181. Staffing decisions and hiring procedures are critical in solving computer-related security issues and problems. Which of the following is the correct sequence of steps involved in the staffing process?
1. Determining the sensitivity of the position
2. Defining the job duties
3. Filling the position
4. Determining the computer access levels
a. 1, 2, 3, and 4
b. 2, 4, 3, and 1
c. 2, 4, 1, and 3
d. 1, 4, 2, and 3
181. c. Personnel issues are closely linked to logical access security controls. Early in the process of defining a position, security issues should be identified and dealt with. After a job position and duties have been broadly defined, the responsible supervisor should determine the type of computer access levels (e.g., add, modify, and delete) needed for that position or job.
Knowledge of the job duties and access levels that a particular position requires is necessary for determining the sensitivity of the position (whether a security clearance is required). The responsible supervisor should correctly identify position sensitivity levels and computer access levels so that appropriate, cost-effective background checks and screening methods can be completed.
When a position’s sensitivity has been determined, the position is ready to be staffed. Background checks and screening methods help determine whether a particular individual is suitable for a given position. Computer access levels and position sensitivity can also be determined in parallel.
182. Establishing an information system security function program within an organization should be the responsibility of:
a. Information systems management
b. Internal auditors
c. Compliance officers
d. External auditors
182. a. Both information systems management and functional user management have a joint and shared responsibility in establishing an information systems security function within an organization. It is because the functional user is the data owner and information systems management is the data custodian. Internal/external auditors and compliance officers have no responsibility in actually establishing such a function; although, they make recommendations to management to establish such a function.
183. Risk management is an aggregation of which of the following?
1. Risk assessment
2. Risk mitigation
3. Ongoing risk evaluation
4. Risk profile
a. 1 and 2
b. 2 and 3
c. 1 and 4
d. 1, 2, and 3
183. d. Risk management is an aggregation of risk assessment, risk mitigation, and ongoing evaluation of risk. Risk profile for a computer system or facility involves identifying threats and developing controls and policies in order to manage risks.
184. Which of the following is not the major reason for conducting risk assessment?
a. It is required by law or regulation.
b. It is integrated into the system development life-cycle process.
c. It is a good security practice.
d. It supports the business objectives.
184. a. Risk assessment should be conducted and integrated into the system/software development life cycle (SDLC) process for information systems, not because it is required by law or regulation, but because it is a good security practice and supports the organization’s business objectives or mission.
185. Which of the following is the first step in the risk assessment process?
a. Threat identification
b. Vulnerability identification
c. System characterization
d. Risk analysis
185. c. System characterization is the first step in the risk assessment process. When characterizing the system, the mission criticality and sensitivity are described in sufficient terms to form a basis for the scope of the risk assessment. Characterizing an information system establishes the scope of the risk assessment effort, delineates the operational authorization or accreditation boundaries, and provides information (e.g., hardware, software, system connectivity, and associated personnel). This step begins with identifying the system boundaries, resources, and information.
186. A low-impact system does not require which of the following to fully characterize the system?
a. Questionnaires
b. Hands-on security testing and evaluation
c. Interviews
d. Automated scanning tools
