As part of a risk assessment, a general controls review (GCR) identifies threats existing in the general security processes. Which of the following high-level functions is not part of the GCR?
B. Vulnerabilities at the application and network levels
A _______ is anything that can damage or compromise an asset. It is what you are trying to protect against.
B. threat
There are recommended controls for most network vulnerabilities. Which of the following is a risk category for which an appropriate control is the use of fault-tolerant and resilient designs that eliminate single points of failure?
D. Availability
As part of a risk assessment, which of the following is used to identify greater or lesser threats based on a score rather than a mathematical probability?
D. Probability assessment
All of the following are true of risk analysis, except:
NOT B. system or network vulnerability is measured in terms of accessibility and the corresponding number of authorized users. NOT B. asset, threat, and vulnerability mapping is the process of documenting or pairing asset vulnerabilities with any potential threats that could expose those vulnerabilities.
During which stage of a risk assessment does the security team determine the value of assets and identify associated risks?
B. Risk analysis
To determine risk, you must know the system or network's vulnerabilities. Which of the following is a risk category that addresses the most vulnerable locations in a network?
D. Access
A new CEO asks you for a security risk assessment. What do you do?
D. Outline all the risks, threats, vulnerabilities, and opportunities, both internal and external.
Which of the following is true of quantitative methods of risk assessment?
D. The single loss expectancy (SLE) is the expected monetary cost of the occurrence of a risk on an asset.
During which stage of a risk assessment are permissions sought, granted, and documented?
D. Planning