CIST 1602 Module 3 Chapters 5 and 6
Uncertainty
An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
Cost of prevention
Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?
Legal management must develop corporate-wide standards
Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?
2. Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.
False
3. Threats from insiders are more likely in a small organization than in a large one.
False
4. The security education, training, and awareness (SETA) program is designed to reduce the occurrence of external security attacks.
False
6. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.
False
8. The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.
False
Having an established risk management program means that an organization's assets are completely protected.
False
MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof.
False
The IT community often takes on the leadership role in addressing risk.
False
The information technology management community of interest often takes on the leadership role in addressing risk. __________
False - InfoSec
Risk identification, risk analysis, and risk evaluation are part of a single function known as risk protection. __________
False - assessment
33. Which of the following is true about a company's InfoSec awareness Web site?
d it should be tested with multiple browsers
False
An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________
5. On-the-job training can result in substandard work performance while the trainee gets up to speed.
True
7. Planners need to estimate the effort required to complete each task, subtask, or action step.
True
A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. __________
False - classification
6. When operating any kind of organization, a certain amount of debt is always involved. __________
False - risk
49. What are the four areas into which it is recommended to separate the functions of security?
- Functions performed by nontechnology business units outside the IT area of management control - Functions performed by IT groups outside the InfoSec area of management control - Functions performed within the InfoSec department as a customer service to the organization and its external partners - Functions performed within the InfoSec department as a compliance enforcement obligation
What strategic role do the InfoSec and IT communities play in risk management? Explain.
InfoSec - Because members of the InfoSec community best understand the threats and attacks that introduce risk, they often take a leadership role in addressing risk. IT - This group must help to build secure systems and ensure their safe operation. For example, IT builds and operates information systems that are mindful of operational risks and have proper controls implemented to reduce risk.
40. A(n) ____________________ is a specific point in the project plan when a task that has a noticeable impact on the plan's progress is complete.
Milestone
Relative value
Once an information asset is identified, categorized, and classified, what must also be assigned to it?
What does it mean to "know the enemy" with respect to risk management?
Once an organization becomes aware of its weaknesses, managers can take up Sun Tzu's second dictum: Know the enemy. This means identifying, examining, and understanding the threats facing the organization's information assets. Managers must be fully prepared to identify those threats that pose risks to the organization and the security of its information assets.
The probability that a specific vulnerability within an organization will be attacked by a threat is known as __________.
b likelihood
Once an information asset is identified, categorized, and classified, what must also be assigned to it?
b relative value
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility is known as __________.
b risk appetite
__________ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood, impact, and possibly a measure of uncertainty.
b risk ranking worksheet
Data classification schemes should categorize information assets based on which of the following?
b sensitivity and security needs
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
b threats-vulnerabilities-assets worksheet
An approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.
b. risk assessment
19. Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
a Security Technician
16. Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
a Systems Testing
29. Which of the following is an advantage of the user support group form of training?
a Usually conducted in an informal social setting
The risk assessment deliverable titled __________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization.
c threat severity weighted table analysis
The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes, is known as __________.
c uncertainty
What is defined as specific avenues that threat agents can exploit to attack an information asset?
c vulnerabilities
An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.
h. qualitative assessment
Remains even after the current control has been applied.
i. residual risk
The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk __________.
identification
Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.
j. risk rating worksheet
Assessing risks includes determining the __________ that vulnerable systems will be attacked by specific threats.
likelihood probability
Risk __________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.
management
The document designed to regulate organizational efforts related to the identification, assessment, and treatment of risk to information assets is known as the RM __________.
policy
The quantity and nature of risk that organizations are willing to accept.
g. risk appetite
What are the included tasks in the identification of risks?
- Creating an inventory of information assets - Classifying and organizing those assets meaningfully - Assigning a value to each information asset - Identifying threats to the cataloged assets - Pinpointing vulnerable assets by tying specific threats to specific assets
False
A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. ____________
54. What is the purpose of a security awareness program? What advantage does an awareness program have for the InfoSec program?
A security awareness program keeps InfoSec at the forefront of users' minds on a daily basis. Awareness serves to instill a sense of responsibility and purpose in employees who handle and manage information, and it leads employees to care more about their work environment.
48. What are some of the variables that determine how a given organization chooses to construct its InfoSec program?
Among the variables that determine how a given organization chooses to structure its information security (InfoSec) program are organizational culture, size, security personnel budget, and security capital budget.
False
An approach to combining risk identification, risk assessment, and risk appetite into a single strategy is known as risk protection. ___________
53. What is the role of help desk personnel in the InfoSec team?
An important part of the InfoSec team is the help desk, which enhances the security team's ability to identify potential problems. When a user calls the help desk with a complaint about his or her computer, the network, or an Internet connection, the user's problem may turn out to be related to a bigger problem, such as a hacker, a DoS attack, or a virus. Because help desk technicians perform a specialized role in InfoSec, they need specialized training. These staff members must be prepared to identify and diagnose both traditional technical problems and threats to InfoSec. Their ability to do so may cut precious hours off of an incident response.
Why is threat identification so important in the process of risk management?
Any organization typically faces a wide variety of threats. If you assume that every threat can and will attack every information asset, then the project scope becomes too complex. To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end. At every step, the manager is called on to exercise good judgment and draw on experience to make the process function smoothly.
relative
As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.
factor analysis
As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.
likelihood
Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.
51. What are the components of the security program element described as preparing for contingencies and disasters?
Business plan, identify resources, develop scenarios, develop strategies, test and revise plan.
Comprehensive
Classification categories must be mutually exclusive and which of the following?
The degree to which a current control can reduce risk is also subject to calculation error. __________
False - estimation
The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk control. __________
False - identification
The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ___________
False - likelihood
12. Most information security projects require a trained project developer. _________________________
False - manager
11. In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. _________________________
False - milestones
An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as exploit assessment. __________
False - threat
A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. __________
False - vulnerabilities
Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. __________
False - vulnerabilities
44. ____________________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work.
Projectitis
management
Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.
For the purposes of relative risk assessment, how is risk calculated?
Risk equals likelihood of vulnerability occurrence multiplied by value (or impact), minus percentage risk already controlled, plus an element of uncertainty.
50. Which security functions are normally performed by IT groups outside the InfoSec area of management control?
- Systems security administration - Network security administration - Centralized authentication
45. Explain the conflict between the goals and objectives of the CIO and the CISO.
The CIO, as the executive in charge of the organization's technology, manages the efficiency in the processing and accessing of the organization's information. Anything that limits access or slows information processing directly contradicts the CIO's mission. On the other hand, the CISO functions more like an internal auditor, with the information security department examining existing systems to discover information security faults and flaws in technology, software, and employees' activities and processes. At times, these activities may disrupt the processing and accessing of the organization's information.
52. What is the Chief Information Security Officer primarily responsible for?
The CISO is primarily responsible for the assessment, management, and implementation of the program that secures the organization's information.
Risk analysis
The identification and assessment of levels of risk in an organization describes which of the following?
False
The information technology management community of interest often takes on the leadership role in addressing risk. ____________
How should the initial inventory be used when classifying and categorizing assets?
The inventory should reflect the sensitivity and security priority assigned to each information asset. A classification scheme should be developed (or reviewed, if already in place) that categorizes these information assets based on their sensitivity and security needs.
Risk assessment estimate factors
The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.
46. What is the security education, training, and awareness program? Describe how the program aims to enhance security.
The security education, training, and awareness (SETA) program is designed to reduce the occurrence of accidental security breaches by members of the organization. The program aims to enhance security in three ways: - By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems - By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely - By improving awareness of the need to protect system resources
47. List the steps of the seven-step methodology for implementing training.
The seven-step methodology for implementing training is as follows: Step 1: Identify program scope, goals, and objectives. Step 2: Identify training staff. Step 3: Identify target audiences. Step 4: Motivate management and employees. Step 5: Administer the program. Step 6: Maintain the program. Step 7: Evaluate the program.
Describe the use of an IP address when deciding which attributes to track for each information asset.
This attribute is useful for network devices and servers but rarely applies to software. You can, however, use a relational database and track software instances on specific servers or networking devices. Many larger organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset-identification process very difficult.
1. Small organizations spend more per user on security than medium- and large-sized organizations.
True
10. Each organization has to determine its own project management methodology for IT and information security projects.
True
9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________
True
Likelihood is the overall rating of the probability that a specific vulnerability will be exploited or attacked.
True
Small organizations spend more per user on security than medium- and large-sized organizations.
True
Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.
True
Calculating the severity of risks to which assets are exposed in their current setting
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
Assigning a value to each information asset
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?
Vulnerabilities
What is defined as specific avenues that threat agents can exploit to attack an information asset?
Listing assets in order of importance
What is the final step in the risk identification process?
Threats-vulnerabilities-assets worksheet
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
Product dimensions
Which of the following attributes does NOT apply to software information assets?
Manufacturer's model or part number
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
IP address
Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
MAC address
Which of the following is an attribute of a network device that is physically tied to the network interface?
Outdated servers
Which of the following is an example of a technological obsolescence threat?
A well-defined risk appetite should have the following characteristics EXCEPT:
a It is not limited by stakeholder expectations.
Which of these denotes the overall structure of the strategic planning and design for the entirety of the organization's RM efforts?
a RM framework
Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often __________.
a create a subjective ranking based on anticipated recovery costs
An understanding of the potential consequences of a successful attack on an information asset by a threat is known as __________.
a impact
__________ is the risk assessment deliverable that places each information asset into a ranked list according to its value based on criteria developed by the organization.
a information asset value weighted table analysis
Once the members of the RM framework team have been identified, the governance group should communicate all of the following for the overall RM program EXCEPT:
a its personnel structure
The organization can perform risk determination using certain risk elements, including all but which of the following?
a legacy cost of recovery
What should you be armed with to adequately assess potential weaknesses in each information asset?
a properly classified inventory
What is the risk to information assets that remains even after current controls have been applied?
a residual risk
The identification, analysis, and evaluation of risk in an organization describes which of the following?
a risk assessment
The __________ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts.
a risk management policy
In the area of risk management, process communications is the necessary information flow within and between all of the following EXCEPT:
a the corporate change control officer
Factors that affect the external context and impact the RM process, its goals, and its objectives include the following EXCEPT:
a the organization's governance structure
Which of the following is NOT among the typical columns in the risk rating worksheet?
a uncertainty percentage
The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
a. risk management
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited availability is known as risk __________.
appetite
35. An organization carries out a risk ____________________ function to evaluate risks present in IT initiatives and/or systems.
assessment
An evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack, is known as threat __________.
assessment
Risk __________ is an approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.
assessment
34. An organization's information security program refers to the entire set of activities, resources, personnel, and technologies used by an organization to manage the risks to the information _______ of the organization.
assets
43. The goal of a security ____________________ program is to keep information security at the forefront of users' minds on a daily basis.
awareness
Which of the following is an attribute of a network device built into the network interface?
b MAC address
Which of these denotes the identification, analysis, evaluation, and treatment of risk to information assets?
b RM process
15. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
b Risk Assessment
31. __________ is a simple project management planning tool.
b WBS
23. The purpose of SETA is to enhance security in all but which of the following ways?
b by adding barriers
18. Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
b centralized authentication
30. Which of the following is NOT a step in the process of implementing training?
b hire expert consultants
36. A study of information security positions found that positions can be classified into one of three types: ____________________ are the real technical types, who create and install security solutions.
builders
24. Advanced technical training can be selected or developed based on which of the following?
c technology product
26. Which of the following is an advantage of the one-on-one method of training?
c Customized
25. Which of the following is the first step in the process of implementing training?
c Identify program scope, goals and objectives
Which of the following activities is part of the risk identification process?
c assigning a value to each information asset
Classification categories must be mutually exclusive and which of the following?
c comprehensive
Which of the following is not a role of managers within the communities of interest in controlling risk?
c legal management must develop corporate-wide standards
Which of the following is an example of a technological obsolescence threat?
c outdated servers
20. GGG security is commonly used to describe which aspect of security?
c physical
17. Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?
c planning
The Risk Management Framework includes all of the following EXCEPT:
c process contingency planning
21. What is the SETA program designed to do?
c reduce the occurrence of accidental security breaches
What is the assessment of the amount of risk an organization is willing to accept for a particular information asset?
c risk tolerance
22. A SETA program consists of three elements: security education, security training, and which of the following?
c security awareness
Labels that must be comprehensive and mutually exclusive.
c. classification categories
Classification categories must be __________ and mutually exclusive.
comprehensive
37. The information security ____________________ is usually brought in when the organization makes the decision to outsource one or more aspects of its security program.
consultant
Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset identification using this attribute difficult?
d IP address
28. Which of the following is an advantage of the formal class method of training?
d Interaction with trainer is possible
13. Which of the following variables is the most influential in determining how to structure an information security program? a. Security capital budget b. Organizational size c. Security personnel budget d. Organizational culture
d Organizational Culture
27. Which of the following is a disadvantage of the one-on-one training method?
d Resource intensive, to the point of being inefficient
Factors that affect the internal context and impact the RM process, its goals, and its objectives include the following EXCEPT:
d The threat environment—threats, known vulnerabilities, attack vectors
For an organization to manage its InfoSec risk properly, managers should understand how information is __________.
d all of these are needed
Which of the following activities is part of the risk evaluation process?
d calculating the severity of risks to which assets are exposed in their current setting
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
d manufacturer's model or part number
Which of the following attributes does NOT apply to software information assets?
d product dimensions
What is the final step in the risk identification process?
d ranking assets in order of importance
32. Which of the following is the most cost-effective method for disseminating security information and news to employees?
d security newsletter
Which of the following is NOT a task performed by the governance group during the framework design phase, in cooperation with the framework team?
d specifying who will supervise and perform the RM process
14. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
d they have larger information security needs than a small organization
46. An estimate made by the manager using good judgment and experience can account for which factor of risk assessment?
d uncertainty
The recognition, enumeration, and documentation of risks to an organization's information assets.
d. risk identification
Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.
e. field change order
The evaluation and reaction to risk to the entire organization is known as __________.
enterprise risk management (ERM)
An evaluation of the dangers to information assets, including a determination of their potential to endanger the organization.
f. threat assessment
As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted __________ worksheet.
factor analysis table analysis
As each information asset is identified, categorized, and classified, a __________ value must also be assigned to it.
relative
41. The project planner should describe the skills or personnel needed for a task, often referred to as a(n) ____________________, needed to accomplish a task.
resource
39. Project ____________________ is a description of a project's features, capabilities, functions, and quality level, used as the basis of a project plan.
scope
38. The ____________________ program is designed to reduce the occurrence of accidental security breaches by members of the organization.
security education, training, and awareness (SETA)
42. The three methods for selecting or developing advanced technical training are by job category, by job function, and by ____________________.
technology product
The assessment of the amount of risk an organization is willing to accept for a particular information asset is known as risk __________.
tolerance