Chapter 6


27. Once an information asset is identified, categorized, and classified, what must also be assigned to it? a. Asset tag b. Relative value c. Location ID d. Threat risk

ANSWER: b

14. A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. ____________

ANSWER: False - vulnerabilities

2. The InfoSec community often takes on the leadership role in addressing risk. a. True b. False

ANSWER: True

8. Some threats can manifest in multiple ways yielding multiple exploits for an asset-threat pair. ____________

ANSWER: False - vulnerabilities

38. Classification categories must be ____________________ and mutually exclusive.

ANSWER: comprehensive

4. The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack. a. True b. False

ANSWER: True

5. Some threats can manifest in multiple ways yielding multiple vulnerabilities for an asset-threat pair. a. True b. False

ANSWER: True

17. The identification and assessment of levels of risk in an organization describes which of the following? a. Risk analysis b. Risk identification c. Risk management d. Risk reduction

ANSWER: a

28. What should you be armed with to adequately assess potential weaknesses in each information asset? a. Properly classified inventory b. Audited accounting spreadsheet c. Intellectual property assessment d. List of known threats

ANSWER: a

35. Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet? a. Uncertainty percentage b. Asset impact c. Risk-rating factor d. Vulnerability likelihood

ANSWER: a

21. Which of the following is an attribute of a network device that is physically tied to the network interface? a. Serial number b. MAC address c. IP address d. Model number

ANSWER: b

24. Data classification schemes should categorize information assets based on which of the following? a. Value and uniqueness b. Sensitivity and security needs c. Cost and replacement value d. Ease of reproduction and fragility

ANSWER: b

32. What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create? a. Risk exposure report b. Threats-vulnerabilities-assets worksheet c. Costs-risks-prevention database d. Threat assessment catalog

ANSWER: b

33. The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____. a. Vulnerability mitigation controls b. Risk assessment estimate factors c. Exploit likelihood equation d. Attack analysis calculation

ANSWER: b

19. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process? a. Determining the likelihood that vulnerable systems will be attacked by specific threats b. Calculating the severity of risks to which assets are exposed in their current setting c. Assigning a value to each information asset d. Documenting and reporting the findings of risk identification and assessment

ANSWER: c

25. Classification categories must be mutually exclusive and which of the following? a. Repeatable b. Unique c. Comprehensive d. Selective

ANSWER: c

29. Which of the following is an example of a technological obsolescence threat? a. Hardware equipment failure b. Unauthorized access c. Outdated servers d. Malware

ANSWER: c

31. What is defined as specific avenues that threat agents can exploit to attack an information asset? a. Liabilities b. Defenses c. Vulnerabilities d. Weaknesses

ANSWER: c

18. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process? a. Creating an inventory of information assets b. Classifying and organizing information assets into meaningful groups c. Assigning a value to each information asset d. Calculating the severity of risks to which assets are exposed in their current setting

ANSWER: d

22. Which of the following attributes does NOT apply to software information assets? a. Serial number b. Controlling entity c. Manufacturer name d. Product dimensions

ANSWER: d

23. Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components? a. Name b. MAC address c. Serial number d. Manufacturer's model or part number

ANSWER: d

26. What is the final step in the risk identification process? a. Assessing values for information assets b. Classifying and categorizing assets c. Identifying and inventorying assets d. Listing assets in order of importance

ANSWER: d

34. An estimate made by the manager using good judgement and experience can account for which factor of risk assessment? a. Risk determination b. Assessing potential loss c. Likelihood and consequences d. Uncertainty

ANSWER: d

40. As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.

ANSWER: factor analysis factor table analysis table

36. Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.

ANSWER: management

7. An approach to combining risk identification, risk assessment, and risk appetite into a single strategy is known as risk protection. ___________

ANSWER: False - analysis

39. As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.

ANSWER: relative

6. The secretarial community often takes on the leadership role in addressing risk. ____________

ANSWER: False - InfoSec, infosec, Information Security, information security

15. An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________

ANSWER: False - qualitative

10. An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as exploit assessment. ____________

ANSWER: False - threat

9. The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk control. ____________

ANSWER: False - identification

30. Determining the cost of recovery from an attack is one calculation that must be made to identify risk; what is another? a. Cost of prevention b. Cost of litigation c. Cost of detection d. Cost of identification

ANSWER: a

16. Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest which includes all but which of the following? a. General management must structure the IT and InfoSec functions b. IT management must serve the IT needs of the broader organization c. Legal management must develop corporate-wide standards d. InfoSec management must lead the way with skill, professionalism, and flexibility

ANSWER: c

20. Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset identification using this attribute difficult? a. Part number b. Serial number c. MAC address d. IP address

ANSWER: d

37. Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.

ANSWER: likelihood, probability

1. Having an established risk management program means that an organization's assets are completely protected. a. True b. False

ANSWER: False

11. A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. ____________

ANSWER: False - classification

13. The information technology management community of interest often takes on the leadership role in addressing risk. ____________

ANSWER: False - infosec, information security

12. The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ____________

ANSWER: False - likelihood

3. MAC addresses are considered a reliable identifier for devices with network interfaces since they are essentially foolproof. a. True b. False

ANSWER: False

