30 Questions
What is the main purpose of the (ISC)² Code of Professional Ethics?
To protect society and the common good
When conflicting laws from different jurisdictions apply in a project, what should a CISSP prioritize?
Local jurisdiction where services are performed
What should a CISSP avoid doing to adhere to the ethics code?
Pretending to be an expert in unfamiliar areas
Which of the following accurately describes the attitude towards training for a CISSP?
Maintain and expand skills to provide competent services
What is a key aspect of providing competent services according to the professional ethics code?
Maintaining integrity and honesty
How should a CISSP handle conflicting laws in different countries or jurisdictions?
Prioritize the laws of the country where services are performed
What is the goal of a secure supply chain?
To ensure that the finished product meets quality standards and security requirements
What does Supply Chain Risk Management (SCRM) aim to ensure about vendors in the supply chain?
Are reliable, trustworthy, and accountable to the next link in the chain
What can be a threat vector in the context of the supply chain?
Obtaining materials from trusted sources with a compromised supply chain
What is the significance of an on-site assessment before conducting business with another company?
To assess physical security and operational aspects of the company
Why is it important for each link in the supply chain to be responsible and accountable?
To prevent any unauthorized or malicious manipulation or sabotage
What is the role of third-party assessments in ensuring a secure supply chain?
To gather information and perform due diligence before engaging in business
What is a threat vector?
The path or means by which an attack or attacker can gain access to a target
Which factor is derived from the concept of exposure in quantitative risk analysis?
Risk
How is risk calculated in the context of threat, vulnerability, and severity of harm?
Risk = Threat * Vulnerability
What is the relationship between threats, vulnerabilities, and risk mitigation?
Threat mitigation results in reducing risk by directly addressing threats, threat agents, or vulnerabilities
What must upper management decide about risks in organizations?
Decide which risks are acceptable and which are not
What is the relationship between exposure, risk, and safeguards?
Exposure leads to risk, and risk is mitigated by safeguards
What is the primary difference between Quantitative Risk Analysis and Qualitative Risk Analysis?
Quantitative Risk Analysis assigns real dollar figures to asset loss, while Qualitative Risk Analysis uses subjective and intangible values.
Why do most organizations employ a hybrid of both risk assessment methodologies?
To account for both subjective and tangible aspects of risk
What is the purpose of risk response in the risk assessment process?
To determine best defenses for identified risks
Which of the following is NOT a possible response to risk according to the text?
Approval
What does countermeasure selection aim to achieve in the context of risk management?
Reduce risk by implementing controls or safeguards
Why is it important to understand how risk assessment concepts are integrated into your environment for exam preparation?
To apply theoretical knowledge to practical scenarios
What is one way gamification has enhanced employee training?
Enabling people to earn rewards based on scores
Why is it important to update training materials and security testing methods?
To ensure effectiveness and relevance
What is one drawback of using the same phishing test campaign repeatedly?
It becomes ineffective over time
Why is it suggested to use internal social media tools for security training?
To make training more engaging and interactive
What is a key metric that should be tracked to evaluate security awareness and training?
% of employees who click on fake phishing campaign email links
How can organizations improve the effectiveness of employee training?
By incorporating gamification and interactive elements
Test your knowledge on the two primary risk-assessment methodologies: Quantitative Risk Analysis and Qualitative Risk Analysis. Learn about the differences between assigning real dollar figures and subjective values to asset loss, and how organizations often use a combination of both approaches.
Make Your Own Quizzes and Flashcards
Convert your notes into interactive study material.
Get started for free