420 Appendix ■ Answers
20. C. The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and only allows approved software. Antivirus software would only detect the installation of malicious software after the fact. Heuristic detection is a variant of antivirus software.

21. B. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $20 million in damage divided by the $100 million facility value, or 20%.

22. B. The annualized rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect floods once every 200 years, or 0.005 times per year.

23. B. The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $20 million and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $100,000.

24. B. The most frequent target of account management reviews is highly privileged accounts, as they create the greatest risk. Random samples are the second most likely choice. Accounts that have existed for a longer period of time are more likely to have a problem due to privilege creep than recently created accounts, but neither of these choices is likely unless there is a specific organizational reason to choose them.

25. The cloud service offerings in order from the case where the customer bears the least responsibility to where the customer bears the most responsibility are
    B. SaaS
    C. PaaS
    A. IaaS
    In an infrastructure as a service (IaaS) cloud computing model, the customer retains responsibility for managing operating system and application security while the vendor manages security at the hypervisor level and below. In a platform as a service (PaaS) environment, the vendor takes on responsibility for the operating system, but the customer writes and configures any applications. In a software as a service (SaaS) environment, the vendor takes on responsibility for the development and implementation of the application while the customer merely configures security settings within the application. TaaS is not a cloud service model.

26. A. Type 1 errors occur when a valid subject is not authenticated. Type 2 errors occur when an invalid subject is incorrectly authenticated. Type 3 and Type 4 errors are not associated with biometric authentication.

27. B. The Company ID is a field used to identify the corresponding record in another table. This makes it a foreign key. Each customer may place more than one order, making Company ID unsuitable for use as a primary or candidate key in this table. Referential keys are not a type of database key.
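The exposure factor, annualized rate of occurrence and annualized loss expectancy answers above form one chain of calculations (EF, SLE, ARO, ALE). The following Python, added here as an example rather than taken from the book, carries that chain through with the flood figures from the questions and goes one step beyond them by ranking several risks by ALE; the class and function names, and the second and third constructed risks, are the example's own.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantitativeRisk:
    """Quantitative risk figures for one asset and one threat."""
    asset_value: float           # AV, in dollars
    damage: float                # damage expected from a single occurrence, in dollars
    years_between_events: float  # e.g. 200 for a 200-year flood

    def __post_init__(self) -> None:
        # Reject inputs that would make the ratios below meaningless.
        if self.asset_value <= 0 or self.years_between_events <= 0:
            raise ValueError("asset value and recurrence interval must be positive")
        if not 0 <= self.damage <= self.asset_value:
            raise ValueError("damage must be between 0 and the asset value")

    @property
    def exposure_factor(self) -> float:
        # EF = damage / asset value, as a fraction (0.20 means 20%)
        return self.damage / self.asset_value

    @property
    def single_loss_expectancy(self) -> float:
        # SLE = AV * EF, i.e. the loss from one occurrence
        return self.asset_value * self.exposure_factor

    @property
    def annualized_rate_of_occurrence(self) -> float:
        # ARO = occurrences per year = 1 / years between events
        return 1 / self.years_between_events

    @property
    def annualized_loss_expectancy(self) -> float:
        # ALE = SLE * ARO, the expected yearly loss used to prioritize risks
        return self.single_loss_expectancy * self.annualized_rate_of_occurrence


def prioritize(risks: dict[str, QuantitativeRisk]) -> list[tuple[str, float]]:
    """Return (name, ALE) pairs sorted from the highest expected yearly loss down."""
    ranked = sorted(risks.items(), key=lambda kv: kv[1].annualized_loss_expectancy, reverse=True)
    return [(name, r.annualized_loss_expectancy) for name, r in ranked]


# Constructed inputs: the flood from the questions plus two made-up comparison risks.
FLOOD = QuantitativeRisk(asset_value=100_000_000, damage=20_000_000, years_between_events=200)
SAMPLE_RISKS = {
    "flood": FLOOD,
    "fire": QuantitativeRisk(asset_value=100_000_000, damage=50_000_000, years_between_events=100),
    "theft": QuantitativeRisk(asset_value=100_000_000, damage=1_000_000, years_between_events=2),
}
```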