Answers to Exam Prep Questions
Answer: D. The military data-classification system is widely used within the Department of Defense. This system has five levels of classification: unclassified, sensitive, confidential, secret, and top secret. Each level represents an increasing level of sensitivity.
Answer: B. The purchase of insurance to transfer a portion or all of the potential cost of a loss to third party is known as risk transference. All other answers are incorrect: Risk reduction implements a countermeasure, risk acceptance deals with it by accepting the potential cost, and risk rejection pretends it doesn't exist.
Answer: C. $25 x .4 = $10, or Single loss expectancy (SLE) 3 Annualized rate of occurrence (ARO) 5 Annualized loss expectancy (ALE).
Answer: D. The quantitative assessment process involves the following steps: Estimate potential losses (SLE), conduct a threat analysis (ARO), determine annual loss expectancy (ALE), and determine the residual risk after a countermeasure has been applied.
Answer: A. Qualitative assessment is scenario driven and does not attempt to assign dollar values to components of the risk analysis. Quantitative assessment is based on dollar amounts; both numeric mitigation and red team are distracters.
Answer: C. Technical controls can be hardware or software. They are the logical mechanisms used to control access and authenticate users, identify unusual activity, and restrict unauthorized access. Clerical is a nonexistent category, and all other answers are incorrect: Administrative controls are procedural, and physical controls include locks, guards, gates, and alarms.
Answer: B. Risk is expressed numerically as follows:
Threat x Vulnerability x Asset value = Total risk
All other answers do not properly define the formula for total risk.
Answer: B. Vulnerability is a flaw, loophole, oversight, or error that makes the organization susceptible to attack or damage. All other answers are incorrect: A risk can be defined as the potential harm that can arise from some present process or from some future event; a threat is an unwanted event that can result in harm to an asset or service; and an exploit takes advantage of a bug, glitch, or vulnerability.
Answer: A. A procedure is a detailed, in-depth, step-by-step document that lays out exactly what is to be done. It's a detailed document that is tied to specific technologies and devices. Standards are tactical documents; policies are high-level documents; and baselines are minimum levels of security that a system, network, or device must adhere to.
Answer: C. Senior management should be the ultimate owner because these individuals are responsible for the asset and must answer if a compromise occurs. Although answer C is the best possible choice, it is important to realize that, in most cases, the data owner will be a member of management but might not be the most senior position within the company. For example, the CFO would be the data owner for all financial data, the director of human resources would be the data owner for all HR data, and so on. All other answers are incorrect because end users, technical managers, and other employees are not typically the data owners.