Is an evaluation of the threats to information assets including a determination of their likelihood of occurrence and potential impact of an attack?


Terms in this set (57)

Having an established risk management program means that an organization's assets are completely protected.
a. True
b. False

a. True
*b. False

The IT community often takes on the leadership role in addressing risk.
a. True
b. False

a. True
*b. False

MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof.
a. True
b. False

a. True
*b. False

Likelihood is the overall rating of the probability that a specific vulnerability will be exploited or attacked.
a. True
b. False

*a. True
b. False

Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.
a. True
b. False

*a. True
b. False

When operating any kind of organization, a certain amount of debt is always involved.
a. True
b. False

a. True
*b. False

Risk identification, risk analysis, and risk evaluation are part of a single function known as risk protection.
a. True
b. False

a. True
*b. False

Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair.
a. True
b. False

a. True
*b. False

The recognition, enumeration and documentation of risks to an organization's information assets is known as risk control.
a. True
b. False

a. True
*b. False

An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as exploit assessment.
a. True
b. False

a. True
*b. False

A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as data categorization scheme.
a. True
b. False

a. True
*b. False

The probability that a specific vulnerability within an organization will be the target of an attack is known as risk
a. True
b. False

a. True
*b. False

The information technology management community of interest often takes on the leadership role in addressing risk.
a. True
b. False

a. True
*b. False

A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet.
a. True
b. False

a. True
*b. False

The degree to which a current control can reduce risk is also subject to a calculation error.
a. True
b. False

a. True
*b. False

For an organization to manage its infosec risk properly, managers should understand how information is:
a. collected
b. processed
c. transmitted
d. all of these are needed

*d. all of these are needed

The risk management framework includes all of the following except:
a. Executive governance and support
b. framework design
c. process contingency planning
d. continuous improvement

*c. process contingency planning

Which of these denotes the overall structure of the strategic planning and design for the entirety of the organization's risk management efforts?

a. RM framework
b. RM process
c. RM initiative
d. RM leadership

*a. RM framework

Which of these denotes the identification, analysis, evaluation and treatment of risk to information assets?
a. RM framework
b. RM process
c. RM initiative
d. RM leadership

*b. RM process

Factors that affect the external context and impact the risk management process, its goals and its objectives include all of the following except:
a. the organization's governance structure
b. the legal/regulatory/compliance environment—laws, regulations, industry standards
c. the business environment—customers, suppliers, competitors
d. the threat environment—threats, known vulnerabilities, attack vectors

*a. the organization's governance structure

Which of the following is not a role of managers within the communities of interest in controlling risk?
a. general management must structure the IT and InfoSec functions
b. IT management must serve the IT needs of the broader organization
c. legal management must develop corporate-wide standards
d. InfoSec management must lead the way with skill, professionalism, and flexibility

*c. legal management must develop corporate-wide standards

Which of the following is not a task performed by the governance group during the framework design phase, in cooperation with the framework team?

a. ensuring compliance with all legal and regulatory statutes and mandates
b. guiding the development of, and formally approving, the RM policy
c. recommending performance measures for the RM effort and ensuring that they are compatible with other performance measures in the organization
d. specifying who will supervise and perform the RM process

*d. specifying who will supervise and perform the RM process

The _________ converts the instructions and perspectives provided to the risk management framework team into cohesive guidance that structures and directs all subsequent risk management efforts.
a. risk management policy
b. enterprise information security policy
c. risk control implementation policy
d. risk management board directive

*a. risk management policy

Once the members of the risk management framework team have been identified, the governance group should communicate all of the following for the overall risk management program EXCEPT:

a. its personnel structure
b. its desired outcomes
c. its priorities
d. its intent

*a. its personnel structure

A well-defined risk appetite should have the following characteristics EXCEPT:
a. It is not limited by stakeholder expectations.
b. It acknowledges a willingness and capacity to take on risk.
c. It is documented as a formal risk appetite statement.
d. It is reflective of all key aspects of the business.

*a. It is not limited by stakeholder expectations.

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between security and unlimited accessibility is known as:
a. residual risk
b. risk appetite
c. risk acceptance
d. risk avoidance

*b. risk appetite

What is the risk to information assets that remains even after current controls have been applied?

a. residual risk
b. risk appetite
c. risk tolerance
d. risk avoidance

*a. residual risk

According to the Corporate Governance Task Force, which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?

a. Initiating
b. Establishing
c. Acting
d. Learning

*a. Initiating

What is the assessment of the amount of risk an organization is willing to accept for a particular information asset?
a. residual risk
b. risk appetite
c. risk tolerance
d. risk avoidance

*c. risk tolerance

Which of the following activities is part of the risk identification process?

a. determining the likelihood that vulnerable systems will be attacked by specific threats
b. calculating the severity of risks to which assets are exposed in their current setting
c. assigning a value to each information asset
d. documenting and reporting the findings of risk analysis

*c. assigning a value to each information asset

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset identification using this attribute difficult?

a. part number
b. serial number
c. MAC address
d. IP address

*d. IP address

Factors that affect the internal context and impact the risk management process, its goals and its objectives include all of the following except:

a. The organization's governance structure
b. The organization's culture
c. The maturity of the organization's information security program
d. The threat environment—threats, known vulnerabilities, attack vectors

*d. The threat environment—threats, known vulnerabilities, attack vectors

Which of the following attributes does NOT apply to software information assets?

a. serial number
b. controlling entity
c. manufacturer name
d. product dimensions

*d. product dimensions

Which of the following is an attribute of a network device built into the network interface?

a. serial number
b. MAC address
c. IP address
d. model number

*b. MAC address

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

a. name
b. MAC address
c. serial number
d. manufacturer's model or part number

*d. manufacturer's model or part number
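The three cards above (an IP address that changes with the DHCP lease, a MAC address that is built into the interface but is not foolproof, and the manufacturer's model or part number that survives later analysis) are easier to see against data. The script below is an added example, not part of this set or of the textbook it summarises: it parses a handful of constructed lease records in a simplified ISC dhcpd.leases layout (real files carry more fields; the hosts, addresses, MACs and serial numbers are hypothetical), shows one MAC holding three different IP addresses in a single day, flags a MAC that has announced two different hostnames, which is what a software-overridden MAC on a second device looks like in the lease file, and reconciles what was seen against an inventory keyed on the manufacturer serial number rather than on either address.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified ISC dhcpd.leases layout (real files
# carry more fields).  Hosts, addresses and MACs are hypothetical.  The
# third record deliberately reuses the first laptop's MAC, in upper case,
# under a different hostname.
SAMPLE_LEASES = """\
lease 10.20.1.57 {
  starts 5 2024/03/08 08:01:10;
  hardware ethernet 3c:52:82:aa:01:9e;
  client-hostname "lt-finance-07";
}
lease 10.20.1.112 {
  starts 5 2024/03/08 13:44:02;
  hardware ethernet 3c:52:82:aa:01:9e;
  client-hostname "lt-finance-07";
}
lease 10.20.1.200 {
  starts 5 2024/03/08 14:10:45;
  hardware ethernet 3C:52:82:AA:01:9E;
  client-hostname "unknown-android";
}
lease 10.20.1.58 {
  starts 5 2024/03/08 08:02:31;
  hardware ethernet 00:1b:21:7f:33:c0;
  client-hostname "ws-hr-02";
}
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)
FIELD_RE = re.compile(r"(?P<key>hardware ethernet|client-hostname|starts)\s+(?P<val>[^;]+);")


def parse_leases(text):
    """One dict per lease record: ip, mac (lower-cased), hostname, starts."""
    records = []
    for m in LEASE_RE.finditer(text):
        rec = {"ip": m.group("ip"), "mac": None, "hostname": None, "starts": None}
        for f in FIELD_RE.finditer(m.group("body")):
            key, val = f.group("key"), f.group("val").strip().strip('"')
            if key == "hardware ethernet":
                rec["mac"] = val.lower()   # normalise case before any comparison
            elif key == "client-hostname":
                rec["hostname"] = val
            else:
                rec["starts"] = val
        records.append(rec)
    return records


def addresses_by_mac(records):
    """IP addresses each MAC has held.  More than one means the address
    changed with the lease, so the IP cannot serve as the asset's identifier."""
    seen = defaultdict(set)
    for r in records:
        seen[r["mac"]].add(r["ip"])
    return {mac: sorted(ips) for mac, ips in seen.items()}


def conflicting_hostnames(records):
    """MACs that have announced more than one hostname.  A MAC is burned into
    the interface but can be overridden in software, so a second device
    presenting the same MAC shows up here; so does a legitimately reimaged
    machine, which is why this is a signal to investigate, not proof."""
    names = defaultdict(set)
    for r in records:
        if r["hostname"]:
            names[r["mac"]].add(r["hostname"])
    return {mac: sorted(n) for mac, n in names.items() if len(n) > 1}


# Constructed inventory keyed on the manufacturer serial number and model;
# the MAC is recorded as a secondary attribute, never as the key.
INVENTORY = {
    "SN-7FQ2X9": {"model": "LT-5540", "mac": "3c:52:82:aa:01:9e", "name": "lt-finance-07"},
    "SN-C3K11P": {"model": "WS-400", "mac": "00:1b:21:7f:33:c0", "name": "ws-hr-02"},
}


def unregistered_macs(records, inventory):
    """MACs observed on the network that no inventory entry accounts for."""
    known = {entry["mac"] for entry in inventory.values()}
    return sorted({r["mac"] for r in records} - known)


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    print("addresses per MAC:", addresses_by_mac(leases))
    print("MACs with conflicting hostnames:", conflicting_hostnames(leases))
    print("MACs not in inventory:", unregistered_macs(leases, INVENTORY))
```

Run against the sample, the laptop's MAC is reported with three addresses and two hostnames, while the inventory check passes because both MACs are registered; the duplicated MAC is only caught by the hostname conflict, which is the practical form of "not foolproof". Keying the inventory on the serial number and model is what lets the later threat analysis ask which devices of a given model are affected, regardless of what address they happen to hold.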

Data classification schemes should categorize information assets based on which of the following?

a. value and uniqueness
b. sensitivity and security needs
c. cost and replacement value
d. ease of reproduction and fragility

*b. sensitivity and security needs

Classification categories must be mutually exclusive and which of the following?

a. repeatable
b. documentable
c. comprehensive
d. selective

*c. comprehensive
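A scheme is mutually exclusive when every asset fits exactly one category and comprehensive when no asset is left without one, and both properties can be checked mechanically against the inventory rather than taken on trust. The Python below is an added example, not from this set or the textbook it summarises; the category names, the rules that define them and the five inventory entries are constructed. The first scheme fails both tests; the corrected scheme removes the overlap by ordering the rules from most to least restrictive, with each rule excluding what an earlier one already claims, and closes the gap by adding a category for the audience the original rules never covered.

```python
# Constructed scheme: each category is a rule over an asset's attributes.
# Category names, attribute names and the inventory are hypothetical.
def _regulated(asset):
    return bool(asset.get("pii") or asset.get("phi"))

def _internal(asset):
    return not _regulated(asset) and asset["audience"] == "employees"

def _public(asset):
    return asset["audience"] == "anyone"

SCHEME = [
    ("Confidential", _regulated),
    ("Internal", _internal),
    ("Public", _public),
]

SAMPLE_INVENTORY = [
    {"id": "hr-payroll-db", "audience": "employees", "pii": True},
    {"id": "intranet-wiki", "audience": "employees", "pii": False},
    {"id": "press-kit", "audience": "anyone", "pii": False},
    # Overlap: meant for anyone, yet it holds PII, so two rules claim it.
    {"id": "alumni-directory", "audience": "anyone", "pii": True},
    # Gap: partner-only material that none of the three rules covers.
    {"id": "vendor-contracts", "audience": "partners", "pii": False},
]


def classify(asset, scheme=SCHEME):
    """Every category whose rule accepts the asset (ideally exactly one)."""
    return [name for name, rule in scheme if rule(asset)]


def validate_scheme(inventory, scheme=SCHEME):
    """Return (overlaps, gaps).

    overlaps: {asset id: [categories]} for assets matching more than one
              category, i.e. the scheme is not mutually exclusive.
    gaps:     asset ids matching no category, i.e. the scheme is not
              comprehensive.
    Both empty means the scheme passes both tests over this inventory."""
    overlaps, gaps = {}, []
    for asset in inventory:
        cats = classify(asset, scheme)
        if len(cats) > 1:
            overlaps[asset["id"]] = cats
        elif not cats:
            gaps.append(asset["id"])
    return overlaps, gaps


# Corrected scheme: rules ordered from most to least restrictive, each one
# excluding what an earlier rule already claims, plus a Partner category so
# the partner audience is no longer uncovered.
def _partner(asset):
    return not _regulated(asset) and asset["audience"] == "partners"

def _public_only(asset):
    return not _regulated(asset) and asset["audience"] == "anyone"

FIXED_SCHEME = [
    ("Confidential", _regulated),
    ("Internal", _internal),
    ("Partner", _partner),
    ("Public", _public_only),
]


if __name__ == "__main__":
    print("original scheme:", validate_scheme(SAMPLE_INVENTORY, SCHEME))
    print("fixed scheme:   ", validate_scheme(SAMPLE_INVENTORY, FIXED_SCHEME))
```

The check is worth re-running whenever the inventory grows, since a scheme that was comprehensive over last year's assets can stop being so the first time a new kind of data (a new audience, a new regulatory attribute) appears in the inventory.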

What is the final step in the risk identification process?

a. assessing values for information assets
b. classifying and categorizing assets
c. identifying and inventorying assets
d. ranking assets in order of importance

*d. ranking assets in order of importance

Once an information asset is identified, categorized, and classified, what must be assigned to it?

a. asset tag
b. relative value
c. location ID
d. threat risk

*b. relative value

What should you be armed with to adequately assess potential weaknesses in each information asset?

a. properly classified inventory
b. audited accounting spreadsheet
c. intellectual property assessment
d. list of known threats

*a. properly classified inventory

Which of the following is an example of a technological obsolescence threat?

a. hardware equipment failure
b. unauthorized access
c. outdated servers
d. malware

*c. outdated servers

Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often:

a. create a subjective ranking based on anticipated recovery costs
b. estimate cost from past experience
c. leave the value empty until later in the process
d. use a consultant to calculate an exact value

*a. create a subjective ranking based on anticipated recovery costs

What is defined as the specific avenues that threat agents can exploit to attack an information asset?

a. liabilities
b. defenses
c. vulnerabilities
d. obsolescence

*c. vulnerabilities

Which of the following activities is part of the risk evaluation process?

a. creating an inventory of information assets
b. classifying and organizing information assets into meaningful groups
c. assigning a value to each information asset
d. calculating the severity of risks to which assets are exposed in their current setting

*d. calculating the severity of risks to which assets are exposed in their current setting

What should the prioritized list of assets and their vulnerabilities and prioritized list of threats facing the organization be combined to create?

a. risk exposure report
b. threats-vulnerabilities-assets worksheet
c. costs-risks-prevention database
d. threat assessment catalog

*b. threats-vulnerabilities-assets worksheet

An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?

a. risk determination
b. assessing potential loss
c. likelihood and consequences
d. uncertainty

*d. uncertainty

The organization can perform risk management using certain risk elements, including all but which of the following?

a. legacy cost of recovery
b. impact (consequence)
c. likelihood of threat event (attack)
d. element of uncertainty

*a. legacy cost of recovery

Which of the following is not among the typical columns in the risk rating worksheet?

a. uncertainty percentage
b. impact
c. risk-rating factor
d. likelihood

*a. uncertainty percentage

The identification, analysis, and evaluation of risk in an organization describes which of the following?

a. risk assessment
b. risk determination
c. risk management
d. risk reduction

*a. risk assessment

An understanding of the potential consequences of a successful attack on an information asset by a threat is known as:

a. impact
b. likelihood
c. uncertainty
d. tolerance

*a. impact

The state of having limited or imperfect knowledge of a situation, making it less likely that the organization can successfully anticipate future events or outcomes, is known as ______.

a. impact
b. likelihood
c. uncertainty
d. tolerance

*c. uncertainty

The probability that a specific vulnerability within an organization will be attacked by a threat is known as :

a. impact
b. likelihood
c. uncertainty
d. tolerance

*b. likelihood

The risk assessment deliverable titled__________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization.

a. information asset value weighted table analysis
b. risk ranking worksheet
c. threat severity weighted table analysis
d. TVA controls worksheet

*c. threat severity weighted table analysis

_______ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood, impact and possibly a measure of uncertainty.

a. information asset value weighted table analysis
b. risk ranking worksheet
c. threat severity weighted table analysis
d. TVA controls worksheet

*b. risk ranking worksheet
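The risk ranking worksheet card, together with the residual risk and risk tolerance cards earlier in the set, describes a calculation without showing one. The code below is an added example, not from this set or the textbook it summarises. The rating scheme is an assumption here, one common way to fill in the worksheet rather than a formula the set states: rating = likelihood x impact, marked up by the analyst's uncertainty so poorly understood risks rank higher rather than lower; residual = rating with the fraction current controls are credited with mitigating removed; and each residual compared with the tolerance set for that asset, falling back to the organisation-wide appetite. The assets, threats, vulnerabilities and estimates are constructed.

```python
from dataclasses import dataclass


@dataclass
class TVA:
    """One threat-vulnerability-asset triple plus the analyst's estimates."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: float         # probability this vulnerability is attacked, 0..1
    impact: float             # consequence of a successful attack, on the asset value scale (1..100 here)
    uncertainty: float = 0.0  # how little the two estimates above are trusted, 0..1
    mitigated: float = 0.0    # fraction of the rating current controls are credited with removing, 0..1

    def __post_init__(self):
        for name in ("likelihood", "uncertainty", "mitigated"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be within [0, 1], got {value}")
        if self.impact < 0:
            raise ValueError("impact must not be negative")


def risk_rating(t):
    """Rating before controls: likelihood x impact, marked up by the
    uncertainty fraction (hypothetical scheme, see the lead-in)."""
    return round(t.likelihood * t.impact * (1.0 + t.uncertainty), 2)


def residual_risk(t):
    """What is left of the rating once current controls are credited."""
    return round(risk_rating(t) * (1.0 - t.mitigated), 2)


def risk_ranking_worksheet(triples, tolerance, appetite):
    """Build the worksheet rows, highest residual first.  Each row compares
    its residual with the tolerance set for that asset (falling back to the
    organisation-wide appetite) and records accept or treat."""
    rows = []
    for t in triples:
        limit = tolerance.get(t.asset, appetite)
        residual = residual_risk(t)
        rows.append({
            "asset": t.asset,
            "threat": t.threat,
            "vulnerability": t.vulnerability,
            "likelihood": t.likelihood,
            "impact": t.impact,
            "rating": risk_rating(t),
            "residual": residual,
            "tolerance": limit,
            "decision": "accept" if residual <= limit else "treat",
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed input: hypothetical assets, threats, vulnerabilities and estimates.
SAMPLE_TRIPLES = [
    TVA("customer-db", "external attacker", "SQL injection in order form", 0.5, 100, uncertainty=0.2),
    TVA("customer-db", "malicious insider", "DBA role granted to all developers", 0.3, 100, uncertainty=0.1, mitigated=0.5),
    TVA("intranet-wiki", "malware", "endpoints behind on security updates", 0.7, 20, mitigated=0.6),
    TVA("press-kit", "vandalism", "shared CMS editor password", 0.4, 5),
]
SAMPLE_TOLERANCE = {"customer-db": 20.0, "intranet-wiki": 10.0, "press-kit": 5.0}
APPETITE = 10.0   # default tolerance for any asset without its own figure


if __name__ == "__main__":
    for row in risk_ranking_worksheet(SAMPLE_TRIPLES, SAMPLE_TOLERANCE, APPETITE):
        print(f"{row['residual']:6.1f}  {row['decision']:6s}  "
              f"{row['asset']} / {row['threat']} / {row['vulnerability']}")
```

Two of the cards above are visible in the output: the insider triple has a higher inherent rating than the wiki triple but drops under its asset's tolerance once the existing control is credited (that remainder is the residual risk), and the uncertainty mark-up keeps the poorly understood injection risk at the top of the list. The range checks in the dataclass matter in practice; a likelihood typed as 50 instead of 0.5 would otherwise silently dominate the worksheet.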

_______ is the risk assessment deliverable that places each information asset into a ranked list according to its value based on criteria developed by the organization:

a. information asset value weighted table analysis
b. risk ranking worksheet
c. threat severity weighted table analysis
d. TVA controls worksheet

*a. information asset value weighted table analysis
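Weighted table analysis, which the two deliverables above use (one to rank information assets by value, one to rank threats by severity), is the same arithmetic in both cases: the organization chooses its criteria, weights them so they total 100 percent, scores each item against every criterion on a common scale, and ranks by the weighted sum. The function below is an added example, not from this set or its textbook, applied to both tables; the criteria, weights and scores are constructed, and the checks that the weights total 1.0 and that no item is missing a score are the validation a spreadsheet version of the worksheet usually lacks.

```python
def weighted_table(criteria, scores):
    """Rank items by weighted score.

    criteria: {criterion: weight}; the weights must total 1.0 (100 percent).
    scores:   {item: {criterion: score}} with every score on one common
              scale (0.0 to 1.0 here) so the criteria are comparable.
    Returns [(item, weighted_score)] highest first, rounded to 3 places."""
    total = sum(criteria.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights must total 1.0, got {total}")
    ranked = []
    for item, item_scores in scores.items():
        missing = set(criteria) - set(item_scores)
        if missing:
            raise ValueError(f"{item} has no score for {sorted(missing)}")
        weighted = sum(weight * item_scores[c] for c, weight in criteria.items())
        ranked.append((item, round(weighted, 3)))
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Information asset value weighted table analysis.  Criteria, weights and
# scores are constructed; an organisation chooses its own.
ASSET_CRITERIA = {"revenue_impact": 0.4, "profitability": 0.2, "public_image": 0.3, "replacement_cost": 0.1}
ASSET_SCORES = {
    "customer-db":   {"revenue_impact": 1.0, "profitability": 0.9, "public_image": 1.0, "replacement_cost": 0.6},
    "edi-gateway":   {"revenue_impact": 0.8, "profitability": 0.7, "public_image": 0.4, "replacement_cost": 0.5},
    "intranet-wiki": {"revenue_impact": 0.2, "profitability": 0.1, "public_image": 0.3, "replacement_cost": 0.2},
    "press-kit":     {"revenue_impact": 0.1, "profitability": 0.0, "public_image": 0.6, "replacement_cost": 0.1},
}

# Threat severity weighted table analysis with the same function.  The
# criteria are hypothetical stand-ins for the questions a threat assessment
# asks (how likely is the attack, what would recovery cost, what does
# protection cost); the scores are constructed.
THREAT_CRITERIA = {"likelihood": 0.5, "recovery_cost": 0.3, "protection_cost": 0.2}
THREAT_SCORES = {
    "malware":                    {"likelihood": 0.9, "recovery_cost": 0.6, "protection_cost": 0.3},
    "insider abuse":              {"likelihood": 0.4, "recovery_cost": 0.8, "protection_cost": 0.7},
    "hardware failure":           {"likelihood": 0.5, "recovery_cost": 0.5, "protection_cost": 0.2},
    "technological obsolescence": {"likelihood": 0.6, "recovery_cost": 0.4, "protection_cost": 0.5},
}


def rank_assets():
    return weighted_table(ASSET_CRITERIA, ASSET_SCORES)


def rank_threats():
    return weighted_table(THREAT_CRITERIA, THREAT_SCORES)


if __name__ == "__main__":
    for title, table in (("assets by value", rank_assets()), ("threats by severity", rank_threats())):
        print(title)
        for item, score in table:
            print(f"  {score:.3f}  {item}")
```

Scores must already be on a common scale before weighting: a criterion scored 1 to 5 beside one scored 0 to 1 would dominate the sum whatever weight it was given, so raw figures such as a replacement cost in currency are normalised first. The ranked asset list feeds the impact column of the risk worksheet, and the ranked threat list decides which threats are worth the detailed TVA work at all.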

In the area of risk management, process communications is the necessary information flow within and between all of the following except:

a. the corporate change control officer
b. the governance group
c. the RM framework team
d. the RM process team during implementation

*a. the corporate change control officer

The evaluation and reaction to risk to the entire organization is known as:

Enterprise risk management


Is an evaluation of the threats to information assets including a determination of their potential to endanger the organization?

An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is a threat assessment. The true/false card above that calls it an "exploit assessment" is deliberately wrong: an exploit is the technique a threat agent uses against a vulnerability, and the later step that estimates the likelihood of an attack and its impact on the asset is risk assessment.

What is the formula to evaluate the risk for each information asset?

A common shorthand is Risk = Threat x Vulnerability x Asset. Although risk is written here as a mathematical formula, it is not about exact numbers; it is a logical construct: a threat with no vulnerability to act on, or a vulnerability in an asset of no value, contributes no risk. The cards in this set express the same construct in the terms of the risk rating worksheet: the likelihood that a specific vulnerability is attacked, the impact on the asset if it is, the residual risk that remains after current controls, and possibly a measure of uncertainty. For example, suppose you want to assess the risk associated with the threat of hackers compromising a particular system.

What is risk evaluation in security?

In the risk management process this set describes, risk evaluation is the step that calculates the severity of the risks to which each asset is exposed in its current setting, current controls included, and compares that severity with the risk appetite and tolerance the organization has set; its output is the ranked worksheet that risk treatment works from. A security risk assessment of an application portfolio applies the same step to applications: it identifies and assesses their security defects and vulnerabilities, decides which controls to implement, and lets the organization view the portfolio holistically, from an attacker's perspective, rather than one application at a time.

What is the term used to describe the process allowing threats to be evaluated to determine their associated probability, impact and ease of identification?

Risk determination. It assesses threats and vulnerabilities to consider the likelihood that known threat sources will be able to exploit identified vulnerabilities to cause one or more adverse events, and the consequences (impact) if such events occur. In this set that step is the risk assessment that combines likelihood, impact and uncertainty into a rating for each threat-vulnerability-asset triple.