Which of the following questions is less likely to help in assessing controls over hardware and software maintenance?
Correct Answer: B
Hardware and software maintenance access controls are used to monitor the installation of, and updates to, hardware and software to ensure that the system functions as expected and that a historical record of changes is maintained. Integrity verification programs are integrity controls rather than software maintenance controls. Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-30 to A-32).
Question 942
Which of the following items would best help an organization to gain a common understanding of functions that are critical to its survival?
Correct Answer: D
A Business Impact Analysis (BIA) is an assessment of an organization's business functions to develop an understanding of their criticality, recovery time objectives, and resources needed. By going through a Business Impact Analysis, the organization will gain a common understanding of functions that are critical to its survival. A risk assessment is an evaluation of the exposures present in an organization's external and internal environments. A Business Assessment generally includes Business Analysis as a discipline; it overlaps heavily with requirements analysis (sometimes also called requirements engineering), but focuses on identifying the changes to an organization that are required for it to achieve strategic goals. These changes include changes to strategies, structures, policies, processes, and information systems. A disaster recovery plan is the comprehensive statement of consistent actions to be taken before, during, and after a disruptive event that causes a significant loss of information systems resources. Source: BARNES, James C. & ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley & Sons, 2001 (page 57).
Question 943
Which answer below is the BEST description of a Single Loss Expectancy (SLE)?
Correct Answer: C
The correct answer is "An algorithm used to determine the monetary impact of each occurrence of a threat". The Single Loss Expectancy (or Exposure) figure may be created as a result of a Business Impact Assessment (BIA). The SLE represents only the estimated monetary loss of a single occurrence of a specified threat event. The SLE is determined by multiplying the value of the asset by its exposure factor. This gives the expected loss the threat will cause for one occurrence. Answer A describes the Exposure Factor (EF). The EF is expressed as a percentage of the expected value or functionality of the asset to be lost due to the realized threat event. This figure is used to calculate the SLE, above. The answer "An algorithm that expresses the annual frequency with which a threat is expected to occur" describes the Annualized Rate of Occurrence (ARO). This is an estimate of how often a given threat event may occur annually. For example, a threat expected to occur weekly would have an ARO of 52. A threat expected to occur once every five years has an ARO of 1/5, or 0.2. This figure is used to determine the ALE. Answer D describes the Annualized Loss Expectancy (ALE). The ALE is derived by multiplying the SLE by its ARO. This value represents the expected risk factor of an annual threat event. This figure is then integrated into the risk management process.
Question 944
Which of the following can be used to raise awareness of the importance of security and risk? Select best two.
Correct Answer: B,D
Awareness of the importance of security and risk cannot be improved, nor awareness increased, with money alone. Awareness is produced by providing employees with education and training. Reference the Training and Education Triad. Exam Cram 2 CISSP Page
Question 945
Which of the following are placeholders for literal values in a Structured Query Language (SQL) query being sent to the database on a server?