8. Information security baselines for information assets vary depending on which of the following?

a. Availability and reliability

b. Sensitivity and criticality

c. Integrity and accountability

d. Assurance and nonrepudiation

8. b. Information security baselines vary depending on the sensitivity and criticality of the information asset, which is part of the confidentiality goal. The other three choices are not related to the confidentiality goal.

9. Which of the following characteristics of information security are critical for electronic transactions?

a. Trust and accountability

b. Trust and usefulness

c. Usefulness and possession

d. Accountability and possession

9. a. Trust and accountability are critical and needed in electronic transactions to make the customer comfortable with transactions, whereas usefulness and possession are needed to address theft, deception, and fraud.

10. From a corporate viewpoint, information integrity is most needed in which of the following?

a. Financial reporting

b. Inventory information

c. Trade secrets

d. Intellectual property

10. a. Corporate financial reporting requires integrity of information so that it is protected against unauthorized modification. The scope of financial reporting includes presenting the balance sheet, income statement, cash flow statement, and the annual report with footnotes and disclosures.

Confidentiality is required to protect personnel (employee) data such as medical records, trade secrets, or intellectual property rights (e.g., copyrights), and business data such as shipping, billing, and inventory information.

11. The relative priority given to confidentiality, integrity, and availability goals varies according to which of the following?

1. Type of information system

2. Cost of information system

3. Data within the information system

4. Business context of use

a. 1 and 2

b. 2 and 3

c. 1 and 4

d. 3 and 4

11. d. The relative priority and significance given to the confidentiality, integrity, and availability goals vary according to the data within the information system and the business context in which it is used. Cost and the type of information system used are important but not as relevant to these goals.

12. Effective information security governance requires which of the following?

1. Corporate executive management endorsement

2. IT executive management endorsement

3. Board member endorsement

4. IT security officer endorsement

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 3 and 4

12. b. Corporate executive management endorsement is essential to effective information security governance. When corporate senior management follows the policies, it sends a positive signal to the rest of the organization. All the board members should endorse the information security governance policies. Note that the corporate executive management and the board members approve and endorse the security policies, while the IT executive management and the IT security officer implement such policies.

13. Which of the following is the major purpose of self-assessment of information security for improving the security?

a. Establish future targets

b. Understand the current status

c. Find out the industry average

d. Analyze the current target

13. a. Information security self-assessment results can be used to establish targets for future development, based on where the organization wants to reach (major purpose) and how to improve security. The other three choices (minor purposes) can help in establishing future targets.

14. What does risk analysis in the contingency planning process not include?

a. Prioritization of applications

b. Development of test procedures

c. Assessment of threat impact on the organization

d. Development of recovery scenarios

14. b. Test procedures are detailed instructions that usually are not considered during a risk analysis exercise. Risk analysis is the initial phase of the contingency planning process, whereas testing comes after the plan has been developed and documented. Application prioritization, assessment of impact on the organization (exposures and implications), and recovery scenarios are part of the risk analysis exercise. Risk analysis is a prerequisite to a complete and meaningful disaster recovery planning program. It is the assessment of threats to resources and the determination of the amount of protection necessary to adequately safeguard them.

15. Which of the following is not a key activity that facilitates the integration of information security governance components?

a. Operational planning

b. Organizational structure

c. Roles and responsibilities

d. Enterprise architecture

15. a. The key activities that facilitate integration of information security governance components include strategic planning, organizational structure (design and development), roles and responsibilities, enterprise architecture, and security objectives. Operational planning is derived from strategic planning.

16. Which of the following is not an example of protected communications controls that are part of technical preventive controls?

a. Cryptographic technologies

b. Data encryption methods

c. Discretionary access controls

d. Escrowed encryption algorithms

16. c. Discretionary access controls (DAC) define an access control security policy; they are not communications controls. The other choices are examples of protected communications controls, which ensure the integrity, availability, and confidentiality of sensitive information while it is in transit.

Cryptographic technologies include the Data Encryption Standard (DES), Triple DES (3DES), and the Secure Hash Standard (SHS). Data encryption methods include virtual private networks (VPNs) and Internet Protocol security (IPsec). Escrowed encryption algorithms include Clipper.

17. For risk mitigation strategies, which of the following is not a proper and effective action to take when a determined attacker’s potential or actual cost is too great?

a. Apply security design principles.

b. Decrease an attacker’s motivation.

c. Implement security architectural design.

d. Establish nontechnical security controls.

17. b. Usually, protection mechanisms that deter a normal, casual attacker work by decreasing the attacker’s motivation: they raise the attacker’s cost to the point where it exceeds the potential gain. However, these protection mechanisms may not prevent a determined attacker, because such an attacker’s potential gain may exceed the cost, or the attacker may be seeking a strategic and competitive advantage through the attack.