cyber quiz 4

_____ include information and the systems that use, store, and transmit information

information assets

the probability that a specific vulnerability within an organization will be attacked by a threat is known as

likelihood

the _____ risk treatment strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards

mitigation

the _____ treatment strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation

mitigation

when deciding which information assets to track, consider the following asset attributes: people, _____, data, software, and hardware

procedures

As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.

relative

_____ equals the probability of a successful attack multiplied by the expected loss from a successful attack plus an element of uncertainty

risk

_____ involves four major undertakings: risk identification, risk analysis, risk evaluation, and risk treatment control

risk management

______ is the process of identifying risk, as represented by vulnerabilities, to an organization's information assets and infrastructure, and taking steps to reduce this risk to an acceptable level

risk management

Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack.

true

Risk control, also known as risk treatment, is the application of controls that reduce the risks to an organization's information assets to an acceptable level.

true

when it is necessary to calculate, estimate, or derive values for information assets, you might give consideration to the value incurred from the cost of protecting the information

true

In a _____, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking the scores

weighted table analysis

The formal decision making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) ____.

CBA

A threat _____ is an evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack.

assessment

you can determine the relative risk for each of the organization's information assets using a process called risk _____, which combines risk identification, risk analysis, and risk evaluation

assessment

risk _____ is the application of security mechanisms to reduce the risks to an organization's data and information systems

control

A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on them.

false

a data classification scheme is a formal access control methodology used to assign a level of availability to an information asset and thus restrict the people who can access it

false

cost mitigation is the process of preventing the financial impact of an incident by implementing control

false

cost-benefit analyses (CBAs) cannot be calculated after controls have been functioning for a time, an observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended

false

residual risk is the risk that organizations are willing to accept even after current controls have been applied

false

risk acceptance defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility

false

risk mitigation is the process of assigning a risk rating or score to each information asset

false

risk mitigation is the risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards, but it is not the preferred approach to controlling risk

false

when an organization depends on IT-based systems to remain viable, infosec, and the discipline of asset management must become an integral part of the economic basis for making business decisions

false

within data classification schemes, it is important that all categories used be unique and mutually exclusive

false

you cannot use qualitative measures to rank information asset values

false

a(n) _____ scheme is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it

security clearance

Risk _____ is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization's overall risk appetite.

tolerance

the _____ risk treatment strategy attempts to shift risk to other assets, other processes, or other organizations

transference

if the acceptance risk treatment strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and may portray an apathetic approach to security in general

true

in addition to their other responsibilities, the three communities of interest are responsible for determining which control options are cost effective for the organization

true

one way to determine which information assets are valuable is by evaluating which information asset(s) would expose the company to liability or embarrassment if revealed

true

the identification, analysis, and evaluation of risk as initial parts of risk management is called risk assessment

true

the mitigation risk treatment strategy applies controls and safeguards that eliminate or reduce the remaining uncontrolled risk

true

the organization should adopt naming standards that do not convey information to potential system attackers

true

the upper management of an organization must structure the IT and information security functions to defend the organization's information assets

true

to determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited

true

when determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts

true

in the TVA worksheet, assets are placed into a matrix with threats and then the exposure of the assets to specific threats is explored by documenting _______

vulnerabilities

once the inventory and value assessment are complete, you can prioritize each asset using a straightforward process known as _____ analysis

weighted factor

Risk _____ is a determination of the extent to which an organization's information assets are exposed to risk.

analysis

Risk ____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.

appetite

A data _____ scheme is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.

classification

The concept of competitive ____ refers to falling behind the competition.

disadvantage

A single loss ____________________ is the calculation of the value associated with the most likely loss from an attack.

expectancy

Within a data classification scheme, "comprehensive" means that an information asset should fit in only one category.

false

the risk management (RM) _____ is the overall structure of the strategic planning and design for the entirety of the organization's RM efforts

framework
