1: According to your textbook, which of the following is NOT part of risk analysis:
- Determine how likely each risk is to occur
- Identify any risks to assets
- Implement an acceptable use policy
- Determine the value of assets
2: A risk is defined as:
- A weakness in a system
- A potential for exploit of a weakness in a system
- The existence of a weakness in a system and the potential for an exploit
- An attempted security attack
3: If a manager obtains insurance for damage to an asset, this is called risk transference:
4: Managers should declare financial statements about asset values:
5: A principle that a single person should not have authority to execute a critical task is called:
- Access control
- Separation of duties (or privileges)
- Discretionary control
- Confidentiality
6: Unauthorized alteration of information is a breach of:
- Confidentiality
- Integrity
- Availability
- Protocol
7: Of the two types of attackers, which has the potential to do the most damage?
- Malicious Outsiders
- Non-Malicious Insiders
- Non-Malicious Outsiders
- Malicious Insiders
8: Controlling information so that only those who require it to do their job receive it is called operating on a "need to know" basis:
9: Planning to have a "hot site" to restart operations in the case of a fatal incident is part of having a:
- Risk Assessment Plan
- Vulnerability Assessment Plan
- Business Continuity Plan
10: Planning for a "co-location" to continue business as usual in the case of an incident that disrupts operations at one site is part of having a:
- Risk Assessment Plan
- Disaster Recovery Plan
- Vulnerability Assessment Plan
- Business Continuity Plan
11: SLE represents:
- The proportion of assets that would be destroyed by a risk
- Damage to an asset each time a risk occurs in a year
- Number of times a risk may occur in a year
- Damage to an asset incurred cumulatively for each year of the asset's lifetime
12: Privilege creep means:
- An administrator gives him or herself the ability to examine private accounts
- An attacker uses a rootkit to escalate privileges to execute system functions
- When someone changes roles, they accrue both old and new privileges even if they are not needed
- When a user logs in as a normal user, then executes an "su" to become a superuser
13: The four choices that managers have when managing risks are, (1) risk avoidance, (2) risk prosecution, (3) risk acceptance, (4) risk transference.
14: The encryption algorithm AES avoids security through obscurity:
15: A security policy is a written document only:
16: Even though very simplistic, security "checklists" such as ISO 27000: 27001/27002 (17799), also known as the ISO 27000 (or ISO27K) family of standards, are useful for security auditing in preparation for, or as part of, a security certification:
17: Conducting background checks on employees is illegal in the United States:
18: Least privilege means allocating only the minimum set of privileges required to perform a job function:
Short Essay:
19: Give a brief explanation of the differences between risk assessment and risk management. Give as an example the name of at least one standard or framework that is used for each one:
20: Briefly describe what responsibilities managers have in terms of security. In this description, note that managers in this context are not security officers or officers of a company and do NOT have fiduciary responsibilities. In other words, what are minimum security standards managers must adhere to regardless of their position?