
Quiz: Information Security and Risk Management. Review of attempt 1

Started on: Tuesday, 12 July 2011, 17:30
Completed on: Tuesday, 12 July 2011, 18:09
Time taken: 39 minutes 9 seconds
Grade: 65 out of a maximum of 100 (65%)

Question 1
Marks: 5
Three major goals promoted by ISC2 include which of the following?
Choose one answer.

Confidentiality, integrity, and availability are often called the CIA triad.

Correct. Marks for this submission: 5/5.

Question 2
Marks: 5
Residual risk is calculated as which of the following?
Choose one answer.

Potential risks include all possible and probable risks. Countermeasures cover some but not all potential risks.

Correct. Marks for this submission: 5/5.

Question 3
Marks: 5
Which of the following is the correct equation in risk management?
Choose one answer.

Risk management includes risk assessment and risk mitigation. Risk assessment is also called risk analysis. Risk mitigation includes risk transfer, risk reduction, risk avoidance, and risk acceptance. Risk research is a part of risk analysis.

Correct. Marks for this submission: 5/5.

Question 4
Marks: 5
What can be done with the residual risk?
Choose one answer.

Residual risk is the risk that remains after countermeasures (controls) have been applied to the risk population. Residual risk is either assigned to a third party (e.g. an insurance company) or accepted by management as part of doing business: it may not be cost-effective to reduce residual risk any further.

Correct. Marks for this submission: 5/5.

Question 5
Marks: 5
Which of the following is not part of risk analysis?
Choose one answer.

Countermeasures and safeguards come after performing risk analysis. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Assets, threats, and vulnerabilities are part of the risk analysis exercise.

Correct. Marks for this submission: 5/5.

Question 6
Marks: 5
Ways of practicing due care. There are different ways management can choose to deal with risks that have been identified and calculated. Which of the following is not a responsible way of dealing with risk?
Choose one answer.

Denying that a risk exists is not practicing due care, and the company can be held liable if it takes this approach. The following are ways that risk should/can be dealt with:
- Risk reduction: install a security control
- Risk transfer: buy insurance
- Risk acceptance: live with the risk and spend no money on protection

Correct. Marks for this submission: 5/5.

Question 7
Marks: 5
Who is legally responsible for protecting data? Which of the following is an example of an ultimate data owner?
Choose one answer.

The key here is the word "ultimate". Employees and the administrator can be data owners in some situations, but senior management is ultimately the owner of business-oriented data. Data owners are legally bound to the protection of data within a company. Because of this required responsibility, data owners should be members of senior management. These individuals practice due care through data classifications and the associated security policies.

Correct. Marks for this submission: 5/5.

Question 8
Marks: 5
Can be available to a larger sub-set of people. Which of the following data classifications provides the lowest level of protection?
Choose one answer.

Data that is deemed "public" has no security mechanisms placed upon it. It is freely available to anyone. There are many different classification levels that companies use today. Military organizations often have many more data classification levels than commercial companies.

Correct. Marks for this submission: 5/5.

Question 9
Marks: 5
Used to educate and prepare employees. There are many different reasons that a company should carry out security awareness training for its employees. Security awareness training provides all of the following except?
Choose one answer.

Security awareness has a host of benefits. Primarily, it serves to educate employees on the potential dangers that exist and how to handle situations if they occur. However, no amount of training or security protection can stop an attack attempt. Attempts will happen, but it is the security program and awareness training that will help to reduce the effect those attempts have on the company.

Correct. Marks for this submission: 5/5.

Question 10
Marks: 5
One pertains to the use of numeric values and the other is based on educated opinions. What would be an appropriate difference between a qualitative and a quantitative risk analysis?
Choose one answer.

A quantitative approach employs calculations using statistics of probabilities and ratios pertaining to the possibilities of specific threats. A qualitative approach is more subjective, using opinion polls and other subjective means that identify the priority of threats that pose possible risks.

Correct. Marks for this submission: 5/5.

Question 11
Marks: 5
Ultimately responsible. The ultimate responsibility for successful company security falls on whose shoulders?
Choose one answer.

Although it is everyone's responsibility to abide by security policies and it is the responsibility of security professionals and IT groups to provide critical security functions, the ultimate responsibility lies with senior management. This is why they make the big bucks! Senior management personnel are liable for properly protecting the company against threats and must demonstrate due diligence and due care.

Correct. Marks for this submission: 5/5.

Question 12
Marks: 5
Ensuring the integrity of business information is the PRIMARY concern of
Choose one answer.

Procedures are regarded as the lowest level in the policy chain because they are closest to the computers and provide detailed steps for configuration and installation issues. They provide the steps to actually implement the statements in the policies, standards, and guidelines... Security procedures, standards, measures, practices, and policies cover a number of different subject areas.

Incorrect. Marks for this submission: 0/5.

Question 13
Marks: 5
All of the following are basic components of a security policy EXCEPT the
Choose one answer.

Policies are considered the first and highest level of documentation, from which the lower level elements of standards, procedures, and guidelines flow. This order, however, does not mean that policies are more important than the lower elements. These higher-level policies, which are the more general policies and statements, should be created first in the process for strategic reasons, and then the more tactical elements can follow.

Incorrect. Marks for this submission: 0/5.

Question 14
Marks: 5
John covertly learns the user ID and password of a higher-ranked technician and uses the credentials to access certain areas of the network. What term describes what John has done?
Choose one answer.

Masquerading is a term that describes a person who pretends to be an authorized user to circumvent established controls. Data diddling: modification of data through unauthorized means. Examples include non-database manipulation of database files accessible to all users, modification of configuration files used to set up further machines, and modification of data residing in temporary files, such as the intermediate files created during compilation by most compilers.

Incorrect. Marks for this submission: 0/5.

Question 15
Marks: 5
Your company's security director calls a meeting to stress the importance of data integrity within the company. There is a concern because of several violations that have been noticed lately. Of the examples below, which would not be considered an integrity violation?
Choose one answer.

An analyst performing an unauthorized task is a problem, but it does not jeopardize the integrity of the data, only its confidentiality. As long as the employee is not making changes to the data, its integrity remains intact. All of the other examples represent instances where data has been altered.

Correct. Marks for this submission: 5/5.

Question 16
Marks: 5
Karen and her security team have been tasked with developing a security policy to be presented to senior management for a new start-up organization. Of the factors listed below, which is the most important in determining an effective security policy?
Choose one answer.

Above all else, a security policy should be consistent with the company's overall mission. A good security policy will protect all critical assets that are vital to carrying out the specified mission. It is important that the directives outlined in the policy are integrated into the business.

Incorrect. Marks for this submission: 0/5.

Question 17
Marks: 5
Cary is working on a risk management project and must determine the degree of damage to a manufacturing facility downtown in the event of a flood. This degree of damage is referred to as:
Choose one answer.

An asset's exposure factor (EF) is the degree, or percentage, of damage that would be realized in the event of a disaster. EF is used to calculate the single loss expectancy (SLE).

Incorrect. Marks for this submission: 0/5.

Question 18
Marks: 5
Your company has hired a risk management firm to evaluate the organization's overall health and risks. One area that is quickly identified is a small warehouse in a heavily populated area which holds valuable assets. The warehouse has no perimeter defenses. This lack of protection would be characterized as a _________
Choose one answer.

The lack of physical controls in an area where crime is possible is a definite vulnerability for the company to consider. The threat in this scenario would be potential intruders that could exploit this vulnerability.

Correct. Marks for this submission: 5/5.

Question 19
Marks: 5
In a heated debate between the IT department, operations, and the financial department, the issue of who owns the financial data in question is raised. Of the entities listed below, who is most likely the owner of this data?
Choose one answer.

In most organizations, senior management delegates data ownership to business unit managers or department heads. It is their responsibility to classify the data. The IT department and operations are considered the data custodians because they handle the maintenance and daily tasks involving the data, but not the overall policy decisions.

Incorrect. Marks for this submission: 0/5.

Question 20
Marks: 5
Protects the company's intellectual property. A security control often initiated by human resources, which involves a new employee or outside party being required to sign a document stating that they will not share company information with anyone, is called a:
Choose one answer.

Non-disclosure agreements (NDAs) have become a common threat countermeasure in the world of business. A signed NDA prohibits an individual from sharing company information with outside parties. Failure to abide by it has legal ramifications.

Incorrect. Marks for this submission: 0/5.
