MIS 416 Exam #2 Study Guide
A decision is made to accept, avoid, transfer, or mitigate a risk is done in the risk evaluation stage. (T/F)
True
A gap analysis report documents differences between what is mitigated and what is NOT mitigated, resulting in a gap in security. (T/F)
True
A risk assessment ends with a report. (T/F)
True
A risk assessment provides a point-in-time report. (T/F)
True
A threshold KPI is significant when an index falls into a set range. (T/F)
True
Access controls testing verifies user rights and permissions. (T/F)
True
Action plans are a necessary output of the risk assessment process so that recommendations can be acted upon quickly once the assessment is approved.
True
Information security is a dynamic field because the risks fluctuate in a complex and, hence, not entirely predictable manner. (T/F)
True
KRIs measure how risky an activity is. (T/F)
True
Key Risk Indicators should be tied to one or more Key Performance Indexes. (T/F)
True
Logs need to be reviewed. (T/F)
True
ROSI = reduction in risk exposure / investment in countermeasures (T/F)
True
The relation between Controls and Threats is best described as?
Many-to-Many
Risk monitoring provides organization with the means to verify compliance, determine the effectiveness of risk measures, and identify risk-impacting changes to organizational information systems and environments of operations. (T/F)
True
The organizations level of security risk acceptance should be considered when selecting recommended safeguards. (T/F)
True
What type of control ensures that account management is secure?
account management controls
Which of the following is a Tier 1 risk monitoring activity?
ongoing threat assessments
What are the seven COBIT enablers?
principles, policies, and frameworks; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies
What are the two primary goals when implementing a risk mitigation plan?
staying on schedule and in budget
After you collect data on risks and recommendations, you include that information in a report, and you give that report to management. Why do you do this?
to help management decide which recommendations to use
The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
transference
If there are three possible outcomes to an event, one of which has a probability of 40% and will cost you $4000 and one of which has a probability of 30% and which will cost you $1500, and another with a probability of 30% that will cost you $2500, what is your expected loss?
$2800
The final summary of risks, impacts, rationales, and treatments is called what?
A risk register
What is NOT a best practice for enabling a risk mitigation plan from your risk assessment?
Create a new POAM.
All of the following are KPI types except:
Esoteric
A KPx is a summary of one or more KRIs.
False
Which of the following is NOT a phase in the information security measurement system lifecycle?
Remove the measurement system
PRAGMATIC is a
Security Measurement System
Which of the following is a type of safeguard cost?
Training Cost
Organizations employ risk monitoring tools, techniques, and procedures to increase risk _____.
awareness
What is NOT one of the three primary objectives of controls?
eliminate
What is the first step in applying the RMF?
Categorize the information system and the information processed
It is important to understand that not all frameworks are created as equivalents. Let's look at the differences between FAIR and OCTAVE. Which statement is NOT true?
FAIR addresses a wider range of security and risk assessment issues than OCTAVE
In the risk management process, it is not important to identify who should be responsible for the various processes or steps. (T/F)
False
OCTAVE is one of the many frameworks available. Although heavy and labor intensive, it includes innovative approaches. One of the unique aspects of OCTAVE is the pools of mitigation approaches. The pools used include everything but?
Transfer
Change management is a process that ensures that changes are made only after a review process. (T/F)
True
Security risk decision variables include all the following aspects EXCEPT
Weakness of the security
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
evaluating alternative strategies
When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.
exploited
What information should you include in your report for management when you present your recommendations?
findings, recommendation cost and time frame, and cost-benefit analysis
Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
mitigation
To design a security program, an organization can use a(n) ____________________, which is a generic outline of the more thorough and organization-specific blueprint offered by a service organization.
security model
Which of the following can affect the state of risks?
- Supply Chain Changes - Personnel changes - Mergers
Select all of the following that risk monitoring allows organizations to do:
- Verify compliance - Determine the ongoing effectiveness of risk response measures - Identify risk-impacting changes to organization information systems
Risk monitoring provides organizations the means to...
- verify compliance - determine the ongoing effectiveness of risk response measures - identify risk-impacting changes to organizational information systems and environments of operation
Order the following for measuring and incorporating metrics.
1. Determine requirement 2. Business case 3. Design and select metric system 4. Develop metrics 5. Test metrics 6. Launch metrics 7. Manage measurements 8. Mature measurements
Place the following in the correct order for risk management.
1. identify risk 2. analyze risks 3. rank risks 4. treat risks 5. monitor and review risks
What portion of the risk assessment report is actually essential in ANY report?
A Good Executive Summary
Clear and effective security risk assessment reporting requires that the contents of the report be perceived as (check all that apply)
Accurate, nonthreatening, unambiguous, relevant
The final phase of the security risk assessment is to create a(n) ________ that addresses all security risks identified in the ___________.
Action plan, final report
_____ monitoring results gives organizations the capability to maintain awareness of the risk being incurred, highlight the need to revisit other steps in the risk management process, and initiate process improvement activities as needed.
Analyzing
In addition to the data captured in your risk assessment template, exceptions and mitigation plans need to include the following information EXCEPT:
Budget Process
What is a significant part of the step of evaluating controls and determining which controls to implement?
CBAs
Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?
COBIT
You have created a risk assessment, and management has approved it. What do you do next?
Create a risk mitigation plan.
As a top-level executive at your own company, you are worried that your employees may steal confidential data too easily by downloading and taking home data onto thumb drives. What is the best way to prevent this from happening?
Create and enforce a written company policy against the use of thumb drives, and install a technical controls on the computers that will prevent the use of thumb drives.
What is NOT an example of an intangible value?
Data
A business impact analysis (BIA) is an output of the risk assessment process. (T/F)
False
Asset valuation is a listing or grouping of assets under an assessment. (T/F)
False
Change management ensures that similar systems have the same, or at least similar, configurations. (T/F)
False
Configuration management is the same as change management. (T/F)
False
FAIR's BRAG relies uses qualitative assessment of many risk components using scales with value ranges.
False
If an in-place countermeasure needs to be upgraded or replaced, you should disable or remove the countermeasure until the new or upgraded control can be installed in order to best reduce vulnerabilities. (T/F)
False
In information security, a framework or security model customized to an organization, including implementation details is known as a floor plan.
False
KPIs do not necessarily need to be tied to organizational strategy. (T/F)
False
Key Performance Indicators monitor risk appetite. (T/F)
False
Loss Before Countermeasure - Loss After Countermeasure = Countermeasure Value (T/F)
False
Organizations can only implement risk monitoring at risk management tiers 1 and 2. (T/F)
False
Planned safeguards are the same as approved controls. (T/F)
False
Risk mitigation plans help determine the numerical values for the risk formula, which is Risk = Threat x Vulnerability. (T/F)
False
The objective in risk assessment reporting is to assign blame to those who pose risks. (T/F)
False
The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. (T/F)
False
The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy. (T/F)
False
Which of the following is NOT risk evaluation step?
Identify the key components
All of the following are risk treatments in different frameworks except?
Ignore
ISO/IEC 27001 provides implementation details on how to implement ISO/IEC 27002 and how to set up a(n) ____________________.
Information security management system (ISMS)
A risk ____ could be a simple listing of identified risks, some of which are already assessed and others of which are still in the process of being qualified
Inventory
Which of the following is NOT one of the components of the COSO framework?
Meeting stakeholder needs
What does OCTAVE stand for?
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Which of the following is NOT part of a risk report structure?
Risk Report Memorandum
Which of the following is a well-framed phrase used by the security risk assessment team when risk reporting?
Security awareness training is not completely effective for all users
What is Risk Acceptance?
The appropriate risk response when the identified risk is within the organizational risk tolerance.
Many firms and regulators refer to one or more Cybersecurity and/or risk assessment frameworks. However, firms sometimes create their own custom frameworks. Using a predefined framework has all of the following benefits except what?
The framework can be easier to implement for your specific organization
Continuous monitoring is necessary because security work is never done. (T/F)
True
Ensuring that controls are effective is a best practice for risk mitigating security controls. (T/F)
True
Good risk reporting should include tables and figures to visually convey information to the audience. (T/F)
True
In Information Security, KPIs measure the performance or health of Information Security. (T/F)
True
One of the ways to identify controls is to identify critical business functions and critical business operations. (T/F)
True
One or more KPIs can be included in a key performance index. (T/F)
True
Organizations can implement risk monitoring at any of the risk management tiers with different objectives and utility of information produced. (T/F)
True
Planned controls are controls that have been approved but not installed yet. (T/F)
True
The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication. (T/F)
True
The Information Technology Infrastructure Library (ITIL) defines the organizational structure and skill requirements of an IT organization and a set of standard operational procedures and practices that allow the organization to manage an IT operation and associated infrastructure. (T/F)
True
Which of the following is NOT a purpose of ISO/IEC 27001:2005?
Use to form information technology governance
Which of the following is NOT a valid rule of thumb on risk control strategy selection?
When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?
framework & security model
Which of the following affects the cost of a control?
maintenance
Which of the following orders is consistent with the KPI, KPx and KRI formation?
metrics, KPI, KPx, KRI, Dashboard
Insurance, background checks, and security plans are all categories of ____________.
procedural controls
____________ mitigate(s) risk.
Contols
All of the following are risk treatments in different frameworks except?
Control
The risk control strategy were the organization is willing to accept the current level of risk and makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy. (T/F)
False
The standard format that must be followed when writing a vulnerability assessment report requires that the vulnerability assessment includes the following sections: table of contents, executive summary, methods, results, and recommendations. (T/F)
False
There is only one way to format and organize a risk assessment report. (T/F)
False
Which of the following is NOT a step in the FAIR risk management framework?
assess control impact
In the COSO framework, ___________ activities include those policies and procedures that support management directives.
control
Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
cost avoidance
Another term for data range and reasonableness checks is ______________.
input validation
What does FAIR's BRAG rely on to build the risk management framework that is unlike many other risk management frameworks?
quantitative valuation of safeguards