Chapter 6

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

27. Once an information asset is identified categorized, and classified, what must also be assigned to it? a. Asset tag b. Relative value c. Location ID d. Threat risk

, ANSWER: b

14. A prioritized lists of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet​. ____________

ANSWER: False - vulnerabilities

2. The InfoSec community often takes on the leadership role in addressing risk. a. True b. False

ANSWER: True

8. Some threats can manifest in multiple ways yielding multiple exploits for an asset-threat pair.​

____________ ​, ANSWER: False - vulnerabilities

38. Classification categories must be ____________________ and mutually exclusive. ANSWER:

comprehensive

4. The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack. a. True b. False

ANSWER: True

5. Some threats can manifest in multiple ways yielding multiple vulnerabilities for an asset-threat pair. a. True b. False,

ANSWER: True

17. The identification and assessment of levels of risk in an organization describes which of the following? a. Risk analysis b. Risk identification c. Risk management d. Risk reduction

ANSWER: a

28. What should you be armed with to adequately assess potential weaknesses in each information asset? a. Properly classified inventory b. Audited accounting spreadsheet c. Intellectual property assessment d. List of known threats

ANSWER: a

35. Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet? a. Uncertainty percentage b. Asset impact c. Risk-rating factor d. Vulnerability likelihood

ANSWER: a

21. Which of the following is an attribute of a network device is physically tied to the network interface? a. Serial number b. MAC address c. IP address d. Model number

ANSWER: b

24. Data classification schemes should categorize information assets based on which of the following? a. Value and uniqueness b. Sensitivity and security needs c. Cost and replacement value d. Ease of reproduction and fragility

ANSWER: b

32. What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create? a. Risk exposure report b. Threats-vulnerabilities-assets worksheet c. Costs-risks-prevention database d. Threat assessment catalog

ANSWER: b

33. The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____. a. Vulnerability mitigation controls b. Risk assessment estimate factors c. Exploit likelihood equation d. Attack analysis calculation

ANSWER: b

19. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process? a. Determining the likelihood that vulnerable systems will be attacked by specific threats b. Calculating the severity of risks to which assets are exposed in their current setting c. Assigning a value to each information asset d. Documenting and reporting the findings of risk identification and assessment

ANSWER: c

25. Classification categories must be mutually exclusive and which of the following? a. Repeatable b. Unique c. Comprehensive d. Selective

ANSWER: c

29. Which of the following is an example of a technological obsolescence threat? a. Hardware equipment failure b. Unauthorized access c. Outdated servers d. Malware

ANSWER: c

31. What is defined as specific avenues that threat agents can exploit to attack an information asset? a. Liabilities b. Defenses c. Vulnerabilities d. Weaknesses

ANSWER: c

18. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process? a. Creating an inventory of information assets b. Classifying and organizing information assets into meaningful groups c. Assigning a value to each information asset d. Calculating the severity of risks to which assets are exposed in their current setting

ANSWER: d

22. Which of the following attributes does NOT apply to software information assets? a. Serial number b. Controlling entity c. Manufacturer name d. Product dimensions

ANSWER: d

23. Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components? a. Name b. MAC address c. Serial number d. Manufacturer's model or part number

ANSWER: d

26. What is the final step in the risk identification process? a. Assessing values for information assets b. Classifying and categorizing assets c. Identifying and inventorying assets d. Listing assets in order of importance

ANSWER: d

34. An estimate made by the manager using good judgement and experience can account for which factor of risk assessment? a. Risk determination b. Assessing potential loss c. Likelihood and consequences d. Uncertainty

ANSWER: d

40. As part of the risk identification processlisting the assets in order of importance can be achieved by using a weighted ____________________ worksheet.,

ANSWER: factor analysis factor table analysis table

36. Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.

ANSWER: management

7. An approach to combining risk identification risk assessment, and risk appetite into a single strategy. is known as risk protection. ___________

ANSWER: , False - analysis

39. As each information asset is identified categorized, and classified, a ________ value must also be assigned to it.

ANSWER: , relative

6. ​The secretarial community often takes on the leadership role in addressing risk. ____________

ANSWER: False - InfoSec, infosec, Information Security, information security

15. ​An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________

ANSWER: False - qualitative

10. An evaluation of the threats to information assets including a determination of their potential to endanger the organization is known as exploit assessment. ____________,

ANSWER: False - threat

9. The recognition enumeration, and documentation of risks to an organization's information assets. is known as risk control. ____________

​ ANSWER: False - identification

30. Determining the cost of recovery from an attack is one calculation that must be made to identify risk what is another? a. Cost of prevention b. Cost of litigation c. Cost of detection d. Cost of identification

, ANSWER: a

16. Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest which includes all but which of the following? a. General management must structure the IT and InfoSec functions b. IT management must serve the IT needs of the broader organization c. Legal management must develop corporate-wide standards d. InfoSec management must lead the way with skill, professionalism, and flexibility

, ANSWER: c

20. Which of the following is a network device attribute that may be used in conjunction with DHCP making asset-identification using this attribute difficult? a. Part number b. Serial number c. MAC address d. IP address

, ANSWER: d

37. Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.

ANSWER: likelihood probability

1. Having an established risk management program means that an organization's assets are completely protected. a. True b. False

ANSWER: False

11. A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. ____________

ANSWER: False - classification

13. The information technology management community of interest often takes on the leadership role in addressing risk.​ ____________

ANSWER: False - infosec, information security

12. ​The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ____________

ANSWER: False - likelihood

3. MAC addresses are considered a reliable identifier for devices with network interfaces

since they are essentially foolproof. a. True b. False, ANSWER: False


Kaugnay na mga set ng pag-aaral

maternity chapter 26, 27, 28 & 29

View Set

Chapter 20: Nursing Management of the Pregnancy at Risk: Selected Health Conditions and Vulnerable Populations

View Set

Ancient Greece: The Persian Empire

View Set

Basic Medical Terms To Describe Disease Conditions

View Set

Real Estate Principals Practice Exam

View Set

Chapter 4 The Art of Communication

View Set