Chapter 8
Which of the following attributes does NOT apply to software information assets?
Physical location
The identification and assessment of levels of risk in an organization describes which of the following?
Risk analysis
the prioritized list of threats is placed along the vertical axis
TVA worksheet
Determining the cost of recovery from an attack is one calculation that must be made to identify risk. What is another?
cost of prevention
Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.
likelihood
Which of the following is an example of a technological obsolescence threat?
outdated servers
As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.
relative
Asset classification schemes should categorize information assets based on which of the following?
sensitivity and security needs
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
threats-vulnerabilities-assets worksheet
What is defined as specific avenues that threat agents can exploit to attack an information asset?
vulnerabilities
Classification categories must be ____________________ and mutually exclusive.
comprehensive
Classification categories must be mutually exclusive and which of the following?
comprehensive
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?
Assigning a value to each information asset
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
Calculating the risks to which assets are exposed in their current setting
Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?
Executive management must develop corporate-wide policies
Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
IP address
(T/F) Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.
True
(T/F) The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.
True
occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises
field change order
must be comprehensive and mutually exclusive
classification categories
(T/F) Having an established risk management program means that an organization's assets are completely protected.
False
(T/F) MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.
False
Which of the following is a network device attribute that is tied to the network interface?
MAC address
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
Manufacturer's part number
(T/F) The InfoSec community often takes on the leadership role in addressing risk.
True
As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.
factor analysis
What is the final step in the risk identification process?
listing assets in order of importance
Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.
management
What should you be armed with to adequately assess potential weaknesses in each information asset?
properly classified inventory
performed using categories instead of specific values to determine risk
qualitative risk assessment
columns include asset impact, vulnerability, and risk-rating factor
ranked vulnerability risk worksheet
Once an information asset is identified, categorized, and classified, what must also be assigned to it?
relative value
remains even after the existing control has been applied
residual risk
identification and assessment of levels of risk in the organization
risk analysis
The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability is the definition of which of the following?
risk assessment factors
process of discovering the risks to an organization's operations
risk identification
process that identifies vulnerabilities in an organization's information system
risk management
assessment of potential weaknesses in each information asset
threat identification
An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
uncertainty
Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?
uncertainty percentage