Information Security Management 1

01: According to your textbook which of the following is NOT part of risk analysis:

___ Determine how likely each risk is to occur

___ Identify any risks to assets

___ Implement an acceptable use policy

___ Determine the value of assets

02: A risk is defined as:

___ A weakness in a system

___ A potential for exploit of a weakness in a system

___ The existence of a weakness in a system and the potential for an exploit

___ An attempted security attack

03: If a manager obtains insurance for damage to an asset, this is called risk transference:

___ True

___ False

04: Managers should declare financial statements about asset values:

___ True

___ False

05: A principle that a single person should not have authority to execute a critical task is called:

___ Access control

___ Separation of duties (or privileges)

___ Discretionary control

___ Confidentiality

06: Unauthorized alteration of information is a breach of:

___ Confidentiality

___ Integrity

___ Availability

07: Of the two types of attackers, which has the potential to do the most damage?

___ Malicious Outsiders

___ Non-Malicious Insiders

___ Non-Malicious Outsiders

___ Malicious Insiders

08: Controlling information so that only those who require it to do their job receive it is called distribution on a "need to know" basis:

___ True

___ False

09: Planning to have a “hot site” to restart operations in the case of a fatal incident is part of having a:

___ Risk Assessment Plan

___ Disaster Recovery Plan

___ Vulnerability Assessment Plan

___ Business Continuity Plan

10: Planning for a “co-location” to continue business as usual in the case of an incident that disrupts operations at one site is part of having a:

___ Risk Assessment Plan

___ Disaster Recovery Plan

___ Vulnerability Assessment Plan

___ Business Continuity Plan

11: SLE represents:

___ The proportion of assets that would be destroyed by a risk

___ Damage to an asset each time a risk would occur in a year

___ Number of times a risk may occur in a year

___ Damage to an asset incurred cumulatively for each year of the asset’s lifetime

12: Privilege creep means:

___ An administrator gives him or herself the ability to examine private accounts

___ An attacker uses a rootkit to escalate privileges to execute system functions

___ When someone changes roles, they accrue both old and new privileges even if they are not needed

___ When a user logs in as a normal user, then executes an "su" to become a superuser

13: The four choices that managers have when managing risks are: (1) risk avoidance, (2) risk prosecution, (3) risk acceptance, (4) risk transference.

___ True

___ False

14: The encryption algorithm AES avoids security through obscurity:

___ True

___ False

15: A security policy is a written document only:

___ True

___ False

16: Even though very simplistic, security "checklists" such as ISO 27001/27002 (formerly ISO 17799), also known as the ISO 27000 (or ISO27K) family of standards, are useful for security auditing in preparation for, or as part of, a security certification:

___ True

___ False

17: Conducting background checks on employees is illegal in the United States:

___ True

___ False

18: Least privilege means allocating only the minimum set of privileges required to perform a job function:

___ True

___ False

Short Essay:

19: Give a brief explanation of the differences between risk assessment and risk management. Give as an example the name of at least one standard or framework that is used for each one:

20: Briefly describe what responsibilities managers have in terms of security. In this description, note that managers in this context are not security officers or officers of a company and do NOT have fiduciary responsibilities. In other words, what are the minimum security standards managers must adhere to regardless of their position?