cyber quiz 4

_____ include information and the systems that use, store, and transmit information

information assets

the probability that a specific vulnerability within an organization will be attacked by a threat is known as

likelihood

the _____ risk treatment strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards

mitigation

the _____ treatment strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation

mitigation

when deciding which information assets to track, consider the following asset attributes: people, _____, data, software, and hardware

procedures

As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.

relative

_____ equals the probability of a successful attack multiplied by the expected loss from a successful attack plus an element of uncertainty

risk

_____ involves four major undertakings: risk identification, risk analysis, risk evaluation, and risk treatment control

risk management

______ is the process of identifying risk, as represented by vulnerabilities, to an organization's information assets and infrastructure, and taking steps to reduce this risk to an acceptable level

risk management

Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack.

true

Risk control, also known as risk treatment, is the application of controls that reduce the risks to an organization's information assets to an acceptable level.

true

when it is necessary to calculate, estimate, or derive values for information assets, you might give consideration to the value incurred from the cost of protecting the information

true

In a _____ assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking the scores

weighted table analysis

The formal decision making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) ____.

CBA

A threat _____ is an evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack.

assessment

you can determine the relative risk for each of the organizations information assets using a process called risk _____, which combines risk identification, risk analysis, and risk evaulation

assessment

risk _____ is the application of security mechanisms to reduce the risks to an organization's data and information systems

control

A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on them.

false

a data classification scheme is a formal access control methodology used to assign a level of availability to an information asset and thus restrict when people who can access it

false

cost mitigation is the process of preventing the financial impact of an incident by implementing control

false

cost-benefit analyses (CBAs) cannot be calculated after controls have been functioning for a time, an observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended

false

residual risk is the risk that organizations are willing to accept even after current current controls have been applied

false

risk acceptance defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility

false

risk mitigation is the process of assigning a risk rating or score to each information asset

false

risk mitigation is the risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards, but it is not the preferred approach to controlling risk

false

when an organization depends on IT-based systems to remain viable, infosec, and the discipline of asset management must become an integral part of the economic basis for making business decisions

false

within data classification schemes, it is important that all categories used be unique and mutually exclusive

false

you cannot use qualitative measures to rank information asset values

false

a(n) _____ scheme is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it

security clearance

Risk _____ is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization's overall risk appetite.

tolerance

the _____ risk treatment strategy attempts to shift risk to other assets, other processes, or other organizations

transference

if the acceptance risk treatment strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and may portray as apathetic approach to security in general

true

in addition to their other responsibilities, the three communities of interest are responsible for determining which control options are cost effective for the organization

true

one way to determine which information assets are valuable is by evaluating which information asset(s) would expose the company to liability or embarrassment if revealed

true

the identification, analysis, and evaluation of risk as initial parts of risk management is called risk assessment

true

the mitigation risk treatment strategy applies controls and safeguards that eliminate or reduce the remaining uncontrolled risk

true

the organization should adopt naming standards that do not convey information to potential system attackers

true

the upper management of an organization must structure the IT and information security functions to defend the organizations information assets

true

to determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited

true

when determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts

true

in the TVA worksheet, assets are placed into a matrix with threats and then the exposure of the assets, to specific threats is explored by documenting _______

vulnerabilities

once the inventory and value assessment are complete, you can prioritize each asset using a straightforward process known as _____ analysis

weighted factor

Risk _____ is a determination of the extent to which an organization's information assets are exposed to risk.

analysis

Risk ____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.

appetite

A data _____ scheme is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.

classification

The concept of competitive ____ refers to falling behind the competition.

disadvantage

A single loss ____________________ is the calculation of the value associated with the most likely loss from an attack.

expectancy

Within a data classification scheme, "comprehensive" means that an information asset should fit in only one category.

false

the risk management (RM) _____ is the overall structure of the strategic planning and design for the entirety of the organization's RM efforts

framework