4. To improve the system’s security posture
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
80. d. The results of information-security program assessment reviews can provide a much more reliable measure of security effectiveness. These results may be used to (i) fulfill the organization’s internal reporting requirements, (ii) support the certification and accreditation process for the system, (iii) support the continuing monitoring requirements, (iv) prepare for audits, and (v) identify resource needs to improve the system’s security posture.
81. Which of the following should not be contained in the Rules of Behavior document?
a. Copy of the security policy
b. Controls for working at home
c. Controls for dial-in access
d. Use of copyrighted work
81. a. The rules of behavior should not be a complete copy of the security policy or procedures guide, but rather cover controls at a high level. Examples of controls contained in rules of behavior include controls for working at home and controls for dial-in access, use of copyrighted work, password usage, connections to the Internet, searching databases, and divulging information. The security policy may contain an acceptable use policy.
82. Which of the following represents the best definition and equation for a comprehensive and generic risk model?
a. Breach x Threat x Vulnerability
b. Attack + Threat + Impact
c. Threat x Vulnerability x Impact
d. Attack + Vulnerability + Impact
82. c. Risk is the potential for an unwanted outcome resulting from internal or external factors, as determined from the likelihood of occurrence and the associated consequences. In other words, risk is the product of interactions among threats, vulnerabilities, and impacts. Threats deal with events and actions with potential to harm, vulnerabilities are weaknesses, and impacts are consequences.
The other three choices are incorrect because they do not combine the required components (threat, vulnerability, and impact) in the correct equation for risk.
83. Which of the following has been determined to be a reasonable level of risk?
a. Minimum risk
b. Acceptable risk
c. Residual risk
d. Total risk
83. b. Acceptable risk is the level of residual risk that has been determined to be a reasonable level of potential loss or disruption for a specific computer system.
Minimum risk is incorrect because it is the reduction in the total risk that results from the impact of in-place safeguards or controls. Residual risk is incorrect because it is the risk that remains from the occurrence of an adverse event after adjusting for the impact of all safeguards in place. Total risk is incorrect because it is the potential for the occurrence of an adverse event if no mitigating action is taken (i.e., the potential for any applicable threat to exploit a system vulnerability).
84. When a contractor representing an organization uses an internal system to connect with an external organization’s system for data exchange, the contractor should comply with which of the following agreed-upon trust relationships?
1. Conflict of interest statements
2. Rules of behavior
3. Remote session rules
4. Rules of operation
a. 1 only
b. 3 only
c. 2 and 4
d. 1, 2, 3, and 4
84. d. To comply with established trust relationships, employees and contractors have the same responsibility (a principal-and-agent relationship) because the contractor is working on behalf of the internal organization. Hence, all the terms and conditions that apply to employees apply equally to contractors. These conditions include rules of behavior, remote session rules, rules of operation, and signed conflict of interest statements.
85. The aim of risk analysis is to strike a(n):
a. Technical balance between the impact of risks and the cost of protective measures
b. Operational balance between the impact of risks and the cost of protective measures
c. Economic balance between the impact of risks and the cost of protective measures
d. Legal balance between the impact of risks and the cost of protective measures
85. c. The aim of a risk analysis is to help systems management strike an economic balance between the impact of risks and the cost of protective measures. It lists risks first and protective measures second.