2. To aid in estimating the level of risk posed by a threat and vulnerability pair
3. To reduce the residual risk to an acceptable level
4. To repeat the risk management cycle for better results
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4
193. a. The security categorization is used in two ways: (i) to determine which baseline security controls are selected and (ii) to aid in estimating the level of risk posed by a threat and vulnerability pair identified during the risk assessment step. Items 3 and 4 are part of the risk mitigation step.
194. From an economies of scale viewpoint, the assessment, implementation, and monitoring activities of common security controls are not conducted at which of the following levels?
a. Organizational level
b. Individual system level
c. Multiple systems level
d. Functional level
194. b. Common security controls are not assessed, implemented, and monitored at the individual system level, because they benefit many systems and the principle of economies of scale applies. Organizations can leverage controls shared among multiple systems by designating them as common controls, whose assessment, implementation, and monitoring activities are conducted at the organizational level or at the functional level by areas of specific expertise (e.g., human resources and physical security).
195. Which of the following is not a goal of the risk management evaluation and assessment process in ensuring that the system continues to operate in a safe and secure manner?
a. Implement a strong configuration management program.
b. Monitor the system security on a continuous basis.
c. Eliminate all potential threats, vulnerabilities, and risks to the system.
d. Track findings from the security control assessment process.
195. c. Because it is not practical or cost-effective to eliminate all potential threats, vulnerabilities, and risks to the system, management should consider only those threats, vulnerabilities, and risks that plausibly apply to the system, so that the system can be better prepared to operate in its intended environment securely, safely, and effectively.
196. Which of the following statements is not true? Risk management is the process that allows IT security managers to:
a. Balance the operational and economic cost of protective measures
b. Achieve gains in mission-essential security capabilities
c. Protect IT systems and data that support the organization’s mission
d. Request funding to protect all systems, assets, and data in a comprehensive manner
196. d. Most organizations have a tight budget for IT security; therefore, IT security spending must be reviewed as thoroughly as other management decisions. It is not wise, or affordable, to protect all systems, assets, and data in a comprehensive manner. Risk management is the process that allows IT security managers to balance the operational and economic costs of protective measures, to achieve gains in mission-essential security capabilities, and to protect the IT systems and data that support the organization's mission.
197. A plan of action and milestones document used in the security assessment and authorization process is not based on which of the following?
a. Security impact analysis
b. Security controls assessment
c. Business impact analysis
d. Continuous monitoring activities
197. c. A business impact analysis (BIA) is part of the business continuity planning (BCP) process, not the security assessment and authorization process.
The other three choices are part of the security assessment and authorization process. The plan of action and milestones (POA&M) document is developed to show the remedial actions that will correct the weaknesses noted during the assessment of the security controls and those revealed by the security impact analysis, thereby reducing the weaknesses in the system. The POA&M document also records continuous monitoring activities.
198. If an IT system has not yet been designed, the search for vulnerabilities should not focus on which of the following?
a. Security policies
b. Security procedures
c. Planned security features
d. White papers