Real Deal


The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range is called the __________.

loss frequency

The first phase of risk management is ______

risk identification

The dominant architecture used to secure network access today is the ______ firewall

screened subnet

A _______ assigns a status level to employees to designate the maximum level of classified data they may access

security clearance scheme

The ______ control strategy attempts to shift risk to other assets, other processes, or other organizations

transference

A qualitative assessment is based on characteristics that do not use numerical measures (true/false)

true

Exposure factor is the expected percentage of loss that would occur from a particular attack (true/false)

true

If the acceptance strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and may portray an apathetic approach to security in general (true/false)

true

Risk control is the application of controls that reduce the risks to an organization's information assets to an acceptable level (true/false)

true

Risk control is the application of controls to reduce the risks to an organization's information assets to an acceptable level (true/false)

true

Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices (true/false)

true

Sometimes a risk assessment report is prepared for a specific IT project at the request of the project manager, either because it is required by organizational policy or because it is good project management practice (true/false)

true

The mitigation control strategy attempts to reduce the impact of a successful attack through planning and preparation (true/false)

true

The most common example of a mitigation procedure is a contingency plan (true/false)

true

The primary disadvantage of stateful packet inspection firewalls is the additional processing required to manage and verify packets against the state table (true/false)

true

The threats-vulnerability-assets (TVA) worksheet is a document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings (true/false)

true

The upper management of an organization must structure the IT and information security functions to defend the organization's information assets (true/false)

true

The value of information to the organization's competition should influence the asset's valuation (true/false)

true

To determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited (true/false)

true

When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts (true/false)

true

When it is necessary to calculate, estimate, or derive values for information assets, you might give consideration to the value incurred from the cost of protecting the information (true/false)

true

You should adopt naming standards that do not convey information to potential system attackers (true/false)

true

A ______ private network is a secure network connection between systems that uses the data communication capability of an unsecured and public network

virtual

In a ______, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking those scores

weighted factor analysis

Telnet protocol packets usually go to TCP port _____, whereas SMTP packets go to port ______

23, 25

_______ is simply how often you expect a specific type of attack to occur

ARO

____ traffic from the trusted network is allowed out

All

The restrictions most commonly implemented in packet-filtering firewalls are based on ______

All of the above (TCP or UDP source and destination port requests, IP source and destination address, Direction (inbound or outbound))

Management of classified data includes its storage and ____.

All of the above (destruction, portability, distribution)

The formal decision-making process used when considering the economic feasibility of implementing information security control and safeguards is called a ______

CBA

The ____ is the intermediate area between a trusted network and an untrusted network

DMZ

______ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the flood waters recede

DR

The ______ plan specifies the actions an organization can and should take while an adverse event is in progress. An adverse event could result in loss of an information asset or assets, but it does not currently threaten the viability of the entire organization

IR

The _____ authentication system is named after the three-headed dog of Greek mythology that guards the gates to the underworld

Kerberos

______ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders.

Operational

______ firewalls examine every incoming packet header and can selectively filter packets based on header information such as destination address, source address, packet type, and other key information

Packet-Filtering

Some information security experts argue that it is virtually impossible to determine the true value of information and information-bearing assets (true/false)

True

The ______ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation

acceptance

SMTP data are ____ to pass through the firewall

allowed

Risk ____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.

appetite

The ______ filter is a software filter (technically not a firewall) that allows administrators to restrict access to content from within a network

content

Risk _____ is the application of security mechanisms to reduce the risks to an organization's data and information systems

control

A ______ is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it

data classification scheme

The ______ control strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards

defense

The proxy server is often placed in an unsecured area of the network or in the _____ zone

demilitarized

The proxy server is often placed in an unsecured area of the network or is placed in the ____ zone

demilitarized

ICMP data are _____ to pass through the firewall

denied

Telnet access to internal servers should be _____

denied

Some people search trash and recycling bins, a practice known as _____, to retrieve information that could embarrass a company or compromise information security

dumpster diving

A _____ filtering firewall can react to an emergent event and update or create rules to deal with the event

dynamic

A best practice proposed for a small to medium-sized business will be similar to one used to help design control strategies for a large multinational company (true/false)

false

Cost-benefit analyses (CBAs) cannot be calculated after controls have been functioning for a time, as observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended (true/false)

false

Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets (true/false)

false

Risk control is the enumeration and documentation of risks to an organization's information assets (true/false)

false

Risk mitigation is the process of assigning a risk rating or score to each information asset (true/false)

false

You cannot use qualitative measures to rank information asset values (true/false)

false

The _____ describes the number of legitimate users who are denied access because of a failure in the biometric device. This failure is known as a Type I error.

false rejection rate

A _____ is a combination of hardware and software that filters or prevents specific information from moving between the outside world and the inside world

firewall

When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as _____

Standards of due care

______ is an asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures

Qualitative assessment

______ equals the probability of a successful attack multiplied by the expected loss from a successful attack plus an element of uncertainty

Risk
