Qualitative loss resulting from the business interruption does NOT usually include:
Correct Answer: A
Section: Risk, Response and Recovery Explanation/Reference: This question is testing your ability to evaluate whether items on the list are Qualitative or Quantitative. All of the items listed were Qualitative except Lost of Revenue which is Quantitative. Those are mainly two approaches to risk analysis, see a description of each below: A quantitative risk analysis is used to assign monetary and numeric values to all elements of the risk analysis process. Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is quantified and entered into equations to determine total and residual risks. It is more of a scientific or mathematical approach to risk analysis compared to qualitative. A qualitative risk analysis uses a "softer" approach to the data elements of a risk analysis . It does not quantify that data, which means that it does not assign numeric values to the data so that they can be used in equations. Qualitative and quantitative impact information should be gathered and then properly analyzed and interpreted. The goal is to see exactly how a business will be affected by different threats. The effects can be economical, operational, or both. Upon completion of the data analysis, it should be reviewed with the most knowledgeable people within the company to ensure that the findings are appropriate and that it describes the real risks and impacts the organization faces. This will help flush out any additional data points not originally obtained and will give a fuller understanding of all the possible business impacts. Loss criteria must be applied to the individual threats that were identified. The criteria may include the following: Loss in reputation and public confidence Loss of competitive advantages Increase in operational expenses Violations of contract agreements Violations of legal and regulatory requirements Delayed income costs Loss in revenue Loss in productivity Reference used for this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 909). McGraw-Hill. Kindle Edition.
Question 648
Who is responsible for providing reports to the senior management on the effectiveness of the security controls?
Correct Answer: D
IT auditors determine whether systems are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction and other requirements" and "provide top company management with an independent view of the controls that have been designed and their effectiveness." "Information systems security professionals" is incorrect. Security professionals develop the security policies and supporting baselines, etc. "Data owners" is incorrect. Data owners have overall responsibility for information assets and assign the appropriate classification for the asset as well as ensure that the asset is protected with the proper controls. "Data custodians" is incorrect. Data custodians care for an information asset on behalf of the data owner. References: CBK, pp. 38 - 42. AIO3. pp. 99 - 104
Question 649
In what type of attack does an attacker try, from several encrypted messages, to figure out the key used in the encryption process?
Correct Answer: B
In a ciphertext-only attack, the attacker has the ciphertext of several messages encrypted with the same encryption algorithm. Its goal is to discover the plaintext of the messages by figuring out the key used in the encryption process. In a known-plaintext attack, the attacker has the plaintext and the ciphertext of one or more messages. In a chosen-ciphertext attack, the attacker can chose the ciphertext to be decrypted and has access to the resulting plaintext. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 8: Cryptography (page 578).
Question 650
A Wide Area Network (WAN) is basically everything outside of:
Correct Answer: A
Explanation/Reference: A WAN is basically everything outside of a LAN. Source: KRUTZ, Ronald L & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 99.
Question 651
Which type of control is concerned with restoring controls?
Correct Answer: B
Corrective controls are concerned with remedying circumstances and restoring controls. Detective controls are concerned with investigating what happen after the fact such as logs and video surveillance tapes for example. Compensating controls are alternative controls, used to compensate weaknesses in other controls. Preventive controls are concerned with avoiding occurrences of risks. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.