10. a.
Corporate financial reporting requires integrity of information so that it is protected against unauthorized modification. The scope of financial reporting includes presenting the balance sheet, income statement, cash flows, and the annual report with footnotes and disclosures. Confidentiality is required to protect personnel (employee) data such as medical records, trade secrets, or intellectual property rights (e.g., copyrights), and business data such as shipping, billing, and inventory information.
11. The relative priority given to confidentiality, integrity, and availability goals varies according to which of the following?
1. Type of information system
2. Cost of information system
3. Data within the information system
4. Business context of use
a. 1 and 2
b. 2 and 3
c. 1 and 4
d. 3 and 4

11. d.
The relative priority and significance given to confidentiality, integrity, and availability goals vary according to the data held within the information system and the business context in which that data is used. The type and cost of the information system matter for other decisions but do not determine the relative weight of these goals.

12. Effective information security governance requires which of the following?
1. Corporate executive management endorsement
2. IT executive management endorsement
3. Board member endorsement
4. IT security officer endorsement
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4

12. b.
Effective information security governance depends on the endorsement of corporate executive management and the board. When corporate senior management follows the security policies, it sends a positive signal to the rest of the organization, and all board members should endorse the information security governance policies. Note the division of roles: corporate executive management and the board members approve and endorse the security policies, while IT executive management and the IT security officer implement them.

13. Which of the following is the major purpose of self-assessment of information security for improving the security?
a. Establish future targets
b. Understand the current status
c. Find out the industry average
d. Analyze the current target

13. a.
The results of an information security self-assessment are used to establish targets for future development, based on where the organization wants to be and how it intends to improve security; this is the major purpose. The other three choices are minor purposes that feed into establishing those future targets.

14. What does risk analysis in the contingency planning process not include?
a. Prioritization of applications
b. Development of test procedures
c. Assessment of threat impact on the organization
d. Development of recovery scenarios

14. b.
Test procedures are detailed instructions that are not normally produced during a risk analysis exercise. Risk analysis is the initial phase of the contingency planning process, whereas testing comes after the plan has been developed and documented. Application prioritization, assessment of threat impact on the organization (exposures and implications), and development of recovery scenarios are all part of the risk analysis exercise. Risk analysis is a prerequisite to a complete and meaningful disaster recovery planning program: it assesses the threats to resources and determines the amount of protection necessary to adequately safeguard them.

15. Which of the following is not a key activity that facilitates the integration of information security governance components?
a. Operational planning
b. Organizational structure
c. Roles and responsibilities
d. Enterprise architecture

15. a.
The key activities that facilitate integration of information security governance components are strategic planning, organizational structure (design and development), roles and responsibilities, enterprise architecture, and security objectives. Operational planning is derived from strategic planning and is not itself one of the key integration activities.

16. Which of the following is not an example of protected communications controls that are part of technical preventive controls?
a. Cryptographic technologies
b. Data encryption methods
c. Discretionary access controls
d. Escrowed encryption algorithms