CSIA 300 FINAL AND MIDTERM EXAM
NEWLY MODIFIED TESTED AND
APPROVED!!!
What is the minimum and customary practice of responsible protection of assets
that affects a community or societal norm? -- ANSWER--Due care
Effective security management: -- ANSWER--Reduces risk to an acceptable
level
Consideration for which type of risk assessment to perform includes all of the
following: -- ANSWER--Culture of the organization, budget, capabilities and
resources
Security awareness training includes: -- ANSWER--Security roles and
responsibilities for staff
Availability makes information accessible by protecting from: -- ANSWER--
Denial of services, fires, floods, and hurricanes and unreadable backup tapes
Page 1 of 62
,Which phrase best defines a business continuity/disaster recover plan? --
ANSWER--The adequate preparations and procedures for the continuation of all
organization functions
The Facilitated Risk Analysis Process (FRAP) -- ANSWER--makes a base
assumption that a narrow risk assessment is the most efficient way to determine
risk in a system, business segment, application or process.
Which of the following steps should be performed first in a business impact
analysis (BIA)? -- ANSWER--Identify all business units within an organization
Tactical security plans are BEST used to: -- ANSWER--Deploy new security
technology
Who is accountable for implementing information security? -- ANSWER-
Security officer
Security is likely to be most expensive when addressed in which phase? --
ANSWER--Implementation
Information systems auditors help the organization: -- ANSWER--Identify
control gaps
Page 2 of 62
,Within the realm of IT security, which of the following combinations best
defines risk? -- ANSWER--Threat coupled with a vulnerability
When determining the value of an intangible asset which is the BEST approach?
-- ANSWER--With the assistance of a finance of accounting professional
determine how much profit the asset has returned
Qualitative risk assessment is earmarked by which of the following? --
ANSWER--Ease of implementation and it can be completed by personnel with a
limited understanding of the risk assessment process
Single loss expectancy (SLE) is calculated by using: -- ANSWER--Asset value
and exposure factor
Setting clear security roles has the following benefits: -- ANSWER--Establishes
personal accountability, establishes continuous improvement and reduces turf
battles
Well-written security program policies are BEST reviewed: -- ANSWER--At
least annually or at pre-determined organization changes
Page 3 of 62
, An organization will conduct a risk assessment to evaluate -- ANSWER--threats
to its assets, vulnerabilities present in the environment, the likelihood that a
threat will be realized by taking advantage of an exposure, the impact that the
exposure being realized will have on the organization, the residual risk
A security policy which will remain relevant and meaningful over time includes
the following: -- ANSWER--Directive words such as shall, must, or will,
defined policy development process and is short in length
The ability of one person in the finance department to add vendors to the vendor
database and subsequently pay the vendor violates which concept? --
ANSWER--Separation of duties
Collusion is best mitigated by: -- ANSWER--Job rotation
Data access decisions are best made by: -- ANSWER--Data owners
Which of the following statements BEST describes the extent to which an
organization should address business continuity or disaster recovery planning? -
ANSWER--Continuity planning is a significant organizational issue and should
include all parts of functions of the company.
Page 4 of 62
NEWLY MODIFIED TESTED AND
APPROVED!!!
What is the minimum and customary practice of responsible protection of assets
that affects a community or societal norm? -- ANSWER--Due care
Effective security management: -- ANSWER--Reduces risk to an acceptable
level
Consideration for which type of risk assessment to perform includes all of the
following: -- ANSWER--Culture of the organization, budget, capabilities and
resources
Security awareness training includes: -- ANSWER--Security roles and
responsibilities for staff
Availability makes information accessible by protecting from: -- ANSWER--
Denial of services, fires, floods, and hurricanes and unreadable backup tapes
Page 1 of 62
,Which phrase best defines a business continuity/disaster recover plan? --
ANSWER--The adequate preparations and procedures for the continuation of all
organization functions
The Facilitated Risk Analysis Process (FRAP) -- ANSWER--makes a base
assumption that a narrow risk assessment is the most efficient way to determine
risk in a system, business segment, application or process.
Which of the following steps should be performed first in a business impact
analysis (BIA)? -- ANSWER--Identify all business units within an organization
Tactical security plans are BEST used to: -- ANSWER--Deploy new security
technology
Who is accountable for implementing information security? -- ANSWER-
Security officer
Security is likely to be most expensive when addressed in which phase? --
ANSWER--Implementation
Information systems auditors help the organization: -- ANSWER--Identify
control gaps
Page 2 of 62
,Within the realm of IT security, which of the following combinations best
defines risk? -- ANSWER--Threat coupled with a vulnerability
When determining the value of an intangible asset which is the BEST approach?
-- ANSWER--With the assistance of a finance of accounting professional
determine how much profit the asset has returned
Qualitative risk assessment is earmarked by which of the following? --
ANSWER--Ease of implementation and it can be completed by personnel with a
limited understanding of the risk assessment process
Single loss expectancy (SLE) is calculated by using: -- ANSWER--Asset value
and exposure factor
Setting clear security roles has the following benefits: -- ANSWER--Establishes
personal accountability, establishes continuous improvement and reduces turf
battles
Well-written security program policies are BEST reviewed: -- ANSWER--At
least annually or at pre-determined organization changes
Page 3 of 62
, An organization will conduct a risk assessment to evaluate -- ANSWER--threats
to its assets, vulnerabilities present in the environment, the likelihood that a
threat will be realized by taking advantage of an exposure, the impact that the
exposure being realized will have on the organization, the residual risk
A security policy which will remain relevant and meaningful over time includes
the following: -- ANSWER--Directive words such as shall, must, or will,
defined policy development process and is short in length
The ability of one person in the finance department to add vendors to the vendor
database and subsequently pay the vendor violates which concept? --
ANSWER--Separation of duties
Collusion is best mitigated by: -- ANSWER--Job rotation
Data access decisions are best made by: -- ANSWER--Data owners
Which of the following statements BEST describes the extent to which an
organization should address business continuity or disaster recovery planning? -
ANSWER--Continuity planning is a significant organizational issue and should
include all parts of functions of the company.
Page 4 of 62
