Test bank for Principles of Information Security 6th

Edition Whitman Mattord 1337102067 9781337102063

Download full test bank at:

https://testbankpack.com/p/test-bank-for-principles-of-information-security-6th-edition-
whitman-mattord-1337102067-9781337102063/

Download full solution manual at:

https://testbankpack.com/p/solution-manual-for-principles-of-information-security-6th-
edition-whitman-mattord-1337102067-9781337102063/

Chapter 05 Risk Management

TRUEFALSE

1. The upper management of an organization must structure the IT and information security
functions to defend the organization's information assets.

(A) True (B)

False

Answer : (A)

2. Risk control is the application of controls that reduce the risks to an organization's
information assets to an acceptable level.

(A) True (B)

False

Answer : (A)

3. According to Sun Tzu, if you know yourself and know your enemy, you have an average chance to
be successful in an engagement.

(A) True (B)

False

Answer : (B)

4. Knowing yourself means identifying, examining, and understanding the threats facing the
organization.
(A) True (B)

False

Answer : (B)

5. In addition to their other responsibilities, the three communities of interest are responsible for
determining which control options are cost effective for the organization.

(A) True (B)

False

Answer : (A)
6. Residual risk is the risk that has not been removed, shifted, or planned for after vulnerabilities
have been completely resolved.

(A) True (B)

False

Answer : (B)

7. Identifying human resources, documentation, and data information assets of an organization is

less difficult than identifying hardware and software assets.

(A) True (B)

False

Answer : (B)

8. You should adopt naming standards that do not convey information to potential system attackers.

(A) True

(B) False

Answer : (A)

9. Within a data classification scheme, "comprehensive" means that an information asset should fit
in only one category.

(A) True (B)

False

Answer : (B)

10. A data classification scheme is a formal access control methodology used to assign a level of
availability to an information asset and thus restrict the number of people who can access it.

(A) True (B)

False

Answer : (B)

11. A security clearance is a component of a data classification scheme that assigns a status level
to systems to designate the maximum level of classified data that may be stored on them.

(A) True
(B) False

Answer : (B)

12. When determining the relative importance of each asset, refer to the organization's mission
statement or statement of objectives to determine which elements are essential, which are
supportive, and which are merely adjuncts.

(A) True (B)

False

Answer : (A)

13. When it is necessary to calculate, estimate, or derive values for information assets, you might
give consideration to the value incurred from the cost of protecting the information.

(A) True (B)

False

Answer : (A)

14. The value of information to the organization's competition should influence the asset's valuation.

(A) True

(B) False

Answer : (A)

15. You cannot use qualitative measures to rank information asset values.

(A) True

(B) False

Answer : (B)

16. The threats-vulnerabilities-assets (TVA) worksheet is a document that shows a comparative

ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in
the asset/threat pairings.

(A) True (B)

False

Answer : (A)
17. The defense control strategy is the risk control strategy that attempts to eliminate or reduce
any remaining uncontrolled risk through the application of additional controls and safeguards, but it
is not the preferred approach to controlling risk.

(A) True (B)

False

Answer : (B)

18. If the acceptance strategy is used to handle every vulnerability in the organization, its
managers may be unable to conduct proactive security activities and may portray an
apathetic approach to security in general.

(A) True (B)

False

Answer : (A)

19. To determine if the risk to an information asset is acceptable or not, you estimate the expected
loss the organization will incur if the risk is exploited.

(A) True (B)

False

Answer : (A)

20. In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with
the most likely loss from an attack; the SLE is the product of the asset's value and the annualized
loss expectancy.

(A) True (B)

False

Answer : (B)

21. Some information security experts argue that it is virtually impossible to determine the true
value of information and information-bearing assets.

(A) True (B)

False

Answer : (A)

22. Cost-benefit analyses (CBAs) cannot be calculated after controls have been functioning for a
time, as observation over time prevents precision in evaluating the benefits of the safeguard and
determining whether it is functioning as intended.

(A) True (B)

False

Answer : (B)

23. Process-based measures are performance measures that are focused on numbers and are less
strategic than metric-based measures.

(A) True (B)

False

Answer : (B)

24. Best business practices are often called recommended practices.

(A) True

(B) False

Answer : (A)

25. A best practice proposed for a small to medium-sized business will be similar to one used to help
design control strategies for a large multinational company.

(A) True (B)

False

Answer : (B)

26. One advantage to benchmarking is that best practices change very little over time.

(A) True

(B) False

Answer : (B)

27. Baselining is the comparison of past security activities and events against the
organization's current performance.

(A) True

(B) False
Answer : (B)

28. Operational feasibility is an assessment of whether the organization can acquire the technology
necessary to implement and support the proposed control.

(A) True (B)

False

Answer : (B)

29. Organizations should communicate with system users throughout the development of the
security program, letting them know that changes are coming, and reduce resistance to these
expected changes through communication, education, and involvement.

(A) True (B)

False

Answer : (A)

30. The results from risk assessment activities can be delivered in a number of ways: a report on a
systematic approach to risk control, a project-based risk assessment, or a topic-specific risk
assessment.

(A) True (B)

False

Answer : (A)

31. Establishing a competitive business model, method, or technique enables an organization to

provide a product or service that is superior and creates a(n) competitive advantage.

(A) True (B)

False

Answer : (A)

32. Risk control is the enumeration and documentation of risks to an organization's information
assets.

(A) True (B)

False

Answer : (B)
33. Risk acceptance defines the quantity and nature of risk that organizations are willing to accept
as they evaluate the trade-offs between perfect security and unlimited accessibility.

(A) True (B)

False

Answer : (B)

34. Pervasive risk is the amount of risk that remains to an information asset even after
the organization has applied its desired level of controls.

(A) True (B)

False

Answer : (B)

35. TVA safeguard risk is a combined function of (1) a threat less the effect of threat-reducing
safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset
less the effect of asset value-reducing safeguards.

(A) True (B)

False

Answer : (B)

36. Within data classification schemes, it is important that all categories used be classified and
mutually exclusive.

(A) True (B)

False

Answer : (B)

37. One way to determine which information assets are valuable is by evaluating which information
asset(s) would expose the company to liability or embarrassment if revealed.

(A) True (B)

False

Answer : (A)

38. Each of the threats faced by an organization must be evaluated, including determining the
threat's potential to endanger the organization, which is known as a threat prioritization.

(A) True (B)

False

Answer : (B)

39. Risk mitigation is the process of assigning a risk rating or score to each information asset.

(A) True (B)

False

Answer : (B)

40. Likelihood is the probability that a specific vulnerability within an organization will be the
target of an attack.

(A) True (B)

False

Answer : (A)

41. Loss event frequency is the combination of an asset's value and the percentage of it that might
be lost in an attack.

(A) True (B)

False

Answer : (B)

42. The mitigation control strategy attempts to reduce the impact of a successful attack through
planning and preparation.

(A) True (B)

False

Answer : (A)

43. The most common example of a mitigation procedure is a contingency plan.

(A) True
(B) False

Answer : (A)

44. A(n) disaster recovery plan includes the steps necessary to ensure the continuation of the
organization when a disaster's scope or scale exceeds the ability of the organization to restore
operations, usually through relocation of critical business functions to an alternate location.

(A) True (B)

False

Answer : (B)

45. Cost mitigation is the process of preventing the financial impact of an incident by implementing
a control.

(A) True (B)

False

Answer : (B)

46. Exposure factor is the expected percentage of loss that would occur from a particular attack.

(A) True (B)

False

Answer : (A)

47. The computed value of the ALE compares the costs and benefits of a particular control
alternative to determine whether the control is worth its cost.

(A) True (B)

False

Answer : (B)

48. A(n) qualitative assessment is based on characteristics that do not use numerical measures.

(A) True

(B) False
Answer : (A)

49. Process-based measures are comparisons based on observed numerical data, such as numbers of
successful attacks.

(A) True (B)

False

Answer : (B)

50. Benchmarking is the process of comparing other organizations' activities against the
practices used in one's own organization to produce results it would like to duplicate.

(A) True (B)

False

Answer : (A)

51. Security efforts that seek to provide a superior level of performance in the protection of
information are referred to as best business practices.

(A) True (B)

False

Answer : (A)

52. In information security, benchmarking is the comparison of past security activities and events
against the organization's current performance.

(A) True (B)

False

Answer : (B)

53. Within organizations, the most important feasibility is technical feasibility, which defines what
can and cannot occur based on the consensus and relationships between the communities of
interest.

(A) True (B)

False

Answer : (B)
54. Operational feasibility is also known as behavioral feasibility.

(A) True (B)

False

Answer : (A)

55. Sometimes a risk assessment report is prepared for a specific IT project at the request of the
project manager, either because it is required by organizational policy or because it is good project
management practice.

(A) True (B)

False

Answer : (A)

MULTICHOICE

56. The concept of competitive refers to falling behind the competition.

(A) disadvantage

(B) drawback

(C) failure

(D) shortcoming

Answer : (A)

57. Risk is the application of security mechanisms to reduce the risks to an organization's
data and information systems.

(A) management

(B) control

(C) identification

(D) security

Answer : (B)

58. The first phase of risk management is .

(A) risk identification

(B) design

(C) risk control

(D) risk evaluation

Answer : (A)

59. Risk defines the quantity and nature of risk that organizations are willing to accept as
they evaluate the trade-offs between perfect security and unlimited accessibility.

(A) benefit

(B) appetite

(C) acceptance

(D) avoidance

Answer : (B)

60. addresses are sometimes called electronic serial numbers or hardware addresses.

(A) HTTP

(B) IP

(C) DHCP (D)

MAC Answer

: (D)

61. A(n) is an authorization issued by an organization for the repair, modification, or

update of a piece of equipment.

(A) IP (B)

FCO (C)

CTO (D)

HTTP

Answer : (B)

62. A(n) is a formal access control methodology used to assign a level ofconfidentiality to
an information asset and thus restrict the number of people who can access it.

(A) security clearance scheme

(B) data recovery scheme

(C) risk management scheme

(D) data classification scheme

Answer : (D)

63. Federal agencies such as the NSA, FBI, and CIA use specialty classification schemes. For
materials that are not considered "National Security Information," data is the lowest-level
classification.

(A) sensitive

(B) confidential

(C) unclassified

(D) public

Answer : (C)

64. A assigns a status level to employees to designate the maximum level of classified data

they may access.

(A) security clearance scheme

(B) data recovery scheme

(C) risk management scheme

(D) data classification scheme

Answer : (A)

65. Management of classified data includes its storage and .

(A) distribution

(B) portability

(C) destruction

(D) All of the above

Answer : (D)

66. Some people search trash and recycling bins-a practice known as -to retrieve
information that could embarrass a company or compromise information security.
(A) shoulder surfing

(B) dumpster diving

(C) pretexting

(D) corporate espionage

Answer : (B)

67. In a(n) , assets or threats can be prioritized by identifying criteria with differing levels
of importance, assigning a score for each of the criteria, and then summing and ranking those
scores.

(A) threat assessment

(B) risk management program

(C) weighted factor analysis

(D) data classification scheme

Answer : (C)

68. The calculation of the likelihood of an attack coupled with the attack frequency to determine the
expected number of losses within a specified time range is called the .

(A) loss frequency

(B) annualized loss expectancy

(C) likelihood

(D) benefit of loss

Answer : (A)

69. equals the probability of a successful attack multiplied by the expected loss from a
successful attack plus an element of uncertainty.

(A) Loss magnitude

(B) Risk

(C) Loss frequency

(D) Loss

Answer : (B)
Another random document with
no related content on Scribd:
 1.E.5. Do not copy, display, perform, distribute or redistribute
this electronic work, or any part of this electronic work, without
prominently displaying the sentence set forth in paragraph 1.E.1
with active links or immediate access to the full terms of the
Project Gutenberg™ License.

1.E.6. You may convert to and distribute this work in any binary,
compressed, marked up, nonproprietary or proprietary form,
including any word processing or hypertext form. However, if
you provide access to or distribute copies of a Project
Gutenberg™ work in a format other than “Plain Vanilla ASCII” or
other format used in the official version posted on the official
Project Gutenberg™ website (www.gutenberg.org), you must, at
no additional cost, fee or expense to the user, provide a copy, a
means of exporting a copy, or a means of obtaining a copy upon
request, of the work in its original “Plain Vanilla ASCII” or other
form. Any alternate format must include the full Project
Gutenberg™ License as specified in paragraph 1.E.1.

1.E.7. Do not charge a fee for access to, viewing, displaying,

performing, copying or distributing any Project Gutenberg™
works unless you comply with paragraph 1.E.8 or 1.E.9.

1.E.8. You may charge a reasonable fee for copies of or

providing access to or distributing Project Gutenberg™
electronic works provided that:

• You pay a royalty fee of 20% of the gross profits you derive from
the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,
but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
 about donations to the Project Gutenberg Literary Archive
Foundation.”

• You provide a full refund of any money paid by a user who

notifies you in writing (or by e-mail) within 30 days of receipt that
s/he does not agree to the terms of the full Project Gutenberg™
License. You must require such a user to return or destroy all
copies of the works possessed in a physical medium and
discontinue all use of and all access to other copies of Project
Gutenberg™ works.

• You provide, in accordance with paragraph 1.F.3, a full refund of

any money paid for a work or a replacement copy, if a defect in
the electronic work is discovered and reported to you within 90
days of receipt of the work.

• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.

1.E.9. If you wish to charge a fee or distribute a Project

Gutenberg™ electronic work or group of works on different
terms than are set forth in this agreement, you must obtain
permission in writing from the Project Gutenberg Literary
Archive Foundation, the manager of the Project Gutenberg™
trademark. Contact the Foundation as set forth in Section 3
below.

1.F.

1.F.1. Project Gutenberg volunteers and employees expend

considerable effort to identify, do copyright research on,
transcribe and proofread works not protected by U.S. copyright
law in creating the Project Gutenberg™ collection. Despite
these efforts, Project Gutenberg™ electronic works, and the
medium on which they may be stored, may contain “Defects,”
such as, but not limited to, incomplete, inaccurate or corrupt
data, transcription errors, a copyright or other intellectual
property infringement, a defective or damaged disk or other
medium, a computer virus, or computer codes that damage or
cannot be read by your equipment.

1.F.2. LIMITED WARRANTY, DISCLAIMER OF DAMAGES -

Except for the “Right of Replacement or Refund” described in
paragraph 1.F.3, the Project Gutenberg Literary Archive
Foundation, the owner of the Project Gutenberg™ trademark,
and any other party distributing a Project Gutenberg™ electronic
work under this agreement, disclaim all liability to you for
damages, costs and expenses, including legal fees. YOU
AGREE THAT YOU HAVE NO REMEDIES FOR NEGLIGENCE,
STRICT LIABILITY, BREACH OF WARRANTY OR BREACH
OF CONTRACT EXCEPT THOSE PROVIDED IN PARAGRAPH
1.F.3. YOU AGREE THAT THE FOUNDATION, THE
TRADEMARK OWNER, AND ANY DISTRIBUTOR UNDER
THIS AGREEMENT WILL NOT BE LIABLE TO YOU FOR
ACTUAL, DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE
OR INCIDENTAL DAMAGES EVEN IF YOU GIVE NOTICE OF
THE POSSIBILITY OF SUCH DAMAGE.

1.F.3. LIMITED RIGHT OF REPLACEMENT OR REFUND - If

you discover a defect in this electronic work within 90 days of
receiving it, you can receive a refund of the money (if any) you
paid for it by sending a written explanation to the person you
received the work from. If you received the work on a physical
medium, you must return the medium with your written
explanation. The person or entity that provided you with the
defective work may elect to provide a replacement copy in lieu
of a refund. If you received the work electronically, the person or
entity providing it to you may choose to give you a second
opportunity to receive the work electronically in lieu of a refund.
If the second copy is also defective, you may demand a refund
in writing without further opportunities to fix the problem.

1.F.4. Except for the limited right of replacement or refund set

forth in paragraph 1.F.3, this work is provided to you ‘AS-IS’,
WITH NO OTHER WARRANTIES OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR
ANY PURPOSE.

1.F.5. Some states do not allow disclaimers of certain implied

warranties or the exclusion or limitation of certain types of
damages. If any disclaimer or limitation set forth in this
agreement violates the law of the state applicable to this
agreement, the agreement shall be interpreted to make the
maximum disclaimer or limitation permitted by the applicable
state law. The invalidity or unenforceability of any provision of
this agreement shall not void the remaining provisions.

1.F.6. INDEMNITY - You agree to indemnify and hold the

Foundation, the trademark owner, any agent or employee of the
Foundation, anyone providing copies of Project Gutenberg™
electronic works in accordance with this agreement, and any
volunteers associated with the production, promotion and
distribution of Project Gutenberg™ electronic works, harmless
from all liability, costs and expenses, including legal fees, that
arise directly or indirectly from any of the following which you do
or cause to occur: (a) distribution of this or any Project
Gutenberg™ work, (b) alteration, modification, or additions or
deletions to any Project Gutenberg™ work, and (c) any Defect
you cause.

Section 2. Information about the Mission of

Project Gutenberg™
Project Gutenberg™ is synonymous with the free distribution of
electronic works in formats readable by the widest variety of
computers including obsolete, old, middle-aged and new
computers. It exists because of the efforts of hundreds of
volunteers and donations from people in all walks of life.

Volunteers and financial support to provide volunteers with the

assistance they need are critical to reaching Project
Gutenberg™’s goals and ensuring that the Project Gutenberg™
collection will remain freely available for generations to come. In
2001, the Project Gutenberg Literary Archive Foundation was
created to provide a secure and permanent future for Project
Gutenberg™ and future generations. To learn more about the
Project Gutenberg Literary Archive Foundation and how your
efforts and donations can help, see Sections 3 and 4 and the
Foundation information page at www.gutenberg.org.

Section 3. Information about the Project

Gutenberg Literary Archive Foundation
The Project Gutenberg Literary Archive Foundation is a non-
profit 501(c)(3) educational corporation organized under the
laws of the state of Mississippi and granted tax exempt status by
the Internal Revenue Service. The Foundation’s EIN or federal
tax identification number is 64-6221541. Contributions to the
Project Gutenberg Literary Archive Foundation are tax
deductible to the full extent permitted by U.S. federal laws and
your state’s laws.

The Foundation’s business office is located at 809 North 1500

West, Salt Lake City, UT 84116, (801) 596-1887. Email contact
links and up to date contact information can be found at the
Foundation’s website and official page at
www.gutenberg.org/contact

Section 4. Information about Donations to

the Project Gutenberg Literary Archive
Foundation
Project Gutenberg™ depends upon and cannot survive without
widespread public support and donations to carry out its mission
of increasing the number of public domain and licensed works
that can be freely distributed in machine-readable form
accessible by the widest array of equipment including outdated
equipment. Many small donations ($1 to $5,000) are particularly
important to maintaining tax exempt status with the IRS.

The Foundation is committed to complying with the laws

regulating charities and charitable donations in all 50 states of
the United States. Compliance requirements are not uniform
and it takes a considerable effort, much paperwork and many
fees to meet and keep up with these requirements. We do not
solicit donations in locations where we have not received written
confirmation of compliance. To SEND DONATIONS or
determine the status of compliance for any particular state visit
www.gutenberg.org/donate.

While we cannot and do not solicit contributions from states

where we have not met the solicitation requirements, we know
of no prohibition against accepting unsolicited donations from
donors in such states who approach us with offers to donate.

International donations are gratefully accepted, but we cannot

make any statements concerning tax treatment of donations
received from outside the United States. U.S. laws alone swamp
our small staff.

Please check the Project Gutenberg web pages for current

donation methods and addresses. Donations are accepted in a
number of other ways including checks, online payments and
credit card donations. To donate, please visit:
www.gutenberg.org/donate.

Section 5. General Information About Project

Gutenberg™ electronic works
Professor Michael S. Hart was the originator of the Project
Gutenberg™ concept of a library of electronic works that could
be freely shared with anyone. For forty years, he produced and
distributed Project Gutenberg™ eBooks with only a loose
network of volunteer support.

Project Gutenberg™ eBooks are often created from several

printed editions, all of which are confirmed as not protected by
copyright in the U.S. unless a copyright notice is included. Thus,
we do not necessarily keep eBooks in compliance with any
particular paper edition.

Most people start at our website which has the main PG search
facility: www.gutenberg.org.

This website includes information about Project Gutenberg™,

including how to make donations to the Project Gutenberg
Literary Archive Foundation, how to help produce our new
eBooks, and how to subscribe to our email newsletter to hear
about new eBooks.