Security Management Practices Prep Test

1.	The three elements of the C-I-A triad include Confidentiality, Integrity, Authentication Confidentiality, Integrity, Availability Confidentiality, Integrity, Authorization Confidentiality, Integrity, Accountability
2.	Which of the following government data classification levels describes information that, if compromised, could cause serious damage to national security? Top Secret Secret Confidential Sensitive but Unclassified
3.	The practice of regularly transferring personnel into different positions or departments within an organization is Separation of duties Reassignment Lateral transfers Job rotations
4.	The individual responsible for assigning information classification levels for assigned information assets is Management Owner Custodian User
5.	Most security policies are categorized as Informative Regulatory Mandatory Advisory
6.	A baseline is a type of Policy Guideline Procedure Standard
7.	ALE is calculated by using the following formula: SLE x ARO x EF = ALE SLE x ARO = ALE SLE + ARO = ALE SLE – ARO = ALE
8.	Which of the following is not considered a general remedy for risk management? Risk reduction Risk acceptance Risk assignment Risk avoidance
9.	Failure to implement a safeguard may result in legal liability if The cost to implement the safeguard is less than the cost of the associated loss. The cost to implement the safeguard is more than the cost of the associated loss. An alternate but equally effective and less expensive safeguard is implemented. An alternate but equally effective and more expensive safeguard is implemented.
10.	A cost-benefit analysis is useful in safeguard selection for determining Safeguard effectiveness Technical feasibility Cost-effectiveness Operational impact

Answers

1.	B. Confidentiality, Integrity, Availability. Confidentiality, integrity, and availability are the three elements of the C-I-A triad. Authentication, authorization, and accountability are access control concepts. Review “Information Security Management Concepts and Principles.”
2.	B. Secret.Top Secret information leaks could cause grave damage. Confidential information breaches could cause damage. Sensitive but Unclassified information doesn’t have a direct impact on national security. Review “Government data classification.”
3.	D. Job rotations. Separation of duties is related to job rotations but is distinctly different. Reassignment and lateral transfers are functionally equivalent to job rotations but aren’t necessarily done for the same reasons and aren’t considered security employment practices. Review “Job rotations.”
4.	B. Owner. Although an information owner may be in a management position and is also considered a user, the information owner role has the responsibility for assigning information classification levels. An information custodian is responsible for day-to-day security tasks. Review “Security roles and responsibilities.”
5.	D. Advisory. Although not mandatory, advisory policies are highly recommended and may provide penalties for failure to comply. Review “Policies.”
6.	D. Standard. A baseline takes into account system-specific parameters to help an organization identify appropriate standards. Review “Standards (and baselines).”
7.	B. SLE x ARO = ALE. SLE x ARO = ALE is the correct formula for calculating ALE, where SLE is the Single Loss Expectancy, ARO is the Annualized Rate of Occurrence, and ALE is the Annualized Loss Expectancy expressed in dollars. Review “Risk analysis.”
8.	D. Risk avoidance. Although risk avoidance is a valid concept, it’s impossible to achieve and therefore not considered a general remedy for risk management. Review “Risk control.”
9.	A. The cost to implement the safeguard is less than the cost of the associated loss.This basic legal liability test determines whether the cost of the safeguard is less than the cost of the associated loss if a threat is realized. Review “Legal liability.”
10.	C. Cost-effectiveness. A cost-benefit analysis won’t help an organization determine the effectiveness of a safeguard, its technical feasibility, or its operational impact. Review “Cost-effectiveness.”