Chapter 6 - ITS - 2545

Which of the following is an attribute of a network device is physically tied to the network interface? A) Serial number B) MAC address C) IP address D) Model number

B) MAC address

Once an information asset is identified, categorized, and classified, what must also be assigned to it? A) Asset tag B) Relative value C) Location ID D) Threat risk

B) Relative value

Which of the following attributes does NOT apply to software information assets? A) Serial number B) Controlling entity C) Manufacturer name D) Product dimensions

) Product dimensions

Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another? A) Cost of prevention B) Cost of litigation C) Cost of detection D) Cost of identification

A) Cost of prevention

What should you be armed with to adequately assess potential weaknesses in each information asset? A) Properly classified inventory B) Audited accounting spreadsheet C) Intellectual property assessment D) List of known threats

A) Properly classified inventory

The identification and assessment of levels of risk in an organization describes which of the following? A) Risk analysis B) Risk identification C) Risk management D) Risk reduction

A) Risk analysis

Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet? A) Uncertainty percentage B) Asset impact C) Risk-rating factor D) Vulnerability likelihood

A) Uncertainty percentage

The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____. A) Vulnerability mitigation controls B) Risk assessment estimate factors C) Exploit likelihood equation D) Attack analysis calculation

B) Risk assessment estimate factors

Data classification schemes should categorize information assets based on which of the following? A) Value and uniqueness B) Sensitivity and security needs C) Cost and replacement value D) Ease of reproduction and fragility

B) Sensitivity and security needs

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create? A) Risk exposure report B) Threats-vulnerabilities-assets worksheet C) Costs-risks-prevention database D) Threat assessment catalog

B) Threats-vulnerabilities-assets worksheet

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process? A) Determining the likelihood that vulnerable systems will be attacked by specific threats B) Calculating the severity of risks to which assets are exposed in their current setting C) Assigning a value to each information asset D) Documenting and reporting the findings of risk identification and assessment

C) Assigning a value to each information asset

Classification categories must be mutually exclusive and which of the following? A) Repeatable B) Unique C) Comprehensive D) Selective

C) Comprehensive

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following? A) General management must structure the IT and InfoSec functions B) IT management must serve the IT needs of the broader organization C) Legal management must develop corporate-wide standards D) InfoSec management must lead the way with skill, professionalism, and flexibility

C) Legal management must develop corporate-wide standards

Which of the following is an example of a technological obsolescence threat? A) Hardware equipment failure B) Unauthorized access C) Outdated servers D) Malware

C) Outdated servers

What is defined as specific avenues that threat agents can exploit to attack an information asset? A) Liabilities B) Defenses C) Vulnerabilities D) Weaknesses

C) Vulnerabilities

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process? A) Creating an inventory of information assets B) Classifying and organizing information assets into meaningful groups C) Assigning a value to each information asset D) Calculating the severity of risks to which assets are exposed in their current setting

D) Calculating the severity of risks to which assets are exposed in their current setting

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult? A) Part number B) Serial number C) MAC address D) IP address

D) IP address

What is the final step in the risk identification process? A) Assessing values for information assets B) Classifying and categorizing assets C) Identifying and inventorying assets D) Listing assets in order of importance

D) Listing assets in order of importance

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components? A) Name B) MAC address C) Serial number D) Manufacturer's model or part number

D) Manufacturer's model or part number

An estimate made by the manager using good judgement and experience can account for which factor of risk assessment? A) Risk determination B) Assessing potential loss C) Likelihood and consequences D) Uncertainty

D) Uncertainty