MIS 516 Exam 2

The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy.

False

Which of the following can affect the state of risks? Mergers Personnel changes Supply Chain changes Risk levels of competitors

Mergers, Personnel changes, supply chain changes (not risk level of competitors)

Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?

Mitigation

The actual methods used to protect against data loss are __________ controls, but the program that identifies which data to protect is a ___________ control.

Technical, procedural

What is Risk Acceptance? The acceptance of what the actual risk is The appropriate risk response when the identified risk is within the organizational risk tolerance. None of the above How appropriate the risk can be to the situation

The appropriate risk response when the identified risk is within the organizational risk tolerance.

Many firms and regulators refer to one or more Cybersecurity and/or risk assessment frameworks. However, firms sometimes create their own custom frameworks. Using a predefined framework has all of the following benefits except what? The framework has less initial work to set up and understand The framework unlikely to miss important key concepts The framework is defensible if your process is called into question by others The framework can be easier to implement for your specific organization

The framework can be easier to implement for your specific organization

Which of the following is a type of safeguard cost? Orientation Cost Training Cost Employment Cost Selling Cost

Training Cost

OCTAVE is one of the many frameworks available. Although heavy and labor intensive, it includes innovative approaches. One of the unique aspects of OCTAVE is the pools of mitigation approaches. The pools used include everything but? Defer or Accept Mitigate or Defer Transfer Accept Mitigate

Transfer

The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.

Transference

A best practice for enabling a risk mitigation plan from your risk assessment is prioritizing countermeasures.

True

A best practice for enabling a risk mitigation plan from your risk assessment is staying within scope.

True

A decision is made to accept, avoid, transfer, or mitigate a risk is done in the risk evaluation stage.

True

A gap analysis report documents differences between what is mitigated and what is NOT mitigated, resulting in a gap in security.

True

A risk assessment ends with a report.

True

A risk assessment provides a point-in-time report.

True

A threshold KPI is significant when an index falls into a set range.

True

Access controls testing verifies user rights and permissions.

True

Action plans are a necessary output of the risk assessment process so that recommendations can be acted upon quickly once the assessment is approved.

True

Change management is a process that ensures that changes are made only after a review process.

True

Continuous monitoring is necessary because security work is never done.

True

Ensuring that controls are effective is a best practice for risk mitigating security controls.

True

Good risk reporting should include tables and figures to visually convey information to the audience.

True

In Information Security, KPIs measure the performance or health of Information Security.

True

In addition to deciding on appropriate monitoring activities across the risk management tiers, organizations also decide how monitoring is to be conducted (e.g., automated or manual approaches) and the frequency of monitoring activities.

True

Information security is a dynamic field because the risks fluctuate in a complex and, hence, not entirely predictable manner.

True

KRIs measure how risky an activity is.

True

Key Risk Indicators should be tied to one or more Key Performance Indexes.

True

Logs need to be reviewed.

True

One of the ways to identify controls is to identify critical business functions and critical business operations.

True

One or more KPIs can be included in a key performance index.

True

Organizations can implement risk monitoring at any of the risk management tiers with different objectives and utility of information produced.

True

Physical access controls protect valuable assets by restricting physical access to them

True

Planned controls are controls that have been approved but not installed yet.

True

ROSI = reduction in risk exposure / investment in countermeasures

True

Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred.

True

Which of the following is NOT risk evaluation step? Determine severity of threat/vulnerability Determine residual risk level Determine risk exposure (including risk sensitivity) Determine likelihood of threat/vulnerability Identify the key components

Identify the key components

All of the following are risk treatments in different frameworks except? Mitigate Defer Transfer Ignore Accept Avoid

Ignore

The security risk for each vulnerability found during the gathering phase can be addressed through all of the following EXCEPT: Reduce Security Risk Avoid Security Risk Accept Security Risk Ignore Security Risk

Ignore Security Risk

The COSO framework is built on eight interrelated components. Which of the following is NOT one of them? InfoSec Governance Risk assessment Risk response Monitoring

InfoSec Governance

A risk ____ could be a simple listing of identified risks, some of which are already assessed and others of which are still in the process of being qualified Inventory Assessment Mitigation Plan

Inventory

The relation between Controls and Threats is best described as? Many-to-Many One-to-One One-to-Many (One Threat can have many Controls) One-to-Many (One Control can address many Threats)

Many-to-Many

Which of the following is NOT one of the components of the COSO framework? Communication and reporting Risk assessment Meeting stakeholder needs Information and communication

Meeting stakeholder needs

Risk monitoring provides organization with the means to verify compliance, determine the effectiveness of risk measures, and identify risk-impacting changes to organizational information systems and environments of operations.

True

Risk sharing shifts a portion of the responsibility or liability.

True

The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.

True

The Information Technology Infrastructure Library (ITIL) defines the organizational structure and skill requirements of an IT organization and a set of standard operational procedures and practices that allow the organization to manage an IT operation and associated infrastructure.

True

The criterion most commonly used when evaluating a strategy to implement InfoSec controls is economic feasibility.

True

The first step of becoming ISO 27002 certified involves implementing best practices.

True

The organizations level of security risk acceptance should be considered when selecting recommended safeguards.

True

The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.

True

What type of control ensures that account management is secure? access controls account management controls account controls access management controls

account management controls

Risk monitoring provides organizations the means to (click all that apply): verify compliance assess risk determine the ongoing effectiveness of risk response measures identify risk-impacting changes to organizational information systems and environments of operation

all except assess risk

What are the seven COBIT enablers? meeting stakeholder needs; processes; enabling a holistic approach; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies covering the enterprise end-to-end; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and applying a single integrated framework principles, policies, and frameworks; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies meeting stakeholder needs; covering the enterprise end-to-end; applying a single integrated framework; enabling a holistic approach; information; separating governance from management; and people, skills, and competencies

principles, policies, and frameworks; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies

Insurance, background checks, and security plans are all categories of ____________. procedural controls policies procedures policy controls

procedural controls

What are the two primary goals when implementing a risk mitigation plan? being thorough and cautious staying on schedule and in budget avoiding surprises and staying on budget increasing security and maintaining easy access

staying on schedule and in budget

After you collect data on risks and recommendations, you include that information in a report, and you give that report to management. Why do you do this? to inform management of the progress of the risk management task to help management decide which recommendations to use to avoid several time-consuming presentations about each individual recommendation to help management assess how much of the risk was mitigated by the proposed solution

to help management decide which recommendations to use

What is the purpose of a risk mitigation plan? to implement approved countermeasures to ensure compliance to bolster a risk assessment to reduce threats

to implement approved countermeasures

Select all of the following that risk monitoring allows organizations to do: a. Avoid performing risk assessments b. Verify compliance c. Determine the ongoing effectiveness of risk response measures d. Evaluate the costs and benefits of different security controls e. Identify risk-impacting changes to organization information systems

verify, determine, identify

Key Performance Indicators monitor risk appetite.

False

Loss Before Countermeasure - Loss After Countermeasure = Countermeasure Value

False

Organizations can only implement risk monitoring at risk management tiers 1 and 2.

False

Planned safeguards are the same as approved controls.

False

Technical controls alone, when properly configured, can secure an IT environment.

False

The objective in risk assessment reporting is to assign blame to those who pose risks.

False

The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy.

False

All of the following are KPI types except: Milestone Esoteric Threshold Qualitative

Esoteric

XYZ Co. has decided that the loss event of a single incident on RESOURCE-A is $300,000 and it would result in 40% exposure factor. They also feel that this event could happen 3 times a year. What is the annual loss expectancy (ALE)? $360,000 $120,000 $900,000 $50,000

$360,000

If there are three possible outcomes to an event, one of which has a probability of 40% and will cost you $4000 and one of which has a probability of 30% and which will cost you $1500, and another with a probability of 30% that will cost you $2500, what is your expected loss? 2350 1200 1600 4000 8000 2050 2800

2800

What portion of the risk assessment report is actually essential in ANY report? A Good Executive Summary A Good Conclusion Supporting Appendices Methodology

A Good Executive Summary

The final summary of risks, impacts, rationales, and treatments is called what? A Risk Catalog A Threat-Control-Vulnerability-Impact Catalog A Risk Index A Risk Register

A Risk Register

SLE=

AV x EF

The final phase of the security risk assessment is to create a(n) ________ that addresses all security risks identified in the ___________. Risk report, risk assessment Final report, Action plan Final report, risk assessment Action plan, final report Action plan, data gathering phase

Action plan, final report

In addition to the data captured in your risk assessment template, exceptions and mitigation plans need to include the following information EXCEPT: Mitigation action items, long- and short-term Budget Process Business justification for the risk Policy exceptions/risk acceptance approval and time frame

Budget Process

What is a significant part of the step of evaluating controls and determining which controls to implement? DRPs DMZs CBAs BCPs

CBAs

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? COBIT ISO NIST COSO

COBIT

What is the first step in applying the RMF? Categorize the information system and the information processed Authorize information system operation based on risk determination Assess the security controls using appropriate assessment procedures Select an initial set of baseline security controls

Categorize the information system and the information processed

All of the following are risk treatments in different frameworks except? Defer Accept Mitigate Transfer Control Avoid

Control

What is NOT a best practice for enabling a risk mitigation plan from your risk assessment? Control the costs. Create a new POAM. Control the schedule. Stay within the scope.

Create a new POAM.

You have created a risk assessment, and management has approved it. What do you do next?

Create a risk mitigation plan

As a top-level executive at your own company, you are worried that your employees may steal confidential data too easily by downloading and taking home data onto thumb drives. What is the best way to prevent this from happening? Create and enforce a written company policy against the use of thumb drives, and install a technical controls on the computers that will prevent the use of thumb drives. Hold a seminar that explains to employees why the use of thumb drives in the workplace is a security hazard. Instruct higher level employees to inform their employees that the use of a thumb drive is a fireable offense. Install a technical control to prevent the use of thumb drives.

Create and enforce a written company policy against the use of thumb drives, and install a technical controls on the computers that will prevent the use of thumb drives.

What is NOT an example of an intangible value? Cost of gaining a consumer Future loss Customer influence Data

Data

What is an important element of following up on a risk mitigation plan?

Ensuring that security gaps are closed

It is important to understand that not all frameworks are created as equivalents. Let's look at the differences between FAIR and OCTAVE. Which statement is NOT true? OCTAVE is more flexible and customizable OCTAVE is lower level, more methodological FAIR is more quantitative and prescriptive FAIR addresses a wider range of security and risk assessment issues than OCTAVE

FAIR addresses a wider range of security and risk assessment issues than OCTAVE

A KPx is a summary of one or more KRIs.

False

A business impact analysis (BIA) is an output of the risk assessment process.

False

Asset valuation is a listing or grouping of assets under an assessment.

False

COBIT worked with ISACA to develop ITGI.

False

Change management ensures that similar systems have the same, or at least similar, configurations.

False

Configuration management is the same as change management.

False

FAIR's BRAG relies uses qualitative assessment of many risk components using scales with value ranges.

False

How your organization starts its risk mitigation process depends entirely on the type of organization you are working in.

False

If an in-place countermeasure needs to be upgraded or replaced, you should disable or remove the countermeasure until the new or upgraded control can be installed in order to best reduce vulnerabilities.

False

In information security, a framework or security model customized to an organization, including implementation details is known as a floor plan.

False

In the risk management process, it is not important to identify who should be responsible for the various processes or steps.

False

Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure.

False

KPIs do not necessarily need to be tied to organizational strategy.

False

The risk control strategy were the organization is willing to accept the current level of risk and makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.

False

The standard format that must be followed when writing a vulnerability assessment report requires that the vulnerability assessment includes the following sections: table of contents, executive summary, methods, results, and recommendations.

False

The terms safeguard, countermeasure, and control can be used interchangeably.

False

There is only one way to format and organize a risk assessment report.

False

You will never need to replace in-place controls.

False

Which of the following is a Tier 1 risk monitoring activity? Vulnerability scanning Ongoing threat assessments Automated monitoring of standard configuration settings for IT products Analysis of new or current technologies Penetration Testing

Ongoing threat assessments

What does OCTAVE stand for? Optional Tactical Active Variable Evaluation Optional Tension After Vulnerability Excessiveness Operationally Critical Threat, Asset, and Vulnerability Evaluation Operationally Critical Threat Asset and Variable Evaluation

Operationally Critical Threat, Asset, and Vulnerability Evaluation

Which phase of the information security measurement system lifecycle involves gaining a solid appreciation of the organization information security-related information needs? Phase 3 Phase 4 Phase 1 Phase 8

Phase 1

Which of the following is NOT a phase in the information security measurement system lifecycle? Prepare a business case Launch the measurement system Select security metrics Mature the measurement system Remove the measurement system

Remove the measurement system

Which of the following is NOT a way organizations can respond to risk? Risk Elimination Risk Mitigation Risk Transfer Risk Avoidance Risk Acceptance

Risk Elimination

Which of the following is NOT part of a risk report structure? Risk Report Memorandum Exhibits Executive-Level Report Base Report Appendices

Risk Report Memorandum

ALE is: SLE / ARO SLE x ARO SLE - ARO ARO * EFS

SLE x ARO

PRAGMATIC is a Risk Assessment Approach Threat Catalog Cyber Security Framework Security Measurement System Government Regulation

Security Measurement System

Which of the following is a well-framed phrase used by the security risk assessment team when risk reporting? Administrators in group A failed to properly harden all servers in their area Bad user habits leave written passwords written in the clear around their workstations Security awareness training is not completely effective for all users The users in group B are not doing what they are supposed to Group C would be better if they had more security awareness training

Security awareness training is not completely effective for all users

When converting a risk assessment to a risk mitigation plan, you may need to verify the risk elements.

True

Which of the following is NOT a purpose of ISO/IEC 27001:2005? Use within an organization to ensure compliance with laws and regulations Use within an organization to formulate security requirements and objectives Use to form information technology governance Implementation of business-enabling information security

Use to form information technology governance

Security risk decision variables include all the following aspects EXCEPT Severity of the impact Likelihood that a vulnerability will be exploited Value of the asset Weakness of the security

Weakness of the security

Which of the following is NOT a valid rule of thumb on risk control strategy selection? When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.

_____ monitoring results gives organizations the capability to maintain awareness of the risk being incurred, highlight the need to revisit other steps in the risk management process, and initiate process improvement activities as needed.

analyzing

Which of the following is NOT a step in the FAIR risk management framework? assess control impact derive and articulate risk identify scenario components evaluate loss event frequency

assess control impact

Organizations employ risk monitoring tools, techniques, and procedures to increase risk _____.

awareness

Which of the following is NOT a factor for developing a risk mitigation/response plan? achievable best practice in industry cost effectiveness scaled to magnitude of risk

best practice in industry

Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident? cost-benefit analysis feasibility analysis cost avoidance asset valuation

cost avoidance`

What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?

cost-benefit analysis

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them? evaluating alternative strategies conducting decision support measuring program effectiveness implementing controls

evaluating alternative strategies

Clear and effective security risk assessment reporting requires that the contents of the report be perceived as (check all that apply) relevant unambiguous accurate actionable nonthreatening

everything except actionable

Which of the following represents the basic structure of a risk assessment report? vulnerability analysis, appendices executive summary, base report, appendices base report and appendices base report, BIA, executive summary

executive summary, base report, appendices

When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.

exploited

What information should you include in your report for management when you present your recommendations? findings, recommendation cost and time frame, and cost-benefit analysis stakeholders, key stakeholders, and C-level stakeholders affinity diagram, POAM, and CBA recommendation, justification, and procedure

findings, recommendation cost and time frame, and cost-benefit analysis

Order the following for measuring and incorporating metrics. __1__ Determine requirement __2__ Business case __3__ Design and select metric system __4__ Develop metrics __5__ Test metrics __6__ Launch metrics __7__ Manage measurements __8__ Mature measurements

idk

Place the following in the correct order for risk management. _1__ identify risk _2__ analyze risks _3__ rank risks __4__ treat risks __5__ monitor and review risks _

idk

Another term for data range and reasonableness checks is ______________. input checks reasonableness range input validation data validation

input validation

Which of the following affects the cost of a control? Question options: liability insurance CBA report asset resale maintenance

maintenance

What is NOT one of the implementation methods of controls? Question options: manual physical technical procedural

manual

Which of the following orders is consistent with the KPI, KPx and KRI formation? metrics, KPx, KPR, KPI, Dashboard metrics, KPI, KPx, KRI, Dashboard metrics, KPI, KPR, KPx, Dashboard metrics, KPR, KPI, KPx, Dashboard

metrics, KPI, KPx, KRI, Dashboard

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk? evaluation and funding review and reapplication monitoring and measurement analysis and adjustment

monitoring and measurement

What does FAIR's BRAG rely on to build the risk management framework that is unlike many other risk management frameworks? quantitative valuation of safeguards qualitative assessment of many risk components risk analysis estimates subjective prioritization of controls

quantitative valuation of safeguards

The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following? risk assessment risk determination risk communication risk treatment

risk determination

Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed? security model SLA framework security standard

security model, framework

When Calculating Safeguard Costs we must typically be sure to include which of the following? (select all that apply) Training Costs Installation Charges Purchase Price Maintenance Costs Operational Costs

select all of them

Purchasing insurance is the primary way to ______ or _______ risk. share, transfer transfer, accept mitigate, accept mitigate, share

share, transfer