Quiz 3
If you know a single loss expectancy is $100 and the associated annualized rate of occurrence is 5, what is the annual loss expectancy?
$500
What is the formula for single loss expectancy (SLE)?
AV * EF
A security risk assessment which is technically accurate is still a failure if it what? - doesn't include an assignment of blame for specific security failings - fails to provide detailed mitigation strategies - includes unactionable positive findings - alienates those who receive the information
Alienates those who receive the information
(T/F): Inherent risk is the value of the unmitigated risk exposure.
True
(T/F): Malignant Threats are threats that are always present.
True
(T/F): Risk Management choices are made in a top down fashion affecting the sensitivity of risk throughout the organization.
True
(T/F): Risk tolerance levels reflect an organization's culture & the disposition of upper management.
True
(T/F): Some recovery point objectives require you to recover data up to a moment in time.
True
(T/F): The 2 primary terms related to recovery requirements are recovery time objective and recovery point objective.
True
Which of the following is not considered an important point to articulate when specifying a risk? - why is the vulnerability causing exposure - what employee might be responsible - what is the impact - who or what is the threat
What employee might be responsible
When identifying mission-critical business functions and processes, who or what possess(es) the key information?
experts
Formulas for quantitative risk assessments usually look at a period of ____.
one year
What is NOT a direct cost? - equipment replacement costs - penalty costs for non-repudiation issues - building replacement costs
penalty costs for non-repudiation issues
When should you perform a risk assessment?
periodically
Which of the following would not be a common category for asking risk sensitivity questions? - legal - financial - reputation - skills - regulatory
skills
BIA stands for ____.
Business Impact Analysis
(T/F): An organization should implement as many controls as possible.
False
If there are 3 possible outcomes to an event: one with a probability of 40% that will cost you $4000, one with a probability of 30% that will cost you $1500, and another with a probability of 30% that will cost you $2500, what is your expected loss?
2800
Which of the following can be calculated using the values from an annualized rate of occurrence multiplied by the values from a single loss expectancy (SLE)? - asset valuation - cost benefit analysis - annualized loss expectancy - operational feasibility
Annualized Loss Expectancy (ALE)
2 of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process? - creating an inventory of information assets - assigning a value to each information asset - calculating the severity of risks to which assets are exposed in their current setting - classifying and organizing information assets into meaningful groups
Calculating the severity of risks to which assets are exposed in their current setting
(T/F): A BIA typically identifies the customers and how the organization plans to serve them.
False
(T/F): A business impact analysis is concerned with identifying & implementing recovery methods.
False
(T/F): A business impact analysis is intended to include all IT functions.
False
(T/F): A security scan & a risk assessment are the same.
False
(T/F): Compensating controls are controls in place that do not effectively reduce exploitability.
False
The risk value of an asset is directly proportional to the ____ and ____ of a particular threat exploiting a vulnerability after considering the controls in place that are protecting the asset. - force, popularity - impact, likelihood - impact, severity - likelihood, popularity - popularity, damage
Impact, Likelihood
What are the 2 primary methods used to create a risk assessment?
Quantitative & Qualitative
RTO stands for ____.
Recovery Time Objective
Risk = ____ x ____ x ____
Risk = Cost of Asset X Likelihood X Threat
Low recovery time objectives are ____ but ____.
achievable, costly