Management of Information Security Notes Chapter 8 -- Risk Assessment

Likelihood is the overall rating of the probability that a specific vulnerability will be exploited.

True

Risk is the likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability

True

The amount of danger posed by a threat is sometimes difficult to assess. It may be simply the impact of a threat attacking the organization, or it may reflect the amount of damage that the threat could create or the frequency with which an attack can occur.

True

Which of the following activities is part of the risk identification process?

Assigning a value to each information asset

A ranked vulnerability risk worksheet assigns a ranked value or impact weight to each information asset.

False

Assessing risks includes assigning a value to each information asset.

False

The data classification scheme for an information asset could include confidential, internal, and private. Each of these classification categories designates the level of protection needed for a particular information asset.

False

The first stage in the Risk Identification process is to develop an inventory of information assets.

False

The ultimate goal of risk identification is to assess the circumstances and setting of each information asset to reveal any threats.

False

To make the process of analyzing threats less daunting, steps in the threat and vulnerability identification processes should be handled jointly.

False

Which of the following is the final step in the risk identification process of information assets?

Listing by order of importance

The ____ is also referred to as an electronic serial number.

MAC address

____ elements are divided into three categories: applications, operating systems, or security components.

Software

A TVA spreadsheet combines prioritized lists of assets and threats to identify vulnerabilities and provide a prioritized list of efforts relating to the implementation of needed controls.

True

A well-developed risk management program consists of two formal processes: risk identification and assessment and risk control.

True

A(n) comprehensive classification of information assets means that all inventoried assets fit into a category.

True

Assigning a value to each information asset is part of the identification process.

True

During risk identification, managers identify the organization's information assets, classify and categorize them into useful groups, and prioritize them by their overall importance.

True

Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.

likelihood

The ____ is an attribute that can be helpful in analyzing threat outbreaks when certain manufacturers announce specific vulnerabilities.

manufacturer name

The relative value of an information asset depends on how much ____ it generates—or, in the case of a nonprofit organization, how critical it is to service delivery.

revenue

The process of assigning relative values to information assets helps to ensure that assets with higher values are protected first.

True

In a TVA worksheet, along one axis lies the prioritized set of ____, along the other the prioritized set of ____.

assets, threats

The inventory should also reflect the ____________________ and security priority assigned to each information asset.

sensitivity

A(n) ____________________ number uniquely identifies a specific device.

serial

Knowing the enemy means that the threats facing an organization's information assets should be identified, examined, and ____________________.

understood

Deliberate software attacks include worms, denial of service, macros, and ____.

viruses

Risk is the likelihood of the occurrence of a(n) ____ multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability.

vulnerability

The final step in the risk identification process is to list the assets in order of importance. This goal can be achieved by using a(n) ____ worksheet.

weighted factor analysis
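Worked example of the two worksheets these cards describe, added here and not taken from the textbook or the study set: a weighted factor analysis worksheet produces the relative value of each asset, and the chapter's risk formula (likelihood times asset value, minus the share mitigated by current controls, plus the uncertainty of the estimate) then feeds a ranked vulnerability risk worksheet. All asset names, criteria weights, scores and vulnerabilities are constructed for illustration; the convention that weights sum to 100 and scores lie in 0.1 to 1.0 is an assumption of this example.

```python
"""Risk-assessment worksheets (added worked example, constructed data).

Two worksheets are chained:
  1. weighted factor analysis  -> relative value V of each information asset
  2. ranked vulnerability risk -> risk = (L x V) - (L x V x mitigated)
                                        + (L x V x uncertainty)
L is the likelihood the vulnerability is exploited, "mitigated" the fraction
of risk removed by current controls, "uncertainty" 1 minus our confidence.
"""
from dataclasses import dataclass

# Assumed worksheet convention: weights are percentages summing to 100.
CRITERIA_WEIGHTS = {
    "impact_to_revenue": 30,
    "impact_to_profitability": 40,
    "impact_to_public_image": 30,
}

@dataclass
class Asset:
    name: str
    classification: str          # confidential / internal / public
    scores: dict                 # criterion -> score in [0.1, 1.0]

@dataclass
class Vulnerability:
    asset: str                   # must match an inventoried Asset.name
    description: str
    likelihood: float            # L, in [0.1, 1.0]
    mitigated: float = 0.0       # fraction of risk removed by current controls
    uncertainty: float = 0.0     # 1 - confidence in the assumptions and data

def weighted_score(asset, weights=CRITERIA_WEIGHTS):
    """Weighted factor analysis: sum of weight x score over all criteria."""
    if sum(weights.values()) != 100:
        raise ValueError("criteria weights must sum to 100")
    missing = set(weights) - set(asset.scores)
    if missing:
        raise ValueError(f"{asset.name}: no score for {sorted(missing)}")
    return sum(w * asset.scores[c] for c, w in weights.items())

def risk(vuln, asset_value):
    """Chapter formula: risk = L*V - L*V*mitigated + L*V*uncertainty."""
    for label, x in (("likelihood", vuln.likelihood),
                     ("mitigated", vuln.mitigated),
                     ("uncertainty", vuln.uncertainty)):
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{label} must be in [0, 1], got {x}")
    base = vuln.likelihood * asset_value
    return base - base * vuln.mitigated + base * vuln.uncertainty

def ranked_vulnerability_worksheet(assets, vulns):
    """Rows of the ranked vulnerability risk worksheet, highest risk first."""
    values = {a.name: weighted_score(a) for a in assets}
    rows = []
    for v in vulns:
        if v.asset not in values:
            # A vulnerability on an asset missing from the inventory means the
            # identification step was incomplete; refuse to rank it.
            raise KeyError(f"uninventoried asset {v.asset!r}")
        rows.append({"asset": v.asset, "vulnerability": v.description,
                     "value": values[v.asset], "likelihood": v.likelihood,
                     "risk": round(risk(v, values[v.asset]), 1)})
    rows.sort(key=lambda r: r["risk"], reverse=True)
    return rows

# Constructed sample inventory (not real systems).
SAMPLE_ASSETS = [
    Asset("Customer order server", "confidential",
          {"impact_to_revenue": 1.0, "impact_to_profitability": 0.8,
           "impact_to_public_image": 0.6}),                        # V = 80
    Asset("Public web site", "public",
          {"impact_to_revenue": 0.5, "impact_to_profitability": 0.4,
           "impact_to_public_image": 1.0}),                        # V = 61
    Asset("Internal wiki", "internal",
          {"impact_to_revenue": 0.2, "impact_to_profitability": 0.3,
           "impact_to_public_image": 0.2}),                        # V = 24
]
SAMPLE_VULNS = [
    Vulnerability("Customer order server", "unpatched database service",
                  likelihood=0.5, mitigated=0.5, uncertainty=0.2),   # 28.0
    Vulnerability("Customer order server", "no backup of order history",
                  likelihood=0.1, uncertainty=0.2),                  # 9.6
    Vulnerability("Public web site", "outdated CMS allows defacement",
                  likelihood=1.0, uncertainty=0.1),                  # 67.1
    Vulnerability("Internal wiki", "weak password policy",
                  likelihood=0.8, mitigated=0.25, uncertainty=0.1),  # 16.3
]

if __name__ == "__main__":
    for row in ranked_vulnerability_worksheet(SAMPLE_ASSETS, SAMPLE_VULNS):
        print(f"{row['risk']:6.1f}  {row['asset']:<22} {row['vulnerability']}")
```

Note how the ranking differs from asset value alone: the order server is the most valuable asset, yet the public web site's vulnerability ranks first because its likelihood is 1.0 and no current control mitigates it, which is exactly why the chapter ranks asset-vulnerability pairs rather than assets.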

Almost every organization is aware of its image in the local, national, and international spheres. Loss or ____ of some assets would prove especially embarrassing.

...

The process of evaluating potential weaknesses in each information asset is known as ____________________ identification.

...

Which of the following activities is part of the risk assessment process?

Calculating the risks to which assets are exposed in their current setting

Determining the likelihood that vulnerable systems will be attacked by specific threats is part of the risk identification process.

False

People are divided into insiders (employees) and outsiders (nonemployees). Outsiders come in two categories: either they hold trusted roles and have correspondingly greater authority and accountability, or they are regular staff without any special privileges.

False

Risk Analysis is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be controlled or mitigated.

False

The ____ is an effective attribute for tracking network devices and servers, but rarely applies to software.

IP address

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

Manufacturer's part number

Weighting criteria can be used to assess the value of information assets or for impact evaluation.

True

Examples of technical software failures or errors include code problems, unknown loopholes, and ____.

bugs

As each information asset is identified, ____________________, and classified, a relative value must also be assigned to it.

categorized

As each information asset is identified, categorized, and ____, a relative value must also be assigned to it.

classified

Classification categories must be ____________________ and mutually exclusive.

comprehensive

Classification categories must be ____ (all inventoried assets fit into a category) and ____ (each asset is found in only one category).

comprehensive, mutually exclusive

Risk management is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be

controlled

Piracy and copyright infringement are examples of the threat of compromise to ____________________ property.

intellectual

The sample classification scheme for an information asset of confidential, ____ and public, designates the level of protection needed for a particular information asset.

internal

A(n) ____________________ defense is the foundation of any information security program.

layered

The standard IT system components include: people, data, networks, hardware, software, and ____________________.

procedures

A press release is likely to fall under the ____ data classification scheme.

public

One of the calculations that guides corporate spending on controls is the cost of ____ operations if an attack occurs and is successful.

recovery
