Chapter 1 Solutions
Review Questions
1. An organization that needs to understand vulnerabilities and threats needs to perform a:
a. Penetration test
b. Threat analysis
c. Qualitative risk assessment
d. Quantitative risk assessment
2. A risk manager has performed a risk analysis on a server that is worth $120,000. The risk manager has determined that the single loss expectancy is $100,000. The exposure factor is:
a. 83%
b. 1.2
c. 80%
d. 120%
3. A risk manager has performed a risk analysis on a server that is worth $120,000. The single loss expectancy (SLE) is $100,000, and the annual loss expectancy (ALE) is $8,000. The annual rate of occurrence (ARO) is:
a. 12.5
b. 92%
c. 8
d. 8%
4. A risk manager needs to implement countermeasures on a critical server. What factors should be considered when analyzing different solutions?
a. Original annualized loss expectancy (ALE)
b. Annualized loss expectancy (ALE) that results from the implementation of the countermeasure
c. Original exposure factor (EF)
d. Original single loss expectancy (SLE)
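Questions 2 through 4 rest on the standard quantitative risk relations SLE = AV × EF and ALE = SLE × ARO, and on comparing the ALE before and after a countermeasure. The Python below is an added worked example, not part of the textbook or its solutions; it implements those relations as small functions, applies them to the asset value, SLE and ALE figures given in the questions, and then ranks two constructed, hypothetical countermeasures (the names, costs and residual ALEs are assumptions) by the common cost-benefit form "original ALE minus post-control ALE minus annual cost of the control".

```python
"""Quantitative risk analysis helpers (added example, not textbook code)."""
from dataclasses import dataclass
from typing import List


def exposure_factor(asset_value: float, sle: float) -> float:
    """EF = SLE / AV: the fraction of the asset's value lost in one incident."""
    if asset_value <= 0:
        raise ValueError("asset value must be positive")
    return sle / asset_value


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = AV * EF: expected loss from a single occurrence."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: expected loss per year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def annual_rate_of_occurrence(ale: float, sle: float) -> float:
    """ARO = ALE / SLE: expected number of occurrences per year."""
    if sle <= 0:
        raise ValueError("single loss expectancy must be positive")
    return ale / sle


@dataclass
class Countermeasure:
    """A candidate control: what it costs per year and the ALE that remains."""
    name: str
    annual_cost: float
    residual_ale: float


def countermeasure_value(original_ale: float, cm: Countermeasure) -> float:
    """Annual value of a control = ALE before - ALE after - annual cost.

    A negative result means the control costs more per year than the loss
    it is expected to prevent, so it is not worth buying on these numbers alone.
    """
    return original_ale - cm.residual_ale - cm.annual_cost


def rank_countermeasures(original_ale: float,
                         candidates: List[Countermeasure]) -> List[Countermeasure]:
    """Return candidates ordered from best to worst annual value."""
    return sorted(candidates,
                  key=lambda cm: countermeasure_value(original_ale, cm),
                  reverse=True)


# Figures from questions 2 and 3: server worth $120,000, SLE $100,000, ALE $8,000.
ASSET_VALUE = 120_000.0
SLE = 100_000.0
ALE = 8_000.0

# Constructed, hypothetical candidate controls for the question 4 comparison.
CANDIDATES = [
    Countermeasure("offsite backups", annual_cost=2_000.0, residual_ale=1_000.0),
    Countermeasure("cold spare server", annual_cost=6_000.0, residual_ale=0.0),
]


def worked_example() -> dict:
    """Run the page's figures through the relations above."""
    ef = exposure_factor(ASSET_VALUE, SLE)
    aro = annual_rate_of_occurrence(ALE, SLE)
    ranked = rank_countermeasures(ALE, CANDIDATES)
    return {
        "exposure_factor": ef,
        "aro": aro,
        "sle_check": single_loss_expectancy(ASSET_VALUE, ef),
        "ale_check": annualized_loss_expectancy(SLE, aro),
        "best_control": ranked[0].name,
        "best_value": countermeasure_value(ALE, ranked[0]),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

The ranking compares controls only on expected annual loss and cost; in practice the original ALE is still needed as the baseline for every candidate, which is why a comparison that looks only at the post-control ALE or only at the control's price is incomplete.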
5. The general approaches to risk treatment are:
a. Risk acceptance, risk avoidance, and risk reduction
b. Risk acceptance, risk reduction, and risk transfer
c. Risk acceptance, risk avoidance, risk reduction, and risk transfer
d. Risk analysis, risk acceptance, risk reduction, and risk transfer
6. CIA refers to:
a. Confidence, integrity, and audit of information and systems
b. Confidentiality, integrity, and assessment of information and systems
c. Confidentiality, integrity, and availability of information and systems
d. Cryptography, integrity, and audit of information and systems
7. A recent failure in a firewall resulted in all incoming packets being blocked. This type of failure is known as:
a. Fail open
b. Access failure
c. Circuit closed
d. Fail closed
8. The definition of PII:
a. Is name, date of birth, and home address
b. Is name, date of birth, home address, and home telephone number
c. Is name, date of birth, and social insurance number
d. Varies by jurisdiction and regulation
9. The statement, “All financial transactions are to be encrypted using 3DES” is an example of a:
a. Procedure
b. Guideline
c. Standard
d. Policy
10. The purpose of information classification is:
a. To establish procedures for safely disposing of information
b. To establish procedures for the protection of information
c. To establish procedures for information labeling
d. To establish sensitivity levels for information
11. An organization is concerned that its employees will reveal its secrets to other parties. The organization should implement:
a. Document marking
b. Non-disclosure agreements
c. Logon banners
d. Security awareness training
12. The purpose of a background verification is to: