ch. 9

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

The __________ level and an asset's value should be a major factor in the risk control strategy selection.

Threat

Application of training and education is a common method of which risk control strategy? a. acceptance b. transferal c. mitigation d. defense

d

The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations

transferal

Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset. True False

true

The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication. True False

true

The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.

true

Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges. True False

true

The NIST risk management approach includes all but which of the following elements? a. inform b. frame c. assess d. respond

a

In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result? a. Delphi b. OCTAVE c. Hybrid Measures d. FAIR

a

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them? a. InfoSec community analysis b. implementing controls c. measuring program effectiveness d. conducting decision support

a infosec

The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.

appetite

By multiplying the asset value by the exposure factor, you can calculate which of the following? a. annualized cost of the safeguard b. single loss expectancy c. annualized loss expectancy d. value to adversaries

b

Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster? a. acceptance b. mitigation c. transference d. avoidance

b. mitigation

Which of the following is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk, and how much risk exists for the asset. a. valuation b. benefit c. feasibility d. cost

benefit

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks? a. subjective prioritization of controls b. quantitative valuation of safeguards c. qualitative assessment of many risk components d. risk analysis estimates

c

What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy? a. single loss expectancy b. annualized rate of occurrence c. cost-benefit analysis d. exposure factor

c

Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? a. risk assurance b. residual risk c. risk appetite d. risk termination

c

Which of the following is a step in Stage 2 - Evaluate Loss Event Frequency of the FAIR risk management framework? a. identify the asset at risk b. estimate probable loss c. estimate control strength d. derive and articulate risk

c estimate control strength

Strategies to limit losses before and during a disaster is covered by which of the following plans in the mitigation control approach? a. business continuity plan b. damage control plan c. incident response plan d. disaster recovery plan

d

The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following? a. risk assessment b. risk communication c. risk treatment d. risk determination

d

What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed? a. probability calculation b. cost-benefit analysis c. risk acceptance plan d. documented control strategy

d

Which of the following is NOT a valid rule of thumb on risk control strategy selection? a. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. b. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss. c. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. d. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.

d

When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.

exploited

Which of the following affects the cost of a control? a. CBA report b. asset resale c. liability insurance d. maintenance

maintennace

The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is ____________________ .

mitigation


Set pelajaran terkait

HTLM, CSS, XML, BootStrap, Servlets, Log4J (Week 3)

View Set

Delmar's Textbook of Electricity, Section 1, Units 1 - 5

View Set

Music Appreciation - Types of Listeners

View Set

neuroscience 10 module 6-8 quizzes

View Set

HST 120: Chapter 4 - The Northern Colonies in the Seventeenth Century, 1601-1700

View Set

ENTREPRENEURSHIP AND SMALL BUSINESS MANAGEMENT EXAM

View Set