You are using encryption technology in an attempt to protect a file containing customer credit card numbers from unauthorized access. What information security goal are you pursuing?
A. Confidentiality
B. Integrity
C. Disclosure
D. Availability
A. Correct: Confidentiality controls protect information against unauthorized access. Preventing intruders from accessing the credit card file is an example of a confidentiality control.
You are performing a risk assessment of an organization and decide that the likelihood of a particular risk materializing is “low.” What type of risk assessment are you performing?
A. Operational
B. Quantitative
C. Technical
D. Qualitative
D. Correct: Qualitative risk assessments use subjective categories, such as “low,” “moderate,” and “high,” to describe the likelihood and impact of risks.
You are conducting a quantitative risk assessment for an organization to identify the risk of a fire in a data center. The data center is valued at $10 million and you expect a fire to occur once every 50 years that will damage three-quarters of the data center (including equipment). What is your exposure factor?
A. Correct: The exposure factor is the proportion of the asset that will be damaged in the event of a fire. In this case, that is 75 percent.
You are conducting a quantitative risk assessment for an organization to identify the risk of a fire in a data center. The data center is valued at $10 million and you expect a fire to occur once every 50 years that will damage three-quarters of the data center (including equipment). What is your annualized loss expectancy?
A. Correct: The annualized loss expectancy is calculated as the product of the single loss expectancy and the annualized rate of occurrence. The SLE is the asset value ($10 million) multiplied by the exposure factor (75 percent), or $7.5 million. The ARO is once every 50 years, or 0.02. The ALE is, therefore, $7,500,000 × 0.02 or $150,000.
You are evaluating methods to manage the risk posed to your organization by hackers and decide that you will pursue a strategy of aggressively prosecuting anyone who attempts to break into your systems. What risk management strategy are you implementing?
C. Correct: Prosecuting attackers reduces the likelihood that others will try to attack you and is an example of risk deterrence.
You are conducting a lessons-learned session to identify gaps in your response to an information security incident. What phase in the incident response life cycle are you participating in?
C. Correct: Conducting a lessons-learned session to identify potential improvements in the incident response process is an important part of the post-incident activity phase.