PSCS 2103

You are creating objectives for your risk management plan. What do you NOT include at this stage? A) POAM B) list of threats C) cost-benefit analysis D) one or more reports

A) POAM

A(n) ___________________ is performed to identify the most serious risks, help you manage risks, and identify the best methods to control risks. A) RA B) CBA C) POAM D) SOX

A) RA

What is a security policy? a) a principle of least privilege b) an access control c) a high-level overview of security goals d) a principle of need to know

A) a high-level overview of security goals

At what point should you describe the procedures and schedules for accomplishment? A) after the project has started b) as early as possible c) before each workday d) figure it out as you go

A) after the project has started

A ___________ plan can help ensure that mission-critical systems continue to function after a disaster. A) business continuity B) disaster recovery C) risk management D) risk prevention

A) business continuity

People use term Big Data when talking about large _____________. A) databases B) data files C) data mining D) data warehousing

A) databases

All of the following are major components of RAs, EXCEPT: A) identifying stakeholders b) identifying scope c) identifying critical areas d) identifying team members

A) identifying stakeholders

___________ is the negative result if the risk occurs. A) Impact b) Probability c) Risk d) Value

A) impact

What is NOT true about Operation Aurora? a) It attacked several private citizens b) it originated in China c) it attack several private companies d) it is an example of an APT attack

A) it attacked several private citizens

What is NOT something to consider when determining the value of an asset? A) management recommendations B) system functions C) personnel assets D) facilities and supplies

A) management recommendation

The _____________ define(s) what the system does. A) mission of the system b) RA C) operational characteristics D) previous findings

A) mission of the system

A _____________ policy governs how patches are understood, tested, and rolled out to systems and clients. a) patch mitigation b) patch management c) version control d) configuration management

A) patch management

You recently changed jobs. HIPPA helps you _____________________ a) protect your health information b) control medical costs c) share your medical history with your new employee d) sign up for Medicaid

A) protect your health information

____________ assessments are objective, while ___________ assessments are subjective. a) Quantitative, qualitative b) Risk, threat c) Qualitative, quantitative d) Threat, risk

A) quantitative, qualitative

An operating system is an example of a(n) ___________. A) software asset b) malware threat c) hardware asset d) personnel asset

A) software asset

What can you control about threat/vulnerability pairs? A) the vulnerability b) the threat c) the loss d) the cost

A) the vulnerability

What is NOT a benefit of a quantitative RA? A)uses expert opinions B) easy to complete C) provides a CBA D) easily understandable wording

A) uses expert opinions

A New company starts up but does not have a lot of revenue for the first year. Installing anti-virus software for all the company's computers would be very costly, so the owners decide to forgo purchasing anti-virus software for the first year of the business typical IT infrastructure is vulnerability created? A) workstation domain B) malware domain C) LAN domain D) WAN domain

A) workstation domain

A cold site is _________________. A) a Web site with an expired domain that has been taken over by ads b) a building with electricity and running water but little else c) the most expensive kind of site d) a compromise with a hot site

B) a building with electricity and running water but little else

When companies are expected to adhere to the laws that they are affected by, this is commonly known as a) SOX b) compliance c) risk management d) regulation

B) compliance

Most organizations use __________ to track hardware assets. A) hardware B) databases C) software D) written processes

B) databases

The Health Insurance Portability and Accountability ACT (HIPPA) applies only to the health care industry a) True b) False

B) false

The organization known as Gay, Lesbian, and Bisexual Americans (GBLA) is responsible for sponsoring important legislation regarding protecting the privacy of employee's sexual orientation in the workplace a) True b) False

B) false

__________ refer(s) to when users or customers need a system or service. A) The C-I-A triad b) Five nines c) System access and availability d) Failover cluster

B) five nines

When a threat exploits a vulnerability, it results in a(n) __________. A) impact B) loss C) crime D) liability

B) loss

__________ define(s) how the system operates in your environment. A) The mission of the system b) Operational characteristics c) RAs d) Previous findings

B) operational characteristics

An exploit assessment is also known as a(n) ___________. A) exploit list B) penetration test C) vulnerability assessment D) threat survey

B) penetration test

When the FTC was created in 1914, its primary goal was to a) stop the illegal sale of alcohol b) prevent unfair methods of competition c) promote consumer protection d) protect fair trade and ensure ethical treatment of workers

B) prevent unfair methods of competition

Qualitative RAs determine the level of risk based on the __________ and _________ of risk. A) impact, threat b) probability, impact c) threat, probability D) threat, dollar value

B) probability, impact

Data warehousing is a(n) __________, and data mining is a(n) ____________. A) database, process b) process, group of techniques c) group of techniques, database d) group of techniques, process

B) process, group of techniques

Most organization use ______________ as gateways to access the Internet A) ISPs B) Proxy servers c) firewalls d) Private servers

B) proxy servers

What is one source of risk reduction? A) eliminating the threats B) reducing the impact of the loss C) increasing the rate of occurrence d) eliminating the threat/vulnerability pair

B) reducing the impact

What is NOT a category of data and information assets? A) organization b) IP c) SP d) data mining

C) SP

What is a hardware lock? A) A type of firewall B) A type of antivirus software C) A type of RA D) A type of metal cable

C) a type of RA

How do you start a risk assessment? a) by identifying countermeasures b) by generally defining controls c) by clearly defining what you will assess d) by mitigating risks

C) by clearly defining what you will assess

What is NOT a way that you can measure the value of a system when determining if the system requires five nines? A) indirect revenue b) direct revenue c) confidentiality d) productivity

C) confidentiality

What is the relevance of state AGs to IT issues? A) AGs are appointed by the DHS b) AGs are laws that regulate secure information within American government agencies c) In some states, AGs are tasked with preventing identity theft d) AGs are grants given to companies that store sensitive data

C) in some states, AGs are tasked with preventing identity theft

Addresses ______________ are automatically marked as spam. A) on a white list b) from a DMZ C) on a blacklist D) in an address book

C) on a blacklist

What is an example of a Group Policy? A) end user license agreement b) privacy policy c) password policy d) nondisclosure agreement

C) password policy

When should you perform a risk assessment? A) when mitigating a threat b) when eliminating a threat c) periodically D) continuously

C) periodically

You use ________________ to communicate a risk and the resulting impact. A) risk management plans B) CBAs C) risk statements D) POAMs

C) risk statements

FERPA applies all of the following. EXCEPT______________ a) Washington State Community College b) Arizona State University c) Saint Mary's Private Elementary School for Girls d) Public School 119 of New York City

C) saint Mary's private elementary school for girls

A teenager learning about computers and programming for the first time writes a simple program meant to disrupt the function of his sister's computer. While she's hanging out with friends at the mall, he enters his sister's IP address, launches the program, and waits to see what will happen. The teenager is an example of a ___________. A) hacker B) Dos attacker C) script kiddie D) DDos attacker

C) script kiddie

After you collect data on risks and recommendations, you include that information in a report, and you give that report to management. Why do you do this? A) to avoid several time-consuming presentations about each individual recommendation B) to inform management of the progress of the risk management task C) to help management decide which recommendations to use D) to help management asses how much of the risk was mitigated by the proposed solution

C) to help Management decide which recommendation to use

What is the purpose of a POAM? A) assigning risk response procedures to stakeholders B) creating deadlines for risk response c) tracking risk response actions d) identifying vulnerabilities

C) tracking risk response actions

Choose the most accurate statement with respect to creating a risk management plan. A) A risk management plan is simpler and more effective than a cost-benefit analysis. B) A risk management plan is an important document legally required to run an online business. C) A risk management plan eliminates threats to your business. D) A risk management plan can help ensure your business is in compliance with important regulations.

D) A risk management plan can help ensure your business is in compliance with important regulation

A(n) _____________ is a process used to determine how to manage risk. A) POAM b) cause and effect diagram c) Ishikawa diagram d) CBA

D) CBA

As a top-level executive at your own company, you are worried that your employees may steal confidential data too easily by downloading and taking home data onto thumb drives. What is the best way to prevent this from happening? A) Install a technical control to prevent the use of thumb drives. B) Instruct higher level employees to inform their employees that the use of a thumb drive is a fireable offense. C) Hold a seminar that explains to employees why the use of thumb drives in the workplace is a security hazard. D) Create and enforce a written company policy against the use of thumb drives, and install a technical controls on the computers that will prevent the use of thumb drives.

D) Create and enforce a written company policy against the use of thumb drives, and install a technical controls on the computers that will prevent the use of thumb drives.

How can you determine the importance of a system? A) by when the system was last updated b) by why the system functions c) by what the organization does d) by how the system is used

D) by how the system is used

When a fiduciary does not excessive due diligence, it can be considered ____________ a) reasonable doubt b) attorney-client privilege c) power of attorney d) negligence

D) negligence

Formulas for quantitative risk assessments usually look at a period of _____________. A) five years B) one quarter C) six months D) one year

D) one year

POAM stands for __________ a) process of accountable management b) plan of accurate mitigation c) procedures of accident management d) plan of action and milestones

D) plan of action and milestones

A technician in a large corporation fixes a printer that wasn't receiving an IP address automatically by manually assigning it an address. The address was assigned to the server that other technicians were repairing. When the server was repaired and brought online, it no longer worked properly. How could this problem have been avoided? A) proper risk assessment B) proper configuration management C) proper description of operational characteristics D) proper change management

D) proper change management

What is NOT a way that you can determine the value of an asset? A) replacement value b) what the asset provides to the organization c) cost to recover the asset d) qualitative valuation

D) qualitative valuations

When you bank or credit card company sends you a notification of changes in how it collects or shares data, it is sending that notification in compliance with _______________ a) HIPPA b) the safeguards rule c) FERPA d) the financial privacy rule

D) the financial privacy rule

A(n) ______________ is a computer joined to a botnet. A) robot b) virus c) access control d) zombie

D) zombie

What is NOT an example of an intangible value? : A) future lost revenue B) cost of gaining a consumer C) customer influence D) data

Data

Identify the TRUE statement. A) Exploited vulnerabilities result in losses. B) All vulnerabilities result in losses. C) Vulnerability is a synonym for loss. D) The method used to take advantage of a vulnerability is known as a threat.

Exploited vulnerabilities result in losses.

The intangible value of an asset is not relevant to managing risks because there is no way to quantify its value in terms of monetary value during a risk assessment. true false

False

With proper security measures, a company can eliminate threats. True False

False

What is NOT an example of unintentional threat?

Malware written and run by a "script kiddie" just to destroy

A _________ is the likelihood that a loss will occur. a) threat b) risk c) vulnerability d) assessment

Risk

A risk management PM is also sometimes called a(n) ________________. risk management coordinator key stakeholder scope maintenance manager

Risk management coordinator

What is a major type of vulnerability for the user domain? A) zombies B) malware C) social engineering D) natural disasters

Social engineering

The internal LAN is generally considered a trusted zone. True False

True

When would someone ask, "Would a reasonable person be expected to manage a risk?" A) when performing a risk assessment B) when applying a reasonableness test C) when applying the reasonable person standard D) when performing a cost/benefit analysis

When applying a reasonable test

Rogue ware tricks users into installing bogus antivirus software a) True b) False

a) True

What are the steps of a BCP? A) defining scope, identifying objectives, identifying mission-critical business functions and processes, and mapping business functions and processes to it systems b) general planning, professional planning, and productive planning c) identifying scope, identifying key business areas, identifying critical functions, identifying dependencies between key business areas and critical functions, determining acceptable downtime, and creating a plan to maintain operations d) notification/activation, recovery, and reconstitution

c) identifying scope, identifying key business areas, identifying critical functions, identifying dependencies between key business areas and critical functions, determining acceptable downtime, and creating a plan to maintain operations

A (n) __________ is a common type of attack on Internet-facing servers. A) firewall B) DMZ C) database server D) SQL injection

d) SQL injection

All of the following terms have the same meaning EXCEPT: A) cause and effect diagram b) Ishikawa diagram c) fishbone diagram d) affinity diagram

d) affinity diagram