Management of Information Security Chapter 6

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

False

MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof.

False

Risk identification, risk analysis, and risk evaluation are part of a single function known as risk protection. __________

False

Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. __________

False

The IT community often takes on the leadership role in addressing risk.

vulnerabilities

What is defined as specific avenues that threat agents can exploit to attack an information asset?

ranking assets in order of importance

What is the final step in the risk identification process?

properly classified inventory

What should you be armed with to adequately assess potential weaknesses in each information asset?

False

When operating any kind of organization, a certain amount of debt is always involved. __________

MAC address

Which of the following is an attribute of a network device built into the network interface?

True

Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.

risk tolerance

What is the assessment of the amount of risk an organization is willing to accept for a particular information asset?

residual risk

What is the risk to information assets that remains even after current controls have been applied?

threats-vulnerabilities-assets worksheet

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

calculating the severity of risks to which assets are exposed in their current setting

Which of the following activities is part of the risk evaluation process?

product dimensions

Which of the following attributes does NOT apply to software information assets?

manufacturer's model or part number

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

process contingency planning

The Risk Management Framework includes all of the following EXCEPT:

False

The degree to which a current control can reduce risk is also subject to calculation error. __________

risk appetite

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility is known as __________.

False

The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk control. __________

threat severity weighted table analysis

The risk assessment deliverable titled __________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization.

specifying who will supervise and perform the RM process

Which of the following is NOT a task performed by the governance group during the framework design phase, in cooperation with the framework team?

uncertainty percentage

Which of the following is NOT among the typical columns in the risk rating worksheet?

IP address

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset identification using this attribute difficult?

outdated servers

Which of the following is an example of a technological obsolescence threat?

legal management must develop corporate-wide standards

Which of the following is not a role of managers within the communities of interest in controlling risk?

RM process

Which of these denotes the identification, analysis, evaluation, and treatment of risk to information assets?

RM framework

Which of these denotes the overall structure of the strategic planning and design for the entirety of the organization's RM efforts?

risk ranking worksheet

__________ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood, impact, and possibly a measure of uncertainty.

information asset value weighted table analysis

__________ is the risk assessment deliverable that places each information asset into a ranked list according to its value based on criteria developed by the organization.

assigning a value to each information asset

Which of the following activities is part of the risk identification process?

False

A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. __________

False

A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. __________

It is not limited by stakeholder expectations.

A well-defined risk appetite should have the following characteristics EXCEPT:

uncertainty

An estimate made by the manager using good judgment and experience can account for which factor of risk assessment?

False

An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as exploit assessment. __________

impact

An understanding of the potential consequences of a successful attack on an information asset by a threat is known as __________.

sensitivity and security needs

Data classification schemes should categorize information assets based on which of the following?

the organization's governance structure

Factors that affect the external context and impact the RM process, its goals, and its objectives include the following EXCEPT:

The threat environment—threats, known vulnerabilities, attack vectors

Factors that affect the internal context and impact the RM process, its goals, and its objectives include the following EXCEPT:

all of these are needed

For an organization to manage its InfoSec risk properly, managers should understand how information is __________.

False

Having an established risk management program means that an organization's assets are completely protected.

the corporate change control officer

In the area of risk management, process communications is the necessary information flow within and between all of the following EXCEPT:

True

Likelihood is the overall rating of the probability that a specific vulnerability will be exploited or attacked.

relative value

Once an information asset is identified, categorized, and classified, what must also be assigned to it?

its personnel structure

Once the members of the RM framework team have been identified, the governance group should communicate all of the following for the overall RM program EXCEPT:

create a subjective ranking based on anticipated recovery costs

Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often __________.

False

The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ___________

comprehensive

Classification categories must be mutually exclusive and which of the following?

risk management policy

The __________ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts.

risk assessment

The identification, analysis, and evaluation of risk in an organization describes which of the following?

False

The information technology management community of interest often takes on the leadership role in addressing risk.__________

legacy cost of recovery

The organization can perform risk determination using certain risk elements, including all but which of the following?

likelihood

The probability that a specific vulnerability within an organization will be attacked by a threat is known as __________.

uncertainty

The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes, is known as __________.


Ensembles d'études connexes

Organizational Behavior: Midterm Chapter 1-4; 7,8

View Set

Chapter 17 Objectives: From Gene to Protein

View Set

Karch Chapter 38: Agents to Control Blood Glucose Levels

View Set

http://gratisexam.com/ec-council/312-50/ECCouncil.BrainDumps.312-50.v2016-08-09.by.Worm.260q.pdf (V2)

View Set