
Indicate whether the statement is true or false.

1. Baselining is the comparison of past security activities and events against the organization's current performance.
2. To determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited.
3. A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on it.
4. Some information security experts argue that it is virtually impossible to determine the true value of information and information-bearing assets.
5. Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets.
6. You should adopt naming standards that do not convey information to potential system attackers.
7. When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts.
8. Process-based measures are performance measures that are focused on numbers and less strategic than metric-based measures.
9. According to Sun Tzu, if you know yourself and know your enemy you have an average chance to be successful in an engagement.
10. Cost Benefit Analyses (CBAs) cannot be calculated after controls have been functioning for a time, as observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended.
11. In addition to their other responsibilities, the three communities of interest are responsible for determining which control options are cost effective for the organization.
12. "Know yourself" means identifying, examining, and understanding the threats facing the organization.
13. You cannot use qualitative measures to rank information asset values.
14. Residual risk is the risk that has not been removed, shifted, or planned for after vulnerabilities have been completely resolved.
15. The threats-vulnerabilities-assets (TVA) worksheet is a document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.
16. If the acceptance strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and portray an apathetic approach to security in general.
17. Operational feasibility is an assessment of whether the organization can acquire the technology necessary to implement and support the proposed control.
18. A best practice proposed for a small to medium business will be similar to one used to help design control strategies for a large multinational company.
19. Risk control is the application of mechanisms to reduce the potential for loss or change to an organization's information assets.
20. Within a data classification scheme, "comprehensive" means that an information asset should fit in only one category.
21. Organizations should communicate with system users throughout the development of the security program, letting them know that changes are coming, and reduce resistance to expected change through communication, education, and involvement.
22. The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.
23. A data classification scheme is a formal access control methodology used to assign a level of availability to an information asset and thus restrict the number of people who can access it.
24. The defense control strategy is the risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards, but is not the preferred approach to controlling risk.
25. In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with the most likely loss from an attack, with the SLE being the product of the asset's value and the annualized loss expectancy.
26. When it is necessary to calculate, estimate, or derive values for information assets, you might give consideration to the value incurred from the cost of protecting the information.
27. The value of information to the organization's competition should influence the asset's valuation.
28. One advantage to benchmarking is that best practices change very little over time.
29. Best business practices are often called recommended practices.
30. The upper management of an organization must structure the IT and information security functions to defend the organization's information assets.

Indicate the answer choice that best completes the statement or answers the question.

31. The formal decision making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) ____. a. ARO b. CBA c. ALE d. SLE
32. The first phase of risk management is ____. a. risk identification b. design c. risk control d. risk evaluation
33. The concept of competitive ____ refers to falling behind the competition. a. disadvantage b. drawback c. failure d. shortcoming
34. ____ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the flood waters recede. a. IR b. DR c. BC d. BR
35. A(n) ____ is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it. a. security clearance scheme b. data recovery scheme c. risk management scheme d. data classification scheme
36. Federal agencies such as the NSA, FBI, and CIA use specialty classification schemes. For materials that are not considered 'National Security Information', ____ data is the lowest level classification. a. Sensitive b. Confidential c. Unclassified d. Public
37. A(n) ____ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment. a. IP b. FCO c. CTO d. HTTP
38. The ____ is the difference between an organization's observed and desired performance. a. performance gap b. objective c. issue delta d. risk assessment
39. When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as ____. a. baselining b. best practices c. benchmarking d. standards of due care
40. Risk ____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. a. benefit b. appetite c. acceptance d. avoidance
41. ____ is an asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures. a. Qualitative assessment b. Metric-centric model c. Quantitative assessment d. Value-specific constant
42. Management of classified data includes its storage and ____. a. distribution b. portability c. destruction d. All of the above
43. The ____ plan specifies the actions an organization can and should take while an adverse event (that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization) is in progress. a. BC b. DR c. IR d. BR
44. The ____ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. a. defense b. transfer c. mitigation d. acceptance
45. ____ equals the probability of a successful attack times the expected loss from a successful attack plus an element of uncertainty. a. Loss Magnitude b. Risk c. Loss Frequency d. Loss
46. In a(n) ____, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria and then summing and ranking those scores. a. threat assessment b. risk management program c. weighted factor analysis d. data classification scheme
47. ____ assigns a status level to employees to designate the maximum level of classified data they may access. a. security clearance scheme b. data recovery scheme c. risk management scheme d. data classification scheme
48. ____ is simply how often you expect a specific type of attack to occur. a. ARO b. CBA c. ALE d. SLE
49. The ____ control strategy attempts to shift risk to other assets, other processes, or other organizations. a. transfer b. defend c. accept d. mitigate
50. The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range is called the ____. a. loss frequency b. annualized loss expectancy c. likelihood d. benefit of loss
51. There are individuals who search trash and recycling, a practice known as ____, to retrieve information that could embarrass a company or compromise information security. a. shoulder surfing b. dumpster diving c. pretexting d. corporate espionage
52. The ____ control strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. a. termination b. defense c. transfer d. mitigate
53. Risk ____ is the application of security mechanisms to reduce the risks to an organization's data and information systems. a. management b. control c. identification d. security
54. ____ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders. a. Organizational b. Technical c. Operational d. Political
55. ____ addresses are sometimes called electronic serial numbers or hardware addresses. a. HTTP b. IP c. DHCP d. MAC
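The arithmetic behind items 25, 31, 46, 48 and 50, worked as a small Python module. This is an added example and not part of the test bank. It uses the conventional definitions SLE = AV * EF, ALE = SLE * ARO and CBA = ALE(prior) - ALE(post) - ACS; the names EF (exposure factor, the fraction of an asset's value lost in one incident) and ACS (annual cost of the safeguard) are assumed here, since the page does not use them, as is the weighted-factor convention of criterion weights summing to 100 and scores in the range 0.0 to 1.0. Every asset name, weight, score and dollar figure is constructed for illustration.

```python
"""Quantitative risk arithmetic behind items 25, 31, 46, 48 and 50.

Added example, not part of the test bank. Conventional definitions:
    SLE = AV * EF                     single loss expectancy
    ALE = SLE * ARO                   annualized loss expectancy
    CBA = ALE_prior - ALE_post - ACS  cost-benefit analysis of one safeguard
EF (exposure factor) and ACS (annual cost of safeguard) are assumed names;
the page itself does not use them. All inputs below are constructed.
"""
from dataclasses import dataclass


def weighted_factor_analysis(criteria, assets):
    """Rank assets by weighted score (item 46).

    criteria: {criterion: weight}; weights sum to 100 (assumed convention).
    assets:   {asset: {criterion: score}}; each score is a fraction 0.0..1.0.
    Returns [(asset, weighted_score)] ordered from most to least important.
    """
    if sum(criteria.values()) != 100:
        raise ValueError("criterion weights must sum to 100")
    ranked = []
    for asset, scores in assets.items():
        missing = set(criteria) - set(scores)
        if missing:
            raise ValueError(f"{asset!r} lacks a score for {sorted(missing)}")
        if any(not 0.0 <= s <= 1.0 for s in scores.values()):
            raise ValueError(f"{asset!r} has a score outside 0.0..1.0")
        weighted = sum(w * scores[c] for c, w in criteria.items())
        ranked.append((asset, round(weighted, 4)))
    # Highest weighted score first; ties keep input order because sort is stable.
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV * EF (item 25): expected loss from ONE successful attack."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of asset value, 0.0..1.0")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE * ARO (items 48, 50): expected loss per year from this threat."""
    if aro < 0:
        raise ValueError("ARO is occurrences per year and cannot be negative")
    return round(sle * aro, 2)


@dataclass(frozen=True)
class SafeguardDecision:
    safeguard: str
    ale_prior: float
    ale_post: float
    annual_cost: float
    cba: float

    @property
    def justified(self):
        # Economically feasible only if yearly savings exceed the yearly cost.
        return self.cba > 0


def evaluate_safeguard(safeguard, asset_value, ef_prior, aro_prior,
                       ef_post, aro_post, annual_cost):
    """CBA = ALE(prior) - ALE(post) - ACS (item 31) for one safeguard on one asset."""
    ale_prior = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_prior), aro_prior)
    ale_post = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_post), aro_post)
    cba = round(ale_prior - ale_post - annual_cost, 2)
    return SafeguardDecision(safeguard, ale_prior, ale_post, annual_cost, cba)


# Constructed inputs: three assets scored against three weighted criteria.
CRITERIA = {"impact_to_revenue": 30, "impact_to_profitability": 40, "public_image_impact": 30}
ASSETS = {
    "customer_db":    {"impact_to_revenue": 0.8, "impact_to_profitability": 0.9, "public_image_impact": 0.5},
    "public_website": {"impact_to_revenue": 0.3, "impact_to_profitability": 0.2, "public_image_impact": 1.0},
    "hr_records":     {"impact_to_revenue": 0.1, "impact_to_profitability": 0.2, "public_image_impact": 0.7},
}

# Constructed scenario: a $500,000 customer database exposed to a web-application
# attack expected once every two years (ARO 0.5) that destroys 40% of its value.
# Safeguard A (patching plus a WAF) cuts EF to 0.1 and ARO to 0.2 for $25,000/year;
# safeguard B achieves the same reduction but costs $150,000/year.
SAFEGUARD_A = evaluate_safeguard("patch+waf", 500_000, 0.4, 0.5, 0.1, 0.2, 25_000)
SAFEGUARD_B = evaluate_safeguard("outsourced SOC", 500_000, 0.4, 0.5, 0.1, 0.2, 150_000)

if __name__ == "__main__":
    for asset, score in weighted_factor_analysis(CRITERIA, ASSETS):
        print(f"{asset:15s} weighted score {score:6.1f}")
    for d in (SAFEGUARD_A, SAFEGUARD_B):
        print(f"{d.safeguard:15s} ALE prior {d.ale_prior:>10,.2f}  ALE post {d.ale_post:>10,.2f}  "
              f"ACS {d.annual_cost:>10,.2f}  CBA {d.cba:>10,.2f}  justified={d.justified}")
```

Run directly to print the asset ranking and both safeguard decisions. The ALE(post) term is the one that observation of a running control refines, so the same evaluate_safeguard call can be repeated with measured EF and ARO once the safeguard has been in place for a while.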