Quiz 1 - 4

ISO/IEC 27001 provides implementation details on how to implement ISO/IEC 27002 and how to set up a(n) ____________________.

(information security management systems, ISMS, information security management system (ISMS), information security management system)

Risk sharing shifts a portion of the responsibility or liability. (T/F)

True

Insurance, background checks, and security plans are all categories of ____________. - policy controls - procedural controls - policies - procedures

policies

All of the following are KPI types except: - Threshold - Qualitative - Milestone - Esoteric

Esoteric

Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed? (select all that apply) - security model - security standard - framework - SLA

Framework Security Model

Change management is a process that ensures that changes are made only after a review process. (T/F)

True

What type of control ensures that account management is secure? - account management controls - access management controls - account controls - access controls

account management controls

Which of the following is NOT a step in the FAIR risk management framework? - assess control impact - evaluate loss event frequency - identify scenario components - derive and articulate risk

assess control impact

What is an important element of following up on a risk mitigation plan? - installing a firewall - ensuring that security gaps are closed - creating a new POAM - performing test restores

ensuring that security gaps are closed

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them? - measuring program effectiveness - implementing controls - conducting decision support - evaluating alternative strategies

evaluating alternative strategies

Which of the following represents the basic structure of a risk assessment report? - base report and appendices - base report, BIA, executive summary - vulnerability analysis, appendices - executive summary, base report, appendices

executive summary, base report, appendices

Select all of the following that risk monitoring allows organizations to do: (Multiple Selection) - Avoid Performance Risk Assessments - Verify Compliance - Determine the ongoing effectiveness of risk response measures - Evaluate the costs and benefits of different security Controls - Identify risk-impacting changes to organization information systems.

- Verify Compliance - Determine the ongoing effectiveness of risk response measures - Identify risk-impacting changes to organization information systems

What portion of the risk assessment report is actually essential in ANY report? - A Good Conclusion - Methodology - A Good Executive Summary - Supporting Appendicies

A Good Executive Summary

What portion of the risk assessment report is actually essential in ANY report? - A Good Conclusion - A Good Executive Summary - Supporting Appendices - Methodology

A Good Executive Summary

The final summary of risks, impacts, rationales, and treatments is called what? - A Threat-Control-Vulnerability-Impact Catalog - A Risk Catalog - A Risk Register - A Risk Index

A Risk Register

The final phase of the security risk assessment is to create a(n) ________ that addresses all security risks identified in the ___________. - Action plan, data gathering phase - Final report, Action plan - Risk report, risk assessment - Action plan, final report - Final report, risk assessment

Action plan, final report

When Calculating Safeguard Costs we must typically be sure to include which of the following? (select all that apply): - Installation Charges - Purchase Price - Maintenance Costs - Operational Costs - Training Costs

All

_____ monitoring results gives organizations the capability to maintain awareness of the risk being incurred, highlight the need to revisit other steps in the risk management process, and initiate process improvement activities as needed.

Analyzing

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? - ISO - COBIT - COSO - NIST

COBIT

In the COSO framework, ___________ activities include those policies and procedures that support management directives.

Control

What is NOT a best practice for enabling a risk mitigation plan from your risk assessment? - Create a new POAM. - Stay within the scope. - Control the costs. - Control the schedule.

Create a new POAM.

It is important to understand that not all frameworks are created as equivalents. Let's look at the differences between FAIR and OCTAVE. Which statement is NOT true? - OCTAVE is more flexible and customizable - OCTAVE is lower level, more methodological - FAIR is more quantitative and prescriptive - FAIR addresses a wider range of security and risk assessment issues than OCTAVE

FAIR addresses a wider range of security and risk assessment issues than OCTAVE

A KPx is a summary of one or more KRIs. (T/F)

False

A business impact analysis (BIA) is an output of the risk assessment process. (T/F)

False

Change management ensures that similar systems have the same, or at least similar, configurations. (T/F)

False

Configuration management is the same as change management. (T/F)

False

How your organization starts its risk mitigation process depends entirely on the type of organization you are working in. (T/F)

False

In information security, a framework or security model customized to an organization, including implementation details is known as a floor plan. (T/F)

False

In the risk management process, it is not important to identify who should be responsible for the various processes or steps. (T/F)

False

Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. (T/F)

False

KPIs do not necessarily need to be tied to organizational strategy. (T/F)

False

Key Performance Indicators monitor risk appetite. (T/F)

False

The objective in risk assessment reporting is to assign blame to those who pose risks. (T/F)

False

The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. (T/F)

False

The risk control strategy were the organization is willing to accept the current level of risk and makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy. (T/F)

False

The standard format that must be followed when writing a vulnerability assessment report requires that the vulnerability assessment includes the following sections: table of contents, executive summary, methods, results, and recommendations. (T/F)

False

There is only one way to format and organize a risk assessment report. (T/F)

False

Which of the following is NOT risk evaluation step? - Determine risk exposure (including risk sensitivity) - Identify the key components - Determine severity of threat/vulnerability - Determine likelihood of threat/vulnerability - Determine residual risk level

Identify the key components

A risk ____ could be a simple listing of identified risks, some of which are already assessed and others of which are still in the process of being qualified - Assessment - Mitigation - Inventory - Plan

Inventory

Which of the following is NOT one of the components of the COSO framework? - Meeting stakeholder needs - Communication and reporting - Risk assessment - Information and communication

Meeting stakeholder needs

Which of the following can affect the state of risks? (Select all that apply) - Mergers - Personnel changes - Risk levels of competitors - Supply Chain changes

Mergers Personnel Changes Supply Chain Changes

Which of the following is a Tier 1 risk monitoring activity? - Vulnerability scanning - Ongoing threat assessments - Penetration Testing - Analysis of new or current technologies - Automated monitoring of standard configuration settings for IT products

Ongoing threat assessments

What does OCTAVE stand for?

Operationally Critical Threat, Asset, and Vulnerability Evaluation

PRAGMATIC is a: - Risk Assessment Approach - Threat Catalog - Government Regulation - Cyber Security Framework - Security Measurement System

Security Measurement System

To design a security program, an organization can use a(n) ____________________, which is a generic outline of the more thorough and organization-specific blueprint offered by a service organization.

Security Model, framework, security framework, model

Many firms and regulators refer to one or more Cybersecurity and/or risk assessment frameworks. However, firms sometimes create their own custom frameworks. - The framework unlikely to miss important key concepts - The framework has less initial work to set up and understand - The framework is defensible if your process is called into question by others - The framework can be easier to implement for your specific organization

The framework can be easier to implement for your specific organization

A CBA helps determine if you should use a safeguard. (T/F)

True

A best practice for enabling a risk mitigation plan from your risk assessment is staying within scope. (T/F)

True

A risk assessment ends with a report. (T/F)

True

A risk assessment provides a point-in-time report. (T/F)

True

A threshold KPI is significant when an index falls into a set range. (T/F)

True

Action plans are a necessary output of the risk assessment process so that recommendations can be acted upon quickly once the assessment is approved. (T/F)

True

In Information Security, KPIs measure the performance or health of Information Security. (T/F)

True

Information security is a dynamic field because the risks fluctuate in a complex and, hence, not entirely predictable manner. (T/F)

True

Key Risk Indicators should be tied to one or more Key Performance Indexes. (T/F)

True

Organizations can implement risk monitoring at any of the risk management tiers with different objectives and utility of information produced. (T/F)

True

Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. (T/F)

True

Risk monitoring provides organization with the means to verify compliance, determine the effectiveness of risk measures, and identify risk-impacting changes to organizational information systems and environments of operations. (T/F)

True

The Information Technology Infrastructure Library (ITIL) defines the organizational structure and skill requirements of an IT organization and a set of standard operational procedures and practices that allow the organization to manage an IT operation and associated infrastructure. (T/F)

True

The criterion most commonly used when evaluating a strategy to implement InfoSec controls is economic feasibility. (T/F)

True

The organizations level of security risk acceptance should be considered when selecting recommended safeguards. (T/F)

True

The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy. (T/F)

True

Which of the following is NOT a purpose of ISO/IEC 27001:2005? - Implementation of business-enabling information security - Use within an organization to ensure compliance with laws and regulations - Use within an organization to formulate security requirements and objectives - Use to form information technology governance

Use to form information technology governance

Which of the following is NOT a valid rule of thumb on risk control strategy selection? - When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls. - When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. - When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. - When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.

What information should you include in your report for management when you present your recommendations? - recommendation, justification, and procedure - stakeholders, key stakeholders, and C-level stakeholders - findings, recommendation cost and time frame, and cost-benefit analysis - affinity diagram, POAM, and CBA

findings, recommendation cost and time frame, and cost-benefit analysis

Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster? - transference - mitigation - acceptance - avoidance

mitigation

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk? - monitoring and measurement - review and reapplication - evaluation and funding - analysis and adjustment

monitoring and measurement

Clear and effective security risk assessment reporting requires that the contents of the report be perceived as (check all that apply) - nonthreatening - unambiguous - actionable - accurate - relevant

nonthreatening, unambiguous, accurate, relevant

What does FAIR's BRAG rely on to build the risk management framework that is unlike many other risk management frameworks? - risk analysis estimates - subjective prioritization of controls - qualitative assessment of many risk components - quantitative valuation of safeguards

quantitative valuation of safeguards

Risk mitigation, or risk ____________ , is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred.

reduction

What are the two primary goals when implementing a risk mitigation plan? - increasing security and maintaining easy access - staying on schedule and in budget - being thorough and cautious - avoiding surprises and staying on budget

staying on schedule and in budget

After you collect data on risks and recommendations, you include that information in a report, and you give that report to management. Why do you do this? - to help management assess how much of the risk was mitigated by the proposed solution - to avoid several time-consuming presentations about each individual recommendation - to inform management of the progress of the risk management task - to help management decide which recommendations to use

to help management decide which recommendations to use

What is the purpose of a risk mitigation plan? - to ensure compliance - to implement approved countermeasures - to reduce threats - to bolster a risk assessment

to implement approved countermeasures