MIS 516 - Risk Mitigation
One of the ways to identify controls is to identify critical business functions and critical business operations.
True
Which of the following affects the cost of a control? maintenance CBA report asset resale liability insurance
Maintenance
What is NOT one of the implementation methods of controls? procedural technical physical manual
Manual
The relation between Controls and Threats is best described as?
Many-to-many
T / F A CBA helps determine if you should use a safeguard.
True
T / F A best practice for enabling a risk mitigation plan from your risk assessment is prioritizing countermeasures.
True
T / F A decision is made to accept, avoid, transfer, or mitigate a risk is done in the risk evaluation stage.
True
T / F Access controls testing verifies user rights and permissions.
True
T / F Ensuring that controls are effective is a best practice for risk mitigating security controls.
True
T / F Physical access controls protect valuable assets by restricting physical access to them.
True
T / F Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance.
True
T / F Risk sharing shifts a portion of the responsibility or liability.
True
T / F The criterion most commonly used when evaluating a strategy to implement InfoSec controls is economic feasibility.
True
T / F The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy.
True
T / F The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.
True
T / F When converting a risk assessment to a risk mitigation plan, you may need to verify the risk elements.
True
What is NOT one of the three primary objectives of controls? correct eliminate prevent detect
eliminate
What are the two primary goals when implementing a risk mitigation plan?
staying on schedule and in budget
What is the purpose of a risk mitigation plan? to ensure compliance to implement approved countermeasures to bolster a risk assessment to reduce threats
to implement approved counter measures
The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
transfer control
Risk mitigation plans help determine the numerical values for the risk formula, which is Risk = Threat x Vulnerability.
False
T / F Asset valuation is a listing or grouping of assets under an assessment.
False
T / F Loss Before Countermeasure - Loss After Countermeasure = Countermeasure Value
False
T / F Technical controls alone, when properly configured, can secure an IT environment.
False
T / F The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy.
False
T / F The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy.
False
T/F The risk control strategy were the organization is willing to accept the current level of risk and makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.
False
What type of control ensures that account management is secure? access controls account management controls access management controls account controls
Account Management Controls
What is a significant part of the step of evaluating controls and determining which controls to implement? BCPs CBAs DMZs DRPs
CBA
____________ mitigate(s) risk.
Controls
Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident? cost-benefit analysis cost avoidance feasibility analysis asset valuation
Cost avoidance
As a top-level executive at your own company, you are worried that your employees may steal confidential data too easily by downloading and taking home data onto thumb drives. What is the best way to prevent this from happening? - Create and enforce a written company policy against the use of thumb drives, and install a technical controls on the computers that will prevent the use of thumb drives. Install a technical control to prevent the use of thumb drives. Instruct higher level employees to inform their employees that the use of a thumb drive is a fireable offense. Hold a seminar that explains to employees why the use of thumb drives in the workplace is a security hazard.
Create and enforce a written company policy against the use of thumb drives, and install a technical controls on the computers that will prevent the use of thumb drives.
How your organization starts its risk mitigation process depends entirely on the type of organization you are working in.
False
Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk? - review and reapplication - monitoring and measurement - evaluation and funding - analysis and adjustment
Monitoring and Measurement
What does the Assign Security Risk help with? All the above Based on business mission and other factors, accept the identified security risk Purchase insurance to assign or transfer the security risk to another party Reduce specific security risk
Purchase insurance to assign or transfer the security risk to another party
Which of the following is NOT a valid rule of thumb on risk control strategy selection?
When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
T / F
You will never need to replace in-place controls.
When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.
exploited
Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster? mitigation transference avoidance acceptance
mitigation