Friday, 7 January 2022

CSCB433 (Information Security Assurance) section 01

Q1: Which of these statements are used to determine the value of information assets?
a. Which information asset is the most expensive to protect?
b. Which information asset is the most expensive to protect?
c. Which information asset generates the highest profitability?
d. Which information asset is the most critical to the success of the organization? 

Solution: Which information asset is the most critical to the success of the organization?
Which information asset is the most expensive to protect?
Which information asset generates the highest profitability?
Which information asset is the most expensive to protect? 

Q2: The final step in the risk identification process is to list the assets in order of importance. Which tool is used to achieve this goal?
a. weighted factor analysis
b. Cost Benefit Analysis
c. Threat vulnerabilities assessment
d. Quality Risk Analysis

Solution: weighted factor analysis

Q3: Which of these defines the mitigation risk control strategy?
a. Applying safeguards that eliminate or reduce the remaining uncontrolled risk
b. Reducing the impact if the vulnerability is exploited
c. Understanding the consequences of and accepting the risk without control
d. Shifting risks to other areas or to outside entities

Solution: Reducing the impact if the vulnerability is exploited

Q4: Which risk control strategy selection criterion applies when we manage the risk to limit the extent of the attack?
a. When the attacker’s potential gain is greater than the costs of an attack
b. When potential loss is large
c. When a vulnerability can be exploited
d. When a vulnerability exists

Solution: When potential loss is large

Q5: Which of these statements defines single loss expectancy?
a. is based on the value of the asset and the expected percentage of loss that would occur from a particular attack
b. Evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised
c. is the process of comparing the projected or estimated costs and benefits
d. the probability of a threat occurring is the probability of loss from an attack within a given time frame

Solution: is based on the value of the asset and the expected percentage of loss that would occur from a particular attack

Q6: Which of the following is NOT a task in a Work Breakdown Structure (WBS)?
a. estimated capital and noncapital expenses
b. Identify risk
c. identification of dependencies between/among tasks
d. start and end dates

Solution: Identify risk

Q7: Which of these define the goals of project wrap-up?
You may select more than one answer.
a. draw conclusions about how to improve process
b. resolve any pending issues
c. Patching
d. critique overall project effort

Solution: resolve any pending issues,
critique overall project effort,
draw conclusions about how to improve process

Q8: Which of the following is NOT TRUE about the Chief Information Security Officer (CISO or CSO)?
a. Drafts or approves information security policies
b. Works with the CIO on strategic plans
c. Manages the overall information security program
d. Accountable for day-to-day operation of information security program

Solution: Accountable for day-to-day operation of information security program

Q9: The ISO management model is a five-layer approach that provides structure to the administration and management of networks and systems. The core ISO model addresses management and operation through five topics:
• Fault management
• Configuration and name management
• Accounting management
• Performance management
• Security management
Which of these statements defines fault management?
a. involves the physical and logical assessment of the vulnerabilities present in information systems. This is most often accomplished with penetration testing.
b. is the process of reviewing the use of a system, not to check performance, but to determine misuse or malfeasance; automated tools can assist
c. is the administration of the configuration of the components of the security program.
d. the process of identifying, tracking, diagnosing, and resolving faults in the system.

Solution: the process of identifying, tracking, diagnosing, and resolving faults in the system.

Q10: Which of these statements is NOT a primary deliverable of the Monitoring Process?
a. Building and maintaining an inventory of network devices and channels, IT infrastructure and applications, and information security infrastructure elements
b. Detailed intelligence on highest risk warnings
c. Periodic summaries of external information
d. Specific warning bulletins issued when developing threats and specific attacks pose measurable risk to organization

Solution: Building and maintaining an inventory of network devices and channels, IT infrastructure and applications, and information security infrastructure elements

Q11: Most audit reports contain at least three broad sections: findings, recommendations, and follow-up. Explain each section of the audit report.

Solution:
- Findings: organised according to how closely they correspond to the standard benchmark.
- Recommendations: recommendations on how to mitigate the risks that have been identified. Implementation timeline, amount of risk, and management reaction are all important considerations.
- Follow-up: when it is essential, auditors should plan a follow-up to confirm that the suggestions have been implemented by the company.

Q12: An organization needs clearly documented personnel security policies and procedures in order to facilitate the use and protection of information. For example, the organization should conduct background checks and formal termination procedures.
(a) Describe TWO (2) reasons why background checks and verifying application information for all potential employees and contractors are important.
(b) Formal termination procedures should be implemented to help protect the organization from potential lawsuits, property theft, and destruction, unauthorized access, or workplace violence. Explain THREE (3) termination procedures that should be considered by the organization.

Solution: a. Background checks may assist in reducing the likelihood of criminal activity such as assault, abuse, and theft. They may also verify the facts included in an applicant's résumé or job application, and they can aid the business in determining whether or not a certain individual is the best candidate for the position.
b. 1. All logical and keycard access is cancelled before the employee is even aware of it.
2. The employee gathers all of his or her personal things and returns all keys, keycards, and other business property to the office.
3. The employee is then escorted out of the building.

Q13: List FOUR (4) essential security testing tips and explain why it is crucial to an organization's security consideration.

Solution: 1. Choose the right tool: if you don't use the correct tool, the results may be different and sometimes misleading.
2. Tools make mistakes: sometimes the tools give false positives as well.
3. Protect your system: the system should be updated and must use antivirus to protect against attacks.
4. Tests should be as "real" as possible (real attacks): the test should be as real as possible so that the real environment is mimicked.

Q14: (a) Calculate the risk assessment weighted score for each of the information assets.
Table 1: Information Asset Risk Assessment

Information Asset   Criterion 1:        Criterion 2:              Criterion 3:             Weighted Score
                    Impact on Revenue   Impact on Profitability   Impact on Public Image
Criterion weight    50                  20                        30
Alpha               0.8                 0.9                       0.5
Beta                0.8                 0.9                       0.6
Omega               0.4                 0.5                       0.3
Delta               1                   0.6                       0.4
Gamma               0.4                 0.4                       0.9

Solution: Alpha = (50 * 0.8) + (20 * 0.9) + (30 * 0.5) = 40 + 18 + 15 = 73
Beta = (50 * 0.8) + (20 * 0.9) + (30 * 0.6) = 40 + 18 + 18 = 76
Omega = (50 * 0.4) + (20 * 0.5) + (30 * 0.3) = 20 + 10 + 9 = 39
Delta = (50 * 1) + (20 * 0.6) + (30 * 0.4) = 50 + 12 + 12 = 74
Gamma = (50 * 0.4) + (20 * 0.4) + (30 * 0.9) = 20 + 8 + 27 = 55

CSCB433 (Information Security Assurance) section 01 Quiz

Q1: The access control mechanism that requires the validation and verification of an unauthenticated entity's purported identity is known as _________________

a. authentication
b. accountability
c. confidentiality
d. authorization

Solution: authentication 

Q2: An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems is known as ___________________

a. Privacy
b. Integrity
c. disclosure
d. Confidentiality
 

Solution: Confidentiality

Q3: Which of these statements define threat?
a. A potential weakness in an asset or its defensive control system(s).
b. An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.
c. Any event or circumstance that has the potential to adversely affect operations and assets.
d. A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use.

Solution: Any event or circumstance that has the potential to adversely affect operations and assets.  

Q4: ________________ is responsible for the security and use of a particular set of information.
a. Data user
b. Data Subject
c. Data Custodian
d. Data owner
 

Solution: Data owner 

Q5: Recently, a ransomware incident was announced in the local news that could infect similar Operating Systems that are being used by your company.

Identify THREE (3) most important assets in your company that could be affected by this malware threat.

Solution: 1. Business documents and Excel sheets
2. Website images and other resources
3. Backup server files

Q6: Explain why those assets are considered important.

Solution: 1. Business documents and Excel sheets: all the business correspondence and financial data of the organization is stored in these documents.
2. Website images and other resources: the company's reputation will be damaged, as the ransomware notice will be shown on the website.
3. Backup server files: the company's backup data will also be unavailable, leaving employees with nothing to work on.

Q7: List at least TWO (2) vulnerabilities for each of the assets in (a) that are relevant to the malware threat. 

Solution: 1. Business documents and Excel sheets:
+ Using Microsoft Office macros.
+ Clicking links in downloaded Word files.
2. Website images and other resources:
+ SQL injection attack.
+ OS command injection attack.
3. Backup server files:
+ Malware spreading over the network.
+ SMB protocol (EternalBlue).

Q8: Identify ONE (1) possible RISK for each of the assets you listed.

Solution: 1. Business documents and Excel sheets:
Unavailability of the resources
2. Website images and other resources:
Damage to the reputation of the company
3. Backup server files:
Unavailability of the resources