Question list
1
You have just won a contract with a small software development firm, which has asked you to perform a risk analysis. The firm has provided you with information on previous incidents and has a list of the known environmental threats in the geographic area. The firm’s president believes that risk is something that can be eliminated. As a CISSP, how should you respond to this statement?
Risk can be reduced, but cannot be eliminated.
2
Which term describes the method of identifying vulnerabilities and threats and assessing the possible damage to determine where to implement security safeguards?
Risk analysis
3
Proper security management dictates separation of duties for all the following reasons except which one?
It reduces the need for personnel.
4
As a potential CISSP, you need to know common Requests for Comments (RFCs) and National Institute of Standards and Technology (NIST) standards. One such RFC is 2196. This Internet Engineering Task Force (IETF) document provides basic guidance on security in a networked environment. What is the title of this document?
“Site Security Handbook”
5
Mr. Hunting, your former college math teacher, hears that you are studying for your CISSP exam and asks if you know the formula for total risk. What is the correct response?
Threat * Vulnerability * Asset Value = Total Risk
6
What document gives detailed instructions on how to perform specific operations, providing a step-by-step guide?
Procedures
7
Your CEO has hinted that security audits may be implemented next year. As a result, your director has become serious about performing some form of risk assessment. You are delegated the task of determining which type of risk assessment to perform. The director wants to learn more about the type of risk assessment that involves a team of internal business managers and technical staff. He does not want the assessment to place dollar amounts on identified risks. He wants the group to assign one of 26 common controls to each threat as it is identified. Which type of risk assessment does your director want?
Facilitated Risk Assessment Process (FRAP)
8
Which of the following is a document that is considered high-level in that it defines formal rules by which employees of the organization must abide?
Policies
9
Management requires that all employees with a company laptop keep their virus signatures up to date and run a full system scan at least weekly. It is suggested, however, that they update signatures every night if possible. In what document type would such suggestions likely be made?
Guidelines
10
What document is similar to a standard, but provides only broad guidance and recommendations?
Guidelines
11
You are asked to speak at the next staff meeting about security governance and discuss why risk analysis is important. What will you say?
Risk analysis is something every company should perform to demonstrate that it is in control of its assets, resources, and destiny.
12
One of your coworkers, who knows that you are studying for your CISSP exam, comes to you with the following question: What is a cost-benefit analysis? How will you answer?
A cost-benefit analysis should identify safeguards that offer the maximum amount of protection for the minimum cost.
13
Your risk management team has just finished calculating the threats to a company during a disaster. They determine that the company will suffer long-term reputation damage in the community that will reduce their future customer base in the event of a Personally Identifiable Information (PII) breach. The team believes that customers will go to another company. This is an example of:
Delayed loss
14
Your consulting firm has won a contract for a small, yet growing, technology firm. The CEO has wisely decided that the firm’s proprietary technology is worth protecting and wants to find out whether anyone is in noncompliance. Which of the following is NOT a reason why this organization should develop information classification?
Information classification should be implemented to ensure successful prosecution of intellectual property violators.
15
Your administrative assistant has started an online risk assessment certificate program. She has a question: What primary security concept defines the rights and privileges of a validated user? What will your answer be?
Authorization
16
Which of the following can be used to protect confidentiality?
Encryption
17
Your company has brought in a group of contract programmers and is concerned about the potential risk. Although management feels it is important to track these users’ activities, they also want to make sure that any changes to program code or data can be tied to a specific individual. Which of the following best describes the means by which an individual cannot deny having performed an action or caused an event?
Nonrepudiation
18
Which of the following can be used to protect integrity?
Checksums
19
Christine has been given network access to pilot engineering design documents. Although she can view the documents, she cannot print them or make changes. Which of the following does she lack?
Authorization
20
Which of the following can be used to provide accountability?
Closed Circuit TV (CCTV)
21
Which of the following BEST describes estimating that a risk will happen, determining safeguards to mitigate a risk, assessing vulnerability, and assigning values to assets?
Risk analysis steps
22
Which of the following can be used to protect availability?
Redundant array of inexpensive disks (RAID)
23
Which data classification method uses labels such as “confidential”, “private”, and “sensitive”?
Commercial
24
Your risk assessment team has completed a review of the threat of natural disasters damaging your facility. Based on the information in Table 1.1, what is the Single Loss Expectancy (SLE) and the Annual Loss Expectancy (ALE)?
SLE is $300,000; the ALE is $30,000
25
Which data classification method uses labels such as “confidential”, “sensitive but unclassified”, and “unclassified”?
Government
26
You are an advisory board member for a local nonprofit organization. Because your fellow board members know of your expertise in security, they approach you with the following question: Who is ultimately responsible for information security? How will you answer them?
Senior management
27
Examine Table 1.2 and list which line item is NOT correct.
Facility
28
What is the correct order for the following items?
Identify, authenticate, authorize
29
What is ARO?
Annualized Rate of Occurrence
30
Which of the following does NOT require prior employee notification?
Monitoring unsuccessful login attempts
31
Your intern comes to you with the following question about your company’s change control board: What is NOT one of the primary reasons why a change control board is needed? How do you answer?
Change control is needed so that changes can be made quickly.
32
Which of the following should be performed in conjunction with a termination?
Exit interview
33
What is the highest level of government data classification?
Top secret
34
Your manager is concerned about a new piece of software being developed by a contractor. Your manager wants you to verify that no means of unauthenticated access is left in the finished product. What is another name for a method of unauthenticated access into a program?
Backdoor
35
Which of the following is the lowest level of private-sector data classification?
Public
36
Whose role is to examine security policies and procedures and provide reports to senior management about the effectiveness of security controls?
Auditor
37
What is the process of determining the level of risk at which the organization can operate and function effectively?
Risk mitigation
38
Who has the functional responsibility of security?
Infosec security officer
39
James, the summer intern, asks if you can show him how to calculate ALE. What do you tell him?
Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO) = ALE
40
What is the lowest level of government data classification?
Unclassified
41
Which of the following is NOT an acceptable response to risk?
Displacement
42
You are an advisory board member for a local organization. The organization has been given a new server, and members plan to use it to connect their 20 client computers to the Internet for email access. Currently, none of these computers has antivirus software installed. Your research indicates that there is a 90 percent chance that these systems will become infected after email is in use. There’s a good chance that a virus could bring down the network for an entire day. The nonprofit’s 10 paid employees make about $12 an hour. A local vendor has offered to sell 20 copies of antivirus software to the nonprofit organization for $500. The nonprofit wants to know what the ALE for this proposed change would be. Assuming that employees work an eight-hour day, how do you answer?
$864
43
The organization that you are an advisory board member of decides to go forward with the proposed Internet and email connectivity project. The CEO would like to know how much money, if any, will be saved through the purchase of antivirus software. Here are the projected details: - 20 computers are connected to the Internet. - There’s a 90 percent probability of virus infection. - 10 paid employees make $12 an hour. - A successful virus outage could bring down the network for an entire day. - 20 copies of antivirus will cost the nonprofit $500.
$364
44
Which of the following describes the process of revealing only external properties to other components?
Data hiding
45
Which of the following is the highest level of private-sector (commercial) data classification?
Confidential
46
Which of the following is used to segregate details to focus on only one particular piece or item?
Abstraction
47
You have been asked to apply the principles of qualitative risk analysis to the organization. How do you accomplish this task?
(1) Develop risk scenarios, (2) analyze each scenario to determine the outcome, (3) rank the resulting risk and the importance of the asset.
48
According to NIST Special Publication (SP) 800-27, what should be an organization’s goal in regard to risk?
Risk should be reduced to an acceptable level.
49
Your director has asked you to implement a security awareness program. When considering a security awareness program which of the following is NOT correct?
A security awareness program should run continuously and visibly reprimand those who are in noncompliance.
50
Management wants you to evaluate the organization’s security policy. Those at the organization believe that encryption should be used on their network now that it is connected to the Internet. Primarily, they are concerned that malicious hackers may be able to tap into their systems and steal donor information and demographic data. Based on the principles of risk management, what should your decision to use encryption be based on? Choose the most correct answer.
If the network is vulnerable, the cost of protecting the system should be weighed against the costs associated with such a disclosure.
51
Data abstraction is a practical necessity at what Trusted Computer System Evaluation Criteria (TCSEC) layer?
B3
52
You work for a company that has a large web-based storefront. Recently, a vulnerability was discovered in the application’s front-end software. If this vulnerability is exploited, your company’s database could be breached. Any breach would mean the loss of competitive customer account information. Although no credit card information is on file, any pilfered information would result in the demise of your corporation. This website produces $500,000 in profit monthly. A new commercial application to secure websites like your company’s is available for $2 million. Your current application’s vendor is writing a patch and will make available a workaround product that costs $20,000. Your insurance company will not cover any damages that occur under your current configuration. For an added fee of $1,000 a day, it will cover the patched configuration. For no added cost, it will cover all losses if you acquire the new commercial application. Meanwhile, your company has already spent $1.5 million writing your own replacement application. This application is undergoing a parallel test and is scheduled to be released in two more months. Which course of action should you recommend to your company?
Acquire the patch and workaround product, and use them until your replacement product is available.
53
Which term describes the efforts taken by a prudent person who implements controls to behave responsibly when caring for data entrusted to him or her?
Due care
54
Replace the italic words in the following sentence with the terms commonly used when discussing risk management: A software product used by your company includes an unknown [weakness]. This [risk] can lead to an exploit from the Internet and enable a malicious hacker to [access] your customers’ credit cards.
Vulnerability, threat, exposure
55
Place the following steps of the life cycle of a security program in sequential order.
Organize, implement, operate, monitor, evaluate
56
Who is responsible for the security of data?
The data’s owner
57
What formula identifies residual risk (RR)?
Annual Loss Expectancy (ALE) * Control Gap
58
Information security seeks to protect a triad of principles. Which of the following is NOT included in that triad?
Authorization
59
With regard to the classification of information, the levels of sensitivity used by the U.S. military include all the following except which one?
Controlled
60
What does a company practice by developing and implementing security policies, procedures, and standards?
Due care
61
Which of the following terms is NOT related to quantitative risk analysis?
Annual Risk Acceptance (ARA)
62
Which of the following is NOT part of the commercial information classification system?
Unclassified
63
As part of the risk assessment team, you are asked to describe which of the following is a flaw, loophole, oversight, or error that makes your company susceptible to attack or damage. What is your answer?
Vulnerability
64
Which of the following lists the terms in the most logical order?
Asset valuation, threat analysis, control analysis, mitigation, policy creation, awareness
65
Examine Table 1.3. What does the table represent?
Risk register
66
The result of a recent risk assessment has led to the upgrade of the organization’s firewall. Which risk control most closely fits this response?
Mitigate the risk
67
Quantitative risk assessments seek to perform all the following except which one?
Use questionnaires and interviews to determine high-risk items
68
You are asked to calculate the ALE for a new IT asset where the ARO is 60 percent. If the Asset Value is $500 and the Single Loss Expectancy (SLE) is $450, what is the Exposure Factor (EF)?
90 percent
69
You are called back to do more calculations for a pending risk assessment because the company has gathered additional information. If the AV is now $1,000, what will the ALE be with an SLE of $800 and an ARO of twice yearly?
$1,600
70
Your final risk-assessment task is to provide your manager with a quick assessment on a new asset. To do so, you are given the following information. Can you calculate the ALE? SLE = $2,500 , EF = .9 , ARO = .4 , RR = $30
$1,000.00
71
Place the following risk assessment steps in order, from last to first. I. Derive annual loss potential II. Assign value to assets III. Reduce, transfer, or avoid the risk IV. Estimate potential loss V. Perform a threat analysis
III, I, V, IV, II
72
What kind of qualitative risk assessment features anonymous feedback?
Delphi
73
What element of the risk assessment process denotes the percentage of risk that a company would suffer if an asset were compromised by a realized risk?
Exposure factor
74
You are asked to work with your manager to develop new security objectives. Which of these would be considered very short-term in nature?
Operational
75
Which form of risk assessment takes the most time, and why?
Quantitative, because even with tools for automation, a large amount of data must be gathered
76
The National Security Agency’s (NSA’s) Infosec Assessment Methodology (IAM) is a good example of a qualitative risk-assessment methodology. As such, which of the following statements is LEAST correct?
It features a good method of performing numeric calculations such as ALE and ARO.
77
What term best describes an instance of being vulnerable to losses from a threat?
Exposure
78
Which of the following statements is incorrect?
Procedures are a high-level document.
79
How do you find out what level of risk the enterprise can safely tolerate and still continue to function effectively?
Risk mitigation
80
How is SLE determined?
By multiplying the AV by the amount vulnerable or exposed
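The quantitative questions above (39, 42, 43, 57, 68, 69, 70 and 80) all reduce to the same few formulas: SLE = AV × EF, ALE = SLE × ARO, residual risk = ALE × control gap, and the cost-benefit of a safeguard as the ALE it removes minus what it costs per year. The following is an added example, not part of the original quiz or its source book, that implements those formulas with input checks and reproduces the figures the quiz gives. The nonprofit numbers (10 staff at $12 an hour for an 8-hour day, 90 percent infection probability, $500 for antivirus) are the ones stated in questions 42 and 43; the assumption that the safeguard brings the ALE to zero is the quiz’s simplification and is labelled as such in the code.

```python
"""Quantitative risk arithmetic behind the SLE / ALE / EF questions.

Added example (not from the quiz). Formulas as quoted on the page:
  SLE = AV * EF
  ALE = SLE * ARO
  residual risk = ALE * control gap
  savings from a safeguard = ALE_before - ALE_after - annual cost of safeguard
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction of the asset lost per event, 0..1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def exposure_factor(asset_value: float, sle: float) -> float:
    """EF = SLE / AV (question 68: AV $500, SLE $450 gives 0.9)."""
    if asset_value <= 0:
        raise ValueError("asset value must be positive")
    if sle > asset_value:
        raise ValueError("a single loss cannot exceed the asset value")
    return sle / asset_value


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO may exceed 1, e.g. 2.0 for twice yearly (question 69)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def residual_risk(ale: float, control_gap: float) -> float:
    """Question 57's formula: residual risk = ALE * control gap (gap is 0..1)."""
    if not 0.0 <= control_gap <= 1.0:
        raise ValueError("control gap must be a fraction between 0 and 1")
    return ale * control_gap


@dataclass(frozen=True)
class SafeguardDecision:
    """Cost-benefit view of one safeguard over one year."""
    ale_before: float
    ale_after: float
    annual_cost: float

    @property
    def annual_savings(self) -> float:
        """Positive means the safeguard pays for itself within the year."""
        return self.ale_before - self.ale_after - self.annual_cost

    @property
    def worthwhile(self) -> bool:
        return self.annual_savings > 0


def nonprofit_outage_ale(staff: int = 10, hourly_rate: float = 12.0,
                         hours_per_day: float = 8.0, probability: float = 0.9) -> float:
    """Question 42: one lost working day of staff time is the SLE (EF = 1.0,
    the whole day is lost) and the 90% infection probability acts as the ARO."""
    daily_payroll = staff * hourly_rate * hours_per_day
    sle = single_loss_expectancy(daily_payroll, 1.0)
    return annualized_loss_expectancy(sle, probability)


def nonprofit_antivirus_decision(av_cost: float = 500.0) -> SafeguardDecision:
    """Question 43. Assumption carried over from the quiz: the antivirus removes
    the loss entirely (ALE after = 0); real products only reduce the ARO."""
    return SafeguardDecision(ale_before=nonprofit_outage_ale(),
                             ale_after=0.0, annual_cost=av_cost)


if __name__ == "__main__":
    print(f"Q42 ALE:      ${nonprofit_outage_ale():,.0f}")                          # $864
    print(f"Q43 savings:  ${nonprofit_antivirus_decision().annual_savings:,.0f}")  # $364
    print(f"Q68 EF:       {exposure_factor(500, 450):.0%}")                         # 90%
    print(f"Q69 ALE:      ${annualized_loss_expectancy(800, 2):,.0f}")             # $1,600
    print(f"Q70 ALE:      ${annualized_loss_expectancy(2500, 0.4):,.0f}")          # $1,000
```

Note that question 70 supplies EF and RR as distractors: once SLE is given, ALE needs only ARO, which is why the functions take SLE directly rather than recomputing it from AV and EF.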
81
What was the original name of ISO 27002?
ISO 17799
82
OCTAVE is designed to act as a framework to support risk analysis. How many phases are in the OCTAVE framework?
3
83
You are asked to review some existing security documentation. Which of the following documents could best be described as discretionary and not mandatory?
Guideline
84
You are asked to calculate the total cost of ownership (TCO). Which of the following does TCO NOT include?
Replacement cost
85
You have several clients throughout the U.S. for which you are assigned to manage risk. One client is in Washington, D.C., another is in San Jose, and a third is in Boston. Use the following scale to assess the quantitative risk-impact score for Boston.
A score of four
86
Standards define compulsory requirements.
True
87
A parallel run is an example of a change management technique.
True
88
Labels are a requirement of TCSEC C-level security.
False
89
Tangible values are all that need to be examined when performing an asset evaluation.
False
90
A policy is a management-driven objective.
True
91
The security officer is ultimately responsible for security.
False
92
The risk analysis team should be composed only of people from security management.
False
93
The asset owner is responsible for the security controls that are designed to protect the asset.
True
94
Application error is one type of risk that the organization should be concerned about.
True