Chapter 1
Exam Prep
1. C. Inventorying and listing all existing security controls falls into the Evaluate
existing business controls step.
2. B. Determining system values falls into the Analyzing, prioritizing and
categorizing assets step.
3. D. A good security plan should be flexible, scalable, easy to use, and updated at
least annually.
4. A. Reading the existing security policies and processes is the first step of the risk
assessment process.
5. A. A security policy should be reviewed at least annually.
6. D. A good password policy considers history, minimum length, the use of letters,
numbers, and punctuation.
7. D. ProSoft Training administers the CIW certification and exams.
8. D. CIA triad stands for Confidentiality, Integrity, and Availability.
Review
1. C. The PPP triad stands for Physical Security, Privacy, and Marketplace
perception.
2. Physical security, user ID and rights management, network security, system
security, authorized testing, auditing procedures
3. Single Loss Expectancy (SLE) is equal to the asset’s value times the Exposure
Factor (EF). The first component of SLE, the asset value, is the total monetary
amount determined from the TCO, the internal values, and external values listed
in the previous sections. The second component, Exposure Factor (EF), is the
percentage of asset loss that is expected from a particular threat.
4. Annualized Rate of Occurrence (ARO) is the estimated frequency with which a
particular threat may occur each year. The frequency is an educated guess based
on a number of factors, including:
a. How lucrative a target the information poses to outsiders.
b. The level of difficulty of performing a particular attack. For example,
are ready-made tools built that can perform the attack automatically? Does an
attack require intimate knowledge of the network configuration?
c. The security defenses deployed within the environment.
d. The number of abusers who can potentially cause damage.
5. False. EF is the percentage of loss that is expected from a particular threat.
6. C. The password policy is usually contained within the body of the security
policy.
7. User ID and rights management – access controls should cover the expected data
access.
8. The Systems section should list specific security controls for the platforms used
within the environment.
9. ISC2 administers both the CISSP and SSCP exams.
10. www.cert.org, www.sans.org
11. True, part of a physical security control may be to restrict access to the floppy
drives of your critical systems.
12. True, part of the security tools section should name those groups or individuals
who are authorized to perform testing.
13. In the rush to protect data from theft or mischief, organizations often trample on
the rights of individuals to keep their own data private. For example, customers
may not want a company to use their names and addresses for marketing
purposes. And customers certainly do not want their financial information
released to unknown organizations. A comprehensive security strategy should
take into account the privacy of employees, customers, and other organizations.
14. Yes, it is important to have the tools and processes in place to check that these
policies are followed.
15. B. Vulnerability testing methodology is not a covered domain on the CISSP
exam.
Chapter 2
Exam Prep
1. C. Fixing the issue, mitigating the exposure or accepting the risk are all outcomes
of the Security Issue Management process.
2. A. Fixing the issue, mitigating the exposure or accepting the risk are all outcomes
of the Security Issue Management process.
3. D. Qualitative and Quantitative are the two major types of risk assessment
methods.
4. B. The importance of staying calm in the face of a security incident cannot be
overstated. Consider this step one of the plan.
5. A. The C&C team’s main function is to coordinate incident response activities.
6. D. Host IDS software is recommended for High risk systems.
7. D. All listed security controls are recommended for High risk systems.
8. D. The banner should serve as a “no trespassing” sign and should not give away
details about the server.
9. B. Interviewing suspects should be left to law enforcement agencies.
10. C. The evidence should generally only be numbered, signed, and dated, so that
only relevant facts are recorded.
Review
1. First, it allows an organization to mobilize all employees in the fight against
abusers. Second, effective education informs employees on where to find the
corporate security policies. Third, education clearly defines employees’
responsibilities in adhering to security guidelines. And finally, and most
importantly, an effective education plan outlines the security guidelines that relate
to an employee’s job.
2. A. The categories of security controls are: preventive, detective, and corrective.
3. The five steps in the vulnerability management process are:
a. Receive the necessary advisories in a timely manner. Once a software
problem is announced to the general public, it is only a matter of time
before attackers start building automated tools to exploit the bug.
b. Assess the advisory and determine whether the publicized problem poses a
threat to the organization. If the organization does not use the software or
does not have the particular versions installed, disregard and archive the
advisory for future reference.
c. Using predefined criteria documented within the security policy, assess
how quickly the patch(es) must be installed on affected systems. For
example, systems connected to the Internet should be addressed much
more quickly than those on an intranet, and business-critical systems
should be fixed sooner than noncritical systems. These deadlines should
be documented and applied consistently throughout the environment. In
basic terms, the higher the threat or possible loss from the exploit, the
quicker fixes should be implemented.
d. Once the impact and timelines have been assessed, assign the work and
track progress. This type of tracking should only cease once all affected
systems are addressed.
e. Once the exposure has been closed with the appropriate patch from the
manufacturer, periodically check systems to ensure the process is followed
and the latest patches are installed on systems. (Chapter 12 supplies more
guidance on security testing to ensure fixes are applied.)
4. B. The fourth step missing is Deployment of the released patches.
5. Issue management can track the following:
a. Exposures uncovered by the security advisory process: the software
vulnerabilities must be fixed on all affected systems, addressed within a
specific amount of time, and may require management to intercede to
force the installation of patches.
b. Deviations from security policy: during the course of day-to-day
operations and during security reviews or audits, deviations to security
policies may be uncovered. These items should be tracked and addressed.
c. Vulnerabilities uncovered during security testing: although the numbers
reported by some security tools may seem daunting, each system and
vulnerability should be tracked by the security issue management process.
(Read more on security testing in Chapter 12.)
d. Security incidents: incidents tend to be handled more delicately than other
security information; it may, however, be valuable to track incidents
within the security issue management process for future trending and
analysis.
6. True. High, medium, and low categories define the value of systems and
recommended controls for each.
7. Risk management provides a valuable tool in determining how much the business
is willing to spend on a security countermeasure versus the projected financial
protection the countermeasure provides.
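A worked calculation of the SLE, EF and ARO definitions from Chapter 1 Review items 3 to 5, carried through to the countermeasure cost comparison of Chapter 2 Review item 7. This is an added example, not code from the book; the risk register figures, the net_benefit helper and the assumed countermeasure effects are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RiskEntry:
    """One asset/threat pair in a constructed risk register (hypothetical figures)."""
    asset: str
    threat: str
    asset_value: float       # AV: total monetary value (TCO plus internal and external values)
    exposure_factor: float   # EF: fraction of AV lost per occurrence, 0.0 to 1.0
    aro: float               # ARO: estimated occurrences per year


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = AV * EF. An EF outside [0, 1] is a data-entry error."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"EF must be a fraction between 0 and 1, got {exposure_factor}")
    return asset_value * exposure_factor


def ale(entry: RiskEntry) -> float:
    """Annualized Loss Expectancy = SLE * ARO."""
    return sle(entry.asset_value, entry.exposure_factor) * entry.aro


def net_benefit(entry: RiskEntry, annual_cost: float, new_ef: Optional[float] = None,
                new_aro: Optional[float] = None) -> float:
    """Yearly net benefit of a countermeasure: ALE before, minus ALE after, minus its cost.
    A control may lower EF (limits damage per event), ARO (limits frequency), or both."""
    after = replace(entry,
                    exposure_factor=entry.exposure_factor if new_ef is None else new_ef,
                    aro=entry.aro if new_aro is None else new_aro)
    return ale(entry) - ale(after) - annual_cost


# Constructed sample register; values are assumptions, not from the book.
REGISTER = [
    RiskEntry("public web server", "defacement", 200_000, 0.25, 2.0),
    RiskEntry("field laptop", "theft", 3_000, 1.0, 0.1),
]


def rank_by_ale(register: List[RiskEntry]) -> List[Tuple[str, float]]:
    """Highest expected annual loss first: the order in which to fund controls."""
    return sorted(((e.asset, ale(e)) for e in register), key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for asset, loss in rank_by_ale(REGISTER):
        print(f"{asset:20s} ALE = {loss:,.0f}")
    web, laptop = REGISTER
    # Assumed: host IDS cuts the web server ARO from 2.0 to 0.5 at 15,000 per year.
    print("host IDS net benefit:", net_benefit(web, 15_000, new_aro=0.5))
    # Assumed: disk encryption cuts laptop theft EF to 0.2 at 500 per year.
    print("disk encryption net benefit:", net_benefit(laptop, 500, new_ef=0.2))
```

A negative net benefit (the laptop case) says the control costs more than the loss it prevents on these figures; that is the comparison item 7 describes, and it is one input to the decision, not the whole of it.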