Question 1
Which formula is typically used to describe the components of
information security risks?
A) Risk = Likelihood × Vulnerability
B) Risk = Threat × Vulnerability
C) Risk = Threat × Likelihood
D) Risk = Vulnerability × Cost
Question 2
Earl is preparing a risk register for his organization’s risk
management program. Which data element is LEAST likely to be
included in a risk register?
A) Description of the risk
B) Expected impact
C) Risk survey results
D) Mitigation steps
Question 3
Alan is developing a business impact assessment for his
organization. He is working with business units to determine the
maximum allowable time to recover a particular function. What value
is Alan determining?
A) Recovery time objective (RTO)
B) Recovery point objective (RPO)
C) Business recovery requirements
D) Technical recovery requirements
Question 4
Which one of the following is an example of a direct cost that
might result from a business disruption?
A) Damaged reputation
B) Lost market share
C) Lost customers
D) Facility repair
Question 5
Tom is the IT manager for an organization that experienced a
server failure that affected a single business function. What type
of plan should guide the organization’s recovery effort?
A) Disaster recovery plan (DRP)
B) Business impact analysis (BIA)
C) Business continuity plan (BCP)
D) Service level agreement (SLA)
Question 6
Dawn is selecting an alternative processing facility for her
organization’s primary data center. She would like to have a
facility that balances cost and switchover time. What would be the
best option in this situation?
A) Hot site
B) Warm site
C) Cold site
D) Primary site
Question 7
Holly would like to run an annual major disaster recovery test
that is as thorough and realistic as possible. She also wants to
ensure that there is no disruption of activity at the primary site.
What option is best in this scenario?
A) Checklist test
B) Full interruption test
C) Parallel test
D) Simulation test
Question 8
George is the risk manager for a U.S. federal government agency.
He is conducting a risk assessment for that agency’s IT risk. What
methodology is best suited for George’s use?
A) Risk Management Guide for Information Technology Systems (NIST SP 800-30)
B) CCTA Risk Analysis and Management Method (CRAMM)
C) Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
D) ISO/IEC 27005, "Information Security Risk Management"
Question 9
A hospital is planning to introduce a new point-of-sale system
in the cafeteria that will handle credit card transactions. Which
one of the following governs the privacy of information handled by
those point-of-sale terminals?
A) Health Insurance Portability and Accountability Act (HIPAA)
B) Payment Card Industry Data Security Standard (PCI DSS)
C) Federal Information Security Management Act (FISMA)
D) Federal Financial Institutions Examination Council (FFIEC)
Question 10
What is NOT one of the three tenets of information security?
A) Confidentiality
B) Integrity
C) Safety
D) Availability
Question 11
Which one of the following is an example of a logical access
control?
A) Key for a lock
B) Password
C) Access card
D) Fence
Question 12
During which phase of the access control process does the system
answer the question, “What can the requestor access?”
A) Identification
B) Authentication
C) Authorization
D) Accountability
Question 13
Ed wants to make sure that his system is designed in a manner
that allows tracing actions to an individual. Which phase of access
control is Ed concerned about?
A) Identification
B) Authentication
C) Authorization
D) Accountability
Answer
Solution 1:
Risk is conventionally expressed as the product of a threat and the
vulnerability that threat could exploit: Risk = Threat × Vulnerability.
Likelihood and cost feed into impact and exposure estimates, but they
are not the two components of the standard formula.
Thus, the correct option is B) Risk = Threat × Vulnerability.
Solution 2:
A risk register records each identified risk together with its
description, expected impact, likelihood, owner and planned mitigation
steps. The raw results of a risk survey are an input to the assessment
that produces the register, not a data element stored in it.
Thus, the correct option is C) Risk survey results.
Solution 3:
The recovery time objective (RTO) is the maximum allowable time within
which a business function must be restored after a disruption. The
recovery point objective (RPO) measures something different: the
maximum acceptable data loss, expressed as the time between the last
good backup and the disruption. The other two options are general
categories of requirements, not the value Alan is determining.
Thus, the correct option is A) Recovery time objective (RTO).
Solution 4:
Direct costs are tangible expenses that can be invoiced and paid, such
as repairing a damaged facility. Damaged reputation, lost market share
and lost customers are indirect (intangible) costs: they are real
consequences of a disruption, but they have to be estimated rather
than billed.
Thus, the correct option is D) Facility repair.
Solution 5:
A disaster recovery plan (DRP) guides the restoration of IT systems
and services after an outage, and a single server failure that affects
one business function is exactly that kind of IT-level incident. A
business continuity plan (BCP) is broader, covering how the whole
organization keeps its critical operations running through a major
disruption. A business impact analysis (BIA) is not a plan at all but
the assessment of how interruptions would affect the business, and a
service level agreement (SLA) defines a service commitment rather than
recovery steps.
Thus, the correct option is A) Disaster recovery plan (DRP).
Solution 6:
A hot site is a fully equipped duplicate of the primary data center
that can take over within minutes to hours, but it is the most
expensive option. A cold site is cheap but provides only basic space
and utilities, so switchover can take weeks. A warm site is the middle
ground: hardware and connectivity are in place but current data is
not, so it can be brought online in roughly a day at a fraction of a
hot site's cost. The primary site is not an alternative facility.
Thus, the correct option is B) Warm site.
Solution 7:
A full interruption test shuts down the primary site and runs
operations from the recovery site; it is the most realistic test but
disrupts production. A parallel test brings the recovery site up and
processes real workloads alongside the primary site, which keeps
operating normally, so it is the most thorough option that avoids
disruption. Checklist and simulation tests are less realistic because
they walk through the plan without actually running the recovery
systems.
Thus, the correct option is C) Parallel test.
Solution 8:
NIST SP 800-30 was developed specifically for risk assessment of U.S.
federal information systems, so it is the natural fit for a federal
agency. CRAMM, OCTAVE and ISO/IEC 27005 are legitimate methodologies
but are not tailored to the federal context.
Thus, the correct option is A) Risk Management Guide for
Information Technology Systems (NIST SP 800-30).
Solution 9:
PCI DSS is the standard, maintained by the Payment Card Industry
Security Standards Council, that governs the protection of cardholder
data by any organization that stores, processes or transmits payment
card transactions. HIPAA governs the hospital's protected health
information, not cafeteria card payments; FISMA applies to federal
information systems; FFIEC guidance applies to financial institutions.
Thus, the correct option is B) Payment Card Industry Data Security
Standard (PCI DSS).
Solution 10:
The three tenets of information security (the CIA triad) are
confidentiality, integrity and availability. Safety is not one of
them.
Thus, the correct option is C) Safety.
Solution 11:
A logical (technical) access control is implemented in software or
hardware logic to restrict access to systems and data; a password is
the classic example. Keys, access cards and fences are physical access
controls.
Thus, the correct option is B) Password.
Solution 12:
Authorization is the phase in which the system decides what an already
authenticated requestor is permitted to access, typically by
consulting an access control list or policy. Identification is the
claim of identity, authentication verifies that claim, and
accountability records what was done.
Thus, the correct option is C) Authorization.
Solution 13:
Accountability is the property of being able to trace every action
back to the individual who performed it. It depends on unique
identities and on audit logging of each decision, which is what Ed
wants his design to support.
Thus, the correct option is D) Accountability.
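The four access-control phases behind Questions 11 through 13 are easier to see in code than in definitions. The following is an added example written for this page, not code from the quiz or its source textbook. Everything in it is constructed: the user "ed", his password, the resources, the ACL and the audit records are hypothetical sample data. It walks one request through identification (the unverified claim), authentication (a password, the logical control from Question 11), authorization (the "what can the requestor access?" decision from Question 12) and accountability (an audit entry tied to the identity, as Ed wants in Question 13).

```python
"""Added example: the four access-control phases on one request.
Not from the quiz source; all users, passwords, resources and
permissions below are constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; a credential store keeps this, never cleartext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Hypothetical credential store: user -> (salt, password hash).
_SALT_ED = os.urandom(16)
CREDENTIALS = {
    "ed": (_SALT_ED, _hash_password("correct horse battery staple", _SALT_ED)),
}

# Hypothetical access control list: user -> resource -> allowed operations.
ACL = {
    "ed": {"payroll.db": {"read"}, "hr-notes.txt": {"read", "write"}},
}


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def identify(self, claimed_user: str) -> str:
        # Phase 1, identification: the caller asserts who they are. Nothing
        # is trusted yet; the claim only selects which credential to check.
        return claimed_user

    def authenticate(self, user: str, password: str) -> bool:
        # Phase 2, authentication: verify the claim with a logical control
        # (a password). compare_digest avoids a timing side channel.
        entry = CREDENTIALS.get(user)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(_hash_password(password, salt), expected)

    def authorize(self, user: str, resource: str, action: str) -> bool:
        # Phase 3, authorization: "what can the requestor access?" is
        # answered from the ACL. Anything not listed is denied (default deny).
        return action in ACL.get(user, {}).get(resource, set())

    def record(self, user: str, resource: str, action: str, outcome: str) -> None:
        # Phase 4, accountability: every decision is logged against the
        # identity so an action can later be traced to an individual.
        self.audit_log.append({"user": user, "resource": resource,
                               "action": action, "outcome": outcome})

    def request(self, claimed_user: str, password: str,
                resource: str, action: str) -> str:
        user = self.identify(claimed_user)
        if not self.authenticate(user, password):
            # Failed logins are logged too: they are evidence in an investigation.
            self.record(user, resource, action, "denied: authentication failed")
            return "denied"
        if not self.authorize(user, resource, action):
            self.record(user, resource, action, "denied: not authorized")
            return "denied"
        self.record(user, resource, action, "allowed")
        return "allowed"


if __name__ == "__main__":
    ac = AccessControl()
    pw = "correct horse battery staple"
    print(ac.request("ed", pw, "payroll.db", "read"))    # allowed
    print(ac.request("ed", pw, "payroll.db", "write"))   # denied (not authorized)
    print(ac.request("ed", "wrong password", "payroll.db", "read"))  # denied (auth failed)
    for entry in ac.audit_log:
        print(entry)
```

Note the order: authorization is only consulted after authentication succeeds, and the audit entry for a failed login records the claimed identity with a distinct outcome, so the log can distinguish a wrong password from a correct login that lacked permission.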