engagement
c. Background checks
d. Conflict-of-interest clauses
53. c. Due to higher turnover among vendors, consultants, and contractors and due to short timeframe work (e.g., a month or two), it is not cost effective or practical to conduct background checks because they are applicable to regular full-time employees. Vendors, consultants, and contractors must meet all the requirements mentioned in the other three choices. Background checks include contacting previous employers, verifying education with schools, and contacting friends and neighbors. However, for consultants and other non-employees, security clearance cheeks (e.g., police, court, and criminal records) are made when they handle sensitive information at work.
54. For risk mitigation strategies, which of the following is not a proper action to take when there is a likelihood that a vulnerability can be exploited?
a. Implement assurance techniques
b. Apply layered protections
c. Apply administrative controls
d. Implement architectural design
54. a. Assurance is the grounds for confidence that the set of intended security controls in an information system are effective in their application. Assurance techniques include trustworthiness and predictable execution, which may not be effective or timely.
The other three choices reflect proper actions to take when there is likelihood that a vulnerability can be exploited.
55. Residual risk results from which of the following steps taken in the approach to control implementation, which is done as part of the risk mitigation strategy?
a. Conduct cost-benefit analysis
b. Select controls
c. Implement the selected controls
d. Develop a control implementation plan
55. c. Implementing the selected controls is the first step in the control implementation approach. The other three choices precede the implementation of the selected controls. The risk remaining after the implementation of new or enhanced security controls is the residual risk.
56. As part of security control assessment, which of the following must be in place prior to the start of penetration testing work by outsiders?
a. Rules of behavior
b. Rules of negotiation
c. Rules of engagement
d. Rules of employment
56. c. Detailed rules of engagement must be agreed upon by all parties before the commencement of any penetration testing scenario by outsiders. These rules of engagement contain tools, techniques, and procedures that are anticipated to be used by threat-sources in carrying out attacks.
Rules of behavior and rules of employment apply to internal employees. Rules of negotiation apply to both insiders and outsiders as a matter of work ethics.
57. Which of the following is not an example of supporting technical security controls used in mitigating risk?
a. Identification
b. Authentication
c. Cryptographic key management
d. Security administration
57. b. From a risk mitigation viewpoint, technical security controls are divided into two categories: supporting controls and other controls (i.e., prevention, detection, and recovery controls). This means supporting controls must be in place to implement other controls. Authentication is an example of preventive technical controls.
The other three choices (i.e., identification, cryptographic key management, and security administration) are examples of supporting technical security controls.
58. Which of the following is not an example of system protections?
a. Least privilege
b. Process separation
c. Authorization
d. Object reuse
58. c. Authorization is a part of preventive technical security controls, whereas system protections are an example of supporting technical security controls. Some examples of system protections include least privilege, process separation, and object reuse.
