Читаем CISSP Practice полностью

b. Ensuring policies are available through physical bulletin boards

c. Requiring a signed statement from all users that they will abide by the policies

d. Ensuring policies are available through electronic bulletin boards

163. c. A statement is required from new users at the time access to information system resources was first provided and from all users periodically, usually once a year. Requiring a signed statement can serve as a useful technique for impressing on the users the importance of understanding organizational policies. In addition, if the user was later involved in a security violation, the statement can serve as evidence that he had been informed of organizational policies.

164. Which of the following considers the loss of security objectives (i.e., confidentiality, integrity, and availability) that could be expected to have a limited, serious, or severe adverse effect on an organization’s operations, assets, systems, or individuals and on other organizations?

a. Low-impact

b. Moderate-impact

c. Potential impact

d. High-impact

164. c. Potential impact considers all three levels of impact such as (i) a limited adverse effect representing a low impact, (ii) a serious adverse effect representing a moderate impact, and (iii) a severe or catastrophic adverse effect representing a high impact.

165. Effective information systems security measures cannot be maintained due to which of the following reasons?

a. Lack of awareness

b. Lack of a policy

c. Lack of a procedure

d. Lack of enforcement

165. d. If employees see that management is not serious about security policy enforcement, they will not pay attention to security, thus minimizing its effectiveness. In addition to the lack of enforcement, inconsistent enforcement is a problem.

166. Sensitivity criteria for a computer-based information system are not defined in terms of which of the following?

a. The value of having an application system

b. The cost of developing and maintaining an application system

c. The value of having the needed information

d. The cost of not having an application system

166. b. Sensitivity criteria are largely defined in terms of the value of having, or the cost of not having, an application system or needed information.

167. What is the first thing to do upon unfriendly termination of an employee?

a. Complete a sign-out form immediately.

b. Send employee to the accounting department for the last paycheck.

c. Remove the system access quickly.

d. Send employee to the human resource department for benefits status.

167. c. Whether the termination is friendly or unfriendly, the best security practice is to disable the system access quickly, including login to systems. Out-processing often involves a sign-out form initialed by each functional manager with an interest in the separation of the employee. The sign-out form is a type of checklist. Sending the employee to the accounting and human resource departments may be done later.

168. Which of the following have similar structures and complementary objectives?

a. Training and awareness

b. Hackers and users

c. Compliance and common sense

d. Need-to-know and threats

168. a. Training makes people learn new things and be aware of new issues and procedures. They have similar objectives—that is, to learn a new skill or knowledge. Hence, they complement each other.

A hacker is a person who attempts to compromise the security of an IT system, especially whose intention is to cause disruption or obtain unauthorized access to data. On the other hand, a user has the opposite objective, to use the system to fulfill his job duties. Hence, they conflict with each other.

Compliance means following the standards, rules, or regulations with no deviations allowed. On the other hand, common sense tells people to deviate when conditions are not practical. Hence, they conflict with each other.

Need-to-know means a need for access to information to do a job. Threats are actions or events that, if realized, can result in waste, fraud, abuse, or disruption of operations. Hence, they conflict with each other.

169. Establishing a data ownership program should be the responsibility of:

a. Functional users

b. Internal auditors

c. Data processors