23FA - ISYS 231 Quiz 4


The _____ treatment strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.

mitigation

When deciding which information assets to track, consider the following asset attributes: people, _____, data, software, and hardware.

procedures

The first phase of the risk management process is _____.

risk identification

After identifying and performing the preliminary classification of an organization's information assets, the analysis phase moves on to an examination of the _____ facing the organization.

threats

The _____ risk treatment strategy attempts to shift risk to other assets, other processes, or other organizations.

transference

Risk _____ is the application of security mechanisms to reduce the risks to an organization's data and information systems.

treatment

Once the inventory and value assessment are complete, you can prioritize each asset using a straightforward process known as _____ analysis.

weighted factor

In a _____, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking those scores.

weighted table analysis

A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on them.

False

Each of the threats faced by an organization must be evaluated, including determining the threat's potential to endanger the organization, which is known as a threat prioritization. _____

False

The computed value of the ALE compares the costs and benefits of a particular control alternative to determine whether the control is worth its cost. _____

False

What is the difference between intrinsic value and acquired value?

In summary, intrinsic value is the fundamental, objective value of an asset or investment, while acquired value is the price or cost at which the asset or investment was purchased. These values may or may not be the same, as market conditions and the purchase terms influence the earned value. In contrast, intrinsic value is based on analyzing the asset's characteristics and potential.

If the acceptance risk treatment strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and may portray an apathetic approach to security in general.

True

Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack. _____

True

Risk acceptance defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. _____

True

Risk control, also known as risk treatment, is the application of controls that reduce the risks to an organization's information assets to an acceptable level.

True

The mitigation risk treatment strategy applies controls and safeguards that eliminate or reduce the remaining uncontrolled risk. _____

True

When it is necessary to calculate, estimate, or derive values for information assets, you might give consideration to the value incurred from the cost of protecting the information.

True

The threats-vulnerabilities-assets (TVA) worksheet is a document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.

True

The _____ risk treatment strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.

acceptance

Risk _____ is a determination of the extent to which an organization's information assets are exposed to risk.

analysis

Risk _____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

appetite

A threat _____ is an evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack.

assessment

Cost _____ is the process of preventing the financial impact of an incident by implementing a control.

avoidance

A(n) _____ scheme is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.

data classification

A single loss _____ is the calculation of the value associated with the most likely loss from an attack.

expectancy

_____ involves four major undertakings: risk identification, risk analysis, risk evaluation, and risk treatment/control.

Risk Management

