Risk Chapter 1-7 Assessments
An acceptable use policy is an example of a(n) _____ control.
Administrative
A risk ____ is a major component of a risk management plan.
Assessment
The ________ is an industry-recognized standard list of common vulnerabilities.
Common Vulnerabilities and Exposures (CVE)
A _____ is used to reduce vulnerability.
Control
If the benefits outweigh the cost, a control is implemented. Costs and benefits are identified by completing a ___________.
Cost-Benefit Analysis (CBA)
A loss of client confidence or public trust is an example of a loss of_________.
Intangible value
An organization may use a ______ rotation policy to help discover dangerous shortcuts or fraudulent activity.
Job
You are tasked with updating your organization's business continuity plans. When completing this process, you should only include _____ systems.
Mission-critical
You use video cameras to monitor the entrance of secure areas of your building. This is an example of a(n) _______ control.
Physical
A _____ risk assessment is subjective. It relies on the opinions of experts.
Qualitative
You are trying to decide what type of risk assessment methodology to use. A primary benefit of a _____ risk assessment is that it can be completed more quickly than other methods.
Qualitative
A _____ risk assessment is objective. It uses data that can be verified.
Quantitative
A _____ risk assessment uses SLE.
Quantitative
You are trying to decide what type of risk assessment methodology to use. A primary benefit of a _____ risk assessment is that it includes details for a cost-benefit analysis.
Quantitative
Your organization requires users to log on with smart cards. This is an example of a(n) _______ control.
Technical
The CVE list is maintained by ________.
The MITRE Corporation
A company decides to reduce losses of a threat by purchasing insurance. This is known as risk ___________.
Transfer
A fishbone diagram can link causes with effects. a. True b. False
a
A key stakeholder should have authority to make decisions about a project. This includes authority to provide additional resources. a. True b. False
a
An organization wants to determine what the impact will be if a specific IT server fails. What should it use? a. BIA b. BCP c. DRP d. BCC
a
CEOs and CFOs can go to jail if financial statements are inaccurate. What law is this from? a. SOX b. GLBA c. FISMA d. HIPAA
a
Fiduciary refers to a relationship of trust. a. True b. False
a
It is possible to ensure a service is operational 99.999 percent of the time even if a server needs to be regularly rebooted. a. True b. False
a
The National Institute of Standards and Technology published Special Publication 800-30. What does this cover? a. Risk Assessments b. Maturity levels c. A framework of good practices d. Certification and accreditation
a
This standard is focused on maintaining a balance between benefits, risk, and asset use. It is based on five principles and seven enablers. What is this standard? a. COBIT b. ITIL c. GAISP d. CMMI
a
What allows an attacker to gain additional privileges on a system by sending unexpected code to the system? a. Buffer overflow b. MAC flood c. Input validation d. Spiders
a
What does a qualitative RA use to prioritize a risk? a. Probability and impact b. SLE, ARO and ALE c. Safeguard value d. Cost-benefit analysis
a
What elements are included in a quantitative analysis? a. SLE, ALE, ARO b. ALE, ARO, ARP c. Probability and impact d. Threats and vulnerabilities
a
What is data mining? a. The process of retrieving relevant data from a data warehouse b. A database used in metal mining operations c. A database created by combining multiple databases into a central database d. A process used to extract, load, and transform a data warehouse
a
What is hardening a server? a. Securing it from the default configuration b. Ensuring it cannot be powered down c. Locking it in a room that is hard to access d. Enabling necessary protocols and services
a
What three elements should be included in the findings of the risk management report? a. Causes, criteria, and effects b. Threats, causes, and effects c. Criteria, vulnerabilities and effects d. Causes, criteria and milestones
a
Which government agency includes the Information Technology Laboratory and publishes SP 800-30? a. NIST b. DHS c. NCSD d. US-CERT
a
Which of the following is a goal of risk management? a. To identify the correct cost balance between risk and controls b. To eliminate risk by implementing controls c. To eliminate the loss associated with risk d. To calculate value associated with residual risk
a
Which type of assessment can you perform to identify weaknesses in a system without exploiting the weakness? a. Vulnerability assessment b. Risk assessment c. Exploit assessment d. Penetration test
a
You are beginning an RA for a system. You should define both the operational characteristics and the mission of the system in the early stages of the RA. a. True b. False
a
You want to ensure that users are granted only the rights to perform actions required for their jobs. What should you use? a. Principle of least privilege b. Principle of need to know c. Principle of limited rights d. Separation of duties
a
A risk management plan project manager oversees the entire plan. What is the project manager responsible for? (Select two.) a. Ensuring costs are controlled b. Ensuring the project stays on schedule c. Ensuring stakeholders have adequate funds d. Ensuring recommendations are adopted
a and b
You are working on a qualitative risk assessment for your company. You are thinking about the final report. What should you consider when providing the results and recommendations? (Select two.) a. Resource allocation b. Risk acceptance c. SLE and ARO d. SLE and ALE
a and b
Which of the following are accurate pairings of threat categories? (Select two.) a. External and Internal b. Natural and Supernatural c. Intentional and Accidental d. Computer and User
a and c
What can you do to manage risk? (Select three.) a. Accept b. Transfer c. Avoid d. Migrate
a, b, and c
A risk management plan includes steps to mitigate risks. Who is responsible for choosing what steps to implement? a. The project manager b. Management c. Risk management team d. The POAM manager
b
A technical control prevents unauthorized personnel from having physical access to a secure area or secure system. a. True b. False
b
An organization wants to ensure it can continue mission-critical operations in the event of a disaster. What should it use? a. BIA b. BCP c. DRP d. BCC
b
As long as a company is profitable, it does not need to consider survivability. a. True b. False
b
Employees in some companies are often required to take an annual vacation of at least five consecutive days. The purpose is to reduce fraud and embezzlement. What is this called? a. Job rotation b. Mandatory vacation c. Separation of Duties d. Due diligence
b
Qualitative analysis is more time consuming than quantitative analysis. a. True b. False
b
Risk assessments are a continuous process. a. True b. False
b
What does a quantitative RA use to prioritize a risk? a. Probability and impact b. SLE, ARO and ALE c. Safeguard value d. Cost-benefit analysis
b
What is a single point of failure? a. Any single part of a system that can fail b. Any single part of a system that can cause the entire system to fail, if it fails c. Any single part of system that has been protected with redundancy d. Any single part of a system
b
What is a stakeholder? a. A mark that identifies critical steps b. An individual or group that has an interest in the project c. A critical process or procedure
b
What is created with a risk assessment to track the implementation of the controls? a. CBA b. POAM c. ALE d. SLE
b
What must you define when performing a qualitative risk assessment? a. Formulas used for ALE b. Scales used to define probability and impact c. Scales used to define SLE and ALE d. Acceptable levels of risk
b
What will the scope of a risk management plan define? a. Objectives b. POAM c. Recommendations d. Boundaries
b
When defining the system for the risk assessment, what should you ensure is included? a. Only the title of the system b. The current configuration of the system c. A list of possible attacks d. A list of previous risk assessments
b
Which of the following ISO standards can be used to verify that an organization meets certain requirements? Part I identifies objectives and controls. Part II is used for certification. a. ISO 73 Risk Management - Vocabulary b. ISO 27002 Information Technology Security Techniques c. ISO 31000 Risk Management Principles and Guidelines d. IEC 31010 Risk Management - Risk Assessment Techniques
b
Which one of the following properly defines total risk? a. Threat - Mitigation b. Threat x Vulnerability x Asset Value (this is a key aspect here) c. Vulnerability - Controls d. Vulnerability x Controls
b
You can completely eliminate risk in an IT environment. a. True b. False
b
You want to ensure that users are granted only the permissions needed to access data required to perform their jobs. What should you use? a. Principle of least privilege b. Principle of need to know c. Principle of limited rights d. Principle of limited permissions
b
Your organization purchased a control and installed it on several servers. The control is consuming too many server resources, and the servers can no longer function. What was not evaluated before the control was purchased? a. The cost and time to implement the control b. The operational impact of the control c. The in-place and planned controls d. The impact of the risk
b
A POAM is used to track the progress of a project. What type of chart is commonly used to assist with tracking? a. Fishbone chart b. Cause and effect chart c. Gantt chart d. POAM chart
c
An organization wants to ensure it can recover a system in the event of a disaster. What should it use? a. BIA b. BCP c. DRP d. BCC
c
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization? a. Never b. Quarterly c. Annually d. Every three years
c
The COBIT framework refers to IT governance. Of the following choices, what best describes IT governance? a. IT-related laws b. IT-related regulations c. Processes to manage IT resources d. Processes to manage IT-related laws and regulations
c
What are two types of intrusion detection systems? a. Intentional and unintentional b. Natural and manmade c. Host-based and network-based d. Technical and physical
c
What elements are included in a qualitative analysis? a. SLE, ALE, ARO b. ALE, ARO, ARP c. Probability and impact d. Threats and vulnerabilities
c
What is a data warehouse? a. A database used in a warehouse b. A database used to identify the location of products in a warehouse c. A database created by combining multiple databases into a central database d. One of several databases used to create a central database for data mining
c
What is included in an RA that helps justify the cost of a control? a. Probability and impact b. ALE c. CBA d. POAM
c
What is the primary tool used to identify the financial significance of a mitigation tool? a. Ishikawa diagram b. Fishbone diagram c. CBA d. POAM
c
What problem can occur if the scope of a risk management plan is not defined? a. Excess boundaries b. Stakeholder loss c. Scope creep d. SSCP
c
Which of the following ISO documents provides generic guidance on risk management? a. ISO 73 Risk Management - Vocabulary b. ISO 27002 Information Technology Security Techniques c. ISO 31000 Risk Management Principles and Guidelines d. IEC 31010 Risk Management - Risk Assessment Techniques
c
Which of the following security principles divides job responsibilities to reduce fraud? a. Need to know b. Least privilege c. Separation of duties d. Mandatory vacations
c
Which of the following should you match with a control to mitigate a relevant risk? a. Threats b. Vulnerabilities c. Threat/vulnerability pair d. Residual risk
c
Who is ultimately responsible for losses resulting from residual risk? a. End users b. Technical staff c. Senior management d. Security personnel
c
You present management with recommendations from a risk management plan. What can management choose to do? a. Accept or reject recommendations b. Adjust, defer, or modify the recommendations c. Accept, defer or modify the recommendations d. Allow or deny the recommendations
c
A BCP and DRP are the same thing. a. True b. False
d
A risk management plan includes a list of findings in a report. The findings identify threats and vulnerabilities. What type of diagram can document some of the findings? a. Gantt chart b. Critical path chart c. POAM diagram d. Cause and effect diagram
d
Merchants that handle credit cards are expected to implement data security. What standard should they follow? a. GAISP b. CMMI c. COBIT d. PCI DSS
d
One of the challenges facing risk assessments is getting accurate data. What can be included in the risk assessment report to give an indication of the reliability of the data? a. Probability statement b. Accuracy scale c. Validity level d. Uncertainty level
d
What can you use to ensure that unauthorized changes are not made to systems? a. Input validation b. Patch management c. Version control d. Configuration management
d
What can you use to identify relevant vulnerabilities? a. Historical data b. Threat modeling c. CBA d. A and B only e. None of the above
d
What can you use to share or transfer risk associated with potential disasters? a. Business impact analysis b. Business continuity plan c. Disaster recovery plan d. Insurance
d
What is a POAM? a. Project objectives and milestones b. Planned objectives and milestones c. Project action milestones d. Plan of action and milestones
d
What is a security policy? a. A rigid set of rules that must be followed explicitly to be effective b. A technical control used to enforce security c. A physical control used to enforce security d. A document created by senior management that identifies the role of security in the organization
d
What is the primary goal of an information security program? a. To eliminate losses related to employee actions b. To eliminate losses related to risk c. To reduce losses related to residual risk d. To reduce losses related to loss of confidentiality, integrity, and availability
d
What law applies to organizations handling health care information? a. SOX b. GLBA c. FISMA d. HIPAA
d
Which one of the following properly defines risk? a. Threat x Mitigation b. Vulnerability x Controls c. Controls - Residual Risk d. Threat x Vulnerability
d
You are reviewing your organization's asset management data. You want to ensure all elements of the organization are included. What can you compare the asset management system against to ensure the entire organization is covered? a. Hardware and software assets b. Software assets c. Personnel and data assets d. The seven domains of a typical IT infrastructure
d
You have applied controls to minimize risk in the environment. What is the remaining risk called? a. Remaining risk b. Mitigated risk c. Managed risk d. Residual risk
d
Of the following choices, what would be considered an asset? a. Hardware b. Software c. Personnel d. Data and information e. All of the above
e
Of the following, what would be considered a best practice when performing a risk assessment? a. Start with clear goals and a defined scope b. Enlist support of senior management c. Repeat the risk assessment regularly d. Provide clear recommendations e. All of the above
e
What are valid contents of a risk management plan? a. Objectives b. Scope c. Recommendations d. POAM e. All of the above
e
What can you use to help quantify risks? a. SLE b. ARO c. Risk assessment d. Risk mitigation plan e. All of the above
e
What should be included in the objectives of a risk management plan? a. A list of threats b. A list of vulnerabilities c. Cost associated with risk d. Cost-benefit analysis e. All of the above
e
What type of data should be included when identifying an organization's data or information assets? a. Organizational data b. Customer data c. Intellectual property d. A and B only e. A, B and C
e
When identifying hardware assets in your organization, what information should you include? a. Model and manufacturer b. Serial number c. Location d. Only A and C e. A, B, and C
e
When identifying the assets you have in your organization, what would you include? a. Hardware b. Software c. Personnel d. Only A and B e. A, B, and C
e
Which of the following should you identify during a risk assessment? a. Assets b. Threats c. Vulnerabilities d. Countermeasures e. All of the above
e
Which of the following steps could be taken to harden a server? a. Removing unnecessary services and protocols b. Keeping the server up to date c. Changing defaults d. Enabling local firewalls e. All of the above
e