420 Appendix ■ Answers
20. C. The blacklist approach to application control blocks certain prohibited packages but
 allows the installation of other software on systems. The whitelist approach uses the
 reverse philosophy and only allows approved software. Antivirus software would only
 detect the installation of malicious software after the fact. Heuristic detection is a variant
 of antivirus software.
- B. The exposure factor is the percentage of the facility that risk managers expect will be
 damaged if a risk materializes. It is calculated by dividing the amount of damage by the
 asset value. In this case, that is $20 million in damage divided by the $100 million facility
 value, or 20%.
- B. The annualized rate of occurrence is the number of times each year that risk analysts
 expect a risk to happen in any given year. In this case, the analysts expect floods once
 every 200 years, or 0.005 times per year.
- B. The annualized loss expectancy is calculated by multiplying the single loss expectancy
 (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $20 million and
 the ARO is 0.005. Multiplying these numbers together gives you the ALE of $100,000.
- B. The most frequent target of account management reviews is highly privileged
 accounts, as they create the greatest risk. Random samples are the second most likely
 choice. Accounts that have existed for a longer period of time are more likely to have a
 problem due to privilege creep than recently created accounts, but neither of these choices
 is likely unless there is a specific organizational reason to choose them.
- The cloud service offerings in order from the case where the customer bears the least
 responsibility to where the customer bears the most responsibility are
 B. SaaS
 C. PaaS
 A. IaaS
 In an infrastructure as a service (IaaS) cloud computing model, the customer retains
 responsibility for managing operating system and application security while the
 vendor manages security at the hypervisor level and below. In a platform as a service
 (PaaS) environment, the vendor takes on responsibility for the operating system, but
 the customer writes and configures any applications. In a software as a service (SaaS)
 environment, the vendor takes on responsibility for the development and implementation
 of the application while the customer merely configures security settings within the
 application. TaaS is not a cloud service model.
- A. Type 1 errors occur when a valid subject is not authenticated. Type 2 errors occur
 when an invalid subject is incorrectly authenticated. Type 3 and Type 4 errors are not
 associated with biometric authentication.
- B. The Company ID is a field used to identify the corresponding record in another table.
 This makes it a foreign key. Each customer may place more than one order, making
 Company ID unsuitable for use as a primary or candidate key in this table. Referential
 keys are not a type of database key.
