In some instances, risk is acknowledged as being part of an organization’s business process.

Management Information Systems ch 7 - 12

If an organization deals successfully with change and has created procedures and systems that can be adjusted to the environment, the existing security improvement program will probably continue to work well.

An effective information security governance program requires no ongoing review once it is well established.

Documentation procedures are not required for configuration and change management processes.

Intelligence for external monitoring can come from a number of sources: vendors, CERT organizations, public network sources, and membership sites.

The target selection step of Internet vulnerability assessment involves using the external monitoring intelligence to configure a test engine (such as Nessus) for the tests to be performed.

All systems that are mission critical should be enrolled in platform security validation (PSV) measurement.

Rehearsal adds value by exercising the procedures, identifying shortcomings, and providing security personnel the opportunity to improve the security plan before it is needed.

For configuration management and control, it is important to document the proposed or actual changes in the system security plan.

CM assists in streamlining change management processes and prevents changes that could detrimentally affect the security posture of a system before they happen.

The basic function of the external monitoring process is to monitor activity, report results, and escalate warnings.

Organizations should have a carefully planned and fully populated inventory of all their network devices, communication channels, and computing devices.

An example of the type of vulnerability exposed via traffic analysis occurs when an organization is trying to determine if all its device signatures have been adequately masked.

WLAN stands for "____ local area network."

The best method of remediation in most cases is to repair a vulnerability.

When possible, major incident response plan elements should be rehearsed.

An _____ is used as permission to search for evidentiary material at a specified location and/or to seize items to return to an investigator's lab for examination after being signed by an approving authority.

A(n) __________ item is a hardware or software item that is to be modified and revised throughout its life cycle.
a. revision b. update
c. change d. configuration

To maintain optimal performance, one typical recommendation suggests that when the memory usage associated with a particular CPU-based system averages __________% or more over prolonged periods, you should consider adding more memory.
a. 40 b. 60
c. 10 d.

Control __________ baselines are established for network traffic and for firewall performance and IDPS performance.
a. system b. application
c. performance d. environment

The __________ is a center of Internet security expertise and is located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
a. US-CERT b. Bugtraq
c. CM-CERT d. CERT/CC

The __________ commercial site focuses on current security tool resources.
a. Nmap-hackerz b. Packet Storm
c. Security Laser d. Snort-SIGs

The optimum approach for escalation is based on a thorough integration of the monitoring process into the __________.
a. IDE b. CERT
c. ERP d. IRP

A process called __________ examines the traffic that flows through a system and its associated devices to identify the most frequently used devices.
a. difference analysis b. traffic analysis
c. schema analysis d. data flow assessment

__________ is used to respond to network change requests and network architectural design proposals.
a. Network connectivity RA b. Dialed modem RA
c. Application RA d. Vulnerability RA

The __________ process is designed to find and document vulnerabilities that may be present because there are misconfigured systems in use within the organization.
a. ASP b. ISP
c. SVP d. PSV

Common vulnerability assessment processes include:
a. Internet VA b. wireless VA
c. intranet VA d. all of these

A step commonly used for Internet vulnerability assessment includes __________, which occurs when the penetration test engine is unleashed at the scheduled time using the planned target list and test selection.
a. scanning b. subrogation
c. delegation d.

The __________ vulnerability assessment is a process designed to find and document selected vulnerabilities that are likely to be present on the organization's internal network.
a. intranet b. Internet
c. LAN d. WAN

Technical controls alone, when properly configured, can secure an IT environment.

A firewall is any device that prevents a specific type of information from moving between the untrusted network and the trusted network.

The KDC component of Kerberos knows the secret keys of all clients and servers on the network.

A _____ is an authentication component, similar to a dumb card, that contains a computer chip to verify and validate several pieces of information instead of just a PIN.

____ controls regulate the admission of users into trusted areas of the organization.

A ____ host is a device placed between an external, untrusted network and an internal, trusted network.

A packet filtering firewall is a networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration.

The ___ level is a predefined assessment level of an IDPS that triggers a predetermined response when surpassed.

In an IDPS, a sensor is a piece of software that resides on a system and reports back to a management server.

In wireless networking, the ___ is the geographic area in which there is sufficient signal strength to make a network connection.

In e-commerce situations, some cryptographic tools can be used for ___ in order to assure that parties to the transaction are authentic, and that they cannot later deny having participated in a transaction.

Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area?
a. identification b. authentication
c. authorization d. accountability

Which of the following characteristics currently used for authentication purposes is the LEAST unique?
a. fingerprints b. iris
c. retina d. face geometry

Which of the following is a commonly used criterion for comparing and evaluating biometric technologies?
a. false accept rate b. crossover error rate
c. false reject rate d. valid accept rate

Which of the following biometric authentication systems is the most accepted by users?
a. keystroke pattern recognition b. fingerprint recognition
c. signature recognition d. retina pattern recognition

Which type of firewall keeps track of each network connection established between internal and external systems?
a. packet filtering b. stateful packet inspection
c. application layer d. cache server

The combination of a system's TCP/IP address and a service port is known as a __________.
a. portlet b. NAT
c. packet d. socket

The intermediate area between trusted and untrusted networks is referred to as which of the following?
a. unfiltered area b. semi-trusted area
c. demilitarized zone d. proxy zone

Which technology employs sockets to map internal private network addresses to a public address using one-to-many mapping?
a. network-address translation b. screened-subnet firewall
c. port-address translation d. private address mapping

In the _________ firewall architecture, a single device configured to filter packets serves as the sole security point between the two networks.
a. state-managed firewall b. screened-subnet firewall
c. single-homed firewall d. single bastion host

Which of the following is NOT one of the administrative challenges to the operation of firewalls?
a. training b. uniqueness
c. replacement d. responsibility

Which type of IDPS is also known as a behavior-based intrusion detection system?
a. network-based b. anomaly-based
c. host-based d. signature-based

Which type of IDPS works like antivirus software?
a. network-based b. anomaly-based
c. host-based d. signature-based

What is the next phase of the pre-attack data gathering process after an attacker has collected all of an organization's Internet addresses?
a. footprinting b. content filtering
c. deciphering d. fingerprinting

What is an application that entices individuals who are illegally perusing the internal areas of a network by providing simulated rich content areas while the software notifies the administrator of the intrusion?
a. port scanner b. sacrificial host
c. hon

When an information security team is faced with a new technology, which of the following is NOT a recommended approach?
a. Determine if the benefits of the proposed technology justify the expected costs.
b. Include costs for any additional risk control re

In which cipher method are values rearranged within a block to create the ciphertext?
a. permutation b. Vernam
c. substitution d. monoalphabetic

Which technology has two modes of operation: transport and tunnel?
a. Secure Hypertext Transfer Protocol b. Secure Shell
c. IP Security Protocol d. Secure Sockets Layer

Which of the following is a Kerberos service that initially exchanges information with the client and server by using secret keys?
a. authentication server b. authentication client
c. key distribution center d. ticket granting service

The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption is known as __________.
a. cryptanalysis b. cryptology
c. cryptography d. nonrepudiation

The Hartford insurance company estimates that, on average, __________ businesses that don't have a disaster plan go out of business after a major loss like a fire, a break-in, or a storm.

When a disaster renders the current business location unusable, which plan is put into action?

According to NIST's SP 800-34, Rev. 1, which of the following is NOT one of the stages of the business impact assessment?

Calculate asset valuation and combine with the likelihood and impact of potential attacks in a TVA worksheet.

The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption, including all impact considerations, is known as __________.

maximum tolerable downtime (MTD)

A hot site is a fully configured computing facility that includes all services, communications links, and physical plant operations.

In a cold site there are only rudimentary services, with no computer hardware or peripherals.

Which of the following is a responsibility of the crisis management team?

keeping the public informed about the event and the actions being taken

Which of the following is a "possible" indicator of an actual incident, according to Donald Pipkin?

unusual consumption of computing resources

After an incident, but before returning to its normal duties, the CSIRT must do which of the following?

Conduct an after-action review.

The simplest kind of validation, the desk check, involves distributing copies of the appropriate plans to all individuals who will be assigned roles during an actual incident or disaster.

Which of the following NIST Cybersecurity Framework (CSF) stages relates to reacting to an incident?

In most organizations, the COO is responsible for creating the IR plan.

Which of the following is a part of the incident recovery process?

identifying the vulnerabilities that allowed the incident to occur and spread

A slow-onset disaster occurs over time and gradually degrades the capacity of an organization to withstand its effects. __________

In which contingency plan testing strategy do individuals participate in a role-playing exercise in which the CP team is presented with a scenario of an actual incident or disaster and expected to react as if it had occurred?

Which of the following is true about a hot site?

It duplicates computing resources, peripherals, phone systems, applications, and workstations.

Which of the following is an organizational CP philosophy for overall approach to contingency planning reactions?

The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster are known as __________.

Which of the following is a backup method that uses bulk batch transfer of data to an off-site facility and is usually conducted via leased lines or secure Internet connections?

Which of the following is NOT a stage in the NIST Cybersecurity Framework (CSF)?

Training should be as specialized as possible; personnel who are responsible for one duty should not be trained on other duties to avoid confusion during a disaster.

What is the final stage of the business impact analysis when using the NIST SP 800-34 approach?

Identify recovery priorities for system resources.

The steps in IR are designed to:

stop the incident, mitigate incident effects, provide information for recovery from the incident

Which of the following is the best example of a rapid-onset disaster?

The team responsible for designing and managing the IR plan by specifying the organization's preparation, reaction, and recovery from incidents is known as the __________.

computer security incident response team (CSIRT)

At what point in the incident life cycle is the IR plan initiated?

when an incident is detected that affects the organization

The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources and supported business processes is known as __________.

recovery time objective (RTO)

Which of the following is the first major task in the BIA, according to NIST SP 800-34, Rev. 1?

Determine mission/business processes and recovery criticality.

A(n) wrap-up review is a detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery.

In information security, a security blueprint is a framework or security model customized to an organization, including implementation details.

Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.

Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data at the organization's competitors.

In information security, a framework or security model customized to an organization, including implementation details, is known as a ___.

The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called ___ of duties.

A ___ monitor is a conceptual piece of the system within the trusted computer base that manages access controls; in other words, it mediates all access to objects by subjects.

The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know.

A security clearance is an access control model in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access.

In information security, a framework or security model customized to an organization, including implementation details, is a _________.
a. security standard b. methodology
c. security policy d. blueprint

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a __________.
a. framework b. security plan
c. security standard d. blu

When the ISO 27002 standard was first proposed, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems; which of the following is NOT one of them?
a. It was not as complete as oth

One of the most widely referenced InfoSec management models, known as Information Technology - Code of Practice for Information Security Management, is also known as __________.
a. ISO 27002 b. IEC 27100
c. NIST SP 800-12 d. IEEE 801

The managerial tutorial equivalent of NIST SP 800-12, providing overviews of the roles and responsibilities of a security manager in the development, administration, and improvement of a security program, is NIST __________.
a. SP 800-100: Information Sec

This NIST publication provides information on the elements of InfoSec, key roles and responsibilities, an overview of threats and vulnerabilities, a description of the three NIST security policy categories, and an overview of the NIST RM Framework and its

Although COBIT was designed to be an IT __________ and management structure, it includes a framework to support InfoSec requirements and assessment needs.
a. governance b. policy
c. auditing d. awareness

The COSO framework is built on five interrelated components. Which of the following is NOT one of them?
a. control environment b. risk assessment
c. control activities d. InfoSec governance

The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices primarily for __________.
a. managing the development and operation of IT infrastructures
b. operation of IT control systems to improve security
c. managing

Which piece of the Trusted Computing Base's security system manages access controls?
a. trusted computing base b. reference monitor
c. covert channel d. verification module

Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?
a. Bell-LaPadula b. TCSEC
c. ITSEC d. Common Criteria

Under the Common Criteria, which term describes the user-generated specifications for security requirements?
a. Target of Evaluation (ToE) b. Protection Profile (PP)
c. Security Target (ST) d. Security Functional Requirements (SFRs)

What is the information security principle that requires significant tasks to be split up so that more than one individual is required to complete them?
a. need-to-know b. eyes only
c. least privilege d. separation of duties

Which access control principle limits a user's access to the specific information required to perform the currently assigned task?
a. need-to-know b. eyes only
c. least privilege d. separation of duties

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?
a. preventative b. deterrent
c. corrective d. compensating

Which control category discourages an incipient incident, e.g., video monitoring?
a. preventative b. deterrent
c. remitting d. compensating

Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information?
a. confidential b. secret
c. top secret d. for official use only

Which of the following specifies the authorization level that each user of an information asset is permitted to access, subject to the need-to-know principle?
a. discretionary access controls b. task-based access controls
c. security clearances d. sensiti

Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?
a. access control list b. capabilities table
c. access matrix d. sensitivity level

In which form of access control is access to a specific set of information contingent on its subject matter?
a. content-dependent access controls
b. constrained user interfaces
c. temporal isolation
d. none of these

A time-release safe is an example of which type of access control?
a. content-dependent b. constrained user interface
c. temporal isolation d. nondiscretionary

Which of the following is NOT a change control principle of the Clark-Wilson model?
a. no changes by unauthorized subjects
b. no unauthorized changes by authorized subjects
c. no changes by authorized subjects without external validation
d. the maintenanc

Which of the following policies requires that two individuals review and approve each other's work before the task is considered complete?

Which of the following is NOT one of the types of InfoSec performance measures used by organizations?

those that evaluate the frequency with which employees access internal security documents

A company striving for "best security practices" makes every effort to establish security program elements that meet every minimum standard in their industry.

A standard of due process is a legal standard that requires an organization and its employees to act as a "reasonable and prudent" individual or organization would under similar circumstances.

A security metric is an assessment of the performance of some action or process against which future performance is assessed.

Collusion is the requirement that every employee be able to perform the work of at least one other employee.

One of the critical tasks in the measurement process is to assess and quantify what will be measured and how it is measured.

The InfoSec measurement development process recommended by NIST is divided into two major activities. Which of the following is one of them?

identification and definition of the current InfoSec program

A requirement that all employees take time off from work, which allows the organization to audit the individual's areas of responsibility, is known as a mandatory vacation policy.

If a temporary worker (temp) violates a policy or causes a problem, what is the strongest action that the host organization can usually take, depending on the SLA?

Terminate the relationship with the individual and request that he or she be censured.

Performance measurements are seldom required in today's regulated InfoSec environment.

Which of the following is NOT a phase in the NIST InfoSec performance measures development process?

Identify relevant stakeholders and their interests in InfoSec measurement.

Employees pay close attention to job __________, and including InfoSec tasks in them will motivate employees to take more care when performing these tasks.

One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?"

Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people?

Are the user accounts of former employees immediately removed on termination?

Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?

Measurements must be useful for tracking non-compliance by internal personnel.

The benefits of ISO certification to organizations include all of the following EXCEPT:

increased opportunities for government contracts

Incorporating InfoSec components into periodic employee performance evaluations can __________.

heighten InfoSec awareness

Two-person control is the requirement that all critical tasks can be performed by multiple individuals.

NIST recommends the documentation of performance measurements in a standardized format to ensure ____________.

the repeatability of measurement development, customization, collection, and reporting activities

Which of the following is NOT a consideration when selecting recommended best practices?

same certification and accreditation agency or standard

A(n) credit check can uncover past criminal behavior or other information that suggests a potential for future misconduct or a vulnerability that might render a job candidate susceptible to coercion or blackmail.

The requirement that every employee be able to perform the work of at least one other employee.

The data or the trends in data that may indicate the effectiveness of security countermeasures or controls (technical and managerial) implemented in the organization.

Which of the following policies makes it difficult for an individual to violate InfoSec and is quite useful in monitoring financial affairs?

Temporary workers, often called temps, may not be subject to the contractual obligations or general policies that govern other employees.

Contract employees, or simply contractors, should not be allowed to do what?

Wander freely in and out of facilities.

When hiring security personnel, which of the following should be conducted before the organization extends an offer to any candidate, regardless of job level?

One of the fundamental challenges in InfoSec performance measurement is defining what?

What do you call the legal requirements that an organization must adopt a standard based on what a prudent organization should do, and then maintain that standard?

due care and due diligence

According to NIST SP 800-37, the first step in the security controls selection process is to ____.

In security management, ____________________ is the authorization of an IT system to process, store, or transmit information.

Best security practices (BSPs) balance the need for information access with the need for adequate protection while simultaneously demonstrating social responsibility.

Maintaining an acceptable level of secure controls over time indicates that an organization has met the standard of ____.

In most cases, simply listing the measurements collected does not adequately convey their ____.

Best security practices balance the need for information ____________________ with the need for adequate protection while simultaneously demonstrating fiscal responsibility.

The second step in the NIST SP 800-37 model for security certification and accreditation is to select the appropriate minimum security ____________________ for the system.

The first phase in the NIST performance measures methodology is to collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets.

Which of the following is the first phase in the NIST process for performance measures implementation?

Prepare for data collection

One of the most popular of the many references that support the development of process improvement and performance measures is The Capability Maturity Model Integrated (CMMI) designed specifically to integrate an organization's process improvement activit

Organizations typically use three types of performance measures, including those that assess the impact of a(n) ____________________ or other security event on the organization or its mission.

Designing the performance measures collection process requires thoughtful consideration of the ____ of the metric along with a thorough knowledge of how production services are delivered.

Performance measurement is an ongoing, continuous improvement operation.

In the NIST performance measures implementation process, the comparison of observed measurements with target values is known as a ____ analysis.

A problem with benchmarking is that recommended practices are a(n) ____________________; that is, knowing what happened a few years ago does not necessarily tell you what to do next.

During Phase 2 of the NIST performance measures development process, the organization will identify and document the information security performance ____ that would guide security control implementation for the information security program of a specific

One of the priorities in building an information security measures program is determining whether these measures will be macro-focus or micro-focus.

Problems with benchmarking include all but which of the following?

Baseline data provides little value to evaluating progress in improving security

A(n) baseline is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared."

Security Certification & Accreditation offers several benefits. Which of the following is NOT one of them?

More consistent, comparable, and repeatable certifications of InfoSec programs

One of the critical tasks in the measurement process is to assess and ___ what will be measured.

Which of the following is NOT a factor critical to the success of an information security performance program?

Practical InfoSec budgets and resources for the program

Another problem with benchmarking is that no two organizations are similar.

While the terms may be interchangeable in some organizations, typically the term ____ is used for more granular, detailed measurement, while the term ____ is used for aggregate, higher-level results.

Accreditation is the authorization of an IT system to process, store, or transmit information.

It is no longer sufficient to simply assert effective information security; an organization must demonstrate that it is taking effective measures in the spirit of ___ .

Industries that are regulated by governmental agencies are required to meet government guidelines in their security practices.

NIST recommends the documentation of each performance measure in a customized format to ensure repeatability of measures development, tailoring, collection, and reporting activities.

NIST recommends the documentation of performance measures in a format to ensure ____ of measures development, tailoring, collection, and reporting activities.

Security efforts that seek to provide a superior level of performance in the protection of information are called ____.

The benefits of using information security performance measures include all but which of the following?

Increasing efficiency for InfoSec performance

Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.

The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.

The ISO 27005 Standard for InfoSec Risk Management has a five-stage management methodology that includes risk treatment and risk communication.

The risk treatment strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the ___ risk treatment strategy.

The risk treatment strategy that indicates the organization is willing to accept the current level of risk and do nothing further to protect an information asset is known as the ___ risk treatment strategy.

In a cost-benefit analysis, the expected frequency of an attack expressed on a per-year basis is known as the annualized risk of ___.

An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel, is known as ___ feasibility.

Due care and due diligence occur when an organization adopts a certain minimum level of security; that is, what any prudent organization would do in similar circumstances.

Treating risk begins with which of the following?
a. an understanding of risk treatment strategies
b. applying controls and safeguards that eliminate risk
c. understanding the consequences of choosing to ignore certain risks
d. rethinking how services are

Each of the following is a recommendation from the FDIC when creating a successful SLA EXCEPT:
a. determining objectives b. forecasting objects
c. defining requirements d. setting measurements

Which of the following risk treatment strategies describes an organization's efforts to reduce damage caused by a realized incident or disaster?
a. acceptance b. avoidance
c. transference d. mitigation

The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
a. determined the level of risk posed to the information asset
b. performed a thorough cost-ben

The goal of InfoSec is not to bring residual risk to __________; rather, it is to bring residual risk in line with an organization's risk appetite.

Which of the following is NOT a valid rule of thumb on risk treatment strategy selection?

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls.

When vulnerabilities have been controlled to the degree possible, what is the remaining risk that has not been completely removed, shifted, or planned for?
a. residual risk b. risk appetite
c. risk assurance d. risk tolerance

Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as ___

cost-benefit analysis (CBA)

Which of the following affects the cost of a control?
a. liability insurance b. CBA report
c. asset resale d. maintenance

By multiplying the asset value by the exposure factor, you can calculate which of the following?

What is the result of subtracting the postcontrol annualized loss expectancy and the annualized cost of the safeguard from the precontrol annualized loss expectancy?

Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?
a. organizational feasibility b. political feasibility
c. technical feasibility d. operational feasibility

The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as ___

Each of the following is an item that affects the cost of a particular risk treatment strategy EXCEPT:

cost of IT operations (keeping systems operations during the period of treatment strategy development)

Which of the following determines how well a proposed treatment will address user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders?

Which of the following determines how well the proposed InfoSec treatment alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization?

organizational feasibility

Which of the following is NOT an alternative to using CBA to justify risk controls?
a. benchmarking b. due care and due diligence
c. selective risk avoidance d. the gold standard

In which technique does a group rate or rank a set of information, compile the results, and repeat until everyone is satisfied with the result?

The Microsoft Risk Management Approach includes four phases; which of the following is NOT one of them?
a. conducting decision support b. implementing controls
c. evaluating alternative strategies d. measuring program effectiveness

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?

qualitative assessment of many risk components

Which international standard provides a structured methodology for evaluating threats to economic performance in an organization and was developed using the Australian/New Zealand standard AS/NZS 4360:2004 as a foundation?
a. ISO 27001 b. ISO 27005
c. NIS

NIST's Risk Management Framework follows a three-tiered approach, with most organizations working from the top down, focusing first on aspects that affect the entire organization, such as ___

What are the components of the security triple?

The relationship between asset, vulnerability, and threat.

Which of the following is designed to find and document vulnerabilities that may be present in the organization's public network?

The platform security validation (PSV) process is designed to find and document the vulnerabilities that may be present because there are misconfigured systems in use within the organization.

What is the primary objective of the readiness and review domain of the maintenance model?

The primary goal of the readiness and review domain is to keep the information security program functioning as designed and to keep it continuously improving over time.

What is a center of Internet security expertise that is located at the Software Engineering Institute?

The CERT® (Computer Emergency Response Team) Coordination Center (CERT/CC) is a center of Internet security expertise. It is located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.