Chapter 6
Likelihood is the overall rating of the probability that a specific vulnerability will be exploited or attacked. T/F
True
The Risk Management Framework includes executive governance and support. T/F
True
Remains even after the current control has been applied.
Residual risk
The quantity and nature of risk that organizations are willing to accept.
Risk appetite
An approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.
Risk assessment
The recognition, enumeration, and documentation of risks to an organization's information assets.
Risk identification
A prioritized list of assets and threats can be combined with vulnerabilities information into a specialized report known as a TVA worksheet. T/F
True
Assessing risks includes determining the __________ that vulnerable systems will be attacked by specific threats.
likelihood
As each information asset is identified, categorized, and classified, a __________ value must also be assigned to it.
relative
Risk __________ is an approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.
assessment
The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk __________.
identification
Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair. T/F
True
The Risk Management Framework includes framework design and continuous improvement. T/F
True
When operating any kind of organization, a certain amount of risk is always involved. T/F
True
Classification categories must be mutually exclusive and which of the following? a. repeatable b. documentable c. comprehensive d. selective
c
Factors that affect the external context and impact the RM process, its goals, and its objectives include the __, __, and __ environments.
legal, business, threat
A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a __ __ __
Data classification scheme
Having an established risk management program means that an organization's assets are completely protected. T/F
False
An understanding of the potential consequences of a successful attack on an information asset by a threat is known as __________. a. impact b. likelihood c. uncertainty d. tolerance
a
The __ __ management community of interest often takes on the leadership role in addressing risk.
Information Security
The probability that a specific vulnerability within an organization will be the target of an attack is known as __
Likelihood
Risk __________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.
management
__________ is the risk assessment deliverable that places each information asset into a ranked list according to its value based on criteria developed by the organization. a. information asset value weighted table analysis b. risk ranking worksheet c. threat severity weighted table analysis d. TVA controls worksheet
a
A well-defined risk appetite should have the following characteristics EXCEPT: a. It is not limited by stakeholder expectations. b. It acknowledges a willingness and capacity to take on risk. c. It is documented as a formal risk appetite statement. d. It is reflective of all key aspects of the business.
a
In the area of risk management, process communications is the necessary information flow within and between all of the following EXCEPT: a. the corporate change control officer b. the governance group c. the RM framework team d. the RM process team during implementation
a
Once the members of the RM framework team have been identified, the governance group should communicate all of the following for the overall RM program EXCEPT: a. its personnel structure b. its desired outcomes c. its priorities d. its intent
a
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited availability is known as risk __________.
appetite
An evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack, is known as threat __________.
assessment
Data classification schemes should categorize information assets based on which of the following? a. value and uniqueness b. sensitivity and security needs c. cost and replacement value d. ease of reproduction and fragility
b
Once an information asset is identified, categorized, and classified, what must also be assigned to it? a. asset tag b. relative value c. location ID d. threat risk
b
The probability that a specific vulnerability within an organization will be attacked by a threat is known as __________. a. impact b. likelihood c. uncertainty d. tolerance
b
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility is known as __________. a. residual risk b. risk appetite c. risk acceptance d. risk avoidance
b
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create? a. risk exposure report b. threats-vulnerabilities-assets worksheet c. costs-risks-prevention database d. threat assessment catalog
b
Which of the following is an attribute of a network device built into the network interface? a. serial number b. MAC address c. IP address d. model number
b
__________ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood, impact, and possibly a measure of uncertainty. a. information asset value weighted table analysis b. risk ranking worksheet c. threat severity weighted table analysis d. TVA controls worksheet
b
The risk assessment deliverable titled __________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization. a. information asset value weighted table analysis b. risk ranking worksheet c. threat severity weighted table analysis d. TVA controls worksheet
c
The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes, is known as __________. a. impact b. likelihood c. uncertainty d. tolerance
c
What is defined as specific avenues that threat agents can exploit to attack an information asset? a. liabilities b. defenses c. vulnerabilities d. obsolescence
c
What is the assessment of the amount of risk an organization is willing to accept for a particular information asset? a. residual risk b. risk appetite c. risk tolerance d. risk avoidance
c
Which of the following activities is part of the risk identification process? a. determining the likelihood that vulnerable systems will be attacked by specific threats b. calculating the severity of risks to which assets are exposed in their current setting c. assigning a value to each information asset d. documenting and reporting the findings of risk analysis
c
Which of the following is an example of a technological obsolescence threat? a. hardware equipment failure b. unauthorized access c. outdated servers d. malware
c
Which of the following is not a role of managers within the communities of interest in controlling risk? a. general management must structure the IT and InfoSec functions b. IT management must serve the IT needs of the broader organization c. legal management must develop corporate-wide standards d. InfoSec management must lead the way with skill, professionalism, and flexibility
c
Classification categories must be __________ and mutually exclusive.
comprehensive
An estimate made by the manager using good judgment and experience can account for which factor of risk assessment? a. risk determination b. assessing potential loss c. likelihood and consequences d. uncertainty
d
Factors that affect the internal context and impact the RM process, its goals, and its objectives include the following EXCEPT: a. The organization's governance structure b. The organization's culture c. The maturity of the organization's information security program d. The threat environment—threats, known vulnerabilities, attack vectors
d
What is the final step in the risk identification process? a. assessing values for information assets b. classifying and categorizing assets c. identifying and inventorying assets d. ranking assets in order of importance
d
Which of the following activities is part of the risk evaluation process? a. creating an inventory of information assets b. classifying and organizing information assets into meaningful groups c. assigning a value to each information asset d. calculating the severity of risks to which assets are exposed in their current setting
d
Which of the following attributes does NOT apply to software information assets? a. serial number b. controlling entity c. manufacturer name d. product dimensions
d
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components? a. name b. MAC address c. serial number d. manufacturer's model or part number
d
Risk identification, risk analysis, and risk evaluation are part of a single function known as risk __
Assessment
The evaluation and reaction to risk to the entire organization is known as __________.
enterprise risk management (ERM)
As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted __________ worksheet.
table analysis
The assessment of the amount of risk an organization is willing to accept for a particular information asset is known as risk __________.
tolerance
The identification, analysis, and evaluation of risk in an organization describes which of the following? a. risk assessment b. risk determination c. risk management d. risk reduction
a
Labels that must be comprehensive and mutually exclusive.
Classification categories
For an organization to manage its InfoSec risk properly, managers should understand how information is __, __ , and __
Collected, processed, transmitted
The degree to which a current control can reduce risk is also subject to __ error.
Estimation
MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof. T/F
False
The IT community often takes on the leadership role in addressing risk. T/F
False
The Risk Management Framework includes process contingency planning. T/F
False
Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.
Field change order
The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk __
Identification
An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.
Qualitative assessment
What denotes the overall structure of the strategic planning and design for the entirety of the organization's RM efforts?
RM framework
What denotes the identification, analysis, evaluation, and treatment of risk to information assets?
RM process
The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
Risk management
Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.
Risk rating worksheet
An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as __ assessment.
Threat
An evaluation of the dangers to information assets, including a determination of their potential to endanger the organization.
Threat assessment
Some threats can manifest in multiple ways, yielding multiple __ for an asset-threat pair.
Vulnerabilities
Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often __________. a. create a subjective ranking based on anticipated recovery costs b. estimate cost from past experience c. leave the value empty until later in the process d. use a consultant to calculate an exact value
a
The __________ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts. a. risk management policy b. enterprise information security policy c. risk control implementation policy d. risk management board directive
a
The organization can perform risk determination using certain risk elements, including all but which of the following? a. legacy cost of recovery b. impact (consequence) c. likelihood of threat event (attack) d. element of uncertainty
a
What is the risk to information assets that remains even after current controls have been applied? a. residual risk b. risk appetite c. risk tolerance d. risk avoidance
a
What should you be armed with to adequately assess potential weaknesses in each information asset? a. properly classified inventory b. audited accounting spreadsheet c. intellectual property assessment d. list of known threats
a
Which of the following is NOT among the typical columns in the risk rating worksheet? a. uncertainty percentage b. impact c. risk-rating factor d. likelihood
a
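As an added worked example (not from the textbook or this card set) of the two risk assessment deliverables the cards above describe, the weighted table analysis that ranks information assets by relative value and the risk rating worksheet that scores each TVA triple: the criteria, weights, assets, threats, vulnerabilities and likelihood ratings are constructed for illustration, and the risk-rating factor is computed as likelihood multiplied by the asset's weighted value, which is an assumption about how the worksheet combines the two (uncertainty is deliberately not a column, matching the question above).

```python
"""Added example: weighted table analysis for ranking information assets,
followed by a risk rating worksheet over TVA (threat-vulnerability-asset)
triples. Every weight, asset, threat, vulnerability and likelihood here is
constructed for illustration; none of it is the textbook's data."""
from dataclasses import dataclass

# Assumed criteria and weights. The weighted factor analysis convention is
# that the weights sum to 100 and each asset is scored 0.1 to 1.0 per criterion.
CRITERIA_WEIGHTS = {
    "impact_on_revenue": 30,
    "impact_on_profitability": 40,
    "impact_on_public_image": 30,
}

# Constructed sample inventory: classified asset -> score per criterion.
ASSET_SCORES = {
    "Customer order database": {"impact_on_revenue": 1.0,
                                "impact_on_profitability": 0.8,
                                "impact_on_public_image": 0.9},
    "Public web server": {"impact_on_revenue": 0.6,
                          "impact_on_profitability": 0.5,
                          "impact_on_public_image": 1.0},
    "Internal wiki": {"impact_on_revenue": 0.2,
                      "impact_on_profitability": 0.3,
                      "impact_on_public_image": 0.4},
}


def weighted_score(scores: dict[str, float],
                   weights: dict[str, int] = CRITERIA_WEIGHTS) -> float:
    """One row of the weighted table analysis: sum of score x weight over all criteria."""
    if sum(weights.values()) != 100:
        raise ValueError("criteria weights must sum to 100")
    total = 0.0
    for criterion, weight in weights.items():
        score = scores[criterion]  # KeyError if the asset was not scored on a criterion
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"{criterion}: score {score} is outside 0.1-1.0")
        total += score * weight
    return round(total, 1)


def rank_assets(asset_scores: dict = ASSET_SCORES,
                weights: dict[str, int] = CRITERIA_WEIGHTS) -> list[tuple[str, float]]:
    """Weighted table analysis deliverable: assets in descending order of relative value."""
    valued = [(name, weighted_score(s, weights)) for name, s in asset_scores.items()]
    return sorted(valued, key=lambda row: row[1], reverse=True)


@dataclass(frozen=True)
class TVATriple:
    asset: str
    threat: str
    vulnerability: str
    likelihood: float  # rating of the probability this vulnerability is attacked, 0.1-1.0


# Constructed TVA triples, as they would come off a TVA worksheet.
TVA_TRIPLES = [
    TVATriple("Customer order database", "Software attacks",
              "SQL injection in order-entry form", 0.7),
    TVATriple("Customer order database", "Hardware failure",
              "Single disk, no RAID", 0.3),
    TVATriple("Public web server", "Software attacks",
              "Unpatched web server version", 0.9),
    TVATriple("Internal wiki", "Human error", "No backups", 0.5),
]


def risk_rating_worksheet(triples: list[TVATriple],
                          asset_scores: dict = ASSET_SCORES,
                          weights: dict[str, int] = CRITERIA_WEIGHTS) -> list[dict]:
    """Risk rating worksheet: one row per uncontrolled TVA triple, ranked by
    risk-rating factor. Impact is the asset's weighted value from rank_assets();
    risk-rating factor = likelihood x impact (an assumed combination rule)."""
    impact_by_asset = dict(rank_assets(asset_scores, weights))
    rows = []
    for t in triples:
        if not 0.0 < t.likelihood <= 1.0:
            raise ValueError(f"{t.vulnerability}: likelihood {t.likelihood} is outside (0, 1]")
        impact = impact_by_asset[t.asset]  # KeyError if the triple names an unranked asset
        rows.append({
            "asset": t.asset, "threat": t.threat, "vulnerability": t.vulnerability,
            "likelihood": t.likelihood, "impact": impact,
            "risk_rating_factor": round(t.likelihood * impact, 1),
        })
    return sorted(rows, key=lambda r: r["risk_rating_factor"], reverse=True)


if __name__ == "__main__":
    for name, value in rank_assets():
        print(f"{value:6.1f}  {name}")
    for r in risk_rating_worksheet(TVA_TRIPLES):
        print(f"{r['risk_rating_factor']:6.1f}  {r['asset']} / {r['threat']} / {r['vulnerability']}")
```

Note how the ranking comes out: the unpatched public web server (a lower-valued asset with a highly likely attack) scores almost as high as the SQL injection weakness in the crown-jewel database, which is exactly the kind of reordering the worksheet exists to surface.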
Which of the following is NOT a task performed by the governance group during the framework design phase, in cooperation with the framework team? a. ensuring compliance with all legal and regulatory statutes and mandates b. guiding the development of, and formally approving, the RM policy c. recommending performance measures for the RM effort and ensuring that they are compatible with other performance measures in the organization d. specifying who will supervise and perform the RM process
d
Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset identification using this attribute difficult? a. part number b. serial number c. MAC address d. IP address
d
The document designed to regulate organizational efforts related to the identification, assessment, and treatment of risk to information assets is known as the RM __________.
policy