ISO ____ is the ISO standard for the performance of risk management, and includes a five-stage risk management methodology.
A) 27001 B) 27002 C) 27004 D) 27005
Residual risk is a combined function of all but which of the following? A) A threat less the effect of threat-reducing safeguards B) A vulnerability less the effect of vulnerability-reducing safeguards C) An asset less the effect of asset value-reducing safeguards D) Residual risk less a factor of error
D. Residual risk less a factor of error
____ feasibility determines acceptable practices based on consensus and relationships among the communities of interest.
A) Organizational B) Political C) Technical D) Operational
Asset valuation must account for value _____.
A) from providing the information B) acquired from the cost of protecting the asset C) of intellectual property D) All of these
D. from providing the information, acquired from the cost of protecting the asset, and of intellectual property
Once a control strategy has been selected and implemented, controls should be ____ on an ongoing basis to determine their effectiveness and to estimate the remaining risk.
A) budgeted B) updated C) monitored and measured D) evaluated and funded
Communicating new or revised policy to employees is adequate to assure compliance.
The goal of information security is to bring residual risk in line with an organization’s risk appetite.
____ feasibility is also referred to as behavioral feasibility.
A) Operational B) Organizational C) Political D) Technical
When a vulnerability (flaw or weakness) exists, you should implement security policies to reduce the likelihood of a vulnerability being exercised.
At a minimum, each information asset–threat pair should have a(n) ____ that clearly identifies any residual risk that remains after the proposed strategy has been executed.
A) risk management plan B) documented control strategy C) asset valuation D) cost-benefit analysis
B. documented control strategy
The risk control strategy of avoidance means understanding the consequences and avoiding risk by not placing a system in a situation that could result in a loss.
The goal of information security is to bring residual risk to zero.
The ____ is the indication of how often you expect a specific type of attack to occur.
A) SLE B) ALE C) CBA D) ARO
Which of the following plans would not be considered a mitigation control approach?
A) Incident response plan B) Acceptance plan C) Disaster recovery plan D) Business continuity plan
In Risk Management is asset valuation, as it is relatively easy to determine accurately the true value of information and information-bearing assets.
____ is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
A) Residual risk B) Risk appetite C) Risk assurance D) Risk management
Cost Benefit Analysis is determined by calculating the single loss expectancy before new controls minus the annualized loss expectancy after controls are implemented minus the annualized cost of the safeguard.
The Annualized Loss Expectancy in the CBA formula is determined as ____.
A) ALE * ARO B) SLE * ARO C) ACS - SLE(post) D) AV * EF
Which of the following is NOT an alternative to cost-benefit analyses?
A) Benchmarking B) Due care/due diligence C) Baselining D) ISO 17799 based controls
D. ISO 17799 based controls
The only use of the acceptance strategy that industry practices recognize as valid occurs when the organization has done all but which of the following?
Determined that the particular function, service, information, or asset did justify the cost of additional protection
Before deciding on the risk control strategy for a specific vulnerability, an organization must explore all readily accessible information about the ____ consequences of the vulnerability.
A) cost avoidance B) risk C) economic and non-economic D) feasibility
C. economic and non-economic
Asset evaluation is the process of assigning financial worth to each information asset.
Application of training and education is a technique of the ____ control strategy.
A) mitigation B) avoidance C) acceptance D) transference
An organization that chooses to outsource its risk management practice to independent consultants is taking the ____ control approach. A) avoidance B) mitigation C) transference D) acceptance
____ is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk, and how much risk exists for the asset. A) Risk B) Asset value C) Cost D) Benefit
A system’s exploitable vulnerabilities are usually determined after the system is designed.
Step-by-step rules to regain normalcy is covered by which of the following plans in the mitigation control approach? A) Incident response plan B) Business continuity plan C) Disaster recovery plan D) Damage control plan
C. Disaster recovery plan
Economic feasibility is a standard that is commonly used when evaluating a project that implements information security safeguards.
Risk appetite (also known as risk tolerance) is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
Some organizations document the outcome of the control strategy for each information asset–threat pair in a(n) _____, which includes concrete tasks with accountability for each task being assigned to an organizational unit or to an individual. A) risk management plan B) control strategy C) cost-benefit analysis D) action plan
The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge, was designed for large organizations with 300 or more users, while OCTAVE-Allegro was designed for smaller organizations of about 100 users.
True - per test bank False - per book
Which of the following is NOT among the items that affect the cost of a control? A) Training fees B) Service costs C) Asset resell costs D) Maintenance costs
Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low.
A single loss expectancy is calculated by multiplying the asset value by the ____. A) annualized cost of the safeguard B) exposure factor C) annualized rate of occurrence D) asset value
Economic and non-economic effects of a weakness must be evaluated after a strategy for dealing with a particular vulnerability has been selected.
____ feasibility examines whether the organization has access to the technology necessary to manage control alternatives. A) Political B) Operational C) Technical D) Organizational
A cost-benefit analysis is conducted by subtracting the post-control annualized loss expectancy and the ____ from the pre-control loss expectancy. A) annualized cost of the safeguard B) exposure factor C) annualized rate of occurrence D) asset value
A. annualized cost of the safeguard
The ____ is the calculation of the value associated with the most likely loss from an attack. A) SLE B) ALE C) CBA D) ARO
____ is the process of assigning financial value or worth to each information component. A) Asset valuation B) Cost-benefit analysis C) Auditing D) Accountability
Avoidance of risk is the choice to forgo the use of security measures and accept loss in the event of an attack.