ch.8

Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair. True False

TRUE

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process? a. Documenting and reporting the findings of risk identification and assessment b. Assigning a value to each information asset c. Calculating the risks to which assets are exposed in their current setting d. Determining the likelihood that vulnerable systems will be attacked by specific threats

b

Determining the cost of recovery from an attack is one calculation that must be made to identify risk; what is another? a. cost of litigation b. cost of identification c. cost of prevention d. cost of prosecution

cost of prevention

Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.

likelihood

As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.

relative

What is defined as specific avenues that threat agents can exploit to attack an information asset? a. weaknesses b. defenses c. liabilities d. vulnerabilities

vulnerabilities

Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet? a. risk-rating factor b. vulnerability likelihood c. uncertainty percentage d. asset impact

c uncertain

Classification categories must be ____________________ and mutually exclusive.

comprehensive

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult? a. IP address b. part number c. MAC address d. serial number

A

Having an established risk management program means that an organization's assets are completely protected. true or false

FALSE

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following? a. Executive management must develop corporate-wide policies b. InfoSec management must lead the way with skill, professionalism, and flexibility c. IT management must serve the IT needs of the broader organization d. General management must structure the IT and InfoSec functions

a

Which of the following attributes does NOT apply to software information assets? a. Manufacturer name b. Physical location c. Controlling entity d. Serial number

b physical location

An estimate made by the manager using good judgement and experience can account for which factor of risk assessment? a. assessing potential loss b. uncertainty c. likelihood and consequences d. risk determination

b uncertainty

The identification and assessment of levels of risk in an organization describes which of the following? a. Risk identification b. Risk assessment c. Risk analysis d. Risk reduction

c

The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability is the definition of which of the following? a. exploit likelihood equation b. attack analysis calculation c. risk assessment factors d. vulnerability mitigation controls

c

Which of the following is a network device attribute that is tied to the network interface? a. IP address b. model number c. MAC address d. serial number

c MAC address

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components? a. Serial number b. Name c. Manufacturer's part number d. MAC address

c manufacturer's part number

Classification categories must be mutually exclusive and which of the following? a. unique b. repeatable c. selective d. comprehensive

d

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process? a. Classifying and organizing information assets into meaningful groups b. Assigning a value to each information asset c. Creating an inventory of information assets d. Calculating the risks to which assets are exposed in their current setting

d calculating

Which of the following is an example of a technological obsolescence threat? a. hardware equipment failure b. unauthorized access c. malware d. outdated server

d. outdated servers

What is the final step in the risk identification process? a. identifying and inventorying assets b. assessing values for information assets c. listing assets in order of importance d. classifying and categorizing assets

C

MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof. True False

FALSE

As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.

factor analysis

Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.

management

The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack. True False

true

