Quiz 3


If you know a single loss expectancy is $100 and the associated annualized rate of occurrence is 5, what is the annual loss expectancy?

$500

The formula for single loss expectancy (SLE) is?

AV * EF

A security risk assessment which is technically accurate is still a failure if it what?
- Doesn't include an assignment of blame for specific security failings
- Fails to provide detailed mitigation strategies
- Includes unactionable positive findings
- Alienates those who receive the information

Alienates those who receive the information

(T/F): Inherent risk is the value of the unmitigated risk exposure.

True

(T/F): Malignant Threats are threats that are always present.

True

(T/F): Risk Management choices are made in a top down fashion affecting the sensitivity of risk throughout the organization.

True

(T/F): Risk tolerance levels reflect an organization's culture & the disposition of upper management.

True

(T/F): Some recovery point objectives require you to recover data up to a moment in time.

True

(T/F): The 2 primary terms related to recovery requirements are recovery time objective and recovery point objective.

True

Which of the following is not considered an important point to articulate when specifying a risk?
- Why is the vulnerability causing exposure
- What employee might be responsible
- What is the impact
- Who or what is the threat

What employee might be responsible

When identifying mission-critical business functions and processes, who or what possess(es) the key information?

experts

Formulas for quantitative risk assessments usually look at a period of ____.

one year

What is NOT a direct cost?
- Equipment replacement costs
- Penalty costs for non-repudiation issues
- Building replacement costs

penalty costs for non-repudiation issues

When should you perform a risk assessment?

periodically

Which of the following would not be a common category for asking risk sensitivity questions?
- Legal
- Financial
- Reputation
- Skills
- Regulatory

skills

BIA stands for ____.

Business Impact Analysis

(T/F): An organization should implement as many controls as possible.

False

If there are 3 possible outcomes to an event, one of which has a probability of 40% and will cost you $4000 and one of which has a probability of 30% and which will cost you $1500, and another with a probability of 30% that will cost you $2500, what is your expected loss?

2800

Which of the following can be calculated using the values from an annualized rate of occurrence multiplied by the values from a single loss expectancy (SLE)?
- Asset valuation
- Cost benefit analysis
- Annualized loss expectancy
- Operational feasibility

Annualized Loss Expectancy (ALE)

Two of the activities involved in risk management are identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
- Creating an inventory of information assets
- Assigning a value to each information asset
- Calculating the severity of risks to which assets are exposed in their current setting
- Classifying and organizing information assets into meaningful groups

Calculating the severity of risks to which assets are exposed in their current setting

(T/F): A BIA typically identifies the customers and how the organization plans to serve them.

False

(T/F): A business impact analysis is concerned with identifying & implementing recovery methods.

False

(T/F): A business impact analysis is intended to include all IT functions.

False

(T/F): A security scan & a risk assessment are the same.

False

(T/F): Compensating controls are controls in place that do not effectively reduce exploitability.

False

The risk value of an asset is directly proportional to the ____ and ____ of a particular threat exploiting a vulnerability after considering the controls in place that are protecting the asset.
- Force, popularity
- Impact, likelihood
- Impact, severity
- Likelihood, popularity
- Popularity, damage

Impact, Likelihood

What are the 2 primary methods used to create a risk assessment?

Quantitative & Qualitative

RTO stands for ____.

Recovery Time Objective

Risk = ____ x ____ x ____

Risk = Cost of Asset x Likelihood x Threat

Low recovery time objectives are ____ but ____.

achievable, costly
