© 2011 by Taylor & Francis Group, LLC
Appendix: Answers
to Review Questions
Chapter 1: Enterprise Security Management Practices
1. Organization mission statements
a. Are nontechnical in nature, so ISSMPs do not have to understand them
b. Are quickly put together by senior management
c. Provide everyone in the organization overall direction and focus for their
activities
d. Are very specic and provide specic goals and objectives
The correct answer is c. ISSMPs must base justifications for security on the
organization's mission. It takes management months to agree on a mission
statement. The mission statement provides an overall focus and direction
from which specific goals and objectives are developed.
2. Which types of organizations need to have a formally documented mission
statement?
a. Commercial enterprises
b. Nonprot organizations
c. Government agencies
d. All the above
The correct answer is d. All organizations need to have a formally documented
mission statement if they want to be successful.
3. Deploying Internet security solutions that are acceptable by clients requires
knowing the client’s
a. Expectations and location
b. Location and technical knowledge
c. System capabilities and expectations
d. Expectation and technical knowledge
The correct answer is c. On the Internet, solutions do not depend upon
location or technical knowledge, because you need to assume that the solution
must be readily available to the client within a normal commercial PC
configuration. Forcing a client to install, wait for, or buy additional technology
on its system will result in the client going to a competitor. See the
smartcard example in the External Influences section.
4. All organizations' security solutions are influenced by the following:
a. Laws, employee culture, profit, and competition
b. Goals, client expectations, regulations, and profit
c. Group and client expectations and competition capabilities
d. Profit, organization objectives, client capabilities, and senior management
The correct answer is c. Government is not influenced by profit. All the rest
of the answers are incorrect.
5. A system’s security solutions must be
a. Cost eective, risk based, and acceptable
b. Risk based and within division budget restraints
c. Practical and 95% eective
d. Acceptable by senior management and provide an ROI
The correct answer is a. Senior management accepts the risk, so division budget
is not a restraint. There is no standard measure of acceptable effectiveness,
so a fixed figure such as 95% is not a requirement. ROI is not the only reason
management selects a security solution. Sometimes management makes decisions
based on requirements: regulatory, end-user acceptability, public relations, etc.
6. A specic piece of informations level of classication is dependent on
a. Need to know
b. Cost of producing the information
c. Impact if compromised
d. Aordability of required security
e correct answer is c. Classication is dependent on the impact if the infor-
mation were to be compromised. e rest of the answers are determined after
the information is classied.