Chapter 5 Quiz

security clearance scheme

A _________ assigns a status level to employees to designate the maximum level of classified data they may access.

False

A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on them.

FCO

A(n) _________ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.

False

According to Sun Tzu, if you know yourself and know your enemy, you have an average chance to be successful in an engagement.

False

Cost-benefit analyses (CBAs) cannot be calculated after controls have been functioning for a time, as observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended.

weighted factor analysis

In a(n) __________, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking those scores.

standards of due care

When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as __________.

False

You cannot use qualitative measures to rank information asset values.

Qualitative assessment

__________ is an asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures.

ARO

__________ is simply how often you expect a specific type of attack to occur.

defense

The _________ control strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.

performance gap

The __________ is the difference between an organization's observed and desired performance.

IR

The __________ plan specifies the actions an organization can and should take while an adverse event is in progress. An adverse event could result in loss of an information asset or assets, but it does not currently threaten the viability of the entire organization.

control

Risk _________ is the application of security mechanisms to reduce the risks to an organization's data and information systems.

True

Risk control is the application of controls that reduce the risks to an organization's information assets to an acceptable level.

