198. c. The planned security features are described in the security design documentation, which occurs after identifying vulnerabilities. If the IT system has not yet been designed, the search for vulnerabilities should focus on the organization’s security policies, security procedures, the system requirements definitions, and the vendor’s or developers’ security product analyses (e.g., white papers).
199. Which of the following proactive technical methods is used to complement the security controls review?
a. Information scanning tool
b. Vulnerability scanning tool
c. Network scanning tool
d. Penetration testing tool
199. d. Penetration testing tool can be used to complement the security controls review and to ensure that different facets of the IT system are secured. The penetration testing occurs after the review of security controls, which includes the use of the automated information scanning tool, automated vulnerability scanning tool, and automated network scanning tool, and security test and evaluation. The penetration testing uses the results obtained from the security controls review.
200. When an employee of an organization uses an internal system to connect with an external organization’s system for data exchange, the employee should comply with which of the following agreed upon trust relationships?
1. Conflict of interest statements
2. Rules of behavior
3. Remote session rules
4. Rules of operation
a. 1 and 2
b. 2 and 3
c. 1, 3, and 4
d. 1, 2, 3, and 4
200. d. Employees of an organization should be bound by the terms and conditions consistent with any agreed upon trust relationships between internal system owner and external system owner. These conditions include rules of behavior, remote session rules, rules of operation, and signed conflict of interest statements.
201. The security objective or principle of confidentiality does not deal with which of the following?
a. Authenticity
b. Sensitivity
c. Secrecy
d. Criticality
201. a. Authentication is a part of the integrity security objective or principle, whereas the other three choices are part of a confidentiality objective or principle.
202. Which of the following is not a goal of IT security?
a. Confidentiality
b. Integrity
c. Aggregation
d. Availability
202. c. Aggregation is an element of sensitivity where data is summarized to mask the details of a subject matter. The other three choices are the goals of IT security.
203. Which of the following is not an outcome of information security governance?
a. Strategic alignment
b. Information asset
c. Risk management
d. Resource management
203. b. Information asset is a business-critical asset, without which most organizations would not function properly. It is a business enabler, not an outcome. The other three choices are examples of outcome of information security governance.
204. Which of the following is not an input to the risk management and information security strategy?
a. Business strategy
b. Security requirements
c. Business processes
d. Risk assessments
204. b. Security requirements are the outputs of the risk management activity. Inputs to the risk management and information security strategy include business strategy, business processes, risk assessments, business input analysis, information resources, and regulatory requirements.
205. Which of the following is not a correct method of expressing information security baselines?
a. Technical standards
b. Procedural standards
c. Vendor standards
d. Personnel standards
205. c. Information security baselines can be expressed as technical, procedural, and personnel standards because they are internal to an organization. In addition to the above standards, the baseline should consider laws, regulations, policies, directives, and organizational mission/business/operational requirements, which could identify security requirements.
Vendors are external to an organization and it would be difficult to accommodate their standards into the baseline due to many vendors. In addition, vendor standards could be unpredictable and unstable.
