MIS 416 Exam 2 FinalXX


Temporal Isolation

A time-release safe is an example of which type of access control?

Esoteric

All of the following are KPI types except...?

It is important to understand that not all frameworks are created as equivalents. Let's look at the differences between FAIR and OCTAVE. Which statement is NOT true?

FAIR addresses a wider range of security and risk assessment issues than OCTAVE

SLE x ARO (the other options: AV x EF --> SLE; (Monetary reduction in risk exposure) - (Cost of safeguard) --> ROSI; (ALE) - (mALE) --> Savings)

Formula for ALE? -SLE x ARO -AV x EF -(Monetary reduction in risk exposure) - (Cost of safeguard) -(ALE) - (mALE)

AV X EF Asset value x exposure factor

Formula for SLE? -AV x ARO -ARO x Savings -AV x EF -EF x mALE

ISMS

ISO/IEC 27001 provides implementation details on how to implement ISO/IEC 27002 and how to set up a(n) ____________________. *This was fill-in-blank on practice exam

Which of the following is NOT part of a risk report structure?

Risk Report Memorandum

ALE is:

SLE x ARO

False

T/F: COBIT worked with ISACA to develop ITGI

Ignore security risk

The security risk for each vulnerability found during the gathering phase can be addressed through all of the following EXCEPT:

Security Model

To design a security program, an organization can use a(n) ____________________, which is a generic outline of the more thorough and organization-specific blueprint offered by a service organization.

What is the purpose of a risk mitigation plan?

To implement approved countermeasures

Change management is a process that ensures that changes are made only after a review process.

True

T / F Organizations can implement risk monitoring at any of the risk management tiers with different objectives and utility of information produced.

True

T / F Organizations employ risk monitoring tools, techniques, and procedures to increase risk _____.

True

Mitigating

Which of the following is NOT a category of access control?

COBIT

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT governance institute? -ISA -ISMS -IG -COBIT

Executive summary, base report, appendices

Which of the following represents the basic structure of a risk assessment report? -Table of contents, base report, executive summary -Executive summary, base report, appendices -Executive summary, base report, conclusion

Security Clearances

Which of the following specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle?

The final summary of risks, impacts, rationales, and treatments is called what?

a risk register

What type of control ensures that account management is secure?

account management controls

Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?

cost avoidance

What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?

cost-benefit analysis

Risk monitoring provides organizations the means to (click all that apply): -Determine the ongoing effectiveness of risk response measures -Verify compliance -Identify risk-impacting changes to organizational information systems and environments of operation -Assess risk

-Determine the ongoing effectiveness of risk response measures -Verify compliance -Identify risk-impacting changes to organizational information systems and environments of operation

What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?

documented control strategy

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?

evaluating alternative strategies

Which of the following represents the basic structure of a risk assessment report?

executive summary, base report, appendices

When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.

exploited

Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?

risk appetite

-Account management controls

what type of controls ensures that account management is secure? -Account controls -Account management controls -Access controls -Access management controls

When Calculating Safeguard Costs we must typically be sure to include which of the following? (select all that apply)

-Maintenance costs -Training costs -Operational costs -Purchase price -Installation charges

Order the following for measuring and incorporating metrics.

1. Determine requirement 2. Business case 3. Design and select metric system 4. Develop metrics 5. Test metrics 6. Launch metrics 7. Manage measurements 8. Mature measurements

Place the following in the correct order for risk management.

1. identify risk 2. analyze risks 3. rank risks 4. treat risks 5. monitor and review risks

If there are three possible outcomes to an event, one of which has a probability of 40% and will cost you $4000, one of which has a probability of 30% and will cost you $1500, and another with a probability of 30% that will cost you $2500, what is your expected loss?

2800

What portion of the risk assessment report is actually essential in ANY report?

A good executive summary

Technical

A logon identifier is a type of ____ control -Functional -Technical -Procedural -Access

True

A person's security clearance is a personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. ____________

-inventory

A risk _____ could be a simple listing of identified risks, some of which are already assessed and others of which are still in the process of being qualified. -plan -mitigation -inventory -assessments **key word: simple

False

A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. ____________

SLE is

AV x EF

The final phase of the security risk assessment is to create a(n) ________ that addresses all security risks identified in the ___________.

Action plan, final report

To help management decide which recommendations to use

After you collect data on risk and recommendations, you include that information in a report, and you give that report to management. Why do you do this? (don't over think)

Control

All of the following are risk treatments in different frameworks except? -Identify -Analyze -Evaluate -Control -Treat -Monitor

Ignore

All of the following are risk treatments in different frameworks except? -Identify -Monitor -Ignore -Evaluate -Analyze

_____ monitoring results gives organizations the capability to maintain awareness of the risk being incurred, highlight the need to revisit other steps in the risk management process, and initiate process improvement activities as needed.

Analyzing

-Input validation

Another term for data range and reasonableness checks is ___ -Input checks -Input validation -Data validation -Reasonableness range

Create and enforce a written company policy against the use of thumb drives, and install technical controls on the computers that will prevent the use of thumb drives.

As a top-level executive at your own company, you are worried that your employees may steal confidential data too easily by downloading and taking home data onto thumb drives. What is the best way to prevent this from happening?

Which of the following is NOT a step in the FAIR risk management framework?

Assess and control impact

Organizations employ risk monitoring tools, techniques, and procedures to increase risk _____.

Awareness

Which of the following is NOT a factor for developing a risk mitigation/response plan?

Best practice in industry

In addition to the data captured in your risk assessment template, exceptions and mitigation plans need to include the following information EXCEPT:

Budget process

What is a significant part of the step of evaluating controls and determining which controls to implement?

CBAs

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?

COBIT

What is the first step in applying the RMF?

Categorize the information system and the information processed

-Unambiguous -Nonthreatening -Accurate -Relevant (all but actionable; contents cannot be perceived as "actionable" anyway)

Clear and effective security assessment reporting requires that the contents of the report be perceived as which of the following? -Unambiguous -Nonthreatening -Actionable -Accurate -Relevant

All of the following are risk treatments in different frameworks except?

Control

____________ mitigate(s) risk.

Controls

Corrective

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?

What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?

Cost-benefit analysis

What is NOT a best practice for enabling a risk mitigation plan from your risk assessment?

Create a new POAM.

You have created a risk assessment, and management has approved it. What do you do next?

Create a risk mitigation plan

What is NOT an example of an intangible value?

Data

False

Dumpster delving is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information. ____________

What is an important element of following up on a risk mitigation plan?

Ensuring that security gaps are closed

All of the following are KPI types except:

Esoteric

All of the following are KPI types except: -Threshold -Qualitative -Esoteric -Milestone

Esoteric

A KPx is a summary of one or more KRIs.

False

A business impact analysis (BIA) is an output of the risk assessment process.

False

Asset valuation is a listing or grouping of assets under an assessment.

False

COBIT worked with ISACA to develop ITGI.

False

Change management ensures that similar systems have the same, or at least similar, configurations.

False

Configuration management is the same as change management.

False

FAIR's BRAG relies on qualitative assessment of many risk components using scales with value ranges.

False

How your organization starts its risk mitigation process depends entirely on the type of organization you are working in.

False

If an in-place countermeasure needs to be upgraded or replaced, you should disable or remove the countermeasure until the new or upgraded control can be installed in order to best reduce vulnerabilities.

False

In information security, a framework or security model customized to an organization, including implementation details is known as a floor plan.

False

In the risk management process, it is not important to identify who should be responsible for the various processes or steps.

False

Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure.

False

Key Performance Indicators monitor risk appetite.

False

Loss Before Countermeasure - Loss After Countermeasure = Countermeasure Value

False

Organizations can only implement risk monitoring at risk management tiers 1 and 2.

False

Planned safeguards are the same as approved controls.

False

T / F Configuration management is the same as change management

False

T / F KPIs do not necessarily need to be tied to organizational strategy.

False

T / F Key Risk Indicators should be tied to one or more Key Performance Indexes.

False

The objective in risk assessment reporting is to assign blame to those who pose risks.

False

The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy.

False

The risk control strategy where the organization is willing to accept the current level of risk and makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.

False

The second step of becoming ISO 27002 certified involves implementing best practices.

False

The standard format that must be followed when writing a vulnerability assessment report requires that the vulnerability assessment includes the following sections: table of contents, executive summary, methods, results, and recommendations.

False

There is only one way to format and organize a risk assessment report.

False

Which of the following is NOT risk evaluation step?

Identify the key components

2800 (idk)

If there are three possible outcomes to an event, one of which has a probability of 40% and will cost you $4000, one of which has a probability of 30% and will cost you $1500, and another with a probability of 30% that will cost you $2500, what is your expected loss? -2000 -2900 -2800 -3000

All of the following are risk treatments in different frameworks except?

Ignore

The security risk for each vulnerability found during the gathering phase can be addressed through all of the following EXCEPT:

Ignore security risk

Budget process

In addition to the data captured in your risk assessment template, exceptions and mitigation plans need to include the following information EXCEPT:

Control

In the COSO framework, ___________ activities include those policies and procedures that support management directives. *fill in blank

The COSO framework is built on eight interrelated components. Which of the following is NOT one of them?

InfoSec Governance

Another term for data range and reasonableness checks is ______________.

Input validation

Procedural controls

Insurance, background checks, and security plans are all categories of ____________.

A risk ____ could be a simple listing of identified risks, some of which are already assessed and others of which are still in the process of being qualified

Inventory

FAIR addresses a wider range of security and risk assessment issues than OCTAVE (OCTAVE is the longer word, so it can address more; this is the false statement because FAIR can't have the wider range)

It is important to understand that not all frameworks are created as equivalents. Let's look at the differences between FAIR and OCTAVE. Which statement is NOT true? (think about the length of OCTAVE vs FAIR)

Which of the following affects the cost of a control?

Maintenance

-The framework can be easier to implement for your specific organization

Many firms and regulators refer to one or more cybersecurity and/or risk assessment frameworks. However, firms sometimes create their own custom frameworks. Using a predefined framework has all of the following benefits except what? -The framework can be easier to implement for your specific organization -The framework has less initial work to set up and understand -The framework is sensible if your process is called into question by others -The framework is unlikely to miss important key concepts

The relation between Controls and Threats is best described as?

Many-to-Many

Which of the following is NOT one of the components of the COSO framework?

Meeting stakeholder needs

Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?

Mitigation

-Transfer

OCTAVE is one of the many frameworks available. Although heavy and labor intensive, it includes innovative approaches. One of the unique aspects of OCTAVE is the pools of mitigation approaches. The pools used include everything but? -Transfer -Accept -Mitigate -Mitigate or defer -Defer or accept

Which of the following is a Tier 1 risk monitoring activity?

Ongoing threat assessments

What does OCTAVE stand for?

Operationally Critical Threat, Asset, and Vulnerability Evaluation

1. Determine requirement 2. Business case 3. Design and select metric system 4. Develop metrics 5. Test metrics 6. Launch metrics 7. Manage measurements 8. Mature measurements

Order the following for measuring and incorporating metrics. 1. Determine requirement 2. Business case 3. Design and select metric system 4. Develop metrics 5. Test metrics 6. Launch metrics 7. Manage measurements 8. Mature measurements

Awareness

Organizations employ risk monitoring tools, techniques and procedures to increase risk ______.

-Security measurement system

PRAGMATIC is a....? -Security measurement system -Threat catalog -Government regulation -Risk assessment approach

Which phase of the information security measurement system lifecycle involves gaining a solid appreciation of the organization's information security-related information needs?

Phase 1

1. Identify risk 2. Analyze risk 3. Rank risks 4. Treat risks 5. Monitor and review risks

Place the following in the correct order for risk management: 1. Identify risk 2. Analyze risk 3. Rank risks 4. Treat risks 5. Monitor and review risks

Insurance, background checks, and security plans are all categories of ____________.

Procedural controls

Share, transfer

Purchasing insurance is the primary way to ________ or _________ risk.

Which of the following is NOT a phase in the information security measurement system lifecycle?

Remove the measurement system

Which of the following is NOT a phase in the information security measurement system lifecycle? -Select security metrics -Prepare a business case -Mature the measurement system -Launch the measurement system -Remove the measurement system

Remove the measurement system

The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?

Risk determination

Which of the following is NOT a way organizations can respond to risk?

Risk elimination

A) Verify compliance C) Determine the ongoing effectiveness of risk response measures D) Identify risk-impacting changes to organizational information systems and environments of operation *all but assess risk, because it's monitoring!!!!

Risk monitoring provides organizations the means to....? Select all that apply. A) Verify compliance B) Assess risk C) Determine the ongoing effectiveness of risk response measures D) Identify risk-impacting changes to organizational information systems and environments of operation

PRAGMATIC is a

Security Measurement System

Which of the following is a well-framed phrase used by the security risk assessment team when risk reporting?

Security awareness training is not completely effective for all users

-Weakness of the security

Security risk decision variables include all of the following aspects EXCEPT? -Weakness of the security -Severity of the impact -Likelihood that a vulnerability will be exploited -Value of the asset

-Verify compliance -Determine the ongoing effectiveness of risk response measures -Identify risks impacting changes to organization information systems

Select all of the following that risk monitoring allows organizations to do: -Avoid performing risk assessments -Verify compliance -Determine the ongoing effectiveness of risk response measures -Evaluate the costs and benefits of different security controls -Identify risks impacting changes to organization information systems

False *it's ALE not "loss" Countermeasure value = ALE previous - ALE now - Countermeasure cost

T/F: Loss Before Countermeasure - Loss After Countermeasure = Countermeasure Value

False *another analysis cannot be the output of an assessment ????

T/F: A Business Impact Analysis (BIA) is an output of the risk assessment process

True

T/F: A CBA helps determine if you should use a safeguard

True

T/F: A best practice for enabling a risk mitigation plan from your risk assessment is prioritizing countermeasures.

True

T/F: A decision is made to accept, avoid, transfer, or mitigate a risk is done in the risk evaluation stage.

True

T/F: A gap analysis report documents differences between what is mitigated and what is NOT mitigated, resulting in a gap in security GAPPPPP

True

T/F: A risk assessment ends with a report

True

T/F: A risk assessment provides a point-in-time report

True

T/F: A threshold KPI is significant when an index falls into a set range

True

T/F: Access controls testing verifies user rights and permissions

True action = quickly

T/F: Action plans are a necessary output of the risk assessment process so that recommendations can be acted upon quickly once the assessment is approved *key word: quickly

False

T/F: Asset valuation is a listing or grouping of assets under an assessment

False

T/F: Change management ensures that similar systems have the same, or at least similar, configurations.

True

T/F: Ensuring that controls are effective is a best practice for risk mitigating security controls.

False

T/F: FAIR's BRAG relies on qualitative assessment of many risk components using scales with value ranges

True

T/F: Formula for ROSI? = reduction in risk exposure / investment in countermeasures

True

T/F: Good risk reporting should include tables and figures to visually convey information to the audience.

False

T/F: If an in-place countermeasure needs to be upgraded or replaced, you should disable or remove the countermeasure until the new upgraded control can be installed in order to best reduce vulnerabilities

True health = good = true

T/F: In information security, KPIs measure the performance or health of information security *key word: health

False

T/F: In information security, a framework or security model customized to an organization, including implementation details is known as a floor plan

False

T/F: In the risk management process, it is not important to identify who should be responsible for the various processes or steps

False

T/F: Information technology infrastructure library provides guidance in the development and implementation of an organizational InfoSec governance structure

False

T/F: KPIs do not necessarily need to be tied to organizational strategy

True

T/F: KRIs measure how risky an activity is

False

T/F: Key Performance Indicators monitor risk appetite.

True

T/F: Logs need to be reviewed

True

T/F: One of the ways to identify controls is to identify critical business functions and critical business operations.

True

T/F: One or more KPIs can be included in a key performance index.

False

T/F: Organizations can only implement risk monitoring at risks management tiers 1 and 2

True

T/F: Planned controls are controls that have been approved but not installed yet

True

T/F: Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance.

True

T/F: Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred.

True

T/F: Risk monitoring provides organization with the means to verify compliance, determine the effectiveness of risk measures, and identify risk-impacting changes to organizational information systems and environments of operations.

True

T/F: Risk sharing shifts a portion of the responsibility or liability

False

T/F: Technical controls alone, when properly configured, can secure an IT environment

True five = 4 letters true = 4 letters

T/F: The ISO 27005 Standard for InfoSec Risk Management includes a FIVE-stage management methodology; among them are RISK TREATMENT and RISK COMMUNICATION *key word: five

True

T/F: The Information Technology Infrastructure Library (ITIL) defines the organizational structure and skill requirements of an IT organization and a set of standard operational procedures and practices that allow the organization to manage an IT operation and associated infrastructure.

True

T/F: The criterion most commonly used when evaluating a strategy to implement InfoSec controls is economic feasibility.

True

T/F: The first step of becoming ISO 27002 certified involves implementing best practices

False

T/F: The objective in risk assessment reporting is to assign blame to those who pose risks

False

T/F: The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy.

True

T/F: The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy.

False (This is transference)

T/F: The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy

True

T/F: The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.

False

T/F: The risk control strategy where the organization is willing to accept the current level of risk and makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy

False

T/F: The standard format that must be followed when writing a vulnerability assessment report requires that the vulnerability assessment includes the following sections: table of contents, executive summary, methods, results, and recommendations

False

T/F: There is only one way to format and organize a risk assessment report

True

T/F: When converting a risk assessment to a risk mitigation plan, you may need to verify the risk elements.

False

T/F: You will never need to replace in-place controls

False

T/F: a KPx is a summary of one or more KRIs

True

T/F: change management is a process that ensures that changes are made only after a review process

False

T/F: configuration management is the same as change management

True

T/F: continuous monitoring is necessary because security work is never done

False

T/F: how your organization starts its risk mitigation process depends entirely on the type of organization you are working in

True

T/F: information security is a dynamic field because the risks fluctuate in a complex and, hence, not entirely predictable manner

True

T/F: key risk indicators should be tied to one or more key performance indexes

True

T/F: organizations can implement risk monitoring at any of the risk management tiers with different objectives and utility of information produced

True

T/F: physical access controls protect valuable assets by restricting physical access to them

True

T/F: the organization's level of security risk acceptance should be considered when selecting recommended safeguards

The actual methods used to protect against data loss are __________ controls, but the program that identifies which data to protect is a ___________ control.

Technical, procedural

InfoSec governance

The COSO framework is built on eight interrelated components. Which of the following is NOT one of them?

InfoSec Governance

The COSO framework is built on five interrelated components. Which of the following is NOT one of them?

Risk determination

The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following? -Risk treatment -Risk communication -Risk analytics -Risk determination

False

The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures. ____________

-Evaluating alternative strategies

The Microsoft Risk Management approach includes four phases. Which of the following is NOT one of them? -Measuring program effectiveness -Evaluating alternative strategies -Implementing controls -Conducting decision support

Transference

The ___ risk control strategy attempts to shift the risk to other assets, processes, or organizations.

Need to know

The ____________________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.

Technical, procedural

The actual methods used to protect against data loss are __________ controls, but the program that identifies which data to protect is a ___________ control. -Operational, technical -Planned, procedural -Technical, procedural

What is Risk Acceptance?

The appropriate risk response when the identified risk is within the organizational risk tolerance

False

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege. ____________

Action plan, final report

The final phase of the security risk assessment is to create a(n) ________ that addresses all security risks identified in the ___________.

a risk register

The final summary of risks, impacts, rationales and treatments is called what? -A risk catalog -A risk register -A risk index

Many firms and regulators refer to one or more Cybersecurity and/or risk assessment frameworks. However, firms sometimes create their own custom frameworks. Using a predefined framework has all of the following benefits except what?

The framework can be easier to implement for your specific organization

True

The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know. ____________

Many-to-many

The relation between Controls and Threats is best described as? -One-to-many -Many-to-many -Many-to-one

OCTAVE is one of the many frameworks available. Although heavy and labor intensive, it includes innovative approaches. One of the unique aspects of OCTAVE is the pools of mitigation approaches. The pools used include everything but?

Transfer

The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.

Transference

A best practice for enabling a risk mitigation plan from your risk assessment is prioritizing countermeasures.

True

A decision is made to accept, avoid, transfer, or mitigate a risk is done in the risk evaluation stage.

True

A gap analysis report documents differences between what is mitigated and what is NOT mitigated, resulting in a gap in security.

True

A risk assessment ends with a report.

True

A risk assessment provides a point-in-time report.

True

A threshold KPI is significant when an index falls into a set range.

True

Action plans are a necessary output of the risk assessment process so that recommendations can be acted upon quickly once the assessment is approved.

True

Continuous monitoring is necessary because security work is never done.

True

Ensuring that controls are effective is a best practice for risk mitigating security controls.

True

Good risk reporting should include tables and figures to visually convey information to the audience.

True

In Information Security, KPIs measure the performance or health of Information Security.

True

In addition to deciding on appropriate monitoring activities across the risk management tiers, organizations also decide how monitoring is to be conducted (e.g., automated or manual approaches) and the frequency of monitoring activities.

True

Information security is a dynamic field because the risks fluctuate in a complex and, hence, not entirely predictable manner.

True

KPIs do not necessarily need to be tied to organizational strategy.

True

KRIs measure how risky an activity is.

True

Key Risk Indicators should be tied to one or more Key Performance Indexes.

True

Logs need to be reviewed.

True

One of the ways to identify controls is to identify critical business functions and critical business operations.

True

One or more KPIs can be included in a key performance index.

True

Organizations can implement risk monitoring at any of the risk management tiers with different objectives and utility of information produced.

True

Physical access controls protect valuable assets by restricting physical access to them.

True

Planned controls are controls that have been approved but not installed yet.

True

ROSI = reduction in risk exposure / investment in countermeasures

True

Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance.

True

Risk monitoring provides organizations with the means to verify compliance, determine the effectiveness of risk measures, and identify risk-impacting changes to organizational information systems and environments of operation.

True

Risk sharing shifts a portion of the responsibility or liability.

True

T / F Continuous monitoring is necessary because security work is never done.

True

T / F Information security is a dynamic field because the risks fluctuate in a complex and, hence, not entirely predictable manner.

True

T / F KRIs measure how risky an activity is.

True

T / F The organization's level of security risk acceptance should be considered when selecting recommended safeguards.

True

The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.

True

The Information Technology Infrastructure Library (ITIL) defines the organizational structure and skill requirements of an IT organization and a set of standard operational procedures and practices that allow the organization to manage an IT operation and associated infrastructure.

True

The first step of becoming ISO 27002 certified involves implementing best practices.

True

The organization's level of security risk acceptance should be considered when selecting recommended safeguards.

True

When converting a risk assessment to a risk mitigation plan, you may need to verify the risk elements.

True

Access Control List

Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?

Which of the following is NOT a purpose of ISO/IEC 27001:2005?

Use to form information technology governance

Select all of the following that risk monitoring allows organizations to do: Question 5 options: Avoid performing risk assessments Verify compliance Determine the ongoing effectiveness of risk response measures Evaluate the costs and benefits of different security controls Identify risk-impacting changes to organization information systems

Verify compliance Determine the ongoing effectiveness of risk response measures Identify risk-impacting changes to organization information systems

Security risk decision variables include all the following aspects EXCEPT

Weakness of the security

-Staying on schedule and in budget

What are the 2 primary goals when implementing a risk mitigation plan?

principles, policies, and frameworks; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies *just remember PRINCIPLES first and COMPETENCIES last

What are the seven COBIT enablers?

-Quantitative valuation of safeguards

What does FAIR's BRAG rely on to build the risk management framework that is unlike many other risk management frameworks? -Qualitative assessment of many risk components -Subjective prioritization of controls -Risk analysis estimates -Quantitative valuation of safeguards

Operationally Critical Threat, Asset, and Vulnerability Evaluation *look for comma between 'threat' & 'asset'

What does OCTAVE stand for? -Operationally Critical Threat Asset, and Vulnerability Evaluation -Operationally Critical Threat, Asset, and Vulnerability Evaluation -Operations, Critical Threat, Asset, Valuation Efficiency

-Purchase insurance to assign or transfer the security risk to another party

What does the assign security risk help with? -Based on business mission and other factors, accept the identified security risk -Purchase insurance to assign or transfer the security risk to another party -All of the above -Reduce specific security risk

Findings, Recommendation cost and time frame, Cost benefit analysis

What information should you include in your report for management when you present your recommendations?

Creating a new POAM (Plan of action and milestones)

What is NOT a best practice for enabling a risk mitigation plan from your risk assessment?

Data

What is NOT an example of an intangible value? -Data -Cost of gaining a customer -Future loss -Customer influence

Manual

What is NOT one of the implementation methods of controls? Mitigate Transfer Control Manual Decide

-CBAs

What is a significant part of the step of evaluating controls and determining which controls to implement? -DRPs -BCPs -CBAs -DMZs

Ensuring that security gaps are closed *you made the plan in the first place to close the gap

What is an important element of following up on a risk mitigation plan?

The appropriate risk response when the identified risk is within the organizational risk tolerance *acceptance = a = appropriate

What is risk acceptance? *hint: 'a'

-Categorize the information system and the information processed

What is the first step in applying the RMF?

To implement approved countermeasures *countermeasures will eliminate/mitigate risk

What is the purpose of a risk mitigation plan? *key word: mitigation

-Cost benefit analysis

What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy? -Annualized rate of occurrence -Exposure factor -Single loss expectancy -Cost benefit analysis

A good executive summary

What portion of the risk assessment report is actually essential in ANY report? A table of contents A risk evaluation table A good executive summary

-A good executive summary

What portion of the risk assessment report is actually essential in ANY report? -Methodology -Supporting appendices -A good executive summary -A good conclusion

-Maintenance costs -Training costs -Operational costs -Purchase price -Installation charges

When Calculating Safeguard Costs we must typically be sure to include which of the following? (select all that apply) -Maintenance costs -Training costs -Operational costs -Purchase price -Education costs -Installation charges

Which of the following is NOT a valid rule of thumb on risk control strategy selection?

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.

Need-to-know

Which access control principle limits a user's access to the specific information required to perform the currently assigned task?

Least Privilege

Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary?

Deterrent

Which control category discourages an incipient incident?

-Personnel changes -Mergers -Supply chain changes The risks of competitors do not affect your own firm's risk levels.

Which of the following can affect the state of risks? -Personnel changes -Mergers -Supply chain changes -Risk levels of competitors

-Mitigation

Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster? -Acceptance -Mitigation -Avoidance -Transference

Cost avoidance

Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident? *key words: defense

No changes by authorized subjects without external validation

Which of the following is NOT a change control principle of the Clark-Wilson model?

Risk report memorandum

Which of the following is NOT a part of a risk report structure? Good executive summary Risk report memorandum Risk report summary

-Remove the measurement system

Which of the following is NOT a phase in the information security measurement system lifecycle? -Select security metrics -Mature the measurement system -Prepare a business case -Remove the measurement system -Launch the measurement system

Use to form information technology governance

Which of the following is NOT a purpose of ISO/IEC 27001:2005?

-Assess control impact

Which of the following is NOT a step in the FAIR risk management framework? -Assess control impact -Identify scenario components -Evaluate loss event frequency -Derive and articulate risk (Think about RA HW assignments)

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.

Which of the following is NOT a valid rule of thumb on risk control strategy selection?

Risk elimination

Which of the following is NOT a way organizations can respond to risk? -Risk mitigation -Risk transfer -Risk elimination -Risk acceptance

For official use only

Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information?

Identify key components

Which of the following is NOT a risk evaluation step?

Both A and B are correct (Security Model and Framework)

Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?

Ongoing threat assessments

Which of the following is a tier 1 risk monitoring activity?

-Training cost

Which of the following is a type of SAFEGUARD cost? -Selling cost -Orientation cost -Employment cost -Training cost *think about this!

Security awareness training is not completely effective for all users

Which of the following is a well-framed PHRASE used by the security risk assessment TEAM when risk reporting?

Meeting stakeholder needs

Which of the following is not one of the components of the COSO framework?

-Security model -Framework

Which of the following is/are a generic blueprint(s) offered by a service organization which must be flexible, scalable, robust and detailed? -Security model -Framework -SLA -Security standard

-Metrics, KPI, KPx, KRI, dashboard *P comes before R

Which of the following orders is consistent with the KPI, KPx and KRI formation? -KPI, KPx, KRI, dashboard -Metrics, KPI, KPx, KRI, dashboard -Metrics, KRI, KPx, KPI, dashboard

COBIT

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?

Phase 1

Which phase of the information security measurement system lifecycle involves gaining a solid appreciation of the organization's information security-related information needs? -Phase 4 -Phase 1 -Phase 6 -Phase 1 and 2

Reference Monitor

Which piece of the Trusted Computing Base's security system manages access controls?

TCSEC

Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?

Nondiscretionary

Which type of access controls can be role-based or task-based?

360,000

XYZ Co. has decided that the loss event of a single incident on RESOURCE-A is $300,000 and it would result in 40% exposure factor. They also feel that this event could happen 3 times a year. What is the annual loss expectancy (ALE)?

-Create a risk mitigation plan

You have created a risk assessment, and management has approved it. What do you do next? -Start assessing risks for a different department -Define the scope of the risk assessment -Gather the stakeholders for a progress meeting -Create a risk mitigation plan

Analyzing

_____ monitoring results gives organizations the capability to maintain awareness of the risk being incurred, highlight the need to revisit other steps in the risk management process, and initiate process improvement activities as needed. *fill in blank

Controls

______ mitigate risks *Fill in the blank

Covert

____________________ channels are unauthorized or unintended methods of communications hidden inside a computer system, and include storage and timing channels.

What information should you include in your report for management when you present your recommendations?

findings, recommendation cost and time frame, and cost-benefit analysis

Risk monitoring provides organizations the means to (click all that apply):

identify risk-impacting changes to organizational information systems and environment operation, determine the ongoing effectiveness of risk response measures, and verify compliance

Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?

incident response plan

Which of the following orders is consistent with the KPI, KPX, and KRI formation?

metrics, KPI, KPx, KRI, Dashboard

Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?

mitigation

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?

monitoring and measurement

Which of the following can affect the state of risks?

personnel changes, mergers, supply chain changes

Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?

political feasibility

What are the seven COBIT enablers?

principles, policies, and frameworks; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?

qualitative assessment of many risk components

What does FAIR's BRAG rely on to build the risk management framework that is unlike many other risk management frameworks?

quantitative valuation of safeguards

Clear and effective security risk assessment reporting requires that the contents of the report be perceived as

relevant, unambiguous, nonthreatening, accurate

Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?

security model, framework

Purchasing insurance is the primary way to ______ or _______ risk.

share, transfer

By multiplying the asset value by the exposure factor, you can calculate which of the following?

single loss expectancy

True

t/f: in addition to deciding on appropriate monitoring activities across the risk management tiers, organizations also decide how monitoring is to be conducted (e.g., automated or manual approaches) and the frequency of monitoring activities.

After you collect data on risks and recommendations, you include that information in a report, and you give that report to management. Why do you do this?

to help management decide which recommendations to use

