Only $2.99/month

Terms in this set (68)


A. Multifactor authentication safeguards against an account being accessed without authorization. If a malicious hacker has gained access to the account, this control has already been bypassed.

B. Audit logging may be useful in identifying activities undertaken using an administrator account, but it is a lagging indicator unlikely to be effective in time to limit the scope of impact associated with a compromise.

C. Privileged accounts, such as those used by administrators, are typically sought after by malicious hackers because of the perception that they will be exempt from most controls and have permission to do everything. However, except in the smallest organizations, administrators tend to be specialized in particular areas (e.g., specific servers, specific databases, firewalls, etc.). Although employing least privilege will not reduce the potential impact of a compromised account within the scope of its intended use, having specialized administrator accounts can greatly limit the impact to the organization as a whole. Even in small organizations where one person holds all roles, establishing specialized administrator accounts subject to least-privilege restrictions limits the potential impact of loss associated with an account compromise.

D. A password policy requiring frequent changes can limit the reuse value of a compromised account, but it is unlikely that changes will be sufficiently restrictive to affect an account before it has been used by a malicious hacker who controls it.

A. Summarizing project risk does not necessarily lead to an understanding of all risk, e.g., not realizing the benefits or impact of project risk on programs and portfolios or business or strategic objectives. Unintended consequences, reputation and brand risk, and strategic objectives need to be considered in order to assess strategic IT risk.

B. Strategic IT risk is related to the strategy and strategic objectives of the organization. Once this is understood, a conversation with senior executives will provide an enterprise view of the dependencies and expectations for IT, which leads to an understanding of the potential risk.

C. Enterprise architecture (EA) is fundamentally about producing a view of the current state of IT, establishing a vision for a future state and generating a strategy to get there (preferably by optimizing resource risk while realizing benefits). This view of IT should demonstrate the linkage of IT to organizational objectives and produce a view of current risk, but the development of EA takes significant effort, resources and time. Enterprise architectures also benefit from being informed by an understanding of organizational strategy and the views of the senior executives, which change rapidly in the current business environment and, therefore, need to be regularly reviewed.

D. Developing an understanding of current incidents will not directly provide a strategic view of the objectives of the organization and how the organization is dependent on IT to achieve those objectives.