c. Value to others
d. Value of immediate access
137. c. The value of information is measured by what others want from the owner. Negative value comes into play when there is a safety, security, or quality problem with a product. For example, the negative value of a product affects customers, manufacturers, vendors, and hackers, where the latter party can exploit an unsafe or insecure product. Value of immediate access is situational and personal.
138. Risk is the possibility of something adverse happening to an organization. Which of the following steps is the most difficult one to accomplish in a risk management process?
a. Risk profile
b. Risk assessment
c. Risk mitigation
d. Risk maintenance
138. b. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. Risk management includes two primary activities and one underlying activity. Risk assessment and risk mitigation are the primary activities, and uncertainty analysis is the underlying one.
Risk assessment, the process of analyzing and interpreting risk, is composed of three basic activities: (i) determining the assessment’s scope and methodology, (ii) collecting and synthesizing data, and (iii) interpreting the risk. A risk assessment can focus on many different areas of controls (including management, technical, and operational). These controls can be designed into a new application and incorporated into all areas of an organization’s functions and operations (including telecommunications, data centers, and business units). Because of the nature of the scope and the extent of risk assessment, it is the most difficult one to accomplish.
Risk profile and risk maintenance are not the most difficult to accomplish because they are the by-products of the risk assessment process. Risk profile for a computer system or facility involves identifying threats and developing controls and policies in order to manage risks.
Risk mitigation involves the selection and implementation of cost-effective security controls to reduce risk to a level acceptable to management, within applicable constraints. Again, risk mitigation comes after the completion of the risk assessment process.
139. The focus of risk management is that risk must be:
a. Eliminated
b. Prevented
c. Avoided
d. Managed
139. d. Risk must be managed because it cannot be completely eliminated or avoided. Some risks cannot be prevented in a cost-effective manner.
140. What is a risk event that is an identifiable uncertainty called?
a. Known-unknown
b. Unknown-unknown
c. Known-known
d. Unknown-known
140. a. Known-unknown is an identifiable uncertainty. Unknown-unknown is a risk event whose existence cannot be imagined. There is no risk in known-known because there is no uncertainty. Unknown-known is not relevant here.
141. Which of the following is an optional requirement for organizations?
a. Policies
b. Procedures
c. Standards
d. Guidelines
141. d. Guidelines assist users, systems personnel, and others in effectively securing their systems. Guidelines are suggestive and are not compulsory within an organization.
142. Which of the following is the least sensitive data classification scheme?
a. Unclassified
b. Unclassified but sensitive
c. Secret
d. Confidential
142. a. Data that is not sensitive or classified is unclassified. This is the least sensitive category, whereas secret is the most sensitive category.
143. Which of the following is not an example of a trade secret?
a. Customer lists
b. Supplier names
c. Technical specifications
d. Employee names
143. d. To qualify as a trade secret, information must be of competitive value or advantage to the owner or his business. Trade secrets can include technical information and customer and supplier lists. Employee names do not come under the trade secret category because they are somewhat public information, though they may require protection from recruiters.
144. Which of the following covers system-specific policies and procedures?
a. Technical controls
b. Operational controls
c. Management controls
d. Development controls
144. c. Management controls are actions taken to manage the development, maintenance, and use of the system, including system-specific policies, procedures, and rules of behavior, individual roles and responsibilities, individual accountability, and personnel security decisions.
Technical controls include hardware and software controls used to provide automated protection to the computer system or applications. Technical controls operate within the technical systems and applications.
Operational controls are the day-to-day procedures and mechanisms used to protect operational systems and applications. Operational controls affect the system and application environment.
Development controls include the process of assuring that adequate controls are considered, evaluated, selected, designed, and built into the system during its early planning and development stages, and that an ongoing process is established to ensure continued operation at an acceptable level of risk during the installation, implementation, and operation stages.
145. Organizational electronic-mail policy is an example of which of the following?
a. Advisory policy
b. Regulatory policy
c. Specific policy
d. Informative policy
145. c. Advisory, regulatory, and informative policies are broad in nature and cover many topics and areas of interest. E-mail policy is an example of specific policy dealing with communication between and among individuals.
146. What should be done when an employee leaves an organization?
a. Review of recent performance evaluation
b. Review of human resource policies
c. Review of nondisclosure agreements
d. Review of organizational policies
146. c. When an employee leaves an organization, he should be reminded of nondisclosure agreements that he signed upon his hiring. This agreement includes measures to protect confidential and proprietary information such as trade secrets and inventions.
147. For computer security, integrity does not mean which of the following?
a. Accuracy
b. Authenticity
c. Completeness
d. Timeliness
147. d. Timeliness is a part of the availability goal, whereas accuracy, authenticity, and completeness are part of the integrity goal.
148. For computer security, confidentiality does not mean which of the following?