CSC 388 Chapter 4

__________ tests interrupt the primary data center and transfer processing capability to an alternate site.

Full-interruption

What is meant by annual rate of occurrence (ARO)?

The annual probability that a stated threat will be realized.

How often should an organization perform a risk management plan?

annually

What is meant by risk register?

A list of identified risks that results from the risk-identification process.

Which of the following best describes quantitative risk analysis?

A risk-analysis method that uses mathematical formulas and numbers to assist in ranking risk severity.

Which of the following is the definition of business drivers?

The collection of components, including people, information, and conditions, that support business objectives.

A ___________ primarily addresses the processes, resources, equipment, and devices needed to continue conducting critical business activities when an interruption occurs that affects the business's viability.

business continuity plan (BCP)

A ___________ is a formal analysis of an organization's functions and activities that classifies them as critical or noncritical.

business impact analysis (BIA)

A ___________ will help identify not only which functions are critical, but also how quickly essential business functions must return to full operation following a major interruption.

business impact analysis (BIA)

Information security activities directly support several common business drivers, including ________ and efforts to protect intellectual property.

compliance

What name is given to a comparison of security controls in place and the controls that are needed to address all identified threats?

gap analysis

What name is given to a risk-analysis method that uses relative ranking to provide further definition of the identified risks in order to determine responses to them?

qualitative risk analysis

The goal of ____________ is to quantify possible outcomes of risks, determine probabilities of outcomes, identify high-impact risks, and develop plans based on risks.

quantitative risk analysis

What name is given to any risk that exists but has a defined response?

residual risk

Any organization that is serious about security will view ___________ as an ongoing process.

risk management

A parallel test evaluates the effectiveness of the ________ by enabling full processing capability at an alternate data center without interrupting the primary data center.

DRP

When you accept a __________, you take no further steps to resolve it.

negative risk

