MIS 416 Exam 1
According to Landoll, which of the following is NOT a type of security test? A) Threat Testing B) Penetration Testing C) Vulnerability Testing D) Information Accuracy Testing
A
According to Talabis, what is the function of a BIA? A) To assess and identify critical and non-critical organizational functions and activities. B) To determine which business processes cannot be modified regardless of recommendations from the risk assessment team. C) To identify what business processes are going to be most impacted by a specific threat. D) To evaluate what threats are specific to each business organization unit in a company and how these threats will specifically impact the business unit.
A
An asset has a value of 50 and 1 vulnerability. The vulnerability has a probability of 1.0. There are no controls. It is estimated this information is 90% accurate. What is the risk rating? A) 55 B) 90 C) 12 D) 45
A
Companies use risk management techniques to differentiate ___________ from _________? A) severe risks, minor risks B) costs, benefits C) vulnerabilities, weaknesses D) vulnerabilities, threats
A
Determining the cost of recovery from an attack is one calculation that must be made to identify risk; what is another? A) Cost of prevention B) Cost of detection C) Cost of litigation D) Cost of identification
A
Factors to consider when gathering information about resources include everything but? A) Social Concerns B) Reputation Damages C) Legal Damages D) Financial Damages E) Regulatory Constraints
A
If you know a single loss expectancy is $100 and the associated annualized rate of occurrence is 5, then what is the annual loss expectancy? A) $500 B) 20 months C) $20 D) $105
A
This will often map out critical processes within an organization and, if done properly, will also identify the specific systems supporting those processes. A) BIA B) CBA C) DMZ D) DRP E) FAIR
A
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk *identification* process? A) Inventory and categorize assets B) Documenting and reporting the findings of risk identification and assessment C) Calculating the severity of risks to which assets are exposed in their current setting D) Determining the likelihood that vulnerable systems will be attacked by specific threats
A
What are the two primary methods used to create a risk assessment? A) quantitative and qualitative B) inductive and deductive C) empirically and emotionally D) written or verbally
A
What is the first element to be considered when conducting a Risk Assessment? A) What are the organization's assets B) What controls has the organization already implemented C) What are the possible threats and threat agents facing the organization D) What vulnerabilities does the organization have
A
When identifying mission-critical business functions and processes, who or what possess(es) the key information? A) experts B) stakeholders C) C-level employees D) department heads
A
When we need to sample because we can't gather information from the entire population, and our population consists of a few clusters whose members have characteristics very similar to each other but not necessarily to those of other groups, what type of sampling can we use? A) Stratified Sampling B) Simple Sampling C) Cluster Sampling D) Systematic Sampling
A
Which of the following is a Risk Severity calculation? A) threat x vulnerability x impact B) vulnerability / threat C) threat/vulnerability x uncertainty D) threat x impact
A
_________ negatively affect(s) the CIA triad. A) Threats B) NNTP C) Vulnerabilities D) Risks
A
Data is often an organization's most valuable information asset; sensitive data needs to be protected in which states? A) Data in Transit B) Data in Process C) Data in Binary D) Data at Rest
A, B, D
According to Talabis, what is the most rigorous and most encompassing activity in the information security risk assessment process? A) Interviewing Personnel B) Data Collection C) Creating Valid Risk Profiles D) Testing Controls E) Scoping a Project
B
Data collection mechanisms are divided into what two categories? A) Vulnerability and Sensitivity B) Collectors and Containers C) Procurers and Providers D) Primary and Secondary E) Threat and Asset
B
In the RIIOT technique, documents should be reviewed for all the following except: A) Correctness B) Conciseness C) Content D) Clarity E) Completeness
B
RTO stands for ________. A) recovery time obstacle B) recovery time objective C) repair task objective D) repair transfer objective
B
What is the formula for Single Loss Expectancy (SLE)? A) AV * ARO B) AV * EF C) SV * EF D) SV * ARO
B
Threat ___________ is a process used to identify possible threats on a system. A) profile B) modeling C) system D) analysis
B
Typical data collectors include everything but ____. A) Workshops B) Retreats C) Interviews D) Document Request Lists E) Surveys
B
What is NOT a classification of data? A) private B) risk C) public D) proprietary
B
What is NOT a direct cost? A) equipment replacement costs B) penalty costs for nonrepudiation issues C) remote backup costs D) building replacement costs
B
What is an indirect objective of a business impact analysis? A) to evaluate the effectiveness of controls B) to justify funding C) to calculate MAOs D) to identify an impact that can result from disruptions in a business
B
What is the key resulting element of an information security risk assessment? A) Vulnerability B) Security Risk C) Threat D) Asset E) Threat Agent
B
What may occur if you do NOT include the scope of the RA when defining it? A) attacks B) missed deadlines C) exploited threats D) losses
B
Which sampling technique is described by the following: "This sampling technique selects clusters of sample units from the population to create a representative sample." A) Stratified sampling B) Cluster sampling C) Systematic sampling D) Interval sampling E) Simple sampling
B
Which of the following can be calculated using the values from an annualized rate of occurrence multiplied by the values from a single loss expectancy? A) cost benefit analysis B) annualized loss expectancy C) asset valuation D) operational feasibility
B
Which of the following is NOT an example of a document a risk assessor could request during a risk assessment? A) Asset Inventories B) Previously considered IT Security Recommendations C) Current Security Policies, Standards and Procedures D) Previous Information Security Risk Assessments E) Copy of the BIA
B
_____________ is the likelihood that a threat will exploit a vulnerability. A) Risk B) Probability C) Impact D) Assessment
B
A threat event where loss materializes and/or where liability increases. A) Threat Event B) Vulnerability Event C) Loss Event D) Primary Event E) Risk Event
C
According to the CIA triad, which of the following is a desirable characteristic for computer security? A) transparency B) accountability C) availability D) decoupling
C
All of the following are reasons to perform risk assessments except? A) It enables us to determine what assets need protection B) It enables us to determine what assets are high-risk assets C) It enables us to determine which risk assessment framework we should be using D) It enables us to determine what controls or safeguards should be in place E) It enables us to determine a proper security budget
C
BIA stands for ___________. A) business investment analysis B) business improvement applications C) business impact analysis D) business investment assessment
C
If there are three possible outcomes to an event, one of which has a probability of 40% and will cost you $4000 and one of which has a probability of 30% and which will cost you $1500, and another with a probability of 30% that will cost you $2500, what is your expected loss? A) 4000 B) 2050 C) 2800 D) 1200 E) 2350 F) 8000 G) 1600
C
If you expect an event to happen 3 times a year to each of 4 assets, and the single loss expectancy is $2,000, what is your expected total annual impact? A) $12,000 B) $8,000 C) $24,000 D) $6,000
C
Objectives during the interview phase of the RIIOT technique include all the following except: A) Measurement of security awareness among staff B) Identification of vulnerabilities in the area of the interviewee's expertise C) Confirmation of managerial involvement in risk assessment process D) Confirmation of security procedure execution E) Confirmation of threat identification, asset valuation and critical systems identification
C
Risk Likelihood Calculation = which of the following? A) threat/vulnerability B) exploit - threat C) Threat x Vulnerability D) vulnerability + exploit
C
Security policies and procedures are the __________ of information security and the most important element of the security program for any organization. A) only concern B) downfall C) cornerstone D) subterfuge
C
The RIIOT approach to Data Gathering has all the following benefits except? A) Coverage B) Organization C) Simplicity D) Project Management
C
What is the key principal element of an information security risk assessment? A) vulnerability B) threat agent C) asset D) threat
C
Which of the following is a CIA characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information? A) Authentication B) Integrity C) Confidentiality D) Availability
C
Select all of the following that are components of the RIIOT method. A) Insure B) Test C) Review D) Inspect E) Interview F) Reevaluate G) Observe H) Optimize
C, E, D, G, B
Another term for risk mitigation is _______. A) risk evaluation B) risk assessment C) risk management D) risk reduction
D
How do you start a risk assessment? A) by mitigating risks B) by generally defining controls C) by identifying countermeasures D) by clearly defining what you will assess
D
Low recovery time objectives are _______ but _______. A) unachievable, ideal B) elusive, maintainable C) risky, high-yield D) achievable, costly
D
Once the Risk Assessment is complete, the next step is what? A) Ensure buy-in from all key stakeholders B) Follow up on detailed recommendations to ensure they are implemented C) Properly file the work product before moving on to the next project D) Conduct a postmortem to look for opportunities to improve the process
D
Risk __________ is the practice of identifying, assessing, controlling, and mitigating risks. A) mitigation B) assessment C) evaluation D) management
D
When risk is reduced to an acceptable level, the remaining risk is referred to as _________. A) remaining risk B) acceptable risk C) low-impact risk D) residual risk
D
When should you perform a risk assessment? A) when eliminating a threat B) continuously C) when mitigating a threat D) periodically
D
Which of the following is NOT one of the most common categories of impact that should be included in a security risk profile? A) reputation B) legal C) financial D) economic
D
Which of the following is not considered an important point to articulate when specifying a risk? A) who or what is the threat B) why is the vulnerability causing exposure C) what is the impact D) what employee might be responsible
D
__________ is the negative result if the risk occurs. A) Value B) Probability C) Risk D) Impact
D
The risk value of an asset is directly proportional to the _______ and _______ of a particular threat exploiting a vulnerability after considering the controls in place that are protecting the asset. A) Force, Popularity B) Likelihood, Popularity C) Impact, Severity D) Popularity, Damage E) Impact, Likelihood
E
A business impact analysis is intended to include all IT functions. T/F?
F
A risk assessment is the same as a risk management program. T/F?
F
A threat is a weakness, but a vulnerability is an activity that represents a possible danger. T/F?
F
All companies face the same set of vulnerabilities. T/F?
F
All vulnerabilities result in loss. T/F?
F
An IT asset inventory is a list of IT assets that are vulnerable to a specific threat that is under assessment. T/F?
F
An organization should implement as many controls as possible. T/F?
F
Any and all challenges you face when completing an RA depend on whether you are completing a quantitative or qualitative Risk Analysis. T/F?
F
Asset valuation is NOT a major priority of risk management. T/F?
F
Balanced security satisfies everyone. T/F?
F
CBA stands for Cost Benefit Authorization. T/F?
F
Compensating controls are controls in place that do not effectively reduce exploitability. T/F?
F
In a qualitative Risk Analysis it is important to define value according to the standard scale. T/F?
F
It is essential that risk management be driven by the potential for worst-case scenarios. T/F?
F
Questionnaires, forms, and surveys are the standard way to collect data for a BIA. T/F?
F
Stratified Sampling is "based on a systematic approach to selecting sample units from a population." T/F?
F
The internal LAN is always considered a trusted zone. T/F?
F
There are complete and set guidelines for how to perform personnel observations during the RIIOT technique. T/F?
F
When using the RIIOT method for data gathering, it is essential to inspect security controls prior to interviewing key personnel in order to understand the systems that employees are operating and potentially putting at risk. T/F?
F
A Risk Assessment team should focus both on critical areas and on what management might consider important. T/F?
T
Risk management choices are made in a top-down fashion affecting the sensitivity of risk throughout the organization. T/F?
T
Sampling is also known as "representative testing." T/F?
T
Some recovery point objectives require you to recover data up to a moment in time. T/F?
T
The first part of a qualitative Risk Rating attempts to prioritize risk. The remaining parts of the qualitative Risk Rating evaluate the effectiveness of controls as related to the risk. T/F?
T
The two primary terms related to recovery requirements are recovery time objective and recovery point objective. T/F?
T
The ultimate goal in risk management is to protect the organization. T/F?
T
An assessment is only as valuable as the expertise of the experts. T/F?
T
Uncertainty level indicates how valid data is. T/F?
T
A _________ is the likelihood that a loss will occur. A) vulnerability B) threat C) risk D) assessment
C
Organizations that accept risk are generally in a ________ mode whereas larger, more well-established organizations are typically more ____________ to risk taking. A) mature, averse B) growth, acceptable C) growth, averse D) non-growth, acceptable
C
A key step in managing risk is to first understand and manage the source. T/F?
T
Inherent risk is the value of the unmitigated risk exposure. T/F?
T
It is often useful to categorize an organization's environments by risk sensitivity and then go deeper into the specific sensitive resources in each environment. T/F?
T
Malware is a threat to security. T/F?
T
Residual risk = Total Risk - Controls. T/F?
T
Risk analysis is part of the risk assessment process. T/F?
T
Risk management is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated. T/F?
T
Risk tolerance levels reflect an organization's culture and disposition of upper management. T/F?
T
The RIIOT technique can be used with any set of security document requirements, standards or guidelines. T/F?
T
The more data you store, the more valuable that collection of data becomes. T/F?
T
What is a major type of vulnerability for users? A) social engineering B) natural disasters C) firmware D) database relations
A
A relative measurement of a resource's tolerance for risk exposure is: A) Risk aversion B) Threat landscape C) Risk sensitivity D) Vulnerability score
C
The objective of the "inspect security controls" approach in the RIIOT technique is to present alternative methods of potentially reducing risks to an organization. T/F?
F
With proper security measures, a company can eliminate threats. T/F?
F