MIS516 EXAM 2


Planned safeguards are the same as approved controls. True False

F

The terms safeguard, countermeasure, and control can be used interchangeably. True False

T

What type of control ensures that account management is secure? account management controls account controls access management controls access controls

account management controls

Clear and effective security risk assessment reporting requires that the contents of the report be perceived as (check all that apply) nonthreatening accurate relevant actionable unambiguous

nonthreatening accurate relevant unambiguous

What are the two primary goals when implementing a risk mitigation plan? increasing security and maintaining easy access avoiding surprises and staying on budget staying on schedule and in budget being thorough and cautious

staying on schedule and in budget

A logon identifier is a type of __________ control. access procedural functional technical

technical

The actual methods used to protect against data loss are __________ controls, but the program that identifies which data to protect is a ___________ control. mechanical, procedural procedural, technical manual, technical technical, procedural

technical, procedural

What is the purpose of a risk mitigation plan? a. to bolster a risk assessment b. to ensure compliance c. to implement approved countermeasures d. to reduce threats

to implement approved countermeasures

The ______________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.

transference

XYZ Co. has decided that the loss event of a single incident on RESOURCE-A is $300,000 and it would result in 40% exposure factor. They also feel that this event could happen 3 times a year. What is the annual loss expectancy (ALE)? $360,000 $120,000 $900,000 $50,000

$360,000

Order the following for measuring and incorporating metrics. Test metrics Mature measurements Launch metrics Determine requirement Design and select metric system Manage measurements Develop metrics Business case

1. Determine requirement 2. Business case 3. Design and select metric system 4. Develop metrics 5. Test metrics 6. Launch metrics 7. Manage measurements 8. Mature measurements

What portion of the risk assessment report is actually essential in ANY report? Methodology Supporting Appendices A Good Conclusion A Good Executive Summary

A Good Executive Summary

The final summary of risks, impacts, rationales, and treatments is called what? A Risk Catalog A Risk Index A Threat-Control-Vulnerability-Impact Catalog A Risk Register

A Risk Register

The final phase of the security risk assessment is to create a(n) ________ that addresses all security risks identified in the ___________. Final report, Action plan Action plan, data gathering phase Risk report, risk assessment Action plan, final report Final report, risk assessment

Action plan, final report

What is a significant part of the step of evaluating controls and determining which controls to implement? DRPs DMZs CBAs BCPs

CBAs

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? COSO ISO COBIT NIST

COBIT

What is the first step in applying the RMF? Select an initial set of baseline security controls Authorize information system operation based on risk determination Assess the security controls using appropriate assessment procedures Categorize the information system and the information processed

Categorize the information system and the information processed

All of the following are risk treatments in different frameworks except? Control Avoid Defer Mitigate Transfer Accept

Control

____________ mitigate(s) risk. Controls Assessments Databases Management

Controls

What is NOT a best practice for enabling a risk mitigation plan from your risk assessment? Stay within the scope. Control the schedule. Create a new POAM. Control the costs.

Create a new POAM.

You have created a risk assessment, and management has approved it. What do you do next? Create a risk mitigation plan. Gather the stakeholders for a progress meeting. Start assessing risks for a different department. Define the scope of the risk assessment.

Create a risk mitigation plan.

What is NOT an example of an intangible value? Cost of gaining a consumer Customer influence Future loss Data

Data

All of the following are KPI types except: Qualitative Esoteric Milestone Threshold

Esoteric

It is important to understand that not all frameworks are created as equivalents. Let's look at the differences between FAIR and OCTAVE. Which statement is NOT true? OCTAVE is lower level, more methodological FAIR addresses a wider range of security and risk assessment issues than OCTAVE OCTAVE is more flexible and customizable FAIR is more quantitative and prescriptive

FAIR addresses a wider range of security and risk assessment issues than OCTAVE

The security risk for each vulnerability found during the gathering phase can be addressed through all of the following EXCEPT: Avoid Security Risk Ignore Security Risk Accept Security Risk Reduce Security Risk

Ignore Security Risk

The COSO framework is built on eight interrelated components. Which of the following is NOT one of them? Monitoring Risk response Risk assessment InfoSec Governance

InfoSec Governance

When calculating safeguard costs we must typically be sure to include which of the following? (select all that apply) a. installation charges b. purchase price c. training costs d. operational costs e. maintenance costs

Installation Charges purchase price training costs operational costs

A risk ____ could be a simple listing of identified risks, some of which are already assessed and others of which are still in the process of being qualified. Mitigation Assessment Plan Inventory

Inventory

The relation between Controls and Threats is best described as? One-to-Many (One Threat can have many Controls) One-to-Many (One Control can address many Threats) One-to-One Many-to-Many

Many-to-Many

Which of the following is NOT one of the components of the COSO framework? Communication and reporting Risk assessment Information and communication Meeting stakeholder needs

Meeting stakeholder needs

Which of the following can affect the state of risks? Risk levels of competitors Mergers Personnel changes Supply Chain changes

Mergers Personnel changes Supply Chain changes

Which of the following is a Tier 1 risk monitoring activity? Ongoing threat assessments Penetration Testing Analysis of new or current technologies Automated monitoring of standard configuration settings for IT products Vulnerability scanning

Ongoing threat assessments

What does OCTAVE stand for? Operationally Critical Threat Asset and Variable Evaluation Optional Tension After Vulnerability Excessiveness Operationally Critical Threat, Asset, and Vulnerability Evaluation Optional Tactical Active Variable Evaluation

Operationally Critical Threat, Asset, and Vulnerability Evaluation

Which of the following is NOT a phase in the information security measurement system lifecycle? Prepare a business case Mature the measurement system Remove the measurement system Launch the measurement system Select security metrics

Remove the measurement system

Which of the following is NOT a way organizations can respond to risk? Risk Avoidance Risk Acceptance Risk Mitigation Risk Transfer Risk Elimination

Risk Elimination

PRAGMATIC is a Threat Catalog Security Measurement System Government Regulation Risk Assessment Approach Cyber Security Framework

Security Measurement System

Which of the following is a well-framed phrase used by the security risk assessment team when risk reporting? Group C would be better if they had more security awareness training The users in group B are not doing what they are supposed to Administrators in group A failed to properly harden all servers in their area Security awareness training is not completely effective for all users Bad user habits leave written passwords written in the clear around their workstations

Security awareness training is not completely effective for all users

A CBA helps determine if you should use a safeguard. True False

T

What is Risk Acceptance? The acceptance of what the actual risk is How appropriate the risk can be to the situation None of the above The appropriate risk response when the identified risk is within the organizational risk tolerance.

The appropriate risk response when the identified risk is within the organizational risk tolerance.

Many firms and regulators refer to one or more cybersecurity and/or risk assessment frameworks. However, firms sometimes create their own custom frameworks. Using a predefined framework has all of the following benefits except what? The framework can be easier to implement for your specific organization The framework is defensible if your process is called into question by others The framework has less initial work to set up and understand The framework is unlikely to miss important key concepts

The framework can be easier to implement for your specific organization

Which of the following is a type of safeguard cost? Orientation Cost Selling Cost Employment Cost Training Cost

Training Cost

OCTAVE is one of the many frameworks available. Although heavy and labor intensive, it includes innovative approaches. One of the unique aspects of OCTAVE is the pools of mitigation approaches. The pools used include everything but? Transfer Mitigate Mitigate or Defer Accept Defer or Accept

Transfer

Which of the following is NOT a purpose of ISO/IEC 27001:2005? Implementation of business-enabling information security Use to form information technology governance Use within an organization to ensure compliance with laws and regulations Use within an organization to formulate security requirements and objectives

Use to form information technology governance

Select all of the following that risk monitoring allows organizations to do: Avoid performing risk assessments Verify compliance Determine the ongoing effectiveness of risk response measures Evaluate the costs and benefits of different security controls Identify risk-impacting changes to organization information systems

Verify compliance Determine the ongoing effectiveness of risk response measures Identify risk-impacting changes to organization information systems

Security risk decision variables include all the following aspects EXCEPT Likelihood that a vulnerability will be exploited Weakness of the security Value of the asset Severity of the impact

Weakness of the security

Organizations employ risk monitoring tools, techniques, and procedures to increase risk _____

awareness

What is NOT one of the three primary objectives of controls? correct eliminate detect prevent

eliminate

What is an important element of following up on a risk mitigation plan? installing a firewall ensuring that security gaps are closed performing test restores creating a new POAM

ensuring that security gaps are closed

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them? evaluating alternative strategies measuring program effectiveness conducting decision support implementing controls

evaluating alternative strategies

Which of the following represents the basic structure of a risk assessment report? base report and appendices executive summary, base report, appendices vulnerability analysis, appendices base report, BIA, executive summary

executive summary, base report, appendices

When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.

exploited

What information should you include in your report for management when you present your recommendations? recommendation, justification, and procedure findings, recommendation cost and time frame, and cost-benefit analysis affinity diagram, POAM, and CBA stakeholders, key stakeholders, and C-level stakeholders

findings, recommendation cost and time frame, and cost-benefit analysis

Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed? framework SLA security standard security model

framework security model

ISO/IEC 27001 provides implementation details on how to implement ISO/IEC 27002 and how to set up a(n) ____________________.

information security management system (ISMS)

Another term for data range and reasonableness checks is ______________. input checks data validation input validation reasonableness range

input validation

Which of the following affects the cost of a control? a. liability insurance b. CBA report c. asset resale d. maintenance

maintenance

What is NOT one of the implementation methods of controls? technical procedural physical manual

manual

Which of the following orders is consistent with the KPI, KPx and KRI formation? metrics, KPI, KPx, KRI, Dashboard metrics, KPx, KPR, KPI, Dashboard metrics, KPI, KPR, KPx, Dashboard metrics, KPR, KPI, KPx, Dashboard

metrics, KPI, KPx, KRI, Dashboard **IxR**

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk? analysis and adjustment monitoring and measurement review and reapplication evaluation and funding

monitoring and measurement

What are the seven COBIT enablers? meeting stakeholder needs; processes; enabling a holistic approach; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies covering the enterprise end-to-end; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and applying a single integrated framework meeting stakeholder needs; covering the enterprise end-to-end; applying a single integrated framework; enabling a holistic approach; information; separating governance from management; and people, skills, and competencies principles, policies, and frameworks; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies

principles, policies, and frameworks; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies

Insurance, background checks, and security plans are all categories of ___ a. policy controls b. procedural controls c. procedures d. policies

procedural controls

Risk mitigation, or risk ________, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred.

reduction

Purchasing insurance is the primary way to ___ or ___ risk a. mitigate, share b. mitigate, accept c. share, transfer d. transfer, accept

share, transfer

Place the following in the correct order for risk management. analyze risks rank risks monitor and review risks identify risks treat risks

1. identify risk 2. analyze risks 3. rank risks 4. treat risks 5. monitor and review risks

If there are three possible outcomes to an event, one of which has a probability of 40% and will cost you $4000 and one of which has a probability of 30% and which will cost you $1500, and another with a probability of 30% that will cost you $2500, what is your expected loss? 1200 2800 8000 1600 2050 2350 4000

2800

In addition to the data captured in your risk assessment template, exceptions and mitigation plans need to include the following information EXCEPT: Budget Process Business justification for the risk Policy exceptions/risk acceptance approval and time frame Mitigation action items, long- and short-term

Budget Process

As a top-level executive at your own company, you are worried that your employees may steal confidential data too easily by downloading and taking home data onto thumb drives. What is the best way to prevent this from happening? Create and enforce a written company policy against the use of thumb drives, and install technical controls on the computers that will prevent the use of thumb drives. Instruct higher level employees to inform their employees that the use of a thumb drive is a fireable offense. Hold a seminar that explains to employees why the use of thumb drives in the workplace is a security hazard. Install a technical control to prevent the use of thumb drives.

Create and enforce a written company policy against the use of thumb drives, and install technical controls on the computers that will prevent the use of thumb drives.

A KPx is a summary of one or more KRIs. True False

F

A business impact analysis (BIA) is an output of the risk assessment process. True False

F

COBIT worked with ISACA to develop ITGI. True False

F

Change management ensures that similar systems have the same, or at least similar, configurations. True False

F

Configuration management is the same as change management. True False

F

FAIR's BRAG relies on qualitative assessment of many risk components using scales with value ranges. True False

F

If an in-place countermeasure needs to be upgraded or replaced, you should disable or remove the countermeasure until the new or upgraded control can be installed in order to best reduce vulnerabilities. True False

F

In information security, a framework or security model customized to an organization, including implementation details is known as a floor plan. True False

F

In the risk management process, it is not important to identify who should be responsible for the various processes or steps. True False

F

Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. True False

F

KPIs do not necessarily need to be tied to organizational strategy. True False

F

Key Performance Indicators monitor risk appetite. True False

F

Loss Before Countermeasure - Loss After Countermeasure = Countermeasure Value True False

F

Organizations can only implement risk monitoring at risk management tiers 1 and 2. True False

F

Risk mitigation plans help determine the numerical values for the risk formula, which is Risk = Threat x Vulnerability. True False

F

Technical controls alone, when properly configured, can secure an IT environment. True False

F

The objective in risk assessment reporting is to assign blame to those who pose risks. True False

F

The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. True False

F

The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy. True False

F

The risk control strategy where the organization is willing to accept the current level of risk and makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy. True False

F

You will never need to replace in-place controls (T/F)

F

Which of the following is NOT a risk evaluation step? Identify the key components Determine residual risk level Determine likelihood of threat/vulnerability Determine risk exposure (including risk sensitivity) Determine severity of threat/vulnerability

Identify the key components

All of the following are risk treatments in different frameworks except? Mitigate Ignore Defer Accept Avoid Transfer

Ignore

Which phase of the information security measurement system lifecycle involves gaining a solid appreciation of the organization information security-related information needs? Phase 3 Phase 8 Phase 4 Phase 1

Phase 1

Which of the following is NOT part of a risk report structure? Exhibits Base Report Appendices Risk Report Memorandum Executive-Level Report

Risk Report Memorandum

ALE is: ARO * EF SLE - ARO SLE / ARO SLE x ARO

SLE x ARO

A best practice for enabling a risk mitigation plan from your risk assessment is prioritizing countermeasures. True False

T

A best practice for enabling a risk mitigation plan from your risk assessment is staying within scope. True False

T

A decision to accept, avoid, transfer, or mitigate a risk is made in the risk evaluation stage. True False

T

A gap analysis report documents differences between what is mitigated and what is NOT mitigated, resulting in a gap in security. True False

T

A risk assessment ends with a report. True False

T

A risk assessment provides a point-in-time report. True False

T

A threshold KPI is significant when an index falls into a set range. True False

T

Access controls testing verifies user rights and permissions. True False

T

Action plans are a necessary output of the risk assessment process so that recommendations can be acted upon quickly once the assessment is approved. True False

T

Change management is a process that ensures that changes are made only after a review process. True False

T

Continuous monitoring is necessary because security work is never done. True False

T

Ensuring that controls are effective is a best practice for risk mitigating security controls. True False

T

Good risk reporting should include tables and figures to visually convey information to the audience. True False

T

How your organization starts its risk mitigation process depends entirely on the type of organization you are working in. True False

T

In Information Security, KPIs measure the performance or health of Information Security. True False

T

In addition to deciding on appropriate monitoring activities across the risk management tiers, organizations also decide how monitoring is to be conducted (e.g., automated or manual approaches) and the frequency of monitoring activities. True False

T

Information security is a dynamic field because the risks fluctuate in a complex and, hence, not entirely predictable manner. True False

T

KRIs measure how risky an activity is. True False

T

Key Risk Indicators should be tied to one or more Key Performance Indexes. True False

T

Logs need to be reviewed. True False

T

One of the ways to identify controls is to identify critical business functions and critical business operations. True False

T

One or more KPIs can be included in a key performance index. True False

T

Organizations can implement risk monitoring at any of the risk management tiers with different objectives and utility of information produced. True False

T

Physical access controls protect valuable assets by restricting physical access to them. (T/F)

T

ROSI = reduction in risk exposure / investment in countermeasures (T/F)

T

Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance. True False

T

Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. True False

T

Risk monitoring provides organizations with the means to verify compliance, determine the effectiveness of risk measures, and identify risk-impacting changes to organizational information systems and environments of operations. True False

T

The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication. True False

T

The Information Technology Infrastructure Library (ITIL) defines the organizational structure and skill requirements of an IT organization and a set of standard operational procedures and practices that allow the organization to manage an IT operation and associated infrastructure. True False

T

The criterion most commonly used when evaluating a strategy to implement InfoSec controls is economic feasibility. True False

T

The first step of becoming ISO 27002 certified involves implementing best practices. True False

T

The organization's level of security risk acceptance should be considered when selecting recommended safeguards. True False

T

The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. True False

T

The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy (T/F)

T

When converting a risk assessment to a risk mitigation plan, you may need to verify the risk elements. True False

T

Planned controls are controls that have been approved but not installed yet (T/F)

T

Risk sharing shifts a portion of the responsibility or liability (T/F)

T

Risk monitoring provides organizations the means to (click all that apply): assess risk identify risk-impacting changes to organizational information systems and environments of operation verify compliance determine the ongoing effectiveness of risk response measures

identify risk-impacting changes to organizational information systems and environments of operation verify compliance determine the ongoing effectiveness of risk response measures

What does the Assign Security Risk help with? a. all the above b. based on business mission and other factors, accept the identified security risk c. reduce specified security risk d. purchase insurance to assign or transfer the security risk to another party

purchase insurance to assign or transfer the security risk to another party

What does FAIR's BRAG rely on to build the risk management framework that is unlike many other risk management frameworks? qualitative assessment of many risk components risk analysis estimates quantitative valuation of safeguards subjective prioritization of controls

quantitative valuation of safeguards

The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following? risk treatment risk determination risk assessment risk communication

risk determination

After you collect data on risks and recommendations, you include that information in a report, and you give that report to management. Why do you do this? to avoid several time-consuming presentations about each individual recommendation to inform management of the progress of the risk management task to help management assess how much of the risk was mitigated by the proposed solution to help management decide which recommendations to use

to help management decide which recommendations to use

SLE is AV / EF AV - EF AV + ALE AV x EF

AV x EF

The standard format that must be followed when writing a vulnerability assessment report requires that the vulnerability assessment includes the following sections: table of contents, executive summary, methods, results, and recommendations. True False

F

There is only one way to format and organize a risk assessment report. True False

F

Which of the following is NOT a valid rule of thumb on risk control strategy selection? When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.

_____ monitoring results gives organizations the capability to maintain awareness of the risk being incurred, highlight the need to revisit other steps in the risk management process, and initiate process improvement activities as needed.

analyzing

Which of the following is NOT a step in the FAIR risk management framework? evaluate loss event frequency identify scenario components assess control impact derive and articulate risk

assess control impact

Which of the following is NOT a factor for developing a risk mitigation/response plan? a. best practice in industry b. scaled to magnitude of risk c. achievable d. cost effectiveness

best practice in industry

In the COSO framework, ___________ activities include those policies and procedures that support management directives.

control

Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident? asset valuation feasibility analysis cost avoidance cost-benefit analysis

cost avoidance

What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy? cost-benefit analysis single loss expectancy exposure factor annualized rate of occurrence

cost-benefit analysis
