Test 3 Book


Which of the following activities is part of the risk identification process?

Assigning a value to each information asset

____________________ is a risk management framework developed to help organizations to understand, analyze, and measure information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.

Factor Analysis of Information Risk

The ____ is an effective attribute for tracking network devices and servers, but rarely applies to software.

IP address

Which of the following is not an example of a disaster recovery plan?

Information gathering procedures

Which of the following is the final step in the risk identification process of information assets?

Listing by order of importance

The ____ is also referred to as an electronic serial number.

MAC address

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

Manufacturer's part number

The ____________________ Method is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls.

OCTAVE

An alternate set of possible risk control strategies includes all but which of the following?

Obscurity: Hiding critical security assets in order to protect them from attack

____________________ is a combined function of (1) a threat less the effect of threat-reducing safeguards; (2) a vulnerability less the effect of vulnerability-reducing safeguards; and (3) an asset less the effect of asset value-reducing safeguards.

Residual risk

Residual risk is a combined function of all but which of the following?

Residual risk less a factor of error

In the Cost-Benefit Analysis Formula presented in the text, ALE is calculated by ____.

SLE * ARO

The Annualized Loss Expectancy in the CBA formula is determined as ____.

SLE * ARO

Examples of technical software failures or errors include code problems, unknown loopholes, and ____.

bugs

Classification categories must be ____________________ and mutually exclusive.

comprehensive

Classification categories must be ____ (all inventoried assets fit into a category) and ____ (each asset is found in only one category).

comprehensive, mutually exclusive

At a minimum, each information asset-threat pair should have a(n) ____ that clearly identifies any residual risk that remains after the proposed strategy has been executed.

documented control strategy

Before deciding on the risk control strategy for a specific vulnerability, an organization must explore all readily accessible information about the ____ consequences of the vulnerability.

economic and non-economic

A single loss expectancy is calculated by multiplying the asset value by the ____.

exposure factor

The ____________________ assessment tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated estimation used for quantitative measures.

hybrid

A(n) ____________________ defense is the foundation of any information security program.

layered

Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.

likelihood

The ____ is an attribute that can be helpful in analyzing threat outbreaks when certain manufacturers announce specific vulnerabilities.

manufacturer name

The effectiveness of controls should be ____________________ and measured regularly once a control strategy has been selected.

monitored

Once a control strategy has been selected and implemented, controls should be ____ on an ongoing basis to determine their effectiveness and to estimate the remaining risk.

monitored and measured

The inventory should also reflect the ____________________ and security priority assigned to each information asset.

sensitivity

Risk is the likelihood of the occurrence of a(n) ____ multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability.

vulnerability

The final step in the risk identification process is to list the assets in order of importance. This goal can be achieved by using a(n) ____ worksheet.

weighted factor analysis

The ____ is the indication of how often you expect a specific type of attack to occur.

ARO

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?

Building executive consensus

Which of the following activities is part of the risk assessment process?

Calculating the risks to which assets are exposed in their current setting

Some organizations document the outcome of the control strategy for each information asset-threat pair in a(n) _____, which includes concrete tasks with accountability for each task being assigned to an organizational unit or to an individual.

action plan

A cost-benefit analysis is conducted by subtracting the post-control annualized loss expectancy and the ____ from the pre-control loss expectancy.

annualized cost of the safeguard

Risk ____________________ defines the quantity and nature of risk that an organization is willing to accept.

appetite

In a TVA worksheet, along one axis lies the prioritized set of ____, along the other the prioritized set of ____.

assets, threats

In an economic feasibility study, the ____________________ is the value to the organization of using controls that prevent losses related to a particular vulnerability.

benefit

Piracy and copyright infringement are examples of the threat of compromise to ____________________ property.

intellectual

The sample classification scheme for an information asset of confidential, ____, and public designates the level of protection needed for a particular information asset.

internal

One of the most common methods of obtaining user acceptance and support is via user

involvement

A cost benefit analysis (CBA) result is obtained from the difference between the pre-control and the ____________________ annualized loss expectancy (ALE).

post-control

A press release is likely to fall under the ____ data classification scheme.

public

One of the calculations that guides corporate spending on controls is the cost of ____ operations if an attack occurs and is successful.

recovery

A(n) ____________________ number uniquely identifies a specific device.

serial

The relative value of an information asset depends on how much ____ it generates—or, in the case of a nonprofit organization, how critical it is to service delivery.

revenue

Deliberate software attacks include worms, denial of service, macros, and ____.

viruses
