BCS Level 4 Award in Risk Assessment QAN 603/0866/7

Transcription

1 S Level 4 ward in Risk ssessment QN 603/0866/7 Specimen Paper Record your surname/ last/ family name and initials on the nswer Sheet. Specimen paper only. 20 multiple-choice questions 1 mark awarded to each question. Mark only one answer for each question. There are no trick questions. number of possible answers are given for each question, indicated by either... or. Your answers should be clearly indicated on the nswer Sheet. The pass mark is 13/20. This is a specimen examination paper only. The full paper will contain 40 questions with a pass mark for the full paper of 26/40. opying of this paper is expressly forbidden without the direct approval of S, The hartered Institute for IT. opyright S 2016 S Level 4 ward in Risk ssessment Specimen Paper Page 1 of 7

2 1 When considering whether to deploy a control, which of the following factors is NOT considered? Total ost of Ownership. Return on Investment. udget. ISO/IE Which is the EST description of a vulnerability? n individual, whether staff or partner, who is disaffected towards the organisation. weakness in process or technology that exposes an asset to damage. missing security update in a vital element of technology. business-critical asset that is particularly prone to being damaged. 3 Over the last 5 years, an organisation has suffered numerous os attacks, with a total loss estimated at 5.8 million. The rate of effective attacks has been rising by 25% a year. new set of controls has been proposed that would reduce both the number of attacks that were effective by 50% and the average loss during an effective attack by 25%. If the controls were implemented, which of the following would be closest to the saving in nnual Loss Exposure? 0.9 million. 1.2 million. 1.5 million. 2.4 million. 4 Which of the following attacks is USULLY aimed purely at an organisation's people rather than technology? enial of service. Worms (malware). Spear phishing. SQL Injection. opyright S 2016 S Level 4 ward in Risk ssessment Specimen Paper Page 2 of 7

3 5 When using a quantitative risk assessment methodology, which is the MOST comprehensive way to derive the nnual Loss Expectancy? The expected frequency of the risk occurring multiplied by the individual expected loss. The sum of the losses from actuarial event data divided by the number of years the data has been kept. Multiplying the loss from the last year by the expected increase in business for the coming year. Multiplying the threat score by the system or process vulnerability rating. 6 Which of the following is NOT used to present the results of a risk assessment? Financial impact. ashboards. Heat maps. Heatboards. 7 How many steps does the NIST Risk Management Guide for IT Systems (SP800-30) define? When faced with a security risk that poses an existential threat to the organisation's activities, which of the following are valid treatment approaches? a) void the risk. b) Reject the risk. c) Mitigate the risk. d) ccept the risk. a and c only. b and d only. a and b only. c and d only. opyright S 2016 S Level 4 ward in Risk ssessment Specimen Paper Page 3 of 7

4 9 firewall is an example of which type of risk treatment? Transfer. Mitigate. void. ccept. 10 What risk management term OUL be described as the overall amount of risk judged appropriate for an organisation to tolerate, agreed at board level? Risk appetite. Risk index. Residual risk. Risk acceptance. 11 Which of the following steps is NOT a step in generic risk assessment methodologies? Identify the assets. ssess the impact on an organisation. uy insurance. Manage threats and vulnerabilities. 12 Which of the following are security risk assessment methodologies? a) RE b) FIR c) OTVE d) STRIE a and c only. b and d only. a and b only. c and d only. 13 From a risk management perspective, which of the following is NOT a threat? isruptive technology. ybercrime. Natural disaster. Malware. opyright S 2016 S Level 4 ward in Risk ssessment Specimen Paper Page 4 of 7

5 14 Why SHOUL only one information risk assessment framework be used in an organisation? Lower cost of training. heaper to buy software. To provide consistent and comparable results. To simplify the risk analyst's workload. 15 Which of the following is NOT NORMLLY accepted as a valid Threat ctor? Staff. ccidents. Investigative journalists. Internet service providers. 16 Which of the following does a penetration test identify? Network vulnerabilities. Personnel vulnerabilities. Organisation vulnerabilities. usiness vulnerabilities. 17 Which of the following is the EST term for a malicious specifically targeted at an individual, or small group of people within an organisation? Phishing. Social Engineering. Spearphishing. Vishing. opyright S 2016 S Level 4 ward in Risk ssessment Specimen Paper Page 5 of 7

6 18 Using the simple qualitative risk assessment matrix given below, which risks would need to be raised to the Risk Review ommittee (or board) if organisational policy required them to review risks above Medium? a) The loss or theft of an encrypted mobile phone. This is a common occurrence within the business. b) omplete outage of the organisation's network. There is no history of this happening. c) Half of the staff not being able to get in to work because of heavy snow. This has happened three times in the last five years. d) 50,000 fine from the Information ommissioner for a personal data breach. The organisation has been fined once before but at a lower level. a and c only. a and d only. b and c only. b and d only. 19 When selecting a risk assessment framework, which is the EST approach? hoose one the risk analyst likes. reate and agree a set of selection criteria. hoose the cheapest to buy. It doesn t matter, so long as it produces results. opyright S 2016 S Level 4 ward in Risk ssessment Specimen Paper Page 6 of 7

7 20 For a risk to be realised, which of the following factors need to be present: a) Threat b) Vulnerability c) Value d) Impact a, b and c only. a, b and d only. a, c and d only. b, c and d only. -End of Paper- opyright S 2016 S Level 4 ward in Risk ssessment Specimen Paper Page 7 of 7