PSCS 2103
You are creating objectives for your risk management plan. What do you NOT include at this stage? A) POAM B) list of threats C) cost-benefit analysis D) one or more reports
A) POAM
A(n) ___________________ is performed to identify the most serious risks, help you manage risks, and identify the best methods to control risks. A) RA B) CBA C) POAM D) SOX
A) RA
What is a security policy? A) a principle of least privilege B) an access control C) a high-level overview of security goals D) a principle of need to know
A) a high-level overview of security goals
At what point should you describe the procedures and schedules for accomplishment? A) after the project has started B) as early as possible C) before each workday D) figure it out as you go
A) after the project has started
A ___________ plan can help ensure that mission-critical systems continue to function after a disaster. A) business continuity B) disaster recovery C) risk management D) risk prevention
A) business continuity
People use the term Big Data when talking about large _____________. A) databases B) data files C) data mining D) data warehousing
A) databases
All of the following are major components of RAs, EXCEPT: A) identifying stakeholders B) identifying scope C) identifying critical areas D) identifying team members
A) identifying stakeholders
___________ is the negative result if the risk occurs. A) Impact B) Probability C) Risk D) Value
A) impact
What is NOT true about Operation Aurora? A) It attacked several private citizens B) It originated in China C) It attacked several private companies D) It is an example of an APT attack
A) It attacked several private citizens
What is NOT something to consider when determining the value of an asset? A) management recommendations B) system functions C) personnel assets D) facilities and supplies
A) management recommendations
The _____________ define(s) what the system does. A) mission of the system B) RA C) operational characteristics D) previous findings
A) mission of the system
A _____________ policy governs how patches are understood, tested, and rolled out to systems and clients. A) patch mitigation B) patch management C) version control D) configuration management
A) patch management
You recently changed jobs. HIPAA helps you _____________________. A) protect your health information B) control medical costs C) share your medical history with your new employer D) sign up for Medicaid
A) protect your health information
____________ assessments are objective, while ___________ assessments are subjective. A) Quantitative, qualitative B) Risk, threat C) Qualitative, quantitative D) Threat, risk
A) quantitative, qualitative
An operating system is an example of a(n) ___________. A) software asset B) malware threat C) hardware asset D) personnel asset
A) software asset
What can you control about threat/vulnerability pairs? A) the vulnerability B) the threat C) the loss D) the cost
A) the vulnerability
What is NOT a benefit of a quantitative RA? A) uses expert opinions B) easy to complete C) provides a CBA D) easily understandable wording
A) uses expert opinions
A new company starts up but does not have a lot of revenue for the first year. Installing anti-virus software on all the company's computers would be very costly, so the owners decide to forgo purchasing anti-virus software for the first year of the business. In which domain of a typical IT infrastructure is a vulnerability created? A) workstation domain B) malware domain C) LAN domain D) WAN domain
A) workstation domain
A cold site is _________________. A) a Web site with an expired domain that has been taken over by ads B) a building with electricity and running water but little else C) the most expensive kind of site D) a compromise with a hot site
B) a building with electricity and running water but little else
When companies are expected to adhere to the laws that they are affected by, this is commonly known as _______________. A) SOX B) compliance C) risk management D) regulation
B) compliance
Most organizations use __________ to track hardware assets. A) hardware B) databases C) software D) written processes
B) databases
The Health Insurance Portability and Accountability Act (HIPAA) applies only to the health care industry. A) True B) False
B) false
The organization known as Gay, Lesbian, and Bisexual Americans (GBLA) is responsible for sponsoring important legislation regarding protecting the privacy of employees' sexual orientation in the workplace. A) True B) False
B) false
__________ refer(s) to when users or customers need a system or service. A) The C-I-A triad B) Five nines C) System access and availability D) Failover cluster
B) five nines
When a threat exploits a vulnerability, it results in a(n) __________. A) impact B) loss C) crime D) liability
B) loss
__________ define(s) how the system operates in your environment. A) The mission of the system B) Operational characteristics C) RAs D) Previous findings
B) operational characteristics
An exploit assessment is also known as a(n) ___________. A) exploit list B) penetration test C) vulnerability assessment D) threat survey
B) penetration test
When the FTC was created in 1914, its primary goal was to _______________. A) stop the illegal sale of alcohol B) prevent unfair methods of competition C) promote consumer protection D) protect fair trade and ensure ethical treatment of workers
B) prevent unfair methods of competition
Qualitative RAs determine the level of risk based on the __________ and _________ of risk. A) impact, threat B) probability, impact C) threat, probability D) threat, dollar value
B) probability, impact
Data warehousing is a(n) __________, and data mining is a(n) ____________. A) database, process B) process, group of techniques C) group of techniques, database D) group of techniques, process
B) process, group of techniques
Most organizations use ______________ as gateways to access the Internet. A) ISPs B) Proxy servers C) firewalls D) Private servers
B) proxy servers
What is one source of risk reduction? A) eliminating the threats B) reducing the impact of the loss C) increasing the rate of occurrence D) eliminating the threat/vulnerability pair
B) reducing the impact
What is NOT a category of data and information assets? A) organization B) IP C) SP D) data mining
C) SP
What is a hardware lock? A) A type of firewall B) A type of antivirus software C) A type of RA D) A type of metal cable
C) a type of RA
How do you start a risk assessment? A) by identifying countermeasures B) by generally defining controls C) by clearly defining what you will assess D) by mitigating risks
C) by clearly defining what you will assess
What is NOT a way that you can measure the value of a system when determining if the system requires five nines? A) indirect revenue B) direct revenue C) confidentiality D) productivity
C) confidentiality
What is the relevance of state AGs to IT issues? A) AGs are appointed by the DHS B) AGs are laws that regulate secure information within American government agencies C) In some states, AGs are tasked with preventing identity theft D) AGs are grants given to companies that store sensitive data
C) in some states, AGs are tasked with preventing identity theft
Addresses ______________ are automatically marked as spam. A) on a white list B) from a DMZ C) on a blacklist D) in an address book
C) on a blacklist
What is an example of a Group Policy? A) end user license agreement B) privacy policy C) password policy D) nondisclosure agreement
C) password policy
When should you perform a risk assessment? A) when mitigating a threat B) when eliminating a threat C) periodically D) continuously
C) periodically
You use ________________ to communicate a risk and the resulting impact. A) risk management plans B) CBAs C) risk statements D) POAMs
C) risk statements
FERPA applies to all of the following EXCEPT ______________. A) Washington State Community College B) Arizona State University C) Saint Mary's Private Elementary School for Girls D) Public School 119 of New York City
C) Saint Mary's Private Elementary School for Girls
A teenager learning about computers and programming for the first time writes a simple program meant to disrupt the function of his sister's computer. While she's hanging out with friends at the mall, he enters his sister's IP address, launches the program, and waits to see what will happen. The teenager is an example of a ___________. A) hacker B) DoS attacker C) script kiddie D) DDoS attacker
C) script kiddie
After you collect data on risks and recommendations, you include that information in a report, and you give that report to management. Why do you do this? A) to avoid several time-consuming presentations about each individual recommendation B) to inform management of the progress of the risk management task C) to help management decide which recommendations to use D) to help management assess how much of the risk was mitigated by the proposed solution
C) to help management decide which recommendations to use
What is the purpose of a POAM? A) assigning risk response procedures to stakeholders B) creating deadlines for risk response C) tracking risk response actions D) identifying vulnerabilities
C) tracking risk response actions
Choose the most accurate statement with respect to creating a risk management plan. A) A risk management plan is simpler and more effective than a cost-benefit analysis. B) A risk management plan is an important document legally required to run an online business. C) A risk management plan eliminates threats to your business. D) A risk management plan can help ensure your business is in compliance with important regulations.
D) A risk management plan can help ensure your business is in compliance with important regulations
A(n) _____________ is a process used to determine how to manage risk. A) POAM B) cause and effect diagram C) Ishikawa diagram D) CBA
D) CBA
As a top-level executive at your own company, you are worried that your employees may steal confidential data too easily by downloading and taking home data on thumb drives. What is the best way to prevent this from happening? A) Install a technical control to prevent the use of thumb drives. B) Instruct higher-level employees to inform their employees that the use of a thumb drive is a fireable offense. C) Hold a seminar that explains to employees why the use of thumb drives in the workplace is a security hazard. D) Create and enforce a written company policy against the use of thumb drives, and install technical controls on the computers that will prevent the use of thumb drives.
D) Create and enforce a written company policy against the use of thumb drives, and install technical controls on the computers that will prevent the use of thumb drives.
How can you determine the importance of a system? A) by when the system was last updated B) by why the system functions C) by what the organization does D) by how the system is used
D) by how the system is used
When a fiduciary does not exercise due diligence, it can be considered ____________. A) reasonable doubt B) attorney-client privilege C) power of attorney D) negligence
D) negligence
Formulas for quantitative risk assessments usually look at a period of _____________. A) five years B) one quarter C) six months D) one year
D) one year
POAM stands for __________. A) process of accountable management B) plan of accurate mitigation C) procedures of accident management D) plan of action and milestones
D) plan of action and milestones
A technician in a large corporation fixes a printer that wasn't receiving an IP address automatically by manually assigning it an address. That address was already assigned to a server that other technicians were repairing. When the server was repaired and brought online, it no longer worked properly. How could this problem have been avoided? A) proper risk assessment B) proper configuration management C) proper description of operational characteristics D) proper change management
D) proper change management
What is NOT a way that you can determine the value of an asset? A) replacement value B) what the asset provides to the organization C) cost to recover the asset D) qualitative valuation
D) qualitative valuation
When your bank or credit card company sends you a notification of changes in how it collects or shares data, it is sending that notification in compliance with _______________. A) HIPAA B) the safeguards rule C) FERPA D) the financial privacy rule
D) the financial privacy rule
A(n) ______________ is a computer joined to a botnet. A) robot B) virus C) access control D) zombie
D) zombie
What is NOT an example of an intangible value? A) future lost revenue B) cost of gaining a consumer C) customer influence D) data
Data
Identify the TRUE statement. A) Exploited vulnerabilities result in losses. B) All vulnerabilities result in losses. C) Vulnerability is a synonym for loss. D) The method used to take advantage of a vulnerability is known as a threat.
Exploited vulnerabilities result in losses.
The intangible value of an asset is not relevant to managing risks because there is no way to quantify its value in monetary terms during a risk assessment. A) True B) False
False
With proper security measures, a company can eliminate threats. A) True B) False
False
What is NOT an example of an unintentional threat?
Malware written and run by a "script kiddie" just to destroy
A _________ is the likelihood that a loss will occur. A) threat B) risk C) vulnerability D) assessment
Risk
A risk management PM is also sometimes called a(n) ________________. risk management coordinator key stakeholder scope maintenance manager
Risk management coordinator
What is a major type of vulnerability for the user domain? A) zombies B) malware C) social engineering D) natural disasters
Social engineering
The internal LAN is generally considered a trusted zone. A) True B) False
True
When would someone ask, "Would a reasonable person be expected to manage a risk?" A) when performing a risk assessment B) when applying a reasonableness test C) when applying the reasonable person standard D) when performing a cost/benefit analysis
When applying a reasonableness test
Rogueware tricks users into installing bogus antivirus software. A) True B) False
A) True
What are the steps of a BCP? A) defining scope, identifying objectives, identifying mission-critical business functions and processes, and mapping business functions and processes to IT systems B) general planning, professional planning, and productive planning C) identifying scope, identifying key business areas, identifying critical functions, identifying dependencies between key business areas and critical functions, determining acceptable downtime, and creating a plan to maintain operations D) notification/activation, recovery, and reconstitution
C) identifying scope, identifying key business areas, identifying critical functions, identifying dependencies between key business areas and critical functions, determining acceptable downtime, and creating a plan to maintain operations
A(n) __________ is a common type of attack on Internet-facing servers. A) firewall B) DMZ C) database server D) SQL injection
D) SQL injection
All of the following terms have the same meaning EXCEPT: A) cause and effect diagram B) Ishikawa diagram C) fishbone diagram D) affinity diagram
D) affinity diagram