Terms in this set (37)
Risk controls are adequate when ____
the residual risk is less than or equal to acceptable risk
Value at risk can be used:
to determine maximum probable loss over a period of time
Value at risk (VAR)
provides a quantitative value of the maximum probable loss in a given time period—typically at 95 or 99 percent certainty.
High-impact, low-likelihood situations are typically most cost effectively covered by ________
transferring the risk to a third party, e.g., insurance
Reducing exposure reduces _______
the likelihood of a vulnerability being exploited
Factor in calculating the impact of lost connectivity:
Financial losses incurred by the business units
Control baselines are MOST directly related to the:
organization's risk appetite
First step in a risk analysis process to determine the impact to the organization:
Calculate the value of the information or asset
Unless the exploitation of a vulnerability by a threat has ________, there is no risk to the organization.
Purpose of controls:
Bring residual risk to acceptable levels
Most effective way to avoid the introduction of malware into end users' computers:
Restricting execution of mobile code
Which program element should be implemented FIRST in asset classification and control?
Why might an organization rationally choose to mitigate a risk that is estimated to be at a level higher than its stated risk appetite but within its stated risk tolerance?
Senior management may have concern that the stated impact is underestimated
Best way to erase confidential information stored on magnetic tapes:
The magnetic tapes would quickly dispose of all information because the magnetic domains are thoroughly scrambled and would not allow reuse.
It is always good practice to engage _______ when addressing security threats and risk.
management of the business unit
_____ is the weakest link in encryption
Who is responsible for ensuring that security awareness and training material is effectively deployed to reach the intended audience?
Information Security Department
What is the BEST way to identify an application back door?
Source code review
What is an advantage of sending messages using steganographic techniques as opposed to using encryption?
The existence of messages is unknown. The existence of messages is hidden in another file, such as a JPEG image, when using steganography.
Symmetric or secret key encryption
requires a separate key for each pair of individuals who wish to have confidential communication, resulting in an exponential increase in the number of keys as the number of users increases, creating intractable distribution and storage problems.
Public key infrastructure keys
increase arithmetically, making it more practical from a scalability point of view.
Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?
Developing an information security baseline helps to _________
define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality/classification levels.
An extranet server should be placed _________
on a screened subnet, which is a demilitarized zone.
Firewalls should be installed _______
on hardened servers with minimal services enabled
Placing ______ or _______ would leave it defenseless.
external router / outside the firewall
A security baseline can BEST be used for:
Establishing uniform system hardening
The approval of standards to meet the requirements of policies should be performed by __________
information security department
Who is the appropriate individual to ensure that new exposures have not been introduced into an existing application during the change management process?
Addressing production risks is PRIMARILY a function of:
What is the PRIMARY purpose of using risk analysis within a security program?
The risk analysis helps assess exposures and plan remediation.
can transfer operational risk and financial impacts associated with that risk; however, legal responsibility for the consequences of compromise generally remains with the original entity.
Who should be assigned as data owner?
The owner of the information asset should be the individual with the decision-making power in the department deriving the most benefit from the asset.
The value of any business asset is generally based on:
its contribution to generating revenues for the organization, both now and in the future
attacks inject malformed input
Controls are effective when:
residual risk is at a level acceptable to the organization.
The purpose of controls:
To bring residual risk to acceptable levels.