
The other three choices are proper and effective actions to take when the potential or actual cost to an attacker is too great, whether the attacker is normal, casual, or determined, because they are stronger protection mechanisms. Both technical and nontechnical security controls can be used to limit the extent of the attack.

18. Which of the following actions are required to manage residual risk when new or enhanced security controls are implemented?

1. Eliminate some of the system’s vulnerabilities.

2. Reduce the number of possible threat-source/vulnerability pairs.

3. Add a targeted security control.

4. Reduce the magnitude of the adverse impact.

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 1, 2, 3, and 4

18. d. Implementation of new or enhanced security controls can mitigate risk by (i) eliminating some of the system’s vulnerabilities (flaws and weaknesses) thereby reducing the number of possible threat-source/vulnerability pairs, (ii) adding a targeted control to reduce the capacity and motivation of a threat-source, and (iii) reducing the magnitude of the adverse impact by limiting the extent of a vulnerability.

19. Which of the following ongoing security monitoring activities is more valuable in determining the effectiveness of security policies and procedures implementation?

a. Plans of action and milestones

b. Configuration management

c. Incident statistics

d. Network monitoring

19. c. All four choices are examples of ongoing security monitoring activities. Incident and event statistics are more valuable in determining the effectiveness of security policies and procedures implementation. These statistics provide security managers with further insight into the status of security programs under their control and responsibility.

20. Which of the following pairs of security objectives, rules, principles, and laws are in conflict with each other?

a. All-or-nothing access principle and the security perimeter rule

b. Least privilege principle and employee empowerment

c. File protection rules and access granularity principle

d. Trans-border data flows and data privacy laws

20. b. Least privilege is a security principle that requires that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks. The application of this principle limits the damage resulting from an accident, error, or unauthorized use. This is in great conflict with employee empowerment in which employees are given freedom to do a wide variety of tasks in a given time period. Much discretion is left to each employee to achieve the stated goals.

The all-or-nothing access principle means access is either to all objects or to none at all. The security perimeter rule uses increasingly strong defenses as one approaches the core information or resources sought. Both strengthen the security practices.

File protection rules are designed to inhibit unauthorized access, modification, and deletion of a file. The access granularity principle states that protection at the data file level is considered coarse granularity, whereas protection at the data field level is considered to be of a finer granularity. Both strengthen the security practices.

The objective of laws governing trans-border data flows and of data privacy laws is to protect personal data from unauthorized disclosure, modification, and destruction. Trans-border data flow is the transfer of data across national borders. Privacy refers to the social balance between an individual’s right to keep information confidential and the societal benefit derived from sharing information. Both strengthen the security practices.

21. Which of the following is not the major purpose of information system security plans?

a. Describe major application systems.

b. Define the security requirements.

c. Describe the security controls.

d. Delineate the roles and responsibilities.

21. a. The information security plan should reflect inputs from various managers with responsibilities concerning the system. Major applications are described when defining security boundaries of a system, meaning boundaries are established within and around application systems.

The major purposes of the information system security plan are to (i) provide an overview of the security requirements of the system, (ii) describe the security controls in place or planned for meeting those requirements, (iii) delineate the roles and responsibilities, and (iv) define the expected behavior of all individuals who access the system.

22. The information system security plan is an important deliverable in which of the following processes?

a. Configuration management

b. System development life cycle

c. Network monitoring

d. Continuous assessment

22. b. The information system security plan is an important deliverable in the system development life cycle (SDLC) process. Those responsible for implementing and managing information systems must participate in addressing security controls to be applied to their systems. The other three choices are examples of ongoing information security program monitoring activities.

23. Which of the following approves the system security plan prior to the security certification and accreditation process?

a. Information system owner

b. Program manager

c. Information system security officer

d. Business owner

23. c. Prior to the security certification and accreditation process, the information system security officer, who is independent from the system owner, typically approves the security plan. In addition, some systems may still contain sensitive information after the storage media is removed. If there is any doubt whether sensitive information remains on a system, the information system security officer should be consulted before disposing of the system, because the officer deals with the technical aspects of a system. The information system owner is also referred to as the program manager or business owner.

24. Which of the following is the key factor in the development of the security assessment and authorization policy?

a. Risk management

b. Continuous monitoring

c. Testing the system

d. Evaluating the system

24. a. An organization’s risk management strategy is the key factor in the development of the security assessment and authorization policy. The other three choices are part of the purpose of assessing the security controls in an information system.

25. Which of the following is a prerequisite for developing an information system security plan?

1. Security categorization of a system

2. Analysis of impacts