Mike Chapple - (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

9 You have performed a risk assessment and determined the threats that represent the most significant concern to your organization. When evaluating safeguards, what is the rule that should be followed in most cases?The expected annual cost of asset loss should not exceed the annual costs of safeguards.The annual costs of safeguards should equal the value of the asset.The annual costs of safeguards should not exceed the expected annual cost of asset value loss.The annual costs of safeguards should not exceed 10 percent of the security budget.

10 During a risk management project, an evaluation of several controls determines that none are cost-effective in reducing the risk related to a specific important asset. What risk response is being exhibited by this situation?MitigationIgnoringAcceptanceAssignment

11 During the annual review of the company's deployed security infrastructure, you have been reevaluating each security control selection. How is the value of a safeguard to a company calculated?ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguardALE before safeguard * ARO of safeguardALE after implementing safeguard + annual cost of safeguard – controls gapTotal risk – controls gap

12 Which of the following are valid definitions for risk? (Choose all that apply.)An assessment of probability, possibility, or chanceAnything that removes a vulnerability or protects against one or more specific threatsRisk = threat * vulnerabilityEvery instance of exposureThe presence of a vulnerability when a related threat exists

13 A new web application was installed onto the company's public web server last week. Over the weekend a malicious hacker was able to exploit the new code and gained access to data files hosted on the system. This is an example of what issue?Inherent riskRisk matrixQualitative assessmentResidual risk

14 Your organization is courting a new business partner. During the negotiations the other party defines several requirements of your organization's security that must be met prior to the signing of the SLA and business partners agreement (BPA). One of the requirements is that your organization demonstrate their level of achievement on the Risk Maturity Model (RMM). The requirement is specifically that a common or standardized risk framework is adopted organization-wide. Which of the five possible levels of RMM is being required of your organization?PreliminaryIntegratedDefinedOptimized

15 The Risk Management Framework (RMF) provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF has seven steps or phases. Which phase of the RMF focuses on determining whether system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation are reasonable?CategorizeAuthorizeAssessMonitor

16 Company proprietary data are discovered on a public social media posting by the CEO. While investigating, a significant number of similar emails were discovered to have been sent to employees, which included links to malicious sites. Some employees report that they had received similar messages to their personal email accounts as well. What improvements should the company implement to address this issue? (Choose two.)Deploy a web application firewall.Block access to personal email from the company network.Update the company email server.Implement multifactor authentication (MFA) on the company email server.Perform an access review of all company files.Prohibit access to social networks on company equipment.

17 What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions?EducationAwarenessTrainingTermination

18 Which of the following could be classified as a form of social engineering attack? (Choose all that apply.)A user logs in to their workstation and then decides to get a soda from the vending machine in the stairwell. As soon as the user walks away from their workstation, another person sits down at their desk and copies all the files from a local folder onto a network share.You receive an email warning about a dangerous new virus spreading across the internet. The message tells you to look for a specific file on your hard drive and delete it, since it indicates the presence of the virus.A website claims to offer free temporary access to their products and services but requires that you alter the configuration of your web browser and/or firewall in order to download the access software.A secretary receives a phone call from a person claiming to be a client who is running late to meet the CEO. The caller asks for the CEO's private cell phone number so that they can call them.

19 Often a _____________ is a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the group's work activities. _____________ are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors.CISO(s)Security champion(s)Security auditor(s)Custodian(s)

20 The CSO has expressed concern that after years of security training and awareness programs, the level of minor security violations has actually increased. A new security team member reviews the training materials and notices that it was crafted four years ago. They suggest that the materials be revised to be more engaging and to include elements that allow for the ability to earn recognition, team up with coworkers, and strive toward a common goal. They claim these efforts will improve security compliance and foster security behavior change. What is the approach that is being recommended?Program effectiveness evaluationOnboardingCompliance enforcementGamification

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Domain 1.0: Security and Risk Management1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements1.8.1 Business Impact Analysis (BIA)1.8.2 Develop and document scope and plan

Domain 7.0: Security Operations7.13 Participate in Business Continuity (BC) planning and exercises

Despite our best intentions, disasters of one form or another eventually strike every organization. Whether it's a natural disaster such as a hurricane, earthquake, or pandemic, or a person-made calamity such as a building fire, burst water pipe, or economic crisis, every organization will encounter events that threaten their operations or even their very existence.

Resilient organizations have plans and procedures in place to help mitigate the effects a disaster has on their continuing operations and to speed the return to normal operations. Recognizing the importance of planning for business continuity (BC) and disaster recovery (DR), the International Information System Security Certification Consortium (ISC) 2included these two processes in the objectives for the CISSP program. Knowledge of these fundamental topics will help you prepare for the exam and help you prepare your organization for the unexpected.

In this chapter, we'll explore the concepts behind business continuity planning (BCP). Chapter 18, “Disaster Recovery Planning,” will continue the discussion and delve into the specifics of the technical controls that organizations can put in place to restore operations as quickly as possible after disaster strikes.