MIS 516 Exam 2

XYZ Co. has decided that the loss event of a single incident on RESOURCE-A is $300,000 and it would result in 40% exposure factor. They also feel that this event could happen 3 times a year. What is the annual loss expectancy (ALE)? $360,000 $120,000 $900,000 $50,000

$360,000

What portion of the risk assessment report is actually essential in ANY report? A Good Executive Summary Supporting Appendices Methodology A Good Conclusion

A Good Executive Summary

What portion of the risk assessment report is actually essential in ANY report? Supporting Appendicies A Good Conclusion A Good Executive Summary Methodology

A Good Executive Summary

The final summary of risks, impacts, rationales, and treatments is called what? A Risk Register A Risk Index A Threat-Control-Vulnerability-Impact Catalog A Risk Catalog

A Risk Register

SLE is AV x EF AV - EF AV + ALE AV / EF

AV x EF

The final phase of the security risk assessment is to create a(n) ________ that addresses all security risks identified in the ___________. Risk report, risk assessment Final report, risk assessment Final report, Action plan Action plan, final report Action plan, data gathering phase

Action plan, final report

_____ monitoring results gives organizations the capability to maintain awareness of the risk being incurred, highlight the need to revisit other steps in the risk management process, and initiate process improvement activities as needed.

Analyzing

Many firms and regulators refer to one or more Cybersecurity and/or risk assessment frameworks. However, firms sometimes create their own custom frameworks. Using a predefined framework has all of the following benefits except what? - The framework is defensible if your process is called into question by others - The framework can be easier to implement for your specific organization - The framework unlikely to miss important key concepts - The framework has less initial work to set up and understand

The framework can be easier to implement for your specific organization

A risk assessment ends with a report. True False

True

A risk assessment provides a point-in-time report. True False

True

A threshold KPI is significant when an index falls into a set range. True False

True

Access controls testing verifies user rights and permissions. True False

True

Action plans are a necessary output of the risk assessment process so that recommendations can be acted upon quickly once the assessment is approved. True False

True

Change management is a process that ensures that changes are made only after a review process. True False

True

Continuous monitoring is necessary because security work is never done. True False

True

Good risk reporting should include tables and figures to visually convey information to the audience. True False

True

In addition to deciding on appropriate monitoring activities across the risk management tiers, organizations also decide how monitoring is to be conducted (e.g., automated or manual approaches) and the frequency of monitoring activities. True False

True

KRIs measure how risky an activity is. True False

True

Key Risk Indicators should be tied to one or more Key Performance Indexes. True False

True

One of the ways to identify controls is to identify critical business functions and critical business operations. True False

True

One or more KPIs can be included in a key performance index. True False

True

Organizations can implement risk monitoring at any of the risk management tiers with different objectives and utility of information produced. True False

True

The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication. True False

True

The Information Technology Infrastructure Library (ITIL) defines the organizational structure and skill requirements of an IT organization and a set of standard operational procedures and practices that allow the organization to manage an IT operation and associated infrastructure. True False

True

The first step of becoming ISO 27002 certified involves implementing best practices. True False

True

Which of the following is NOT a purpose of ISO/IEC 27001:2005? Use within an organization to formulate security requirements and objectives Implementation of business-enabling information security Use within an organization to ensure compliance with laws and regulations Use to form information technology governance

Use to form information technology governance

Select all of the following that risk monitoring allows organizations to do: Avoid performing risk assessments Verify compliance Determine the ongoing effectiveness of risk response measures Evaluate the costs and benefits of different security controls Identify risk-impacting changes to organization information systems

Verify compliance Determine the ongoing effectiveness of risk response measures Identify risk-impacting changes to organization information systems

Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident? asset valuation cost avoidance cost-benefit analysis feasibility analysis

cost avoidance

Which of the following represents the basic structure of a risk assessment report? base report and appendices base report, BIA, executive summary vulnerability analysis, appendices executive summary, base report, appendices

executive summary, base report, appendices

What information should you include in your report for management when you present your recommendations? - stakeholders, key stakeholders, and C-level stakeholders - findings, recommendation cost and time frame, and cost-benefit analysis - recommendation, justification, and procedure - affinity diagram, POAM, and CBA

findings, recommendation cost and time frame, and cost-benefit analysis

Another term for data range and reasonableness checks is ______________. input checks reasonableness range input validation data validation

input validation

Which of the following affects the cost of a control? CBA report asset resale liability insurance maintenance

maintenance

Which of the following orders is consistent with the KPI, KPx and KRI formation? metrics, KPx, KPR, KPI, Dashboard metrics, KPI, KPR, KPx, Dashboard metrics, KPR, KPI, KPx, Dashboard metrics, KPI, KPx, KRI, Dashboard

metrics, KPI, KPx, KRI, Dashboard * P comes before R

Insurance, background checks, and security plans are all categories of ____________. procedural controls policies procedures policy controls

procedural controls

What does FAIR's BRAG rely on to build the risk management framework that is unlike many other risk management frameworks? risk analysis estimates qualitative assessment of many risk components quantitative valuation of safeguards subjective prioritization of controls

quantitative valuation of safeguards

Purchasing insurance is the primary way to ______ or _______ risk. transfer, accept mitigate, share mitigate, accept share, transfer

share, transfer

What are the two primary goals when implementing a risk mitigation plan? staying on schedule and in budget increasing security and maintaining easy access being thorough and cautious avoiding surprises and staying on budget

staying on schedule and in budget

The actual methods used to protect against data loss are __________ controls, but the program that identifies which data to protect is a ___________ control. procedural, technical manual, technical technical, procedural mechanical, procedural

technical, procedural

After you collect data on risks and recommendations, you include that information in a report, and you give that report to management. Why do you do this? - to help management assess how much of the risk was mitigated by the proposed solution - to help management decide which recommendations to use - to avoid several time-consuming presentations about each individual recommendation - to inform management of the progress of the risk management task

to help management decide which recommendations to use

After you collect data on risks and recommendations, you include that information in a report, and you give that report to management. Why do you do this? - to inform management of the progress of the risk management task - to help management assess how much of the risk was mitigated by the proposed solution - to help management decide which recommendations to use - to avoid several time-consuming presentations about each individual recommendation

to help management decide which recommendations to use

What is the purpose of a risk mitigation plan? to ensure compliance to bolster a risk assessment to implement approved countermeasures to reduce threats

to implement approved countermeasures

Clear and effective security risk assessment reporting requires that the contents of the report be perceived as (check all that apply) unambiguous actionable accurate nonthreatening relevant

unambiguous accurate nonthreatening relevant

Risk monitoring provides organizations the means to (click all that apply): verify compliance determine the ongoing effectiveness of risk response measures identify risk-impacting changes to organizational information systems and environments of operation assess risk

verify compliance determine the ongoing effectiveness of risk response measures identify risk-impacting changes to organizational information systems and environments of operation * monitoring does not assess risk

In addition to the data captured in your risk assessment template, exceptions and mitigation plans need to include the following information EXCEPT: Policy exceptions/risk acceptance approval and time frame Budget Process Business justification for the risk Mitigation action items, long- and short-term

Budget Process

Order the following for measuring and incorporating metrics. ____Business case ____Mature measurements ____Design and select metric system ____Manage measurements ____Develop metrics ____Launch metrics ____Determine requirement ____Test metrics

Determine requirement Business case Design and select metric system Develop metrics Test metrics Launch metrics Manage measurements Mature measurements

The risk control strategy were the organization is willing to accept the current level of risk and makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy. True False

False

There is only one way to format and organize a risk assessment report. True False

False

Which of the following is NOT risk evaluation step? Identify the key components Determine risk exposure (including risk sensitivity) Determine likelihood of threat/vulnerability Determine severity of threat/vulnerability Determine residual risk level

Identify the key components

All of the following are risk treatments in different frameworks except? Mitigate Transfer Defer Avoid Ignore Accept

Ignore

What is the first step in applying the RMF? Assess the security controls using appropriate assessment procedures Categorize the information system and the information processed Select an initial set of baseline security controls Authorize information system operation based on risk determination

Categorize the information system and the information processed

All of the following are risk treatments in different frameworks except? Mitigate Defer Control Accept Avoid Transfer

Control

____________ mitigate(s) risk. Management Databases Assessments Controls

Controls

You have created a risk assessment, and management has approved it. What do you do next? Gather the stakeholders for a progress meeting. Start assessing risks for a different department. Define the scope of the risk assessment. Create a risk mitigation plan.

Create a risk mitigation plan.

What is NOT an example of an intangible value? Cost of gaining a consumer Customer influence Data Future loss

Data

All of the following are KPI types except: Esoteric Qualitative Threshold Milestone

Esoteric

A KPx is a summary of one or more KRIs. True False

False

A business impact analysis (BIA) is an output of the risk assessment process. True False

False

Change management ensures that similar systems have the same, or at least similar, configurations. True False

False

Configuration management is the same as change management. True False

False

FAIR's BRAG relies uses qualitative assessment of many risk components using scales with value ranges. True False

False

In information security, a framework or security model customized to an organization, including implementation details is known as a floor plan. True False

False

In the risk management process, it is not important to identify who should be responsible for the various processes or steps. True False

False

Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. True False

False

KPIs do not necessarily need to be tied to organizational strategy. True False

False

Loss Before Countermeasure - Loss After Countermeasure = Countermeasure Value True False

False

Organizations can only implement risk monitoring at risk management tiers 1 and 2. True False

False

Risk mitigation plans help determine the numerical values for the risk formula, which is Risk = Threat x Vulnerability. True False

False

The objective in risk assessment reporting is to assign blame to those who pose risks. True False

False

The COSO framework is built on eight interrelated components. Which of the following is NOT one of them? Risk response Monitoring InfoSec Governance Risk assessment

InfoSec Governance

A risk ____ could be a simple listing of identified risks, some of which are already assessed and others of which are still in the process of being qualified Assessment Mitigation Plan Inventory

Inventory

When Calculating Safeguard Costs we must typically be sure to include which of the following? (select all that apply) Maintenance Costs Training Costs Operational Costs Installation Charges Purchase Price

Maintenance Costs Training Costs Operational Costs Installation Charges Purchase Price

The relation between Controls and Threats is best described as? One-to-Many (One Threat can have many Controls) One-to-One One-to-Many (One Control can address many Threats) Many-to-Many

Many-to-Many

Which of the following is NOT one of the components of the COSO framework? Information and communication Meeting stakeholder needs Risk assessment Communication and reporting

Meeting stakeholder needs

What does OCTAVE stand for? Operationally Critical Threat Asset and Variable Evaluation Optional Tactical Active Variable Evaluation Optional Tension After Vulnerability Excessiveness Operationally Critical Threat, Asset, and Vulnerability Evaluation

Operationally Critical Threat, Asset, and Vulnerability Evaluation

Which of the following is NOT a phase in the information security measurement system lifecycle? Mature the measurement system Remove the measurement system Launch the measurement system Prepare a business case Select security metrics

Remove the measurement system

Which of the following is NOT a way organizations can respond to risk? Risk Acceptance Risk Transfer Risk Mitigation Risk Avoidance Risk Elimination

Risk Elimination

Which of the following is NOT part of a risk report structure? Base Report Exhibits Executive-Level Report Risk Report Memorandum Appendices

Risk Report Memorandum

Which of the following can affect the state of risks? Supply Chain changes Risk levels of competitors Personnel changes Mergers

Supply Chain changes Personnel changes Mergers

OCTAVE is one of the many frameworks available. Although heavy and labor intensive, it includes innovative approaches. One of the unique aspects of OCTAVE is the pools of mitigation approaches. The pools used include everything but? Defer or Accept Mitigate Accept Mitigate or Defer Transfer

Transfer