Cyber Security - Ch5


False

A data classification scheme is a formal access control methodology used to assign a level of availability to an information asset and thus restrict the number of people who can access it.

expectancy

A single loss ________ is the calculation of the value associated with the most likely loss from an attack.

clean desk

A(n) _________ policy requires that employees secure all information in appropriate storage containers at the end of each day.

data classification scheme

A(n) ____________ is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.

False

A disaster recovery plan includes the steps necessary to ensure the continuation of the organization when a disaster's scope or scale exceeds the ability of the organization to restore operations, usually through relocation of critical business functions to an alternate location.

threats

After identifying and performing the preliminary classification of an organization's information assets, the analysis phase moves on to an examination of the ________ facing the organization.

False

Baselining is the comparison of past security activities and events against the organization's current performance.

operational feasibility

Behavioral feasibility is also known as _______.

True

Benchmarking is the process of comparing other organizations' activities against the practices used in one's own organization to produce results it would like to duplicate.

False

Cost mitigation is the process of preventing the financial impact of an incident by implementing a control.

False

Each of the threats faced by an organization must be evaluated, including determining the threat's potential to endanger the organization, which is known as a threat prioritization.

True

Establishing a competitive business model, method, or technique enables an organization to provide a product or service that is superior and creates a competitive advantage.

True

Exposure factor is the expected percentage of loss that would occur from a particular attack.

Unclassified

Federal agencies such as the NSA, FBI, and CIA use specialty classification schemes. For materials that are not considered "National Security Information," __________ data is the lowest-level classification.

False

Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets.

True

If the acceptance strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and may portray an apathetic approach to security in general.

Weighted Factor Analysis

In a(n) __________, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking those scores.

True

In addition to their other responsibilities, the three communities of interest are responsible for determining which control options are cost effective for the organization.

False

Knowing yourself means identifying, examining, and understanding the threats facing the organization.

True

Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack.

distribution, portability, and destruction

Management of classified data includes its storage and ______________, ______________, and _____________.

business continuity

Of the three types of mitigation plans, the _____________ plan is the most strategic and long-term, as it focuses on the steps to ensure the continuation of the organization.

weighted factor

Once the inventory and value assessment are complete, you can prioritize each asset using a straightforward process known as ___________ analysis.

People: employees and nonemployees.
Procedures: either procedures that do not expose knowledge useful to an attacker, or sensitive procedures that would be useful to an attacker.
Data: components that account for the management of information during transmission, processing, and storage.
Software: applications, operating systems, and security components.
Hardware: the usual systems devices and the devices that are part of information security control systems.

One of the first components of risk identification is identification, inventory, and categorization of assets, including all elements, or attributes, of an organization's information system. List and describe these asset attributes.

True

One way to determine which information assets are valuable is by evaluating which information asset(s) would expose the company to liability or embarrassment if revealed.

False

Operational feasibility is an assessment of whether the organization can acquire the technology necessary to implement and support the proposed control.

need-to-know

Overriding an employee's security clearance requires that the employee meet the __________ standard.

mitigation

The ___________ control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.

transference

The _________ control strategy attempts to shift risk to other assets, other processes, or other organizations.

loss frequency

The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range is called the _________.

magnitude

The combination of an asset's value and the percentage of the asset that might be lost in an attack is known as the loss ___________.

False

The computed value of the ALE compares the costs and benefits of a particular control alternative to determine whether the control is worth its cost.

disadvantage

The concept of competitive __________ refers to falling behind the competition.

risk identification

The first phase of risk management is ___________.

CBA

The formal decision-making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) __________.

True

The mitigation control strategy attempts to reduce the impact of a successful attack through planning and preparation.

True

The most common example of a mitigation procedure is a contingency plan.

True

The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.

True

The upper management of an organization must structure the IT and information security functions to defend the organization's information assets.

True

The value of information to the organization's competition should influence the asset's valuation.

external

Using the simplified information classification scheme outlined in the text, all information that has been approved by management for public release has a(n) ______________ classification.

A CBA determines whether an alternative system is worth its cost to control vulnerabilities.
CBA = ALE(prior) - ALE(post) - ACS, where ALE(prior) is the annualized loss expectancy before the control, ALE(post) is the annualized loss expectancy after the control, and ACS is the annualized cost of the safeguard.

What is a cost-benefit analysis (CBA) and how can it be calculated?

procedures

When deciding which information assets to track, consider the following asset attributes: people, _______, data, software, and hardware.

True

When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts.

True

When it is necessary to calculate, estimate, or derive values for information assets, you might give consideration to the value incurred from the cost of protecting the information.

Which asset is more critical to the organization's success?
Which asset generates the most revenue?
Which asset plays the largest role in delivering services?
Which asset is the most expensive to replace?
Which asset would cause the greatest liability if compromised?

When valuing information assets, what criteria could be considered in establishing or determining the value of the assets?

False

Within organizations, the most important feasibility is technical feasibility, which defines what can and cannot occur based on the consensus and relationships between the communities of interest.

False

You cannot use qualitative measures to rank information asset values.

True

You should adopt naming standards that do not convey information to potential system attackers.

Political

_______ feasibility analysis is an assessment of which controls can and cannot occur based on the consensus and relationships among communities of interest.

ARO

________ is simply how often you expect a specific type of attack to occur.

Risk

__________ equals the probability of a successful attack multiplied by the expected loss from a successful attack, plus an element of uncertainty.

Data

___________ components account for the management of information in all its states: transmission, processing, and storage.

likelihood

___________ is the probability that a specific vulnerability within an organization's assets will be successfully attacked.

Process-based

___________ measures are generally less focused on numbers and are more strategic than metrics-based measures.

Asset valuation

____________ is the process of assigning financial value or worth to each information asset.

Information assets

_______________ include information and the systems that use, store, and transmit information.

False

TVA safeguard risk is a combined function of (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards.

acceptance

The __________ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.

defense

The ___________ control strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.

performance group

The ____________ is the difference between an organization's observed and desired performance.

dumpster diving

Some people search trash and recycling bins, a practice known as ______________, to retrieve information that could embarrass a company or compromise information security.

True

Sometimes a risk assessment report is prepared for a specific IT project at the request of the project manager, either because it is required by organizational policy or because it is good project management practice.

False

Pervasive risk is the amount of risk that remains to an information asset even after the organization has applied its desired level of controls.

False

Residual risk is the risk that has not been removed, shifted, or planned for after vulnerabilities have been completely resolved.

control

Risk _______ is the application of security mechanisms to reduce the risks to an organization's data and information systems.

appetite

Risk ________ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

False

Risk acceptance defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

True

Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices.
