Information Security Management 1

01: According to your textbook which of the following is NOT part of risk analysis:

___ Determine how likely each risk is to occur

___ Identify any risks to assets

___ Implement an acceptable use policy

___ Determine the value of assets

02: A risk is defined as:

___ A weakness in a system

___ A potential for exploit of a weakness in a system

___ The existence of a weakness in a system and the potential for an exploit

___ An attempted security attack

03: If a manager obtains insurance for damage to an asset, this is called risk transference:

___ True

___ False

04: Managers should declare financial statements about asset values:

___ True

___ False

05: A principle that a single person should not have authority to execute a critical task is called:

___ Access control

___ Separation of duties (or privileges)

___ Discretionary control

___ Confidentiality

06: Unauthorized alteration of information is a breach of:

___ Confidentiality

___ Integrity

___ Availability

___Protocol

07: Of the two types of attackers, which has the potential to do the most damage?

___ Malicious Outsiders

___ Non-Malicious Insiders

___ Non-Malicious Outsiders

___ Malicious Insiders

08: When controlling information such that only those who get the information are those who require it to do their job is called on a “need to know” basis:

___ True

___ False

09: Planning to have a “hot site” to restart operations in the case of a fatal incident is part of having a:

___ Risk Assessment Plan

___ Disaster Recovery Plan

___ Vulnerability Assessment Plan

___ Business Continuity Plan

10: Planning for a “co-location” to continue business as usual in the case of an incident that disrupts operations at one site is part of having a:

___ Risk Assessment Plan

___ Disaster Recovery Plan

___ Vulnerability Assessment Plan

___ Business Continuity Plan

 

11:  SLE represents:

___ The proportion of assets that would be destroyed by a risk

___ Damage to an asset each time a risk would incur in a year

___ Number of times a risk may occur in a year

___ Damage to an asset incurred cumulatively for each year of the asset’s lifetime

12: Privilege creep means:

___ An administrator gives him or herself the ability to examine private accounts

___ An attacker uses a rootkit to escalate privileges to execute system functions

___ When someone changes roles, they accrue both old and new privileges even if they are not needed

___ When a user logs in as a normal user, the executes an “su” to become a superuser

13: The four choices that managers have when managing risks are, (1) risk avoidance, (2) risk prosecution, (3) risk acceptance, (4) risk transference.

___ True

___ False

14:  The encryption algorithm AES avoids security through obscurity:

___ True

___ False

15:  A security policy is a written document only:

___ True

___ False

16: Even though very simplistic, security “checklists” such as the ISO 27000: 27001/27002 (17799) – also known as the ISO 27000 (or ISO27K) family of standards is useful for security auditing in preparation for or as part of a security certification:

___ True

___ False

 

 

17: Conducting background checks on employees is illegal in the United States:

___ True

___ False

18: Least privilege means allocating only the minimum set of privileges required to perform a job function:

___ True

___ False

Short Essay:

19:  Give a brief explanation of the differences between risk assessment and risk management. Give as an example the name of at least one standard or framework that is used for each one:

 

20:  Briefly describe what responsibilities managers have in terms of security. In this description, note that managers in this context are not security officers or officers of a company and do NOT have fiduciary responsibilities. In other words, what are minimum security standards managers must adhere to regardless of their position?