CIST 1602 Module 3 Chapters 5 and 6

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Uncertainty

An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?

Cost of prevention

Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?

Legal management must develop corporate-wide standards

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?

2. Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.

False

3. Threats from insiders are more likely in a small organization than in a large one.

False

4. The security education, training, and awareness (SETA) program is designed to reduce the occurence of external security attacks.

False

6. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.

False

8. The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.

False

Having an established risk management program means that an organization's assets are completely protected.

False

MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof.

False

The IT community often takes on the leadership role in addressing risk.

False

The information technology management community of interest often takes on the leadership role in addressing risk. __________

False - InfoSec

Risk identification, risk analysis, and risk evaluation are part of a single function known as risk protection. __________

False - assessment

33. Which of the following is true about a company's InfoSec awareness Web site?

# d it should be tested with multiple browsers

False

An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________

5. On-the-job training can result in substandard work performance while the trainee gets up to speed.

True

7. Planners need to estimate the effort required to complete each task, subtask, or action step.

True

A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. __________

False - classification

6. When operating any kind of organization, a certain amount of debt is always involved. __________

False - risk

49. What are the four areas into which it is recommended to separate the functions of security?

Functions performed by nontechnology business units outside the IT area of management control Functions performed by IT groups outside the InfoSec area of management control Functions performed within the InfoSec department as a customer service to the organization and its external partners Functions performed within the InfoSec department as a compliance enforcement obligation

What strategic role do the InfoSec and IT communities play in risk management? Explain.

InfoSec - Because members of the InfoSec community best understand the threats and attacks that introduce risk, they often take a leadership role in addressing risk. IT - This group must help to build secure systems and ensure their safe operation. For example, IT builds and operates information systems that are mindful of operational risks and have proper controls implemented to reduce risk.

40. A(n) ____________________ is a specific point in the project plan when a task that has a noticeable impact on plan's the progress is complete.

Milestone

Relative value

Once an information asset is identified, categorized, and classified, what must also be assigned to it?

What does it mean to "know the enemy" with respect to risk management?

Once an organization becomes aware of its weaknesses, managers can take up Sun Tzu's second dictum: Know the enemy. This means identifying, examining, and understanding the threats facing the organization's information assets. Managers must be fully prepared to identify those threats that pose risks to the organization and the security of its information assets.

The probability that a specific vulnerability within an organization will be attacked by a threat is known as __________.

b likelihood

Once an information asset is identified, categorized, and classified, what must also be assigned to it?

b relative value

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility is known as __________.

b risk appetite

__________ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood, impact, and possibly a measure of uncertainty.

b risk ranking worksheet

Data classification schemes should categorize information assets based on which of the following?

b sensitivity and security needs

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

b threats-vulnerabilities-assets worksheet

An approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.

b. risk assessment

19. Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?

a Security Technician

16. Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?

a Systems Testing

29. Which of the following is an advantage of the user support group form of training?

a Usually conducted in an informal social setting

The risk assessment deliverable titled __________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization.

c threat severity weighted table analysis

The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes, is known as __________.

c uncertainty

What is defined as specific avenues that threat agents can exploit to attack an information asset?

c vulnerabilities

An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.

h. qualitative assessment

Remains even after the current control has been applied.

i. residual risk

The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk __________.

identification

Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.

j. risk rating worksheet

Assessing risks includes determining the __________ that vulnerable systems will be attacked by specific threats.

likelihood probability

Risk __________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.

management

The document designed to regulate organizational efforts related to the identification, assessment, and treatment of risk to information assets is known as the RM __________.

policy

The quantity and nature of risk that organizations are willing to accept.

g. risk appetite

What are the included tasks in the identification of risks?

- Creating an inventory of information assets - Classifying and organizing those assets meaningfully - Assigning a value to each information asset - Identifying threats to the cataloged assets - Pinpointing vulnerable assets by tying specific threats to specific assets

False

A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. ____________

54. What is the purpose of a security awareness program? What advantage does an awareness program have for the InfoSec program?

A security awareness program keeps InfoSec at the forefront of users' minds on a daily basis. Awareness serves to instill a sense of responsibility and purpose in employees who handle and manage information, and it leads employees to care more about their work environment.

48. What are some of the variables that determine how a given organization chooses to construct its InfoSec program?

Among the variables that determine how a given organization chooses to structure its information security (InfoSec) program are organizational culture, size, security personnel budget, and security capital budget.

False

An approach to combining risk identification, risk assessment, and risk appetite into a single strategy. is known as risk protection. ___________

53. What is the role of help desk personnel in the InfoSec team?

An important part of the InfoSec team is the help desk, which enhances the security team's ability to identify potential problems. When a user calls the help desk with a complaint about his or her computer, the network, or an Internet connection, the user's problem may turn out to be related to a bigger problem, such as a hacker, a DoS attack, or a virus. Because help desk technicians perform a specialized role in InfoSec, they need specialized training. These staff members must be prepared to identify and diagnose both traditional technical problems and threats to InfoSec. Their ability to do so may cut precious hours off of an incident response.

Why is threat identification so important in the process of risk management?

Any organization typically faces a wide variety of threats. If you assume that every threat can and will attack every information asset, then the project scope becomes too complex. To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end. At every step, the manager is called on to exercise good judgment and draw on experience to make the process function smoothly.

relative

As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.

factor analysis

As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.

likelihood

Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats

51. What are the components of the security program element described as preparing for contingencies and disasters?

Business plan, identify resources, develop scenarios, develop strategies, test and revise plan.

Comprehensive

Classification categories must be mutually exclusive and which of the following?

The degree to which a current control can reduce risk is also subject to calculation error. __________

False - estimation

The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk control. __________

False - identification

The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ___________

False - likelihood

12. Most information security projects require a trained project developer. _________________________

False - manager

11. In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. _________________________

False - milestones

An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as exploit assessment. __________

False - threat

A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. __________

False - vulnerabilities

Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. __________

False - vulnerabilities

44. ____________________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work.

Projectitis

management

Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.

For the purposes of relative risk assessment, how is risk calculated?

Risk equals likelihood of vulnerability occurrence multiplied by value (or impact), minus percentage risk already controlled, plus an element of uncertainty.

50. Which security functions are normally performed by IT groups outside the InfoSec area of management control?

Systems security administration Network security administration Centralized authentication

45. Explain the conflict between the goals and objectives of the CIO and the CISO.

The CIO, as the executive in charge of the organization's technology, manages the efficiency in the processing and accessing of the organization's information. Anything that limits access or slows information processing directly contradicts the CIO's mission. On the other hand, the CISO functions more like an internal auditor, with the information security department examining existing systems to discover information security faults and flaws in technology, software, and employees' activities and processes. At times, these activities may disrupt the processing and accessing of the organization's information.

52. What is the Chief Information Security Office primarily responsible for?

The CISO is primarily responsible for the assessment, management, and implementation of the program that secures the organization's information.

Risk analysis

The identification and assessment of levels of risk in an organization describes which of the following?

False

The information technology management community of interest often takes on the leadership role in addressing risk.​ ____________

How should the initial inventory be used when classifying and categorizing assets?

The inventory should reflect the sensitivity and security priority assigned to each information asset. A classification scheme should be developed (or reviewed, if already in place) that categorizes these information assets based on their sensitivity and security needs.

Risk assessment estimate factors

The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.

46. What is the security education, training, and awareness program? Describe how the program aims to enhance security.

The security education, training, and awareness (SETA) program is designed to reduce the occurence of accidental security breaches by members of the organization. The program aims to enhance security in three ways: - By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems - By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely - By improving awareness of the need to protect system resources

47. List the steps of the seven-step methodology for implementing training.

The seven-step methodology for implementing training is as follows: Step 1: Identify program scope, goals, and objectives. Step 2: Identify training staff. Step 3: Identify target audiences. Step 4: Motivate management and employees. Step 5: Administer the program. Step 6: Maintain the program. Step 7: Evaluate the program.

Describe the use of an IP address when deciding which attributes to track for each information asset.

This attribute is useful for network devices and servers but rarely applies to software. You can, however, use a relational database and track software instances on specific servers or networking devices. Many larger organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset-identification process very difficult.

1. Small organizations spend more per user on security than medium- and large-sized organizations.

True

10. Each organization has to determine its own project management methodology for IT and information security projects.

True

9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________

True

Likelihood is the overall rating of the probability that a specific vulnerability will be exploited or attacked.

True

Small organizations spend more per user on security than medium- and large-sized organizations.

True

Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.

True

Calculating the severity of risks to which assets are exposed in their current setting

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?

Assigning a value to each information asset

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?

Vulnerabilities

What is defined as specific avenues that threat agents can exploit to attack an information asset?

Listing assets in order of importance

What is the final step in the risk identification process?

Threats-vulnerabilities-assets worksheet

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

Product dimensions

Which of the following attributes does NOT apply to software information assets?

Manufacturer's model or part number

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

IP address

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?

MAC address

Which of the following is an attribute of a network device is physically tied to the network interface?

Outdated servers

Which of the following is an example of a technological obsolescence threat?

A well-defined risk appetite should have the following characteristics EXCEPT:

a It is not limited by stakeholder expectations.

Which of these denotes the overall structure of the strategic planning and design for the entirety of the organization's RM efforts?

a RM framework

Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often __________.

a create a subjective ranking based on anticipated recovery costs

An understanding of the potential consequences of a successful attack on an information asset by a threat is known as __________.

a impact

. __________ is the risk assessment deliverable that places each information asset into a ranked list according to its value based on criteria developed by the organization.

a information asset value weighted table analysis

Once the members of the RM framework team have been identified, the governance group should communicate all of the following for the overall RM program EXCEPT:

a its personnel structure

The organization can perform risk determination using certain risk elements, including all but which of the following?

a legacy cost of recovery

What should you be armed with to adequately assess potential weaknesses in each information asset?

a properly classified inventory

What is the risk to information assets that remains even after current controls have been applied?

a residual risk

The identification, analysis, and evaluation of risk in an organization describes which of the following?

a risk assessment

The __________ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts.

a risk management policy

In the area of risk management, process communications is the necessary information flow within and between all of the following EXCEPT:

a the corporate change control officer

Factors that affect the external context and impact the RM process, its goals, and its objectives include the following EXCEPT:

a the organization's governance structure

Which of the following is NOT among the typical columns in the risk rating worksheet?

a uncertainty percentage

The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.

a. risk management

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited availability is known as risk __________.

appetite

35. An organization carries out a risk ____________________ function to evaluate risks present in IT initiatives and/or systems.

assessment

An evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack, is known as threat __________.

assessment

Risk __________ is an approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.

assessment

34. An organization's information security program refers to the entire set of activities, resources, personnel, and technologies used by an organization to manage the risks to the information _______ of the organization.

assets

43. The goal of a security ____________________ program is to keep information security at the forefront of users' minds on a daily basis.

awareness

Which of the following is an attribute of a network device built into the network interface?

b MAC address

Which of these denotes the identification, analysis, evaluation, and treatment of risk to information assets?

b RM process

15. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?

b Risk Assessment

31. __________ is a simple project management planning tool.

b WBS

23. The purpose of SETA is to enhance security in all but which of the following ways?

b by adding barriers

18. Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?

b centralized authentication

30. Which of the following is NOT a step in the process of implementing training?

b hire expert consultants

36. A study of information security positions found that positions can be classified into one of three types: ____________________ are the real technical types, who create and install security solutions.

builders

24. Advanced technical training can be selected or developed based on which of the following?

c technology product

26. Which of the following is an advantage of the one-on-one method of training?

c Customized

25. Which of the following is the first step in the process of implementing training?

c Identify program scope, goals and objectives

Which of the following activities is part of the risk identification process?

c assigning a value to each information asset

. Classification categories must be mutually exclusive and which of the following?

c comprehensive

Which of the following is not a role of managers within the communities of interest in controlling risk?

c legal management must develop corporate-wide standards

Which of the following is an example of a technological obsolescence threat?

c outdated servers

20. GGG security is commonly used to describe which aspect of security?

c physical

17. Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?

c planning

The Risk Management Framework includes all of the following EXCEPT:

c process contingency planning

21. What is the SETA program designed to do?

c reduce the occurence of accidental security breaches

What is the assessment of the amount of risk an organization is willing to accept for a particular information asset?

c risk tolerance

22. A SETA program consists of three elements: security education, security training, and which of the following?.

c security awareness

Labels that must be comprehensive and mutually exclusive.

c. classification categories

Classification categories must be __________ and mutually exclusive.

comprehensive

37. The information security ____________________ is usually brought in when the organization makes the decision to outsource one or more aspects of its security program.

consultant

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset identification using this attribute difficult?

d IP address

28. Which of the following is an advantage of the formal class method of training?

d Interaction with trainer is possible

13. Which of the following variables is the most influential in determining how to structure an information security program? a. Security capital budget b. Organizational size c. Security personnel budget d. Organizational culture

d Organizational Culture

27. Which of the following is a disadvantage of the one-on-one training method?

d Resource intensive, to the point of being inefficient

Factors that affect the internal context and impact the RM process, its goals, and its objectives include the following EXCEPT:

d The threat environment—threats, known vulnerabilities, attack vectors

For an organization to manage its InfoSec risk properly, managers should understand how information is __________.

d all of these are needed

Which of the following activities is part of the risk evaluation process?

d calculating the severity of risks to which assets are exposed in their current setting

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

d manufacturer's model or part number

Which of the following attributes does NOT apply to software information assets?

d product dimensions

What is the final step in the risk identification process?

d ranking assets in order of importance

32. Which of the following is the most cost-effective method for disseminating security information and news to employees?

d security newsletter

Which of the following is NOT a task performed by the governance group during the framework design phase, in cooperation with the framework team?

d specifying who will supervise and perform the RM process

14. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?

d they have larger information security needs than a small organization

46. An estimate made by the manager using good judgment and experience can account for which factor of risk assessment?

d uncertainty

The recognition, enumeration, and documentation of risks to an organization's information assets.

d. risk identification

Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.

e. field change order

The evaluation and reaction to risk to the entire organization is known as __________.

enterprise risk management (ERM)

An evaluation of the dangers to information assets, including a determination of their potential to endanger the organization.

f. threat assessment

As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted __________ worksheet.

factor analysis table analysis

As each information asset is identified, categorized, and classified, a __________ value must also be assigned to it.

relative

41. The project planner should describe the skills or personnel needed for a task, often referred to as a(n) ____________________, needed to accomplish a task.

resource

39. Project ____________________ is a description of a project's features, capabilities, functions, and quality level, used as the basis of a project plan.

scope

38. The ____________________ program is designed to reduce the occurrence of accidental security breaches by members of the organization.

security education, training, and awareness SETA

42. The three methods for selecting or developing advanced technical training are by job category, by job function, and by ____________________.

technology product

The assessment of the amount of risk an organization is willing to accept for a particular information asset is known as risk __________.

tolerance


Ensembles d'études connexes

MGMT 6100 Final Review Questions

View Set

Pharmacology: Fractions, Decimals, and Percents/ Dosage Calculations

View Set

T2 U4 Chpt 66 Caring for clients with burns

View Set

Control and Security of Financial Information Theory and Practice

View Set

Med Surg II Exam 2 Practice Questions

View Set

NT512a Epistles to Revelations Midterm (Blomberg)

View Set

CH 97 Postoperative Nursing care

View Set