Exercise 2
Student ID (NIM):
1. Which choice below is the role of an Information System Security Officer (ISSO)?
A. The ISSO establishes the overall goals of the organization’s computer security
program.
B. The ISSO is responsible for a day-to-day security administration.
C. The ISSO is responsible for examining systems to see whether they are
meeting stated security requirements.
D. The ISSO is responsible for following security procedures and reporting
security problems.
3. Who has the ultimate responsibility for information security within an organization?
A. IT Security Officer
B. Project Managers
C. Department Directors
D. Senior Management
4. The following term is used to represent the likelihood of a threat source taking
advantage of a vulnerability:
A. Vulnerability
B. Threat
C. Risk
D. Exposure
5. The following term is used to represent an instance of being exposed to losses:
A. Vulnerability
B. Threat
C. Risk
D. Exposure
12. Risk analysis helps you accomplish all of the following except:
A. Identify risks
B. Identify individual attackers
C. Justify security safeguards
D. Budget appropriately for risks
17. The estimated frequency a threat will occur within a year is known as the:
A. Single loss expectancy (SLE)
B. Annualized rate of occurrence (ARO)
C. Exposure factor (EF)
D. Asset value (AV)
18. The percentage of loss a realized threat could have on a certain asset is known as the:
A. Single loss expectancy (SLE)
B. Annualized rate of occurrence (ARO)
C. Exposure factor (EF)
D. Asset value (AV)
23. Any risk left over after implementing safeguards is known as:
A. Leftover risk
B. Residual risk
C. Remaining risk
D. Totally leftover risk
29. Which of the following terms describes activities that make sure protection
mechanisms are maintained and operational?
A. Due care
B. Due diligence
C. Due care but not due diligence
D. Due care and due diligence
30. Which of the following is not true regarding data classification?
A. It helps determine the level of confidentiality required
B. It helps determine the level of integrity required
C. It helps determine the level of authentication required
D. It ensures data is protected in the most cost-effective manner
32. When there is a “separation of duties”, parts of tasks are assigned to different people
so that:
A. Collusion is required to perform an unauthorized act
B. Better planning is required to break into systems
C. Defense-in-depth is achieved by creating multiple layers an attacker must
circumvent
D. The weakest link, people, are not easily flipped
33. Which of the following organizational placements is ideal for the IT security function?
A. Security as a function within the Information Technology organization.
B. Security reporting to a specialized business unit such as legal, corporate
security or insurance.
C. Chief Security Officer reporting directly to the CEO.
D. None of the above.
36. Which choice below is not a generally accepted benefit of security awareness,
training and education?
A. A security awareness program can help operators understand the value of the
information.
B. A security education program can help system administrators recognize
unauthorized intrusion attempts.
C. A security awareness and training program will help prevent natural
disasters from occurring.
D. A security awareness and training program can help an organization reduce
the number and severity of errors and omissions.
39. Which choice below would not be considered an element of proper user
account management?
A. Users should never be rotated out of their current duties.
41. Which of the following is the best reason for the use of an automated risk
analysis tool?
A. Much of the data gathered during the review cannot be reused for subsequent
analysis.
B. Automated methodologies require minimal training and knowledge of
risk analysis.
C. Most software tools have user interfaces that are easy to use.
D. Minimal information gathering is required due to the amount of
information built into the tool.
42. Which must bear the primary responsibility for determining the level of protection
needed for information systems resources?
A. Data Owner
B. Senior Management
C. System Administrator
D. Project Manager
43. What is the inverse of the confidentiality, integrity, and availability (CIA) triad in risk
management?
A. Misuse, exposure, and destruction.
B. Authorization, non-repudiation, and integrity.
C. Disclosure, alteration, and destruction.
D. Confidentiality, integrity, and availability.
44. What would be the Annualized Rate of Occurrence (ARO) where a company
employs 100 data entry clerks each of whom averages one input error per month?
A. 100
B. 120
C. 1,000
D. 1,200
46. What is the difference between quantitative and qualitative risk analysis?
A. Qualitative analysis uses mathematical formulas while quantitative
analysis does not.
B. Purely qualitative analysis is not possible, while purely quantitative
is possible.
C. Quantitative analysis provides formal cost/benefit information while
qualitative analysis does not.
D. There is no difference between qualitative and quantitative analysis.
48. If risk is defined as “the potential that a given threat will exploit vulnerabilities of
an asset or group of assets to cause loss or damage to the assets”, the risk has all of
the following elements except:
A. An impact of assets based on threats and vulnerabilities.
B. Controls addressing the threats.
C. Threats to and vulnerabilities of processes and/or assets.
D. Probabilities of the threats.
49. Which of the following should not be a role of the security administrator?
A. Authorizing access rights.
B. Implementing security rules.
C. Ensuring that local policies have been authorized by management.
D. Allocating access rights.
50. Which of the following is not accurate regarding the process of risk management?
A. The likelihood of a threat must be determined as an element of the risk
assessment.
B. The level of impact of a threat must be determined as an element of the risk
assessment.
C. Risk assessment is the first process in the risk management methodology.
D. Risk assessment is the final result of the risk management methodology.
51. Which choice below most accurately reflects the goals of risk mitigation?
A. Defining the acceptable level of risk the organization can tolerate, and
reducing risk to that level.
B. Analyzing and removing all vulnerabilities and threats to security within the
organization.
C. Defining the acceptable level of risk the organization can tolerate, and
assigning any costs associated with loss or disruption to a third party such as
an insurance carrier.
D. Analyzing the effects of a business disruption and preparing the company’s
response.
52. Which answer below is the best description of Single Loss Expectancy (SLE)?
A. An algorithm that represents the magnitude of a loss to an asset from a threat.
B. An algorithm that expresses the annual frequency with which a threat
is expected to occur.
C. An algorithm used to determine the monetary impact of each occurrence for
a threat.
D. An algorithm that determines the expected annual loss to an organization from
a threat.
54. Which choice below is not an example of appropriate security management practice?
A. Reviewing access logs for unauthorized behavior.
B. Monitoring employee performance in the workplace.
C. Researching information on new intrusion exploits.
D. Promoting and implementing security awareness programs.
55. Which choice below is not an accurate description of an information policy?
A. Information policy is senior management’s directive to create a
computer security program.
B. An information policy could be a decision pertaining to use of
the organization’s fax.
C. Information policy is a documentation of computer security decisions.
D. Information policies are created after the system’s infrastructure has been
designed and built.