Chapter 4
Qualitative risk-analysis is a list of identified risks that results from the risk-identification process. (T/F)
False
The term risk methodology refers to a list of identified risks that results from the risk-identification process. (T/F)
False
Risks can be a positive thing, and a risk management plan should address positive and negative risk occurrences. (T/F)
True
Single Loss Expectancy (SLE) means the expected loss for a single threat occurrence. The formula to calculate SLE is SLE = Resource Value x EF. (T/F)
True
A parallel test evaluates the effectiveness of the ____________ by enabling full processing capability at an alternate data center without interrupting the primary data center. a. DRP b. Security Plan c. BIA d. BCP
a. DRP
Which of the following is the definition of business driver? a. The estimated loss due to a specific, realized threat. b. The process of identifying, assessing, prioritizing, and addressing risks. c. A comparison of security controls in place that are needed to address all identified threats. d. The collection of components, including people, information, and conditions that support business objectives.
d. The collection of components, including people, information, and conditions that support business objectives.
Annual Loss Expectancy (ALE) means the process of identifying, assessing, prioritizing, and addressing risks. (T/F)
False
Residual risk is a risk-analysis method that uses mathematical formulas and numbers to assist in ranking risk severity. (T/F)
False
Having too many risks in the risk register is much better than overlooking any severe risk that does occur. (T/F)
True
The term Annual Rate of Occurrence (ARO) describes the annual probability that a stated threat will be realized. (T/F)
True
The term Risk Management describes the process of identifying, assessing, prioritizing, and addressing risks. (T/F)
True
The tools for conducting a risk analysis can include the documents that define, categorize, and rank risks. (T/F)
True
What is meant by Risk Register? a. A list of identified risks that results from the risk-identification process. b. The estimated loss due to a specific realized threat. c. A comparison of security controls in place and controls that are needed to address all identified threats. d. The process of identifying, assessing, prioritizing, and addressing risks.
a. A list of identified risks that results from the risk-identification process.
The recovery point objective (RPO) identifies the amount of _______________ that is acceptable. a. Data Loss b. Risk c. Time to Recover d. Support
a. Data Loss
Your ____________ plan shows that you have examined risks to your organization and have developed plans to address each risk. a. Risk-Response b. Business c. Compliance d. Disaster
a. Risk-Response
The process of managing risks starts by identifying _______________. a. Risks b. Business Drivers c. Exposure Factor (EF) d. Standards
a. Risks
What is the Project Management Body of Knowledge (PMBOK)? a. A description of how you will manage overall risk. It includes the approach, required information, and techniques to address each risk. b. A collection of the knowledge and best practices of the project management profession. c. Any risk that exists but has a defined response. d. The collection of components, including people, information, and conditions that support business objectives.
b. A collection of the knowledge and best practices of the project management profession.
Information security activities directly support several common business drivers, including _________________ and efforts to protect intellectual property. a. Quantitative Risk Analysis b. Compliance c. Regulations d. Confidentiality
b. Compliance
_____________ is rapidly becoming an increasingly important aspect of enterprise computing. a. Risk Methodology b. Disaster Recovery c. Risk Analysis d. Risk Management
b. Disaster Recovery
A ___________ will help identify not only which functions are critical, but also how quickly essential business functions must return to full operation following a major interruption. a. Business Continuity Plan (BCP) b. Disaster Recovery Plan (DRP) c. Business Impact Analysis (BIA) d. Risk Methodology
b. Disaster Recovery Plan (DRP)
RTO identifies the maximum allowable ____________ to recover the function. a. Support b. Time c. Risk d. Data Loss
b. Time
A ___________ primarily addresses the processes, resources, equipment, and devices needed to continue conducting critical business activities when an interruption occurs that affects the business's viability. a. True Downtime Cost b. Business Impact Analysis (BIA) c. Business Continuity Plan (BCP) d. Risk Register
c. Business Continuity Plan (BCP)
What name is given to a risk-analysis method that uses relative ranking to provide further definition of the identified risks in order to determine responses to them? a. Annual Loss Expectancy (ALE) b. Quantitative Risk Analysis c. Qualitative Risk Analysis d. Gap Analysis
c. Qualitative Risk Analysis
The goal of ____________ is to quantify possible outcomes of risk, determine probabilities of outcomes, identify high-impact risks, and develop plans based on risks. a. Qualitative Risk Analysis b. Annual Rate of Occurrence (ARO) c. Quantitative Risk Analysis d. Risk Register
c. Quantitative Risk Analysis
Any organization that is serious about security will view _________________ as an ongoing process. a. Gap Analysis b. Standards c. Risk Management d. Business Objectives
c. Risk Management
What is the difference between a BCP and a DRP? a. A BCP does not specify how to recover from disasters, just interruptions b. A DRP is part of a BCP c. A DRP directs the actions necessary to recover resources after a disaster d. All of the above
d. All of the above
____________ is the proportion of value of a particular asset likely to be destroyed by a given risk, expressed as a percentage. a. Annual Rate of Occurrence (ARO) b. Risk Management c. Business Drivers d. Exposure Factor (EF)
d. Exposure Factor (EF)
What name is given to any risk that exists but has a defined response? a. Risk Register b. Quantitative Risk Analysis c. Risk Management d. Residual Risk
d. Residual Risk