Upgrade to remove ads Show
Only ₩37,125/year
Review terms and definitions
Focus your studying with a path
Take a practice test
Get faster at matching terms Terms in this set (57)Having an established risk management program means that an organization's assets are completely protected. a. True The IT community
often takes on the leadership role in addressing risk. a. True MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof. a. True Likelihood is the overall rating of the probability
that a specific vulnerability will be exploited or attacked. *a. True Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair. *a. True When operating any kind of organization, a certain amount of debt is
always involved. a. True Risk identification, risk analysis, and risk evaluation are part of a single function known as risk protection. a. True Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. a. True The recognition, enumeration and documentation of risks to an organization's information assets is known as risk control. a. True An evaluation of the threats to information assets, including a determination of their potential to endanger the organization,
is known as exploit assessment. a. True A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as data categorization scheme. a. True The
probability that a specific vulnerability within an organization will be the target of an attack is known as risk a. True THe information technology management community of interest often takes on the leadership role in addressing risk. a. True A
prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. a. True The degree to which a current control can reduce risk is also subject to a calculation error. a. True For an
organization to manage its infosec risk properly, managers should understand how information is: *d. all of these are needed The risk management framework includes all of the following except: *c. process contingency planning Which of these denotes the overall structure of the strategic planning and design for the entirety of the organization's risk management efforts? a. RM framework *a. RM framework which of these denotes the identification, analysis,
evaluation and treatment of risk to information assets? *b. RM process Factors that affect the external context and impact the risk management process, it's goals and it's objectives include the following except: *a. the organization's governance structure Which of the following is not a role of managers within the communities interest in controlling risk? *c. legal management must develop corporate-wide standards Which of the following is not a task performed by the governance group during the framework design phase, in cooperation with the framework team? a. ensuring compliance
with all legal and regulatory statutes and mandates d. specifying who will supervise and perform the RM process The _________
converts the instructions and perspectives provided to the risk management framework team into cohesive guidance that structures and directs all subsequent risk management efforts. *a. risk management policy Once the members of the risk management framework team have been identified, the governance group should communicate all of the following for the overall risk management program EXCEPT: a. its personnel structure *a. its personnel structure A well-defined risk appetite should have the following characteristics EXCEPT: *a. It is not limited by stakeholder expectations. The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between security and unlimited accessibility is known as: b. risk appetite What is the risk to information assets that remains even after current controls have been applied? *a. residual risk *a. residual risk According to the Corporate Governance Task Force, which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? a. Initiating a. initiating What is the assessment of the amount of risk an organization is willing to accept for a particular information asset? c. risk tolerance Which of the following activities is part of the risk identification process? a. determining the likelihood that vulnerable systems will be attacked by specific threats
*c. assigning a value to each information asset Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset identification using this attribute difficult? a. part number d. IP address Factors that affect the internal context and impact the risk management process, it's goals and its objectives include the following except: a. The organization's governance structure *d. The threat environment—threats, known vulnerabilities, attack vectors Which of the following attributes does NOT apply to software information assets? a. serial number d. product dimensions Which of the following is an attribute of a network device built into the network interface? a. serial number b. MAC address Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components? a. name d. Manufacturer's model or part number Data classification schemes should categorize information assets based on which of the following? a. value and uniqueness b. sensitivity and security needs Classification categories must be mutually exclusive and which of the following? a. repeatable
*c. comprehensive What is the final step in the risk identification process? a. assessing values for information assets d. ranking assets in order of importance Once an information asset is identified, categorized, and classified, what must be assigned to it? a.. asset tag b. relative value What should you be armed with to adequately assess potential weaknesses in each information asset? a. properly classified inventory a. properly classified inventory Which of the following is an example of a technological obsolescence threat? a. hardware equipment failure *c. outdated servers Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often: a. create a subjective ranking based on anticipated recovery costs *a. create a subjective ranking based on anticipated recovery costs What is defines as specific avenues that threat agents can exploit to attack an information asset? a. liabilities c. vulnerabilities which of the following activities is part of the risk evaluation process? a. creating an inventory of information assets d. calculating the severity of risks to which assets are exposed in their current setting What should the prioritized list of assets and their vulnerabilities and prioritized list of threats facing the organization be combined to create? a. risk exposure report b. threats-vulnerabilities-assets worksheet An estimate made by the manager using good judgement and experience can account for which factor of risk assessment? a. risk determination d. uncertainty The organization can perform risk management using certain risk elements, including all but which of the following? a. legacy cost of recovery a. legacy cost of recovery Which of the following is not among the typical columns in the risk rating worksheet? *a. uncertainty percentage *a. uncertainty percentage 48. The identification, analysis, and evaluation of risk in an organization describes which of the following? a. risk assessment a. risk assessment An understanding of the potential consequences of a successful attack on an information asset by a threat is known as: a. impact a. impact The state of having limited or imperfect knowledge of a situation, making it less likely that the organizations can successfully anticipate future events or outcomes, is known as.______ a. impact c. uncertainty The probability that a specific vulnerability within an organization will be attacked by a threat is known as : a. impact b. likelihood The risk assessment deliverable titled__________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization. a. information asset value weighted table analysis c. threat severity weighted table analysis _______ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood, impact and possibly a measure of uncertainty. a. information asset value weighted table analysis b. risk ranking worksheet _______ is the risk assessment deliverable that places each information asset into a ranked list according to its value based on criteria developed by the organization: a. information asset value
weighted table analysis a. information asset value weighted table analysis In the area of risk management, process communications is the necessary information flow within and between all of the following except: a. the corporate change control officer a. the corporate change control officer The evaluation and reaction to risk to the entire organization is known as: Enterprise risk managment Sets with similar termsCIS 348 / Week 6 / Chapter 6 / Exercise / Lab / Qu…61 terms robotUnderpants previous quiz questions60 terms beccaaucoin CRISC68 terms joshtodd07 INFO Ch 530 terms tazmania671 Sets found in the same folderISA 3300 Chapter 544 terms BaharMirzai Management of Information Security Chapter 960 terms Linsey_Earley Management of Information Security Chapter 1266 terms Linsey_Earley Chapter 8143 terms Eddy_Blandon9 Other sets by this creatorDigital forensics chapter 1015 terms BaharMirzai ISA 482034 terms BaharMirzai Digital Forensics Chapters 7-1295 terms BaharMirzai ISA 3300 Chapter 232 terms BaharMirzai Other Quizlet setsFraud Examination Exam 152 terms MengyaoW Natural Resources Final Exam - First Half Material24 terms kllumsden13 BUS 320, OP #8 part 216 terms vrio5 FIN 360 - Exam 169 terms kylie_servidas7 Related questionsQUESTION After you've opened a call, you should immediately ask Problem Questions to uncover needs. 15 answers QUESTION Jordan struggles in his diverse workplace because he isn't willing to learn from people who are different from him and has a hard time coming to grips with the fact that people everywhere aren't the same. Jordan lacks: 5 answers QUESTION The discipline of planning, organizing, and managing resources to bring about the successful completion of specific project goals and objectives. 5 answers QUESTION The right to be told about side effects, adverse effects, or negative consequences that could occur as a result of a treatment, medication, or procedures is called 10 answers Is an evaluation of the threats to information assets including a determination of their potential to endanger the organization?An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as exploit assessment.
What is the formula to evaluate the risk for each information asset?Risk = Threat x Vulnerability x Asset
Although risk is represented here as a mathematical formula, it is not about numbers; it is a logical construct. For example, suppose you want to assess the risk associated with the threat of hackers compromising a particular system.
What is risk evaluation in security?A security risk assessment identifies, assesses, and implements key security controls in applications. It also focuses on preventing application security defects and vulnerabilities. Carrying out a risk assessment allows an organization to view the application portfolio holistically—from an attacker's perspective.
What is the term used to describe the process allowing threats to be evaluated to determine their associated probability impact and ease of identification?Risk determination assesses threats and vulnerabilities to consider the likelihood that known threat sources will be able to exploit identified vulnerabilities to cause one or more adverse events and the consequences if such events occur.
|