## CISSP - Security and Risk Management Practice Questions

##### What is the ISO 27002 standard focused on?

Options are :

• ITSM.
• Protecting PHI.
• Risk management.
• HIPAA.

Explanation ISO 27002 (descended from BS 7799 Part 1, later published as ISO/IEC 17799) is a code of practice that provides practical advice on how to select and implement information security controls. ISO/IEC 17799:2000 grouped those controls into 10 domains; later editions reorganized them (11 control clauses in the 2005 edition, 14 in the 2013 edition).

##### As part of our risk management, we are working on quantitative risk analysis. Select all the terms we would use in this phase:

Options are :

• Asset Value (AV)
• Future Growth Potential (FGP)
• Risk Analysis Matrix (RAM)
• Exposure factor (EF)
• Annualized Loss Expectancy (ALE)

Answer : Asset Value (AV) Exposure factor (EF) Annualized Loss Expectancy (ALE)

Explanation Quantitative Risk Analysis: we want exactly enough security for our needs, and this is where we put numbers on that. We find the asset's value, how much of it one incident compromises, what one incident costs, how often it occurs, and what that adds up to per year:

• Asset Value (AV): how much is the asset worth?
• Exposure Factor (EF): what percentage of the Asset Value is lost in one incident?
• Single Loss Expectancy (SLE) = AV x EF: what does it cost if it happens once?
• Annual Rate of Occurrence (ARO): how often will this happen each year?
• Annualized Loss Expectancy (ALE) = SLE x ARO: what it costs per year if we do nothing.
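The calculation above, carried through in code as an added example (not part of the original question set). It chains the terms in the order the explanation lists them (AV, EF, SLE, ARO, ALE), ranks several scenarios by ALE, and goes one step beyond the listed terms by computing the net value of a safeguard, which is how "exactly enough security" is decided in practice. All asset values, exposure factors and occurrence rates are constructed figures for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat/asset pair expressed in the quantitative terms from the question."""

    name: str
    asset_value: float      # AV: what the asset is worth (monetary units)
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0.0 to 1.0
    aro: float              # ARO: how many times per year the incident is expected

    def __post_init__(self) -> None:
        # EF is a percentage of AV, so a single incident can never lose more than the whole asset.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0.0 and 1.0")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF, the cost of one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO, the yearly cost of doing nothing."""
        return self.sle() * self.aro


def rank_by_ale(scenarios: list[RiskScenario]) -> list[tuple[str, float]]:
    """Order scenarios by ALE, highest first, so the largest yearly losses get attention first."""
    return sorted(((s.name, s.ale()) for s in scenarios), key=lambda pair: pair[1], reverse=True)


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual value of a control: (ALE before) - (ALE after) - (annual cost of the control).

    Positive means the control saves more than it costs; negative means we would
    be spending more on protection than the risk costs us.
    """
    return before.ale() - after.ale() - annual_cost


# Constructed sample scenarios (hypothetical figures, not from the original page).
WEB_RANSOMWARE = RiskScenario("web server ransomware", asset_value=50_000, exposure_factor=0.40, aro=0.5)
LAPTOP_THEFT = RiskScenario("sales laptop theft", asset_value=2_000, exposure_factor=1.0, aro=3.0)

# The same web server once offline backups cut the loss per incident to 10% (ARO unchanged).
WEB_RANSOMWARE_WITH_BACKUPS = RiskScenario("web server ransomware (with backups)", 50_000, 0.10, 0.5)
BACKUP_ANNUAL_COST = 3_000  # hypothetical yearly cost of the backup solution


if __name__ == "__main__":
    for name, ale in rank_by_ale([WEB_RANSOMWARE, LAPTOP_THEFT]):
        print(f"{name}: ALE = {ale:,.0f} per year")
    gain = safeguard_value(WEB_RANSOMWARE, WEB_RANSOMWARE_WITH_BACKUPS, BACKUP_ANNUAL_COST)
    print(f"offline backups are worth {gain:,.0f} per year")
```

For the constructed web server scenario, SLE is 50,000 x 0.40 = 20,000 and ALE is 20,000 x 0.5 = 10,000 per year; backups that cut EF to 0.10 bring ALE down to 2,500, so at 3,000 per year they are worth 4,500 annually. The EF range check matters because a spreadsheet typo such as 40 instead of 0.40 silently inflates every downstream figure.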

##### We are in a court of law and we are presenting real evidence. What constitutes real evidence?

Options are :

• The data on our hard drives.
• Something you personally saw or witnessed.
• Tangible and physical objects.
• Logs, audit trails and other data from the time of the attack.

Answer : Tangible and physical objects.

Explanation Real evidence is tangible, physical objects. In IT security that means items such as the hard disks and USB drives themselves, not the data stored on them.

##### We are using the CIA triad to, at a high level, explain IT security to our board of directors. Which of these are the 3 legs of the CIA triad?

Options are :

• Confidentiality, Integrity and Accountability.
• Confidentiality, Identity and Availability.
• Integrity, Availability and Confidentiality.
• Identity, accountability and confidentiality.

Answer : Integrity, Availability and Confidentiality.

Explanation The CIA (Confidentiality, Integrity, Availability) Triad: Confidentiality - We keep our data and secrets secret. Integrity - We ensure the data has not been altered. Availability - We ensure authorized people can access the data they need, when they need to.

##### What was the intent of the US Electronic Communications Privacy Act of 1986 (ECPA)?

Options are :

• To allow search and seizure without immediate disclosure.
• To protect electronic communication against warrantless wiretapping.
• To protect electronic communication by mandating service providers to use strong encryption.
• To allow law enforcement to use wiretaps without a warrant or oversight.

Answer : To protect electronic communication against warrantless wiretapping.

Explanation The Electronic Communications Privacy Act (ECPA) was designed to protect electronic communications against warrantless wiretapping, but it was significantly weakened by the USA PATRIOT Act of 2001.

##### Our organization is using least privilege in our user access management. How are our users assigned privileges?

Options are :

• The same privileges as the rest of the group has.
• More privileges than they need for their day-to-day job, so they can perform certain tasks in an emergency.
• Exactly the minimum feasible access for the user to perform their job.
• Privileges at the data owner's discretion.

Answer : Exactly the minimum feasible access for the user to perform their job.

Explanation Least privilege, also called "minimum necessary access": we give our users and systems exactly the access they need to do their job, no more and no less.

##### When we are performing background checks on our new employees, we would NEVER look at which of these?

Options are :

• References, degrees, criminal records, credit history.
• References, degrees, political affiliation, employment history.
• References, employment history, criminal records.
• Employment history, credit history, references.

Answer : References, degrees, political affiliation, employment history.

Explanation When we hire new staff we often do background checks to minimize our risk. We can check: references, degrees, employment history, criminal records, and credit history (less common and more costly). Political affiliation is not something we check. We have new staff sig