ch. 9
The __________ level and an asset's value should be a major factor in the risk control strategy selection.
Threat
Application of training and education is a common method of which risk control strategy? a. acceptance b. transferal c. mitigation d. defense
d
The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
transferal
Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset. True False
true
The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication. True False
true
The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.
true
Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges. True False
true
The NIST risk management approach includes all but which of the following elements? a. inform b. frame c. assess d. respond
a
In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result? a. Delphi b. OCTAVE c. Hybrid Measures d. FAIR
a
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them? a. InfoSec community analysis b. implementing controls c. measuring program effectiveness d. conducting decision support
a. InfoSec community analysis
The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.
appetite
By multiplying the asset value by the exposure factor, you can calculate which of the following? a. annualized cost of the safeguard b. single loss expectancy c. annualized loss expectancy d. value to adversaries
b
Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster? a. acceptance b. mitigation c. transference d. avoidance
b. mitigation
Which of the following is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk, and how much risk exists for the asset? a. valuation b. benefit c. feasibility d. cost
benefit
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks? a. subjective prioritization of controls b. quantitative valuation of safeguards c. qualitative assessment of many risk components d. risk analysis estimates
c
What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy? a. single loss expectancy b. annualized rate of occurrence c. cost-benefit analysis d. exposure factor
c
Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? a. risk assurance b. residual risk c. risk appetite d. risk termination
c
Which of the following is a step in Stage 2 - Evaluate Loss Event Frequency of the FAIR risk management framework? a. identify the asset at risk b. estimate probable loss c. estimate control strength d. derive and articulate risk
c. estimate control strength
Strategies to limit losses before and during a disaster are covered by which of the following plans in the mitigation control approach? a. business continuity plan b. damage control plan c. incident response plan d. disaster recovery plan
d
The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following? a. risk assessment b. risk communication c. risk treatment d. risk determination
d
What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed? a. probability calculation b. cost-benefit analysis c. risk acceptance plan d. documented control strategy
d
Which of the following is NOT a valid rule of thumb on risk control strategy selection? a. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. b. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss. c. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. d. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
d
When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.
exploited
Which of the following affects the cost of a control? a. CBA report b. asset resale c. liability insurance d. maintenance
maintenance
The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is ____________________.
mitigation