326 Appendix ■ Answers
7. B. The annualized rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect tornados once every 200 years, or 0.005 times per year.

- A. The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $5,000,000, and the ARO is 0.005. Multiplying these numbers together gives you an ALE of $25,000.

- C. Information disclosure attacks rely upon the revelation of private, confidential, or controlled information. Programming comments embedded in HTML code are an example of this type of attack.

- B. Nondisclosure agreements (NDAs) protect the confidentiality of sensitive information by requiring that employees and affiliates not share confidential information with third parties. NDAs normally remain in force after an employee leaves the company.

- A. Supply chain management can help ensure the security of hardware, software, and services that an organization acquires. Chris should focus on each step that his laptops take from the original equipment manufacturer to delivery.

- C. STRIDE, Process for Attack Simulation and Threat Analysis (PASTA), and Visual, Agile, and Simple Threat (VAST) modeling are all threat modeling methodologies. STRIDE was designed for applications and operating systems (but can be used more broadly), PASTA is a risk-centric modeling system, and VAST is a threat modeling concept based on Agile project management and programming techniques.

- C. Change management is a critical control process that involves systematically managing change. Without it, Lisa might simply deploy her code to production without oversight, documentation, or testing. Regression testing focuses on ensuring that new code doesn’t bring back old flaws, while fuzz testing feeds unexpected input to code. Code review examines the source code itself and may be part of the change management process, but it isn’t what is described here.

- A. Charles is tracking a key performance indicator (KPI). A KPI is used to measure performance (and success). Without a definition of success, this would simply be a metric, but Charles is working toward a known goal and can measure against it. There is no return on investment calculation in this problem, and the measure is not a control.

- D. A fitness evaluation is not a typical part of a hiring process. Drug tests, background checks, and social media checks are all common parts of current hiring practices.

- B. The (ISC)² code of ethics also includes “Act honorably, honestly, justly, responsibly, and legally” but does not specifically require credential holders to disclose all breaches of privacy, trust, or ethics.

- B. In general, companies should be aware of the breach laws in any location where they do business. US states have a diverse collection of breach laws and requirements, meaning that in this case, Greg’s company may need to review many different breach laws to determine which ones it must comply with if it conducts business in the state or with the state’s residents.