Chapter 8 (Test 2)

_______________ refers to the amount of harm a threat can cause by exploiting a vulnerability. a. Risk b. Impact c. Threat d. Incident

b. Impact

An organization knows that a risk exists and has decided that the cost of reducing it is higher than the loss would be. This can include self-insuring or using a deductible. This is categorized as _______________. a. Risk avoidance b. Risk acceptance c. Risk mitigation d. Risk assignment

b. Risk acceptance

What term is used to describe something built in or used in a system to address gaps or weaknesses in the controls that could otherwise lead to an exploit? a. Countermeasure b. Safeguard c. Detective control d. Technical control

b. Safeguard

How your organization responds to risk reflects the value it puts on its ___________. a. Environment b. Technology c. Assets d. Vulnerability

c. Assets

It is necessary to create and/or maintain a plan that makes sure your company continues to operate in the face of disaster. This is known as ____________________. a. Disaster plan b. Critical business function c. Business continuity plan d. Risk management plan

c. Business continuity plan

The __________ is a simple review of a plan by managers and the business continuity team to make sure that contact numbers are current and that the plan reflects the company's priorities and structure. a. Structured walk-through test b. Review test c. Checklist test d. Parallel test

c. Checklist test

A measure installed to counter or address a specific threat is the definition of ____________. a. Technical control b. Administrative control c. Countermeasure d. Preventive control

c. Countermeasure

A countermeasure, without a corresponding ______________, is a solution seeking a problem; you can never justify the cost. a. Control b. Event c. Risk d. Response

c. Risk

____________ is a risk management phase that includes assessment of various types of controls to mitigate the identified risks, selection of a control strategy, and justification of choice of controls. a. Identify threats and vulnerabilities b. Inventory of assets c. Risk assessment d. Risk identification

c. Risk assessment

A control that is carried out or managed by a computer system is the definition of ______________. a. Countermeasure b. Corrective control c. Technical control d. Safeguard

c. Technical control

It is necessary to create and/or maintain a plan that makes sure your company continues to operate in the face of disaster. This is known as _______________. a. Risk management plan b. Critical business function c. Disaster plan d. Business continuity plan

d. Business continuity plan

Forensics and incident response are examples of _____________ controls. a. Technical b. Preventive c. Detective d. Corrective

d. Corrective

____________ uses various controls to reduce identified risks. These controls might be administrative, technical, or physical. a. Risk acceptance b. Risk acceptance c. Risk assignment d. Risk mitigation

d. Risk mitigation

A threat source can be a situation or method that might accidentally trigger a(n) ___________. a. Incident b. Control c. Event d. Vulnerability

d. Vulnerability

Impact is the probability that a potential threat will exploit a vulnerability. True or False?

False

Quantitative analysis defines risk using a scenario that describes it. True or False?

False

The most common way to conduct a full-interruption test is at the primary site. True or False?

False

The term incident describes the magnitude of harm that could be caused by a threat exercising a vulnerability. True or False?

False

An organization seeks a balance between an acceptable level of a risk and the cost of reducing it. True or False?

True

The cost of the countermeasure should be less than the ALE. True or False?

True

______________ is exercised frequently evaluating whether countermeasures are performing as expected. a. Corrective control b. Due diligence c. Preventive control d. Detective control

b. Due diligence

What term is used to describe the probability that a potential vulnerability might be exercised within the construct of an associated threat environment? a. Likelihood b. Detective control c. Incident d. Event

a. Likelihood

_____________ is an authentication credential that is generally longer and more complex than a password. a. Passphrase b. Two-factor authentication (TFA) c. Authorization d. Continuous authentication

a. Passphrase

__________ attempts to describe risk in financial terms and put a dollar value on all the elements of a risk. a. Quantitative risk analysis b. Financial risk analysis c. Risk management d. Qualitative risk analysis

a. Quantitative risk analysis

A company can discontinue or decide not to enter a line of business if the risk level is too high. This is categorized as _____________. a. Risk avoidance b. Risk mitigation c. Risk acceptance d. Risk assignment

a. Risk avoidance

A ___________ is a flaw or weakness in a system's security procedures, design, implementation, or internal controls. a. Vulnerability b. Risk c. Impact d. Threat

a. Vulnerability

A __________ determines the extent of the impact that a particular incident would have on business operations over time. a. RTO b. BIA c. MTD d. CBF

b. BIA

___________ is exercised by frequently evaluating whether countermeasures are performing as expected. a. Preventive control b. Due diligence c. Corrective control d. Detective control

b. Due diligence