Module 11 Risk Mitigation


Which of the following are key regulations and standards in BIA?

- International Organization for Standardization (ISO) 22301
- National Fire Protection Act 1600
- Federal Financial Institutions Examination Council's (FFIEC) BCP standard

detective control

A control designed to identify any threat that has reached the system.

Operational

A control implemented and executed by people.

Technical

A control incorporated as part of hardware, software, or firmware.

deterrent control

A control that attempts to discourage security violations before they occur.

preventative control

A control that attempts to prevent the threat from coming in and reaching contact with the vulnerability.

physical control

A control that implements security in a defined structure and location.

corrective control

A control that is intended to mitigate or lessen the damage caused by an incident.

compensating control

A control that provides an alternative to normal controls that for some reason cannot be used.

Managerial

A control that uses administrative methods.

policy

A document that outlines specific requirements or rules that must be met.

Prescriptive frameworks

A framework that describes specific cybersecurity issues, such as security controls, which must be addressed.

Risk-based frameworks

A framework that focuses on the management and measurement of risk.

engineering trade-offs

A means for addressing compromises in risk evaluation.

White Team

A penetration testing team that enforces the rules of the penetration testing.

Blue Team

A penetration testing team that monitors for Red Team attacks and shores up defenses as necessary.

Red Team

A penetration testing team that scans for vulnerabilities and then exploits them.

continuous monitoring policy

A policy that defines how the organization may monitor its employees.

acceptable use policy (AUP)

A policy that defines the actions users may perform while accessing devices and networks belonging to the organization.

data ownership policy

A policy that defines the duties of a data custodian and a data owner for the protection of data.

data retention policy

A policy that outlines how to maintain information in the user's possession for a predetermined length of time.

code of conduct/ethics policy

A policy that outlines the expectations regarding an employee's behavior toward their colleagues, supervisors, customers, and other constituents.

work product retention policy

A policy that outlines who owns the material produced by an employee in the course of his or her work.

systems assessment

A process for evaluating the cybersecurity protections of a system.

business impact analysis (BIA)

A process for identifying business processes and functions and then quantifying the impact a loss of these functions may have on business operations.

account management policy

A security policy for personnel who are responsible for the management of user accounts, access to shared information or network devices, or access to information held within a database, application, or shared file space.

password policy

A security policy to address how passwords are created and managed.

audit

A systematic evaluation of the effectiveness of the controls when compared against a state of established criteria.

exercises

A technical activity for cyberteams.

Tabletop

A training exercise involving a monthly 30-minute discussion of a scenario conducted in an informal and stress-free environment.

Which of the following is also known as a fair use policy?

Acceptable use(age) policy

compliance audits

An audit to determine if controls are being properly implemented.

regulatory audits

An audit to ensure the controls are aligning to regulations established by outside agencies.

assessment

An internal review of security controls that are compared against stated security objectives.

Which of the following is a systematic evaluation of the effectiveness of the controls as compared to a state of established criteria?

Audit

Giovanni is completing a report on risks. Which risk option would he use to classify the organization's decision not to construct a new data center because it would be located in an earthquake zone?

Avoidance

What identifies business processes and functions and then quantifies the impact a loss of these functions may have on business operations?

BIA

Which of the following is NOT covered by an AUP?

Competitors

security controls

Countermeasures for managing risk.

Which of the following policies defines the management of and access to the data within an organization?

Data Ownership

Simona needs to research a control that attempts to discourage security violations before they occur. Which control will she research?

Deterrent control

training

End-user instruction to increase risk awareness.

Which of the following threats would be classified as the actions of a hacktivist?

External threat

True or False: A preventative control is designed to identify any threat that has reached the system.

False

True or False: Risk avoidance utilizes cybersecurity insurance.

False

True or false: Risk discovery and elimination should not be communicated with stakeholders.

False

True or false: The risk identification phase in the risk management process determines the risk faced by the assets.

False

In which of the following threat classifications would a power blackout be classified?

Operational

Which of the following control categories includes conducting workshops to help users resist phishing attacks?

Operational

Which of the following is a step-by-step implementation of a policy?

Procedure

Purple Team

Provides real-time feedback between the Red and Blue Teams to enhance the testing.

Which of the following is NOT a category of risk?

Public

Which of the following approaches to risk calculation typically assigns a numeric value (1-10) or label (High, Medium, or Low) to represent a risk?

Qualitative risk calculation

Risk prioritization

Ranking risks so that the most critical risks are addressed first.

supply chain assessment

Reducing the risk of supply chain infections by evaluating the steps in the chain.

Which of these is NOT a formal and documented response to risk?

Resistance

Which of the following is a list of potential threats and associated risks?

Risk register

Which of the following frameworks focuses on the management and measurement of risk?

Risk-based frameworks

Emiliano needs to determine the expected monetary loss every time a risk occurs. Which formula will he use?

SLE

Which of the following is NOT used in a cyber systems assessment?

SOAR analysis

Which threat classification affects the long-term goals of the organization?

Strategic

Which of the following is NOT a threat classification category?

Tactical

What is logical control also known as?

Technical Control

risk magnitude

The impact of a risk.

risk probability

The likelihood that a risk will be exploited within a specific period of time.

risk identification process

The procedures for identifying risk.

communication of risk factors

The process of informing constituents of risk prioritization.

documenting compensating controls

The process of recording controls.

hardware source authenticity

The process of verifying that hardware components have been purchased from a reputable supplier.

procedure

The step-by-step implementation of a policy.

Vendor due diligence (VDD)

The steps that purchasers take to vet a supplier from which they are purchasing the hardware or software.

Which of the following is NOT correct about supply chain infections?

They only involve software.

True or False: An operational control is implemented and executed by people.

True

True or False: At a basic level, risk may be defined as a situation that involves exposure to some type of danger, while at a more advanced level, risk can be described as a function of threats, consequences of those threats, and the resulting vulnerabilities.

True

True or false: A policy is a set of principles or guidelines that must define an objective for the organization.

True

True or false: Business impact analysis determines the impact if any critical function goes down.

True

True or false: Prescriptive frameworks define a specific direction or a series of steps, which can be in the form of procedures.

True

What does a work product retention policy address?

Who owns material produced by an employee

framework

A series of documented processes used to define policies and procedures for the implementation and management of security controls in an enterprise environment.
