Читаем CISSP Practice полностью

136. a. The term risk management is commonly used to define the process of determining risk, applying controls to reduce the risk, and then determining if the residual risk is acceptable. Risk management supports two goals: measuring risk (risk assessment) and selecting appropriate controls that can reduce risk to an acceptable level (risk mitigation). Therefore, measuring risk is part of risk assessment.

The other three choices are incorrect because they are elements of risk mitigation. Risk mitigation involves three steps: determining those areas where risk is unacceptable; selecting effective safeguards and evaluating the controls; and determining if the residual risk is acceptable.

137. The value of information is measured by its:

a. Negative value

b. Value to the owner

c. Value to others

d. Value of immediate access

137. c. The value of information is measured by what others want from the owner. Negative value comes into play when there is a safety, security, or quality problem with a product. For example, the negative value of a product affects customers, manufacturers, vendors, and hackers, where the latter party can exploit an unsafe or unsecure product. Value of immediate access is situational and personal.

138. Risk is the possibility of something adverse happening to an organization. Which of the following steps is the most difficult one to accomplish in a risk management process?

a. Risk profile

b. Risk assessment

c. Risk mitigation

d. Risk maintenance

138. b. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. Risk management includes two primary and one underlying activities. Risk assessment and risk mitigation are the primary activities, and uncertainty analysis is the underlying one.

Risk assessment, the process of analyzing and interpreting risk, is composed of three basic activities: (i) determining the assessment’s scope and methodology, (ii) collecting and synthesizing data, and (iii) interpreting the risk. A risk assessment can focus on many different areas of controls (including management, technical, and operational). These controls can designed into a new application and incorporated into all areas of an organization’s functions and operations (including telecommunication data centers, and business units). Because of the nature of the scope and the extent of risk assessment, it is the most difficult one to accomplish.

Risk profile and risk maintenance are not the most difficult to accomplish because they are the by-products of the risk assessment process. Risk profile for a computer system or facility involves identifying threats and developing controls and policies in order to manage risks.

Risk mitigation involves the selection and implementation of cost-effective security controls to reduce risk to a level acceptable to management, within applicable constraints. Again, risk mitigation comes after the completion of the risk assessment process.

139. The focus of risk management is that risk must be:

a. Eliminated

b. Prevented

c. Avoided

d. Managed

139. d. Risk must be managed because it cannot be completely eliminated or avoided. Some risks cannot be prevented in a cost-effective manner.

140. What is a risk event that is an identifiable uncertainty called?

a. Known-unknown

b. Unknown-unknown

c. Known-known

d. Unknown-known

140. a. Known-unknown is an identifiable uncertainty. Unknown-unknown is a risk event whose existence cannot be imagined. There is no risk in known-known because there is no uncertainty. Unknown-known is not relevant here.

141. Which of the following is an optional requirement for organizations?

a. Policies

b. Procedures

c. Standards

d. Guidelines

141. d. Guidelines assist users, systems personnel, and others in effectively securing their systems. Guidelines are suggestive and are not compulsory within an organization.

142. Which of the following is the least sensitive data classification scheme?

a. Unclassified

b. Unclassified but sensitive

c. Secret

d. Confidential

142. a. Data that is not sensitive or classified is unclassified. This is the least sensitive category, whereas secret is the most sensitive category.

143. Which of the following is not an example of a trade secret?

a. Customer lists

b. Supplier names

c. Technical specifications

d. Employee names