Solutions Manual for the textbook
Ch. 1
Exam Preparation
1. C. Inventorying and listing all existing security controls falls into the Evaluate existing business controls step.
2. B. Determining system values falls into the Analyzing, prioritizing and categorizing assets step.
3. D. A good security plan should be flexible, scalable, easy to use, and updated at least annually.
4. A. Reading the existing security policies and processes is the first step of the risk assessment process.
5. A. A security policy should be reviewed at least annually.
6. D. A good password policy considers history, minimum length, and the use of letters, numbers, and punctuation.
7. D. ProSoft Training administers the CIW certification and exams.
8. D. The CIA triad stands for Confidentiality, Integrity, and Availability.
Review
1. C. The PPP triad stands for Physical Security, Privacy, and Marketplace perception.
2. Physical security, user ID and rights management, network security, system security, authorized testing, auditing procedures.
3. Single Loss Expectancy (SLE) is equal to the asset's value times the Exposure Factor (EF). The first component of SLE, the asset value, is the total monetary amount determined from the TCO, the internal values, and the external values listed in the previous sections. The second component, Exposure Factor (EF), is the percentage of asset loss that is expected from a particular threat.
4. Annualized Rate of Occurrence (ARO) is the estimated frequency with which a particular threat may occur each year. The frequency is an educated guess based on a number of factors, including: how lucrative a target the information poses to outsiders; the level of difficulty of performing a particular attack (for example, are ready-made tools built that can perform the attack automatically? Does an attack require intimate knowledge of the network configuration?); the security defenses deployed within the environment; and the number of abusers who can potentially cause damage.
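A worked quantitative calculation of the SLE and ARO terms described in answers 3 and 4, added here as an example and not part of the solutions manual. Asset values, exposure factors and ARO figures are constructed for illustration, and the Annualized Loss Expectancy (ALE = SLE × ARO), which the manual does not name here, is assumed as the standard figure that combines the two for prioritization.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """An asset with the value components the manual names: TCO, internal and external value."""
    name: str
    tco: float              # total cost of ownership, in currency units
    internal_value: float   # value of the asset to internal operations
    external_value: float   # value to customers and partners, e.g. reputation

    def asset_value(self) -> float:
        return self.tco + self.internal_value + self.external_value


@dataclass
class Threat:
    """One threat scenario against one asset: EF is the fraction of value lost, ARO is events per year."""
    asset: Asset
    description: str
    exposure_factor: float  # 0.0 .. 1.0, share of asset value lost per occurrence
    aro: float              # expected occurrences per year (may be below 1)

    def sle(self) -> float:
        """Single Loss Expectancy = asset value x exposure factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset.asset_value() * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO (standard term, assumed here; not named on the page)."""
        return self.sle() * self.aro


def prioritize(threats: list) -> list:
    """Return threats sorted by ALE, highest first: the prioritization step of the risk assessment."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


# Constructed sample data, not taken from the manual.
CUSTOMER_DB = Asset("customer database", tco=80_000, internal_value=120_000, external_value=300_000)
BUILD_SERVER = Asset("build server", tco=20_000, internal_value=60_000, external_value=0)

SAMPLE_THREATS = [
    Threat(CUSTOMER_DB, "data theft via web app flaw", exposure_factor=0.60, aro=0.5),
    Threat(BUILD_SERVER, "ransomware", exposure_factor=0.90, aro=0.2),
    Threat(CUSTOMER_DB, "accidental deletion", exposure_factor=0.10, aro=2.0),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE_THREATS):
        print(f"{t.asset.name:18} {t.description:30} SLE={t.sle():>10,.0f}  ALE={t.ale():>10,.0f}")
```

Note that a frequent low-impact event (accidental deletion) outranks a rarer, more destructive one once ARO is applied; SLE alone would have ordered them differently.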
5. False. EF is the percentage of loss that is expected from a particular threat.
6. C. The password policy is usually contained within the body of the security policy.
7. User ID and rights management – access controls should cover the expected data access.
8. The Systems section should list specific security controls for the platforms used within the environment.
9. ISC2 administers both the CISSP and SSCP exams.
10. www.cert.org, www.sans.org
11. True. Part of a physical security control may be to restrict access to the floppy drives of your critical systems.
12. True. Part of the security tools section should name those groups or individuals who are authorized to perform testing.
13. In the rush to protect data from theft or mischief, organizations often trample on the rights of individuals to keep their own data private. For example, customers may not want a company to use their names and addresses for marketing purposes. And customers certainly do not want their financial information released to unknown organizations. A comprehensive security strategy should take into account the privacy of employees, customers, and other organizations.
14. Yes, it is important to have the tools and processes in place to check that these policies are followed.
15. B. Vulnerability testing methodology is not a covered domain on the CISSP exam.
Ch. 2
Exam Preparation
1. C. Fixing the issue, mitigating the exposure, or accepting the risk are all outcomes of the Security Issue Management process.
2. A. Fixing the issue, mitigating the exposure, or accepting the risk are all outcomes of the Security Issue Management process.
3. D. Qualitative and Quantitative are the two major types of risk assessment methods.
4. B. The importance of staying calm in the face of a security incident cannot be overstated. Consider this step one of the plan.
5. A. The C&C team's main function is to coordinate incident response activities.
6. D. Host IDS software is recommended for High risk systems.
7. D. All listed security controls are recommended for High risk systems.
8. D. The banner should serve as a “no trespassing” sign and should not give away details about the server.
9. B. Interviewing suspects should be left to law enforcement agencies.
10. C. The evidence should generally only be numbered, signed, and dated to record only relevant facts.
Review
1. First, it allows an organization to mobilize all employees in the fight against abusers. Second, effective education informs employees on where to find the corporate security policies. Third, education clearly defines employees' responsibilities in adhering to security guidelines. And finally, and most importantly, an effective education plan outlines the security guidelines that relate to an employee's job.
2. A. The categories of security controls are: preventive, detective, and corrective.
3. The five steps in the vulnerability management process are:
a. Receive the necessary advisories in a timely manner. Once a software problem is announced to the general public, it is only a matter of time before attackers start building automated tools to exploit the bug.
b. Assess the advisory and determine whether the publicized problem poses a threat to the organization. If the organization does not use the software or does not have the particular versions installed, disregard and archive the advisory for future reference.
c. Using predefined criteria documented within the security policy, assess how quickly the patch(es) must be installed on affected systems. For example, systems connected to the Internet should be addressed much more quickly than those on an intranet, and business-critical systems should be fixed sooner than noncritical systems. These deadlines should be documented and applied consistently throughout the environment. In basic terms, the higher the threat or possible loss from the exploit, the quicker fixes should be implemented.