Test 3 Book
Which of the following activities is part of the risk identification process?
Assigning a value to each information asset
____________________ is a risk management framework developed to help organizations to understand, analyze, and measure information risk.The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.
Factor Analysis of Information Risk
The ____ is an effective attribute for tracking network devices and servers, but rarely applies to software.
IP address
Which of the following is not an example of a disaster recovery plan?
Information gathering procedures
Which of the following is the final step in the risk identification process of information assets?
Listing by order of importance
The ____ is also referred to as an electronic serial number.
MAC address
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
Manufacturer's part number
The ____________________ Method is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls.
OCTAVE
An alternate set of possible risk control strategies includes all but which of the following?
Obscurity: Hiding critical security assets in order to protect them from attack
____________________ is a is a combined function of (1) a threat less the effect of threat-reducing safeguards; (2) a vulnerability less the effect of vulnerability-reducing safeguards; and (3) an asset less the effect of asset value-reducing safeguards.
Residual risk
Residual risk is a combined function of all but which of the following?
Residual risk less a factor of error
In the Cost-Benefit Analysis Formula presented in the text, ALE is calculated by ____.
SLE * ARO
The Annualized Loss Expectancy in the CBA formula is determined as ____.
SLE * ARO
Examples of technical software failures or errors include code problems, unknown loopholes, and ____.
bugs
Classification categories must be ____________________ and mutually exclusive.
comprehensive
Classification categories must be ____ (all inventoried assets fit into a category) and ____ (each asset is found in only one category).
comprehensive, mutually exclusive
At a minimum, each information asset-threat pair should have a(n) ____ that clearly identifies any residual risk that remains after the proposed strategy has been executed.
documented control strategy
Before deciding on the risk control strategy for a specific vulnerability, an organization must explore all readily accessible information about the ____ consequences of the vulnerability.
economic and non-economic
A single loss expectancy is calculated by multiplying the asset value by the ____.
exposure factor
The ____________________ assessment, tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated estimation used for quantitative measures.
hybrid
A(n) ____________________ defense is the foundation of any information security program.
layered
Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.
likelihood
The ____ is an attribute that can be helpful in analyzing threat outbreaks when certain manufacturers announce specific vulnerabilities.
manufacturer name
The effectiveness of controls should be ____________________ and measured regularly once a control strategy has been selected.
monitored
Once a control strategy has been selected and implemented, controls should be ____ on an ongoing basis to determine their effectiveness and to estimate the remaining risk.
monitored and measured
The inventory should also reflect the ____________________ and security priority assigned to each information asset.
sensitivity
Risk is the likelihood of the occurrence of a(n) ____ multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability.
vulnerability
The final step in the risk identification process is to list the assets in order of importance. This goal can be achieved by using a(n) ____ worksheet.
weighted factor analysis
The ____ is the indication of how often you expect a specific type of attack to occur.
ARO
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
Building executive consensus
Which of the following activities is part of the risk assessment process?
Calculating the risks to which assets are exposed in their current setting
Some organizations document the outcome of the control strategy for each information asset-threat pair in a(n) _____, which includes concrete tasks with accountability for each task being assigned to an organizational unit or to an individual.
action plan
A cost-benefit analysis is conducted by subtracting the post-control annualized loss expectancy and the ____ from the pre-control loss expectancy
annualized cost of the safeguard
Risk ____________________ defines the quantity and nature of risk that an organization is willing to accept.
appetite
In a TVA worksheet, along one asset lies the prioritized set of ____, along the other the prioritized set of ____.
assets, threats
In an economic feasibility study, the ____________________ is the value to the organization of using controls that prevent losses related to a particular vulnerability.
benefit
Piracy and copyright infringement are examples of the threat of compromise to ____________________ property.
intellectual
The sample classification scheme for an information asset of confidential, ____ and public, designates the level of protection needed for a particular information asset.
internal
One of the most common methods of obtaining user acceptance and support is via user
involvement
A cost benefit analysis (CBA) result is obtained from the difference between the pre-control and the ____________________ annualized loss expectancy (ALE).
post-control
A press release is likely to fall under the ____ data classification scheme.
public
One of the calculations that guides corporate spending on controls is the cost of ____ operations if an attack occurs and is successful.
recovery
A(n) ____________________ number uniquely identifies a specific device.
serial
The relative value of an information asset depends on how much ____ it generates—or, in the case of a nonprofit organization, how critical it is to service delivery.
revenue
Deliberate software attacks include worms, denial of service, macros, and ____.
viruses
