Читаем CISSP Practice полностью

Effectiveness/efficiency metrics measure the results of security services delivery (i.e., monitors the results of security controls implementation). Implementation metrics measure the results of implementation of security policies, procedures, and controls (i.e., demonstrates progress in implementation efforts).

213. Which of the following is a prerequisite to IT security training?

a. Security basics

b. Awareness

c. Security literacy

d. Education

213. b. Awareness programs act as a prerequisite to IT security training. Awareness programs set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure.

214. The security objective or principle of integrity does not deal with which of the following?

a. Accuracy

b. Privacy

c. Non-repudiation

d. Accountability

214. b. Privacy is a part of a confidentiality objective or principle, whereas the other three choices are part of the integrity objective or principle. Privacy protection is the establishment of controls to ensure the security and confidentiality of data records and restricting access to such records. Confidentiality is preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Hence, privacy and confidentiality are related to each other.

Integrity is the property that protected and sensitive data has not been modified or deleted in an unauthorized and undetected manner. Accuracy is a qualitative assessment of correctness of data or freedom from error (i.e., data needs integrity). Non-repudiation is a service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party. Accountability generates the requirements for actions of an individual to be traced uniquely to that individual (i.e., supports prevention, detection, fault isolation, and non-repudiation). Hence, accuracy, accountability, and non-repudiation all require that data and information must have integrity. If data that an individual is handling is not accurate and if an individual can deny sending or receiving a message, how can that individual be held accountable for his actions? Note that the terms integrity, accuracy, non-repudiation, and accountability have different definitions and meanings depending on the context of use.

215. Which of the following verifies that the other three security principles have been adequately met by a specific implementation?

a. Assurance

b. Integrity

c. Confidentiality

d. Availability

215. a. Assurance verifies that the security principles such as integrity, availability, confidentiality, and accountability have been adequately met by a specific implementation.

216. Regarding information security governance, which of the following should take place for noncompliance?

a. Change in policies

b. Change in procedures

c. Change in practices

d. Periodic assessments

216. d. Periodic assessments and reports on activities can be a valuable means of identifying areas of noncompliance. The other three choices can result from the periodic assessments.

217. Which of the following must be considered when the system boundaries are drawn and when establishing a control baseline?

a. Confidentiality

b. Impact levels

c. Integrity

d. Availability

217. b. The impact levels (i.e., low, moderate, or high) must be considered when the system boundaries are drawn and when selecting the initial set of security controls (i.e., control baseline). Confidentiality, integrity, and availability are security objectives for which potential impact is assessed.

218. Which of the following is not an element of information quality?

a. Reproducibility

b. Utility

c. Integrity

d. Objectivity

218. a. Information quality is an encompassing term composed of utility integrity and objectivity. Reproducibility means that the information can be substantially reproduced, subject to an acceptable degree of imprecision.