Application of training and education is a common method of which risk control strategy?

test bank MANAGEMENT of INFORMATION SECURITY, Fifth Edition

Name: Class: Date:
Chapter 07 - Risk Management: Controlling Risk
Copyright Cengage Learning. Powered by Cognero.

1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.
   a. True  b. False
   ANSWER: True

2. The defense risk control strategy may be accomplished by outsourcing to other organizations.
   a. True  b. False
   ANSWER: False

3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.
   a. True  b. False
   ANSWER: True

4. Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.
   a. True  b. False
   ANSWER: True

5. The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.
   a. True  b. False
   ANSWER: True

6. The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. ____________
   ANSWER: False - defense

7. A benchmark is derived by comparing measured actual performance against established standards for the measured category. ____________
   ANSWER: False - baseline

8. The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________
   ANSWER: True

9. The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy. ____________
   ANSWER: False - transference

10. An examination of how well a particular solution is supportable given the organization’s current technological infrastructure and resources, which include hardware, software, networking, and personnel, is known as operational feasibility. ____________
    ANSWER: False - technical

11. The risk control strategy that indicates the organization is willing to accept the current level of risk, and as a result makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation, is known as the termination risk control strategy. ____________
    ANSWER: False - acceptance

12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as cost–benefit analysis (CBA). ____________
    ANSWER: True

13. The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy. ____________
    ANSWER: True

14. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________
    ANSWER: True

15. In a cost–benefit analysis, the expected frequency of an attack, expressed on a per-year basis, is known as the annualized risk of occurrence. ____________
    ANSWER: False - rate

16. Application of training and education is a common method of which risk control strategy?
    a. mitigation  b. defense  c. acceptance  d. transferal
    ANSWER: b

17. Which of the following describes an organization’s efforts to reduce damage caused by a realized incident or disaster?
    a. acceptance  b. avoidance  c. transference  d. mitigation
    ANSWER: d

18. Strategies to limit losses before and during a realized adverse event are covered by which of the following plans in the mitigation control approach?
    a. incident response plan  b. business continuity plan  c. disaster recovery plan  d. damage control plan
    ANSWER: a

19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
    a. Determined the level of risk posed to the information asset
    b. Performed a thorough cost-benefit analysis
    c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
    d. Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
    ANSWER: c

20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
    a. residual risk  b. risk appetite  c. risk assurance  d. risk termination
    ANSWER: b

21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?
    a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.
    b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
    c. When the attacker’s potential gain is less than the costs of attack: Apply protections to decrease the attacker’s cost or reduce the attacker’s gain, by using technical or operational controls.
    d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
    ANSWER: c

22. Which of the following affects the cost of a control?
    a. liability insurance  b. CBA report  c. asset resale  d. maintenance
    ANSWER: d

23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
    a. annualized cost of the safeguard  b. single loss expectancy  c. value to adversaries  d. annualized loss expectancy
    ANSWER: b

24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
    a. cost-benefit analysis  b. exposure factor  c. single loss expectancy  d. annualized rate of occurrence
    ANSWER: a

25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?
    a. organizational feasibility  b. political feasibility  c. technical feasibility  d. operational feasibility
    ANSWER: b

26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
    a. conducting decision support  b. implementing controls  c. evaluating alternative strategies  d. measuring program effectiveness
    ANSWER: c

27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
    a. qualitative assessment of many risk components  b. quantitative valuation of safeguards  c. subjective prioritization of controls  d. risk analysis estimates
    ANSWER: a

28. In which technique does a group rate or rank a set of information, compile the results, and repeat until everyone is satisfied with the result?
    a. OCTAVE  b. FAIR  c. Hybrid Measures  d. Delphi
    ANSWER: d

29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk?
    a. analysis and adjustment  b. review and reapplication  c. monitoring and measurement  d. evaluation and funding
    ANSWER: c

30. Which of the following is not a step in the FAIR risk management framework?
    a. identify scenario components  b. evaluate loss event frequency  c. assess control impact  d. derive and articulate risk
    ANSWER: c

31. What should each information asset–threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
    a. probability calculation  b. documented control strategy  c. risk acceptance plan  d. mitigation plan
    ANSWER: b

32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
    a. feasibility analysis  b. asset valuation  c. cost avoidance  d. cost-benefit analysis
    ANSWER: c

33. Which of the following is NOT an alternative to using CBA to justify risk controls?
    a. benchmarking  b. due care and due diligence  c. selective risk avoidance  d. the gold standard
    ANSWER: c

34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
    a. risk assessment  b. risk treatment  c. risk communication  d. risk determination
    ANSWER: d

35. The NIST risk management approach includes all but which of the following elements?
    a. inform  b. assess  c. frame  d. respond
    ANSWER: a

36. The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is ____________________.
    ANSWER: mitigation (or mitigate)

37. The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
    ANSWER: transference (or transfer)

38. To keep up with the competition, organizations must design and create a ____________ environment in which business processes and procedures can function and evolve effectively.
    ANSWER: secure

39. The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization’s risk ___________.
    ANSWER: appetite

40. When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.
    ANSWER: exploited

41. Briefly describe the five basic strategies to control risk that result from vulnerabilities.
    ANSWER:
    - Defense—Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk
    - Transference—Shifting risks to other areas or to outside entities
    - Mitigation—Reducing the impact to information assets should an attacker successfully exploit a vulnerability
    - Acceptance—Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control
    - Termination—Removing or discontinuing the information asset from the organization’s operating environment

42. Discuss three alternatives to feasibility analysis.
    ANSWER:
    - Benchmarking is the process of seeking out and studying the practices used in other organizations that produce the results you desire in your organization. When benchmarking, an organization typically uses either metrics-based or process-based measures.
    - Due care and due diligence occur when an organization adopts a certain minimum level of security as what any prudent organization would do in similar circumstances.
    - Best business practices are considered those thought to be among the best in the industry, balancing the need to access information with adequate protection.
    - The gold standard is for those ambitious organizations in which the best business practices are not sufficient. They aspire to set the standard for their industry, and are thus said to be in pursuit of the gold standard.
    - Government recommendations and best practices are useful for organizations that operate in industries regulated by governmental agencies. Government recommendations, which are, in effect, requirements, can also serve as excellent sources for information about what some organizations may be doing, or are required to do, to control information security risks.
    - A baseline is derived by comparing measured actual performance against established standards for the measured category.

43. Explain two practical guidelines to follow in risk control strategy selection.
    ANSWER:
    - When a vulnerability (flaw or weakness) exists: Implement security controls to reduce the likelihood of a vulnerability being exercised.
    - When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
    - When the attacker’s potential gain is greater than the costs of attack: Apply protections to increase the attacker’s cost, or reduce the attacker’s gain, by using technical or managerial controls.
    - When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.

44. Once an organization has estimated the worth of various assets, what three questions must be asked to calculate the potential loss from the successful exploitation of a vulnerability?
    ANSWER:
    - What damage could occur, and what financial impact would it have?
    - What would it cost to recover from the attack, in addition to the financial impact of damage?
    - What is the single loss expectancy for each risk?

45. What does the result of a CBA determine? What is the formula for the CBA?
    ANSWER: The CBA determines whether the benefit from a control alternative is worth the associated cost of implementing and maintaining the control. The formula for calculating the CBA is:
        CBA = ALE(precontrol) - ALE(postcontrol) - ACS
    where
        ALE(precontrol) = ALE of the risk before the implementation of the control
        ALE(postcontrol) = ALE examined after the control has been in place for a period of time
        ACS = annual cost of the safeguard

46. Describe operational feasibility.
    ANSWER: Operational feasibility refers to user acceptance and support, management acceptance and support, and the system’s compatibility with the requirements of the organization’s stakeholders. Operational feasibility is also known as behavioral feasibility. An important aspect of systems development is obtaining user buy-in on projects. If the users do not accept a new technology, policy, or program, it will inevitably fail.

47. Describe the use of hybrid assessment to create a quantitative assessment of asset value.
    ANSWER: The hybrid assessment tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated estimation used for quantitative measures. Hybrid assessment uses scales rather than specific estimates. For example, a scale might range from 0, representing no chance of occurrence, to 10, representing almost certain occurrence.

48. What is the OCTAVE method approach to risk management?
    ANSWER: The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls. This process can enable an organization to measure itself against known or accepted good security practices and then establish an organization-wide protection strategy and InfoSec risk mitigation plan.

49. What are the four phases of the Microsoft risk management strategy?
    ANSWER:
    1. Assessing risk
    2. Conducting decision support
    3. Implementing controls
    4. Measuring program effectiveness

50. What are the four stages of a basic FAIR analysis?
    ANSWER:
    Stage 1—Identify Scenario Components
    Stage 2—Evaluate Loss Event Frequency (LEF)
    Stage 3—Evaluate Probable Loss Magnitude (PLM)
    Stage 4—Derive and Articulate Risk

Terms for questions 51–60:
    a. defense risk control strategy
    b. mitigation risk control strategy
    c. acceptance risk control strategy
    d. termination risk control strategy
    e. risk appetite
    f. cost-benefit analysis
    g. cost avoidance
    h. asset valuation
    i. organizational feasibility
    j. single loss expectancy

51. The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.
    ANSWER: f

52. A risk control strategy that indicates the organization is willing to accept the current level of risk and that the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.
    ANSWER: c

53. A risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
    ANSWER: a

54. A process of assigning financial value or worth to each information asset.
    ANSWER: h

55. The quantity and nature of risk that organizations are willing to accept.
    ANSWER: e

56. An examination of how well a particular solution fits within the organization’s strategic planning objectives and goals.
    ANSWER: i

57. A risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.
    ANSWER: b

58. The calculated value associated with the most likely loss from a single attack.
    ANSWER: j

59. The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident.
    ANSWER: g

60. A risk control strategy that eliminates all risk associated with an information asset by removing it from service.
    ANSWER: d

What are three common approaches to implement the defense risk treatment strategy?

What are the three common approaches to implement the defense risk control strategy? Answer: The three common approaches are the application of policy, the application of training and education, and the implementation of technology.

What five strategies for controlling risk are described in this course?

These five methods of controlling risk will provide you with the options needed to better control the fallout from unplanned events or scenarios:
- Avoidance
- Acceptance
- Mitigation
- Transferal
- Exploitation

Which of the following risk treatment strategies describes an organization’s efforts to reduce damage caused by a realized incident or disaster?

The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy.

What does FAIR rely on to build the risk management framework?

Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.