Читаем CISSP Practice полностью

74. What should the information security manager do when the residual risk has not been reduced to an acceptable level?

a. Repeat the risk management cycle.

b. Develop new policies and procedures.

c. Implement new security technologies.

d. Establish a specific schedule for assessing risk.

74. a. If the residual risk has not been reduced to an acceptable level, the information security manager must repeat the risk management cycle to identify a way of lowering the residual risk to an acceptable level. The other three choices are not strong enough actions to reduce the residual risk to an acceptable level.

75. The level of protection for an IT system is determined by an evaluation of which of the following elements?

1. Availability

2. Integrity

3. Sensitivity

4. Criticality

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

75. c. All IT systems and applications require some level of protection to ensure confidentiality, integrity, and availability, which is determined by an evaluation of the sensitivity and criticality of the information processed, the relation of the system to the organization mission, and the economic value of the system components. Sensitivity and criticality are a part of the confidentiality goal.

76. Which of the following IT metrics types measure the results of security services delivery?

1. Implementation metrics

2. Effectiveness metrics

3. Efficiency metrics

4. Impact metrics

a. 1 and 2

b. 2 and 3

c. 1 and 4

d. 3 and 4

76. b. Implementation metrics measures the implementation of security policy. Effectiveness and efficiency metrics measures the results of security services delivery. Impact metrics measures the business or mission impact of security events.

77. Which of the following factors affects the trustworthiness of an information system?

1. Security functionality

2. Security categorization

3. Security certification

4. Security assurance

a. 1 and 2

b. 1 and 4

c. 3 and 4

d. 1, 2, 3, and 4

77. b. Two factors affecting the trustworthiness of an information system include security functionality (i.e., security features employed within the system) and security assurance (i.e., the grounds for confidence that the security functionality is effective in its application).

Security categorization and security certification are not relevant here because security categorization classifies systems according to security levels, and security certification deals with approving a new system prior to its operation.

78. When engaging information system services from an external service provider, which of the following is needed to mitigate security risk?

a. Chain-of-custody

b. Chain-of-command

c. Chain-of-documents

d. Chain-of-trust

78. d. A chain-of-trust requires that an internal organization establish and retain a level of confidence that each external service provider consider adequate security protection for the services rendered to the internal organization.

Chain-of-custody refers to preserving evidence, and it may include chain-of-documents. Chain-of-command is a management principle, which follows job hierarchy in giving orders to subordinate employees by a supervising employee.

79. From a security viewpoint, which of the following is the most important document prepared by an external information system service provider?

a. Service provider security role

b. End user security role

c. Memorandum of agreement

d. Service-level agreement

79. d. The external information system services documentation must include the service provider security role, end user security role, signed contract, memorandum of agreement before the signed contract, and service-level agreement (most important). The service-level agreement (SLA) defines the expectations of performance for each required security control, describes measurable outcomes, and identifies remedies and response requirements for any identified instance of noncompliance.

80. The results of information-security program assessment reviews can be used to do which of the following?

1. To support the certification and accreditation process

2. To support the continuing monitoring requirement

3. To prepare for audits