2. Which of the following is not part of risk analysis?
a. Assets
b. Threats
c. Vulnerabilities
d. Countermeasures
2. d. Countermeasures and safeguards come after performing risk analysis. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Assets, threats, and vulnerabilities are part of the risk analysis exercise.
3. Security safeguards and controls cannot do which of the following?
a. Risk reduction
b. Risk avoidance
c. Risk transfer
d. Risk analysis
3. d. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Risk analysis is a management exercise performed before deciding on specific safeguards and controls. Risk reduction, risk avoidance, and risk transfer are part of risk mitigation, which results from applying the selected safeguards and controls.
4. Selection and implementation of security controls refer to which of the following?
a. Risk analysis
b. Risk mitigation
c. Risk assessment
d. Risk management
4. b. Risk mitigation involves the selection and implementation of security controls to reduce risks to an acceptable level. Risk analysis is the same as risk assessment. Risk management includes both risk analysis and risk mitigation.
5. Which of the following is closely linked to risk acceptance?
a. Risk detection
b. Risk prevention
c. Risk tolerance
d. Risk correction
5. c. Risk tolerance is the level of risk that an entity or a manager is willing to assume or accept to achieve a potential desired result. Some managers accept more risk than others do due to their personal affinity toward risk.
6. The amount of risk an organization can handle should be based on which of the following?
a. Technological level
b. Acceptable level
c. Affordable level
d. Measurable level
6. b. Often, losses cannot be measured in monetary terms alone. Risk should be handled at an acceptable level for an organization. Both affordable and technological levels vary with the type of organization (e.g., small, medium, or large size and technology-dependent or not).
7. Which of the following methods for handling a risk involves a third party?
a. Accept risk
b. Share risk
c. Reduce risk
d. Transfer risk
7. d. An insurance company or a third party is involved in transferring risk. The other three choices do not involve a third party because they are handled within an organization. One division’s risk can be shared by other divisions of an organization.
8. Which of the following security risk assessment techniques uses a group of experts as the basis for making decisions or judgments?
a. Risk assessment audits
b. Delphi method
c. Expert systems
d. Scenario-based threats
8. b. The Delphi method uses a group decision-making technique. The rationale for using this technique is that it is sometimes difficult to get a consensus on the cost or loss value and the probabilities of loss occurrence. Group members do not meet face-to-face. Rather, each group member independently and anonymously writes down suggestions and submits comments that are then centrally compiled. This process of centrally compiling the results and comments is repeated until full consensus is obtained.
Risk assessment audits are incorrect because these audits do not provide the same consensus as the one reached by a group of experts in the Delphi method. Usually, one or two individuals perform audits, not groups. Expert systems are incorrect because they are computer-based systems developed with the knowledge of human experts. These systems do not reach a consensus as a group of people does. Scenario-based threats are incorrect because, although possible threats are identified from scenarios by a group of people, this approach does not reach the same consensus as the Delphi method. The process of submitting results and comments makes the Delphi method more useful than the other methods.
9. The costs and benefits of security techniques should be measured in monetary terms where possible. Which of the following is the most effective means to measure the cost of addressing relatively frequent threats?
a. Single-occurrence losses
b. Annual loss expectancy
c. Fatal losses
d. Catastrophic losses
9. b. Annualized loss expectancy (ALE) is the estimated loss expressed in monetary terms at an annual rate, for example, dollars per year. The ALE for a given threat with respect to a given function or asset is equal to the product of the estimates of occurrence rate, loss potential, and vulnerability factor.
A single-occurrence loss (SOL) is incorrect because it is the loss expected to result from a single occurrence of a threat. It is determined for a given threat by first calculating the product of the loss potential and vulnerability factor for each function and asset for the threat analyzed. Then the products are summed to generate the SOL for the threat. Because the SOL does not depend on an estimate of the threat’s occurrence rate, it is particularly useful for evaluating rare but damaging threats. If a threat’s SOL estimate is unacceptably high, it is prudent risk management to take security actions to reduce the SOL to an acceptable level.
Both fatal losses and catastrophic losses are big and rare. Fatal losses involve loss of human life, and catastrophic losses involve great financial loss. In short, ALE is useful for addressing relatively frequent threats, whereas SOL and fatal or catastrophic losses address rare threats.
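As an added example (not from the original text), the following Python computes SOL and ALE for two constructed threats using the definitions above, and shows why a rare but damaging threat is caught by its SOL and not by its ALE. The threat names, asset values, factors, and the two limits are constructed sample data.

```python
# Added example: SOL and ALE per the definitions in the answer to question 9.
# All threats, assets, loss potentials, factors and limits are constructed sample data.
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Exposure:
    """One function or asset exposed to a threat."""
    asset: str
    loss_potential: float        # monetary loss if the threat fully materialises
    vulnerability_factor: float  # fraction of loss_potential actually expected (0..1)


@dataclass(frozen=True)
class Threat:
    name: str
    occurrence_rate: float       # expected occurrences per year
    exposures: Tuple[Exposure, ...]


def single_occurrence_loss(threat: Threat) -> float:
    # SOL: loss potential x vulnerability factor per asset, summed over assets.
    # The occurrence rate is deliberately not used, which is why SOL suits rare threats.
    return sum(e.loss_potential * e.vulnerability_factor for e in threat.exposures)


def annualized_loss_expectancy(threat: Threat) -> float:
    # ALE: occurrence rate x loss potential x vulnerability factor, summed over assets,
    # which equals occurrence rate x SOL.
    return threat.occurrence_rate * single_occurrence_loss(threat)


def classify(threat: Threat, sol_limit: float, ale_limit: float) -> str:
    """Return which measure calls for action: SOL for rare-but-damaging threats,
    ALE for frequent ones, or 'accept' when both are within the constructed limits."""
    if single_occurrence_loss(threat) > sol_limit:
        return "reduce-SOL"
    if annualized_loss_expectancy(threat) > ale_limit:
        return "reduce-ALE"
    return "accept"


# Constructed sample threats: a frequent low-impact one and a rare high-impact one.
PHISHING = Threat("phishing", 12.0, (Exposure("mailboxes", 5000.0, 0.4),
                                     Exposure("workstations", 10000.0, 0.1)))
FIRE = Threat("data centre fire", 0.02, (Exposure("servers", 500000.0, 0.8),
                                         Exposure("data", 1000000.0, 0.3)))

if __name__ == "__main__":
    for t in (PHISHING, FIRE):
        print(t.name, single_occurrence_loss(t), annualized_loss_expectancy(t),
              classify(t, sol_limit=250000.0, ale_limit=25000.0))
```

With the constructed limits, phishing is flagged by its ALE while the fire, whose ALE is small because it is rare, is flagged only by its SOL.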