ISMN 6740 Exam 2


what is business impact analysis

-study used to identify the impact that can result from disruptions in the business -focuses on the failure of one or more critical IT functions

qualitative risk assessment limitations

-subjective -only as good as the experts consulted -no CBA -no real standards

qualitative risk assessment comparison

-subjective -word values -expert opinions -key terms: probability and impact

elements to consider when determining asset value

-system access and availability -system functions -hardware and software assets -personnel assets -data and information assets -facilities and supplies

qualitative risk assessment benefits

-uses opinions of experts -easy to compute -uses words that are easy to express and understand

potential scope for web server risk assessment

-web server -database server -firewalls -DMZ

steps in implementing BIA

1. identify environment 2. identify stakeholders 3. identify CBFs 4. identify critical resources 5. identify maximum downtime 6. identify recovery priorities 7. develop the BIA report

the BIA is part of the _________

Business continuity plan (BCP)

small organization scope of BIA

Scope could include entire organization

large organization scope of BIA

Scope could include only certain areas, department, divisions

threat -> attack

a threat creates an attack

which of the following is a technical control? a. PKI b. awareness and training c. guards d. electrical grounding

a. PKI

what elements are included in a quantitative analysis? a. SLE, ALE, ARO b. ALE, ARO, ARP c. probability and impact d. threats and vulnerabilities

a. SLE, ALE, ARO

what can be used to ensure confidentiality of sensitive data? a. encryption b. hashing c. digital signature d. nonrepudiation

a. encryption

what does a qualitative RA use to prioritize a risk? a. probability and impact b. SLE, ARO, and ALE c. safeguard value d. cost benefit analysis

a. probability and impact

you are working on a qualitative risk assessment for your company. you are thinking about the final report. what should you consider when providing the results and recommendations? (select two) a. resource allocation b. risk acceptance c. SLE and ARO d. SLE and ALE

a. resource allocation b. risk acceptance

which type of assessment can you perform to identify weaknesses in a system without exploiting the weakness? a. vulnerability assessment b. risk assessment c. exploit assessment d. penetration test

a. vulnerability assessment

a(n) _________ control is used to ensure that users have the rights and permissions they need to perform their jobs, and no more

access

an acceptable use policy is an example of a(n) __________ control

administrative

attack -> vulnerability

an attack exploits a vulnerability

vulnerability -> loss or impact

an exploited vulnerability results in a loss

A risk ________ is a major component of a risk management plan.

assessment

what does a quantitative RA use to prioritize a risk? a. probability and impact b. SLE, ARO, and ALE c. safeguard value d. cost benefit analysis

b. SLE, ARO, and ALE

which of the following is a physical control? a. logon identifiers b. CCTV c. encryption d. BCP

b. CCTV

what is created with a risk assessment to track the implementation of the controls? a. CBA b. POAM c. ALE d. SLE

b. POAM

what type of control is an intrusion detection system (IDS)? a. preventive b. detective c. corrective d. recovery

b. detective

what must you define when performing a qualitative risk assessment? a. formulas used for ALE b. scales used to define probability and impact c. scales used to define SLE and ALE d. acceptable levels of risk

b. scales used to define probability and impact

which of the following statements is true a. the RPO applies to any systems or functions. however, the RTO only refers to data housed in databases b. the RTO applies to any systems or functions. however, the RPO only refers to data housed in databases c. the RTO and RPO apply to any system or functions d. the RTO and RPO apply to data housed in databases

b. the RTO applies to any systems or functions. however, the RPO only refers to data housed in databases

when defining the system for the risk assessment, what should you ensure is included? a. only the title of the system b. the current configuration of the system c. a list of possible attacks d. a list of previous risk assessments

b. the current configuration of the system

your organization purchased a control and installed it on several servers. this control is consuming too many server resources, and the servers can no longer function. What was not evaluated before the control was purchased? a. the cost and time to implement the control b. the operational impact of the control c. the in place and planned controls d. the impact of the risk

b. the operational impact of the control

what can you use to identify relevant vulnerabilities? a. historical data b. threat modeling c. CBA d. A and B only e. none of the above

d. A and B only

which of the following is a procedural control? a. session timeout b. reasonableness check c. water detection d. DRP

d. DRP

a _________ risk assessment is subjective. it relies on the opinions of experts

qualitative

you are trying to decide what type of risk assessment methodology to use. A primary benefit of a _______ risk assessment is that it can be completed more quickly than other methods

qualitative

a ________ risk assessment is objective. it uses data that can be verified

quantitative

a ________ risk assessment uses SLE

quantitative

you are trying to decide what type of risk assessment methodology to use. A primary benefit of a _______ risk assessment is that it includes details for a cost benefit analysis

quantitative

your organization requires users to log on with smart cards. this is an example of a(n) __________ control

technical

probability

the likelihood that a threat will exploit a vulnerability

general goal of risk assessment

to get risks to low consequence/low likelihood area

T/F A PTZ camera is used within a CCTV system. It can pan, tilt, and zoom.

true

T/F: controls can be identified based on their function. the functions are preventive, detective, and corrective

true

T/F: you are beginning an RA for a system. you should define both the operational characteristics and the mission of the system in the early stages of the RA

true

T/F:stakeholders can determine what functions are considered critical business functions

true

when should risk assessment be conducted

when evaluating a risk and its controls, and periodically after a control is implemented

do all systems have vulnerabilities

yes, all systems have vulnerabilities

why is risk assessment important

identifies which systems/assets to protect and gives insight into which controls provide most value

you are working on a BIA. you are calculating costs to determine the impact of an outage for a specific system. when calculating the costs, you should calculate the direct and _________ costs

indirect

risk matrix

matching probability and impact
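The risk matrix card above, together with the cards on defining probability and impact scales and on getting risks into the low consequence/low likelihood area, describes a procedure that is easier to see worked through. The following is an added example, not part of the study set or the course material; the 3x3 scales, the level thresholds and the sample risks (drawn from the web server scope card) are all constructed assumptions.

```python
"""Qualitative risk matrix: score risks by probability x impact and rank them.

Added illustration, not course material. The scales, thresholds and sample
risks are constructed assumptions; a real assessment defines its own scales
before any risk is scored.
"""

# Scales must be defined up front. Word values map to ordinal numbers so
# that risks can be compared, but the numbers carry no monetary meaning.
PROBABILITY = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


def score(probability: str, impact: str) -> int:
    """Cell value in the matrix. Rejects values outside the defined scales."""
    try:
        return PROBABILITY[probability] * IMPACT[impact]
    except KeyError as err:
        raise ValueError(f"value not on the defined scale: {err}") from err


def level(s: int) -> str:
    """Map a cell score to a risk level (thresholds are an assumption)."""
    if s >= 6:
        return "high"
    if s >= 3:
        return "medium"
    return "low"


def prioritize(risks):
    """risks: iterable of (name, probability, impact).

    Returns (name, probability, impact, score, level) rows, highest first,
    which is the order in which mitigation recommendations are written up.
    """
    rows = []
    for name, p, i in risks:
        s = score(p, i)
        rows.append((name, p, i, s, level(s)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def in_target_area(probability: str, impact: str) -> bool:
    """True when a risk already sits in the low consequence/low likelihood cell."""
    return PROBABILITY[probability] == 1 and IMPACT[impact] == 1


# Constructed sample risks for a web server assessment (names are assumptions).
SAMPLE_RISKS = [
    ("unpatched web server exploited", "high", "high"),
    ("SQL injection against database server", "medium", "high"),
    ("DMZ firewall rule misconfiguration", "low", "high"),
    ("CCTV recorder outage", "low", "low"),
]

if __name__ == "__main__":
    for name, p, i, s, lvl in prioritize(SAMPLE_RISKS):
        print(f"{lvl:6} {s:2}  P={p:6} I={i:6}  {name}")
```

Reading the output top to bottom gives the recommendation order; a control is then matched to each threat/vulnerability pair and the pair is re-scored to confirm it has moved toward the low/low cell.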

the __________ identifies the maximum acceptable downtime for a system

maximum acceptable outage (MAO)

impact

negative result if a risk occurs

do all vulnerabilities result in a loss

no, not all vulnerabilities result in loss

You use video cameras to monitor the entrance of secure areas of your building. This is an example of a(n) ________ control.

physical

dimensions of BIA

- identify business impact of IT disruptions -mission critical IT systems and components - does not analyze all IT functions -stakeholders identify mission critical systems -compliance issues often drive BIA -inputs into the business continuity plan and risk assessment

technical control examples

- login identifier - system logs -firewalls

defining scope of BIA

-Define BIA scope early in the process -Scope defines the boundaries of the plan - Scope is affected by the size of the organization

vulnerability

-a weakness in physical, technical, or operational security -can be procedural, technical, or administrative

quantitative risk assessment limitations

-accurate data not always available -ensure people use control as expected

mission critical functions

-any function considered to be vital -derived from critical success factors -successful CSFs result in performing CBFs

asset valuation

-based on replacement or recovery value of asset -ensure risk assessment performed on current systems -evaluate only assets within boundary of risk assessment

prior to conducting risk assessment you should:

-define the assessment -review previous findings

best practices for risk mitigation security controls

-ensure control is effective -review controls in all areas -review NIST families -redo risk assessment if control is changed

planned controls

-identified in planning documents -specified implementation date -approved but not yet installed

critical components of risk assessment

-identify scope of assessment -identify critical areas -identify team

in place controls

-in the operational system -supported by associated documentation

what is risk assessment

-key step in risk management process -determination of quantitative and qualitative value of risk -help identify safeguards to implement -required to evaluate risk/control -conducted after implementation of control

physical control examples

-locked doors -video cameras -fire detection and suppression

control categories

-national institute of standards and technology (NIST) -three classes and 18 families of controls -grouped as procedural, technical, and physical

quantitative risk assessment comparison

-objective -monetary values -historical data -key terms: SLE, ARO, ALE

procedural control examples

-policies and procedures -security plans -insurance -awareness and training -background and financial checks

3 objectives of in place controls

-prevent -recover -detect

developing mitigating recommendations

-provide specific recommendations to mitigate risks identified in analysis

identifying management structure

-refers to how responsibilities are assigned -large organization may have multiple divisions

identifying and evaluating threats

-review historical data -threat modeling -understand how threats interact with risks

quantitative risk assessment benefits

-simple math problem -provides CBA -management familiar with terminology -formulas use verifiable and objective measurements

what is included in an RA that helps justify the cost of a control? a. probability and impact b. ALE c. CBA d. POAM

c. CBA

what are two objectives of a BIA? (select two) a. identify MAO b. document new policy c. identify critical resources d. identify critical business functions

c. identify critical resources d. identify critical business functions

you are working on a BIA. you are calculating costs to determine the impact of an outage for a specific system. which one of the following is a direct cost? a. loss of customers b. loss of public goodwill c. loss of sales d. loss of opportunities

c. loss of sales

logon identifiers help ensure that users cannot deny taking a specific action such as deleting a file. what is this called? a. digital signature b. encryption c. nonrepudiation d. PKI

c. nonrepudiation

what are the primary objectives of a control? a. prevent, control, and attack b. prevent, respond, and log c. prevent, recover, and detect d. detect, recover, and attack

c. prevent, recover, and detect

what elements are included in a qualitative analysis? a. SLE, ALE, ARO b. ALE, ARO, ARP c. probability and impact d. threats and vulnerabilities

c. probability and impact

you have identified the MAO for a system. you now want to specify the time required for a system to be recovered. what is this called? a. BIA time b. MAO c. recovery time objectives d. recovery point objectives

c. recovery time objectives

what should you use to ensure that users understand what they can and cannot do on systems within the network? a. acceptable use banner b. data range checks c. rules of behavior d. audit trails

c. rules of behavior

which of the following should you match with a control to mitigate a relevant risk? a. threats b. vulnerabilities c. threat/vulnerability pair d. residual risk

c. threat/vulnerability pair

quantitative risk assessment

calculates absolute financial values, losses, and costs
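The quantitative cards (SLE, ARO and ALE; "simple math problem"; "provides CBA"; the CBA card on justifying the cost of a control; and the definition above) amount to three formulas: SLE = asset value x exposure factor, ALE = SLE x ARO, and cost-benefit = ALE before the control minus ALE after the control minus the annual cost of the control. The following is an added worked example, not part of the study set; the asset values, exposure factors, rates and control cost are constructed sample numbers.

```python
"""Quantitative risk assessment: SLE, ALE and cost-benefit of a control.

Added illustration, not course material. All dollar figures, exposure
factors and occurrence rates are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat/vulnerability pair against one asset."""
    name: str
    asset_value: float      # AV: replacement or recovery value, in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    aro: float              # ARO: expected occurrences per year


def sle(s: Scenario) -> float:
    """Single loss expectancy: loss from one occurrence (AV x EF)."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized loss expectancy: expected loss per year (SLE x ARO)."""
    if s.aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(s) * s.aro


def cba(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Cost-benefit of a control.

    ALE reduction minus the yearly cost of the control. Positive means the
    control saves more than it costs; negative means it is not justified on
    financial grounds alone.
    """
    return ale(before) - ale(after) - annual_control_cost


def rank_by_ale(scenarios):
    """Prioritize threat/vulnerability pairs by ALE, highest first."""
    return sorted(scenarios, key=ale, reverse=True)


# Constructed sample: web server and database server from the scope card.
DB_NO_BACKUP = Scenario("database server, no offline backup",
                        asset_value=200_000, exposure_factor=0.5, aro=0.5)
# Same pair after adding tested offline backups. EF drops because most data
# is recoverable; ARO is unchanged because a backup is corrective, not preventive.
DB_WITH_BACKUP = Scenario("database server, offline backup",
                          asset_value=200_000, exposure_factor=0.05, aro=0.5)
BACKUP_ANNUAL_COST = 12_000.0
WEB_DDOS = Scenario("web server DDoS outage",
                    asset_value=50_000, exposure_factor=0.2, aro=4)

if __name__ == "__main__":
    print(f"SLE before backup: ${sle(DB_NO_BACKUP):,.0f}")
    print(f"ALE before backup: ${ale(DB_NO_BACKUP):,.0f}")
    print(f"ALE after backup:  ${ale(DB_WITH_BACKUP):,.0f}")
    print(f"CBA of backup:     ${cba(DB_NO_BACKUP, DB_WITH_BACKUP, BACKUP_ANNUAL_COST):,.0f}")
    for s in rank_by_ale([DB_WITH_BACKUP, WEB_DDOS, DB_NO_BACKUP]):
        print(f"  ALE ${ale(s):>9,.0f}  {s.name}")
```

Note the operational-impact point from the server control card: the CBA only counts the control's purchase and running cost; a control that cripples the servers it protects has a cost this formula does not capture, which is why the operational impact is evaluated separately before purchase.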

qualitative risk assessment

calculates relative values, losses, and costs

your organization wants to issue certificates for internal systems such as internal Web server. you'll need to install a ___________ to issue and manage certificates

certification authority (CA)

a ______ will reduce or eliminate a threat or vulnerability

control or countermeasure

functional controls

controls based on function being performed -preventive -detective -corrective

Controls are often categorized based on how they are implemented. What are the three common methods of implementing controls? a. preventive, detective, corrective b. administrative, technical, operational c. technical, administrative, environmental d. procedural, technical, physical

d. procedural, technical, physical

you are working on a BIA. you want to identify the maximum amount of data loss an organization can accept. what is this called? a. BIA time b. MAO c. recovery time objectives d. recovery point objectives

d. recovery point objectives

what defines the boundaries of a business impact analysis? a. MAO b. BCP c. recovery objectives d. scope

d. scope

one of the challenges facing risk assessments is getting accurate data. what can be included in the risk assessment report to give an indication of the reliability of the data? a. probability statement b. accuracy scale c. validity level d. uncertainty level

d. uncertainty level

what should be logged in an audit log? a. all system events b. all security related events c. the details of what happened for an event d. who, what, when, and where details of an event

d. who, what, when, and where details of an event

of the following choices, what would be considered an asset? a. hardware b. software c. personnel d. data and information e. all of the above

e. all of the above

of the following, what would be considered a best practice when performing risk assessments? a. start with clear goals and a defined scope b. enlist support of senior management c. repeat the risk assessment regularly d. provide clear recommendations e. all of the above

e. all of the above

what can you use to help quantify risks? a. SLE B. ARO c. risk assessment d. risk mitigation plan e. all of the above

e. all of the above

which of the following should you identify during a risk assessment? a. assets b. threats c. vulnerabilities d. countermeasures e. all of the above

e. all of the above

T/F: qualitative analysis is more time consuming than quantitative analysis

false

T/F: risk assessments are a continuous process

false
