Читаем CISSP Practice полностью

223. b. “Percentage of security incidents caused by improperly configured access controls” is an example of effectiveness metrics.

The other three choices deal with efficiency and implementation metrics. Audit records reviewed deals with efficiency metrics, whereas audit log findings and automated mechanisms deal with implementation metrics.

Effectiveness or efficiency metrics measure the results of security services delivery (i.e., monitors the results of security controls implementation).

Implementation metrics measure the results of implementation of security policies, procedures, and controls (i.e., demonstrates progress in implementation efforts).

224. Which of the following IT security metrics focuses on impact?

a. Percentage of information system security personnel that have received security training

b. Percentage of systems compliant with the baseline configuration

c. Sum of costs of each incident within the reporting period

d. Percentage of configuration changes documented in the latest baseline configuration

224. c. “Sum of costs of each incident within the reporting period” is an example of impact metrics. The other three choices are examples of implementation metrics.

Impact metrics measure the results of business or mission impact of security activities and events (i.e., provides the most direct insight into the value of security to the firm). Implementation metrics measure the results of implementation of security policies, procedures, and controls (i.e., demonstrates progress in implementation efforts).

225. IT security training provides which of the following levels?

a. Data

b. Information

c. Knowledge

d. Insight

225. c. IT security training provides knowledge levels, awareness provides data and information levels, and education provides insight levels.

Scenario-Based Questions, Answers, and Explanations

Use the following information to answer questions 1 through 9.

Risk management is a major priority of the SPK Company. The following data has been collected for one asset in the company: Natural threats are realized once every five years. The total asset value is $1,000,000. Every time a threat causes damage, it cost the company an average of $100,000. The company has the choice of getting insurance for $10,000 per year or moving to a new location that will be a onetime cost of $35,000. The SPK priorities in the risk management strategy are accuracy and long-term repeatability of process.

1. What can be done with the residual risk?

a. It can be either assigned or accepted.

b. It can be either identified or evaluated.

c. It can be either reduced or calculated.

d. It can be either exposed or assessed.

1. a. Residual risk is the remaining risk after countermeasures (controls) cover the risk population. The residual risk is either assigned to a third party (e.g., insurance company) or accepted by management as part of doing business. It may not be cost-effective to further reduce residual risk.

2. Which of the following is not part of risk analysis?

a. Assets

b. Threats

c. Vulnerabilities

d. Countermeasures

2. d. Countermeasures and safeguards come after performing risk analysis. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Assets, threats, and vulnerabilities are part of risk analysis exercise.

3. Security safeguards and controls cannot do which of the following?

a. Risk reduction

b. Risk avoidance

c. Risk transfer

d. Risk analysis

3. d. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Risk analysis is a management exercise performed before deciding on specific safeguards and controls. Risk reduction, risk avoidance, and risk transfer are part of risk mitigation, which results from applying the selected safeguards and controls.

4. Selection and implementation of security controls refer to which of the following?

a. Risks analysis

b. Risk mitigation

c. Risk assessment

d. Risk management

4. b. Risk mitigation involves the selection and implementation of security controls to reduce risks to an acceptable level. Risk analysis is the same as risk assessment. Risk management includes both risk analysis and risk mitigation.

5. Which of the following is closely linked to risk acceptance?

a. Risk detection

b. Risk prevention

c. Risk tolerance