Exam paper: CISSP Certification Exam (Information Security Governance and Risk Management) Practice Test 1

Single-choice question

The integrity of data is not related to which of the following?

A. Unauthorized manipulation or changes to data

B. The modification of data without authorization

C. The intentional or accidental substitution of data

D. The extraction of data to share with unauthorized entities
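The question turns on the boundary between integrity and confidentiality: three of the options describe data being changed or swapped, the fourth describes data being copied out to someone who should not have it. The following illustration is added here and is not part of the original exam page. It uses an HMAC-SHA256 tag as the integrity control, binds the record identifier into the tag so that substituting one genuinely tagged record for another is also caught, and shows that an exfiltrated copy still verifies cleanly. The key, record identifiers and record contents are constructed test data.

```python
"""Added illustration (not from the exam page): an integrity control catches
manipulation, unauthorized modification and substitution of a record, but says
nothing about that record being copied out and disclosed. Key and records are
constructed test data."""
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 digest size in bytes

# Constructed test key; a real deployment would load this from a secret store.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                    "101112131415161718191a1b1c1d1e1f")


def protect(record_id: str, record: bytes, key: bytes = KEY) -> bytes:
    """Return record || HMAC-SHA256(key, record_id || 0x00 || record).

    Binding the record's identity into the tag is what lets the verifier
    notice when one validly tagged record is substituted for another.
    """
    msg = record_id.encode() + b"\x00" + record
    return record + hmac.new(key, msg, hashlib.sha256).digest()


def verify(record_id: str, protected: bytes, key: bytes = KEY) -> bool:
    """True only if the tag matches this record under this record_id."""
    if len(protected) < TAG_LEN:
        return False
    record, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    msg = record_id.encode() + b"\x00" + record
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


# Constructed sample records, tagged at rest.
ACCT_1 = protect("acct-1", b"balance=1000;owner=alice")
ACCT_2 = protect("acct-2", b"balance=50;owner=bob")


def unauthorized_modification_detected() -> bool:
    """Options A/B: changing a digit in the stored record invalidates the tag."""
    tampered = ACCT_1.replace(b"1000", b"9000")
    return not verify("acct-1", tampered)


def attacker_substitution_detected() -> bool:
    """Option C: a fabricated record cannot carry a valid tag without the key."""
    forged = b"balance=999999;owner=mallory" + bytes(TAG_LEN)
    return not verify("acct-1", forged)


def swapped_record_detected() -> bool:
    """Option C again: a genuine acct-2 record presented as acct-1 is rejected
    only because the record_id is bound into the tag."""
    return not verify("acct-1", ACCT_2)


def extraction_leaves_integrity_intact() -> bool:
    """Option D: a byte-for-byte copy carried out by an insider still verifies.
    Integrity is untouched; what was lost is confidentiality."""
    exfiltrated_copy = bytes(ACCT_1)
    return verify("acct-1", exfiltrated_copy)
```

The last function is the point of the question: nothing in an integrity mechanism distinguishes the authorized holder of a record from someone who has extracted a copy, so disclosure has to be addressed by confidentiality controls (access control, encryption, DLP), not by checksums or MACs.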

Questions you may be interested in

As head of sales, Jim is the information owner for the sales department. Which of the following is not Jim's responsibility as information owner?
A. Assigning information classifications
B. Dictating how data should be protected
C. Verifying the availability of data
D. Determining how long to retain data

Assigning data classification levels can help with all of the following except:
A. The grouping of classified information with hierarchical and restrictive security
B. Ensuring that nonsensitive data is not being protected by unnecessary controls
C. Extracting data from a database
D. Lowering the costs of protecting data

There are several methods an intruder can use to gain access to company assets. Which of the following best describes masquerading?
A. Changing an IP packet's source address
B. Elevating privileges to gain access
C. An attempt to gain unauthorized access as another user
D. Creating a new authorized user with hacking tools

A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset?
A. The asset's value in the external marketplace
B. The level of insurance required to cover the asset
C. The initial and outgoing costs of purchasing, licensing, and supporting the asset
D. The asset's value to the organization's production operations

As his company's CISO, George needs to demonstrate to the Board of Directors the necessity of a strong risk management program. Which of the following should George use to calculate the company's residual risk?
A. threats × vulnerability × asset value = residual risk
B. SLE × frequency = ALE, which is equal to residual risk
C. (threats × asset value × vulnerability) × control gap = residual risk
D. (total risk − asset value) × countermeasures = residual risk

For what purpose was the COSO framework developed?
A. To address fraudulent financial activities and reporting
B. To help organizations install, implement, and maintain CobiT controls
C. To serve as a guideline for IT security auditors to use when verifying compliance
D. To address regulatory requirements related to protecting private health information

The following graphic contains a commonly used risk management scorecard. Identify the proper quadrant and its description. [graphic not reproduced]
A. Top-right quadrant is high impact, low probability.
B. Top-left quadrant is high impact, medium probability.
C. Bottom-left quadrant is low impact, high probability.
D. Bottom-right quadrant is low impact, high probability.

The following scenario applies to questions 29, 30, and 31. Barry has just been hired as the company security officer at an international financial institution. He has reviewed the company's data protection policies and procedures. He sees that the company stores its sensitive data within a secured database. The database is located in a network segment all by itself, which is monitored by a network-based intrusion detection system. The database is hosted on a server kept within a server room, which can only be accessed by personnel with the correct PIN value and smart card. Barry finds that the sensitive data backups are not being properly secured and requests that the company implement a secure courier service that moves backup tapes to a secured location. His management states that this option is too expensive, so Barry implements a local hierarchy storage management system that properly protects the sensitive data.

Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this?
A. Committee of Sponsoring Organizations of the Treadway Commission
B. The Organisation for Economic Co-operation and Development
C. CobiT
D. International Organization for Standardization

Which of the following is not included in a risk assessment?
A. Discontinuing activities that introduce risk
B. Identifying assets
C. Identifying threats
D. Analyzing risk in order of cost or criticality

Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company's e-mail system. What type of approach is her company taking to handle the risk posed by the system?
A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transference

Susan, an attorney, has been hired to fill a new position at Widgets Inc. The position is Chief Privacy Officer (CPO). What is the primary function of her new role?
A. Ensuring the protection of partner data
B. Ensuring the accuracy and protection of company financial information
C. Ensuring that security policies are defined and enforced
D. Ensuring the protection of customer, company, and employee data

What type of risk analysis approach does the following graphic provide? [graphic not reproduced]
A. Quantitative
B. Qualitative
C. Operationally Correct
D. Operationally Critical
ISO/IEC 27000 is part of a growing family of ISO/IEC information security management systems (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards?
A. ISO/IEC 27002: Code of practice for information security management
B. ISO/IEC 27003: Guideline for ISMS implementation
C. ISO/IEC 27004: Guideline for information security management measurement and metrics framework
D. ISO/IEC 27005: Guideline for bodies providing audit and certification of information security management systems
Which of the following best describes the relationship between CobiT and ITIL?
A. CobiT is a model for IT governance, whereas ITIL is a model for corporate governance.
B. CobiT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
C. CobiT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.
D. CobiT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service-level goals.

Jane has been charged with ensuring that clients' personal health information is adequately protected before it is exchanged with a new European partner. What data security requirements must she adhere to?
A. HIPAA
B. NIST SP 800-66
C. Safe Harbor
D. European Union Principles on Privacy

Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining?
A. Security policy committee
B. Audit committee
C. Risk management committee
D. Security steering committee
Jill is establishing a companywide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database?
A. Increase the database's security controls and provide more granularity.
B. Implement access controls that display each user's permissions each time they access the database.
C. Change the database's classification label to a higher security status.
D. Decrease the security so that all users can access the information as needed.

Authorization creep is to access controls what scope creep is to software development. Which of the following is not true of authorization creep?
A. Users have a tendency to request additional permissions without asking for others to be taken away.
B. It is a violation of "least privilege".
C. It enforces the "need-to-know" concept.
D. It commonly occurs when users transfer to other departments or change positions.

Related exam papers

  • CISSP Certification Exam Practice Test 4

  • CISSP Certification Exam Practice Test 3

  • CISSP Certification Exam Practice Test 2

  • CISSP Certification Exam Practice Test 1

  • CISSP Certification Exam (Software Development Security) Practice Test 1

  • CISSP Certification Exam (Access Control) Practice Test 1

  • CISSP Certification Exam (Information Security Governance and Risk Management) Practice Test 1

  • CISSP Certification Exam (Communications and Network Security) Practice Test 1

  • CISSP Certification Exam (Security Architecture and Design) Practice Test 1

  • CISSP Certification Exam (Cryptography) Practice Test 1

  • CISSP Certification Exam (Physical and Environmental Security) Practice Test 1

  • CISSP Certification Exam (Legal, Regulations, Investigations and Compliance) Practice Test 1

  • CISSP Certification Exam (Business Continuity and Disaster Recovery) Practice Test 1

  • CISSP Certification Exam (Security Operations) Practice Test 1