MIS 416 Study Guide


A threat event where loss materializes and/or where liability increases. A. loss event B. risk event C. liability event

A

A(n) ___________________ is performed to identify the most serious risks, help you manage risks, and identify the best methods to control risks. A. RA B. POAM C. CBA D. SOX

A

According to Talabis, what is the most rigorous and most encompassing activity in the information security risk assessment process? A. Data Collection B. Interviewing Personnel C. Scoping a Project D. Testing Controls E. Creating Valid Risk Profiles

A

Another term for risk mitigation is __________. A. risk reduction B. risk assessment C. risk management D. risk evaluation

A

Business impact analyses identify an impact that can result from ____________. A. disruptions in a business B. uncontrolled vulnerabilities C. threats to the IT infrastructure D. failure of a DMZ

A

Choose the answer that correctly lists the seven steps of a business impact analysis. A. identify the environment; identify stakeholders; identify critical business functions; create contingency strategies; develop an information system contingency plan; ensure plan testing, training, and exercises; and ensure plan maintenance B. identify the environment; identify stakeholders; identify critical business functions; identify critical resources; identify the maximum downtime; identify recovery priorities; and develop the BIA report C. develop the contingency planning policy statement; conduct the business impact analysis; identify preventive controls; create contingency strategies; develop an information system contingency plan; ensure plan testing, training, and exercises; and ensure plan maintenance D. develop the contingency planning policy statement; conduct the business impact analysis; identify preventive controls; identify critical resources; identify the maximum downtime; identify recovery priorities; and develop the BIA report

A

Hardening the server refers to ____________. A. the combination of all the steps that it takes to protect a vulnerable system and make it more secure than the default installation B. a type of attack that deletes vital data from a server C. a mitigation technique that is a step towards protecting a vulnerable system D. a type of attack that removes the authorization to access a company's systems from high-level employees in a corporation

A

Identify the true statement. A. Exploited vulnerabilities result in losses. B. The method used to take advantage of a vulnerability is known as a threat. C. Vulnerability is a synonym for loss. D. All vulnerabilities result in losses.

A

Low recovery time objectives are ____ but ____. A. achievable, costly B. unachievable, ideal C. elusive, maintainable D. risky, high-yield

A

Objectives during the interview phase of the RIIOT technique include all the following except: A. Confirmation of managerial involvement in risk assessment process B. confirmation of security procedure execution C. Identification of vulnerabilities in the area of the interviewee's expertise D. Measurement of security awareness among staff E. Confirmation of threat identification, asset valuation and critical systems identification

A

Once the Risk Assessment is complete, the next step is what? A. Conduct a postmortem to look for opportunities to improve the process B. Follow up on detailed recommendations to ensure they are implemented C. Ensure buy-in from all key stakeholders D. Properly file the work product before moving on to the next project

A

Risk Likelihood Calculation = which of the following? A. Threat x Vulnerability B. vulnerability + exploit C. exploit - threat D. threat/vulnerability

A

Security policies and procedures are the __________ of information security and the most important element of the security program for any organization. A. cornerstone B. only concern C. downfall D. subterfuge

A

Threat ___________ is a process used to identify possible threats on a system. A. modeling B. analysis C. profile D. system

A

What are often the weakest links in information security? A. people B. environmental threats C. physical security D. passwords

A

What are the two primary methods used to create a risk assessment? A. quantitative and qualitative B. inductive and deductive C. written or verbally D. empirically and emotionally

A

What is NOT a direct cost? A. penalty costs for nonrepudiation issues B. remote backup costs C. equipment replacement costs D. building replacement costs

A

What is NOT a type of control? A. private B. technical C. procedural D. physical

A

What is the first element to be considered when conducting a Risk Assessment? A. what are the organization's assets B. what vulnerabilities does the organization have C. what are the possible threats and threat agents facing the organization D. what controls has the organization already implemented

A

What is the key resulting element of an information security risk assessment? A. Security Risk B. Threat Agent C. Threat D. Vulnerability E. Asset

A

When should you perform a risk assessment? A. periodically B. yearly C. daily D. whenever

A

Which 3 assessment methods does NIST SP 800-53A r4 define? A. examine, test, interview B. observe, scan, inspect C. review, redo, implement

A

Which of the following is NOT one of the most common categories of impact that should be included in a security risk profile? A. economic B. reputation C. legal D. financial

A

You run a bank and wish to update your physical security at each branch of your bank and to update the technological security of the bank's private financial data. What is the best way to determine whether physical security or technological security has a higher priority of protection? A. RAs B. CVEs C. CBAs D. POAMs

A

A(n) __________ is a common type of attack to deny service on Internet-facing servers. A. SQL injection B. DDOS C. DMZ D. database server

B

A(n) ____________________ is a potential weakness in an asset or its defensive control(s). A. asset B. vulnerability C. threat D. risk

B

By multiplying the asset value by the exposure factor, you can calculate which of the following? A. annualized cost of the safeguard B. single loss expectancy C. value to adversaries D. annualized loss expectancy

B

If you know a single loss expectancy is $100 and the associated annualized rate of occurrence is 5, then what is the annual loss expectancy? A. 20 months B. $500 C. $105 D. $20

B

Qualitative Risk Analysis determines the level of risk based on the __________ and _________ of risk. A. threat, probability B. probability, impact C. threat, dollar value D. impact, threat

B

The RIIOT approach to Data Gathering has all the following benefits except? A. Project Management B. Simplicity C. Coverage D. Organization

B

What is an indirect objective of a business impact analysis? A. to calculate MAOs B. to justify funding C. to identify an impact that can result from disruptions in a business D. to evaluate the effectiveness of controls

B

What is the key principal element of an information security risk assessment? A. threat agent B. asset C. vulnerability D. Threat

B

When a threat exploits a vulnerability, it results in a(n) __________. A. crime B. breach C. liability D. countermeasure

B

When identifying mission-critical business functions and processes, who or what possess(es) the key information? A. department-heads B. experts C. stakeholders D. c-level employees

B

Which of the following can be calculated using the values from an annualized rate of occurrence multiplied by the values from a single loss expectancy? A. operational feasibility B. annualized loss expectancy C. asset valuation D. cost benefit analysis

B

Which of the following would not be a common category for asking risk sensitivity questions? A. reputation B. skills C. regulatory D. financial E. legal

B

Which of these is NOT true? A. Multiple threats can map to a single vulnerability B. Every threat must map to at least one vulnerability C. A Threat can match to multiple vulnerabilities D. Some threats will not map to vulnerabilities

B

Why might you need to verify risk elements if a substantial amount of time has passed since you performed a risk assessment? A. to maximize the cost-effectiveness of your mitigation plan B. to make sure that the threats or vulnerabilities you want to mitigate still exist C. to ensure compliance with regulations and laws that affect your organization D. to protect servers and databases

B

_____________ is the likelihood that a threat will exploit a vulnerability. A. assessment B. probability C. risk D. impact

B

According to FAIR, gathering insight into forms of loss from _____ increases the quality of the overall analysis. A. the internet B. similar companies C. subject-matter experts D. trade magazines

C

According to Landoll, which of the following is NOT a type of security test? A. Information Accuracy Testing B. Vulnerability Testing C. Threat Testing D. Penetration Testing

C

An asset has a value of 50 and 1 vulnerability. The vulnerability has a probability of 1.0. There are no controls. It is estimated this information is 90% accurate. What is the risk rating? A. 90 B. 12 C. 55 D. 45

C

Data collection mechanisms are divided into what two categories? A. primary and secondary B. Vulnerability and Sensitivity C. Collectors and Containers D. Procurers and Providers E. Threat and Asset

C

Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another? A. Cost of identification B. Cost of detection C. Cost of prevention D. Cost of litigation

C

Formulas for quantitative risk assessments usually look at a period of ____. A. one day B. one hour C. one year

C

How do you start a risk assessment? A. by generally defining controls B. by mitigating risks C. by clearly defining what you will assess D. by identifying countermeasures

C

Organizations that accept risk are generally in a ________ mode whereas larger, more well-established organizations are typically more ____________ to risk taking. A. non-growth, acceptable B. mature, averse C. growth, averse D. growth, acceptable

C

The formula for Single Loss Expectancy or SLE is? A. SV * EF B. AV * ARO C. AV * EF D. SV * ARO

C

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process? A. Documenting and reporting the findings of risk identification and assessment B. Calculating the severity of risks to which assets are exposed in their current setting C. Inventory and categorize assets D. Determining the likelihood that vulnerable systems will be attacked by specific threats

C

What are the elements of the security triad? A. confidence, intelligence, and assessment B. coordination, implementation, and authorization C. confidentiality, integrity, and availability D. cooperation, installation, and acquisition

C

What is NOT a benefit of a quantitative Risk analysis? A. uses expert opinions B. easily understandable wording C. data is easier to gather D. provides a CBA

C

What is NOT an indirect cost? A. costs to regain market share B. lost opportunities during recovery C. costs to re-create or recover data D. loss of goodwill

C

What is a major type of vulnerability for users? A. firmware B. database relations C. social engineering D. natural disasters

C

What type of sampling technique is the following - "This sampling technique selects clusters of sample units from the population to create a representative sample." A. simple sampling B. interval sampling C. cluster sampling D. stratified sampling E. systematic sampling

C

Which of the following is a Risk Severity calculation? A. vulnerability / threat B. threat x impact C. threat x vulnerability x impact D. threat/vulnerability x uncertainty

C

____________ assessments are objective, while ___________ assessments are subjective. A. Risk, threat B. Qualitative, quantitative C. Quantitative, qualitative D. Threat, risk

C

A relative measurement of a resource's tolerance for risk exposure is: A. Threat landscape B. Risk aversion C. Vulnerability score D. Risk sensitivity

D

A security risk assessment which is technically accurate is still a failure if it what? A. doesn't include an assignment of blame for specific security failings B. Fails to provide detailed mitigation strategies C. Includes un-actionable positive findings D. Alienates those who receive the information

D

According to Talabis, what is the function of a BIA? A. To evaluate what threats are specific to each business organization unit in a company and how these threats will specifically impact the business unit. B. To determine which business processes cannot be modified regardless of recommendations from the risk assessment team. C. To identify what business processes are going to be most impacted by a specific threat. D. To assess and identify critical and non-critical organizational functions and activities.

D

According to the CIA triad, which of the following is a desirable characteristic for computer security? A. decoupling B. transparency C. accountability D. availability

D

All of the following are reasons to perform risk assessments except? A. It enables us to determine a proper security budget B. It enables us to determine what controls or safeguards should be in place C. It enables us to determine what assets need protection D. It enables us to determine which risk assessment framework we should be using E. It enables us to determine what assets are high-risk assets

D

Companies use risk management techniques to differentiate ___________ from _________? A. costs, benefits B. vulnerabilities, weaknesses C. vulnerabilities, threats D. severe risks, minor risks

D

Factors to consider when gathering information about resources include everything but? A. Reputational Damages B. Regulatory Constraints C. Financial Damages D. Social Concerns E. Legal Damages

D

If there are three possible outcomes to an event, one of which has a probability of 40% and will cost you $4000 and one of which has a probability of 30% and which will cost you $1500, and another with a probability of 30% that will cost you $2500, what is your expected loss? A. 2350 B. 1600 C. 2050 D. 2800 E. 8000 F. 4000 G. 1200

D

If you expect an event to happen 3 times a year to each of 4 assets, and the single loss expectancy is $2000, what is your expected total annual impact? A. $6,000 B. $12,000 C. $8,000 D. $24,000

D

In the RIIOT technique, documents should be reviewed for all the following except: A. content B. completeness C. Clarity D. Conciseness E. Correctness

D

Sampling can be an excellent technique for gathering _________ security test data about a large number of network components. A. known B. irrelevant C. non-representative D. representative

D

The risk value of an asset is directly proportional to the ____ and ____ of a particular threat exploiting a vulnerability after considering the controls in place that are protecting the asset. A. Impact, Severity B. Force, Popularity C. Popularity, Damage D. Impact, Likelihood E. Likelihood, Popularity

D

Total risk = _______________ A. benefit - cost B. (benefit - cost) x asset value C. threat x vulnerability D. ((Threat x Vulnerability) x value of asset) - %risk mitigated by controls + uncertainty

D

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process? A. Classifying and organizing information assets into meaningful groups B. Creating an inventory of information assets C. Assigning a value to each information asset D. Calculating the severity of risks to which assets are exposed in their current setting

D

Typical data collectors include everything but, ____. A. interviews B. workshops C. Surveys D. Retreats E. Document Request Lists

D

What is NOT a benefit of a qualitative Risk Analysis? A. uses the opinions of the experts B. is easy to complete C. uses words that are easy to express and understand D. includes a CBA

D

What is NOT a classification of data? A. private B. proprietary C. public D. risk

D

What is a benefit of a quantitative Risk Analysis? A. uses expert opinions B. easily understandable wording C. data is easier to gather D. provides a CBA

D

When we need to sample because we can't gather information from the entire population, and our population consists of a few clusters which had characteristics very similar to each other but not necessarily other groups, we can use what type of sampling? A. Systematic sampling B. Simple sampling C. Cluster Sampling D. Stratified sampling

D

Which of the following is NOT an example of what type of document a risk assessor could request during a risk assessment? A. Asset Inventories B. Current Security Policies, Standards and Procedures C. Copy of the BIA D. Previously considered IT Security Recommendations E. Previous Information Security Risk Assessments

D

___________ is the negative result if the risk occurs. A. risk B. probability C. value D. impact

D

Data is often an organization's most valuable information asset; sensitive data needs to be protected in which states? A. Data in Binary B. Data in Transit C. Data in Process D. Data at Rest E. Data in transit, in process, and at rest

E

Risk = ___________ X _____________ X ____________ A. Cost of asset, Likelihood, Threat B. Likelihood, Threat factor, Asset C. Impact, Threat Agent, Vulnerability D. Impact, Likelihood, Asset E. Asset, Threat, Vulnerability

E

This will often map out critical process within an organization and if done properly will also identify specific systems supporting those processes. A. FAIR B. DMZ C. CBA D. DRP E. BIA

E

A BIA typically identifies the customers & how the organization plans to serve them. True False

False

A Risk Assessment team should focus both on critical areas and on what management might consider important. True False

False

A business impact analysis is concerned with identifying and implementing recovery methods. True False

False

A business impact analysis is intended to include all IT functions. True False

False

A risk assessment is the same as a risk management program. True False

False

All IT services and servers are equally critical. True False

False

All vulnerabilities result in loss. True False

False

An IT asset inventory is a list of IT assets that are vulnerable to a specific threat that is under assessment. True False

False

An organization should implement as many controls as possible. True False

False

Any and all challenges you face when completing an RA depend on whether you are completing a quantitative or qualitative Risk Analysis. True False

False

Asset valuation is NOT a major priority of risk management. True False

False

Balanced security satisfies everyone. True False

False

CBA stands for Cost Benefit Authorization. True False

False

Companies in growth mode are typically more risk averse than large complex companies. True False

False

Compensating controls are controls in place that do not effectively reduce exploitability. True False

False

Every threat must map to at least one vulnerability. True False

False

In a qualitative Risk Analysis it is important to define value according to the standard scale. True False

False

It is easier to identify indirect costs than direct costs. True False

False

It is essential that risk management be driven by the potential for worst-case scenarios. True False

False

Making a system more secure often makes it easier to use. True False

False

More data always improves the risk analysis. True False

False

Productivity and replacement costs occur mostly as secondary loss. True False

False

Questionnaires, forms, and surveys are the standard way to collect data for a BIA. True False

False

RAs are simpler to complete than risk management plans, because risk management plans are continuous processes while RAs are simple point-in-time documents that can easily be completed in a single sitting. True False

False

Risk assessment and risk analysis are the same thing. True False

False

Stratified Sampling is "based on a systematic approach to selecting sample units from a population." True False

False

The intangible value of an asset is NOT relevant to managing risks because there is no way to quantify its value in terms of monetary value during a risk assessment. True False

False

The internal LAN is always considered a trusted zone. True False

False

The objective of the "inspect security controls" approach in the RIIOT technique is to present alternative methods of potentially reducing risks to an organization. True False

False

There are complete and set guidelines for how to perform personnel observations during the RIIOT technique. True False

False

There is one formula for risk that is used by all organizations globally so as to keep consistency. True False

False

When using the RIIOT method for data gathering, it is essential to inspect security controls prior to interviewing key personnel in order to understand the systems that employees are operating and potentially putting at risk. True False

False

Place the 5 different approaches of the RIIOT method in order:

Review Interview Inspect Observe Test

A Security Scan and a Risk Assessment are the same. True False

True

All systems have vulnerabilities. True False

True

CBA stands for cost-benefit analysis. True False

True

Critical business functions include elements necessary to perform the mission of an organization. True False

True

Exploited vulnerabilities result in losses. True False

True

For a business impact analysis, the step of "identifying the environment" means having a good understanding of the business function. True False

True

Hardening a server makes the server more secure. True False

True

Hardening the server refers to the combination of all steps that it takes to protect a vulnerable system and make it more secure than the default installation. True False

True

Inherent risk is the value of the unmitigated risk exposure. True False

True

It is often useful to categorize an organization's environments by risk sensitivity and then go deeper into the specific sensitive resources in each environment. True False

True

Malignant Threats are threats that are always present. True False

True

Performing Risk Assessment separately for each division makes implementing recommendations easier. True False

True

Residual risk = Total Risk - Controls True False

True

Risk analysis is part of the risk assessment process. True False

True

Risk management choices are made in a top-down fashion affecting the sensitivity of risk throughout the organization. True False

True

Risk tolerance levels reflect an organization's culture and disposition of upper management. True False

True

Safeguards are also known as controls. True False

True

Sampling is also known as "representative testing." True False

True

Some recovery point objectives require you to recover data up to a moment in time. True False

True

The 2 primary steps you need to complete before progressing with an RA are defining the assessment and reviewing previous findings. True False

True

The RIIOT technique can be used with any set of security document requirements, standards or guidelines. True False

True

The first part of a qualitative Risk Rating attempts to prioritize risk. The remaining parts of the qualitative Risk Rating evaluate the effectiveness of controls as related to the risk. True False

True

The first section of a qualitative Risk analysis attempts to prioritize risk. The second section of Qualitative Risk Analysis evaluates the effectiveness of controls. True False

True

The more data you store, the more valuable that collection of data becomes. True False

True

The two primary terms related to recovery requirements are recovery time objective and recovery point objective. True False

True

The ultimate goal in risk management is to protect the organization. True False

True

The value of an assessment is only as valuable as the expertise of the experts. True False

True

Uncertainty level indicates how valid data is. True False

True

You should include a CBA to support your recommendations. True False

True

The goal of InfoSec is NOT to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.

appetite

A(n) ____________________ is an act against an asset that could result in a loss.

attack

What is NOT a step in risk management?

eliminating all risks

Risk ________ is the practice of identifying, assessing, controlling, and mitigating risks.

management
