Managing Risk in Information Systems: Questions and Answers
A(n) ________ control is used to ensure that users have the rights and permissions they need to perform their jobs and no more.
Controls are often categorized based on how they are implemented. What are the three common methods of implementing controls? A. Preventive, detective, and corrective B. Administrative, technical, and
What type of control is an intrusion detection system (IDS)? A. Preventive B. Detective C. Corrective D. Recovery
What are the primary objectives of a control? A. Prevent, control, and attack B. Prevent, respond, and log C. Prevent, recover, and detect D. Detect, recover, and attack
Controls can be identified based on their function. The functions are preventive, detective, and corrective. A. True B. False
A ________ will reduce or eliminate a threat or vulnerability.
An IDS may employ machine learning algorithms to detect unknown malware attacks. A. True B. False
Which of the following types of IDSs is installed on a single system? A. Anomaly-based IDS B. Signature-based IDS C. Host-based IDS D. Network-based IDS
An organization is governed by HIPAA and wants to know whether it is in compliance. What would document the differences between what is required and what is currently implemented? A. Gap analysis B.
A business wants to identify whether any of the discovered vulnerabilities can be exploited. What should be performed? A. Audit B. Transaction and applications test C. Functionality test D. Exploit
A business wants to know whether its users are granted the rights and permissions needed to do their job only and no more. A(n) ________ test should be performed.
An organization wants to check compliance with internal rules and guidelines to ensure that existing policies are being followed. What should be performed? A. Threat assessment B. Gap analysis C. Audit
What is a common drawback or weakness of a vulnerability scanner? A. A high false-positive error rate B. A high false-negative error rate C. A low false-positive error rate D. A low false-negative error
What is the name of a common tool used to perform an automated vulnerability assessment scan? A. Wireshark B. Superscan C. Nessus D. VA Scanner
Who should perform vulnerability assessments? A. Internal security professionals working as employees B. External security professionals hired as consultants C. Either internal or external security
A ________ assessment is used to identify vulnerabilities within an organization.
Which of the following choices is not considered a best practice when identifying threats? A. Verifying systems operate and are controlled as expected B. Limiting the scope of the assessment C.
What are some sources of internal threats? (Select all that apply.) A. Disgruntled employee B. Equipment failure C. Software failure D. Data loss
Which of the following methods can be used to identify threats? A. Reviewing historical data B. Performing threat modeling C. Both A and B D. Neither A nor B
A threat is any activity that represents a possible danger, with the potential to affect confidentiality, integrity, or accessibility. A. True B. False
The two major categories of threats are human and ________.
Ensuring that a service is operational 99.999 percent of the time is possible even if a server needs to be regularly rebooted. A. True B. False
What is a single point of failure? A. Any single part of a system that can fail B. Any single part of a system that can cause the entire system to fail if it fails C. Any single part of a system that
When identifying the assets in an organization, what would be included? A. Hardware B. Software C. Personnel D. Only A and B E. A, B, and C
When identifying hardware assets in an organization, what information should be included? A. Model number and manufacturer B. Serial number C. Location D. Only A and C E. A, B, and C
An organization may use a ________ rotation policy to help discover dangerous shortcuts or fraudulent activity.
What type of data should be included when identifying an organization’s data or information assets? A. Organizational data B. Customer data C. Intellectual property D. A and B only E. A, B, and C
What is a data warehouse? A. A database used in a warehouse B. A database used to identify the location of products in a warehouse C. A database created by combining multiple databases into a central
What is data mining? A. The process of retrieving relevant data from a data warehouse B. A database used in metal mining operations C. A database created by combining multiple databases into a central
What can an asset management system be compared with to ensure an entire organization is covered? A. Hardware and software assets B. Software assets C. Personnel and data assets D. The seven domains
When updating an organization’s business continuity plans, only ________ systems should be included.
Which of the following is a privacy regulation that may impact data sourced from the European Economic Area? A. HIPAA B. GDPR C. PCI DSS D. FOIP
What should an organization use if it wants to determine what the impact would be if a specific IT server fails? A. BIA B. BCP C. DRP D. BCC
What should an organization use if it wants to ensure it can continue mission-critical operations in the event of a disaster? A. BIA B. BCP C. DRP D. BCC
What should an organization use if it wants to ensure it can recover a system in the event of a disaster? A. BIA B. BCP C. DRP D. BCC
A BCP and a DRP are two different things. A. True B. False
A company is beginning a risk assessment for a system. Both the ____________ characteristics and the mission of the system should be defined in the early stages of the risk assessment. A. Tactical B.
Which of the following should be identified during a risk assessment? A. Assets B. Threats C. Vulnerabilities D. Controls E. All of the above
Of the following choices, which would be considered an asset? A. Hardware B. Software C. Personnel D. Data and information E. All of the above
When defining the system for the risk assessment, what should be included? A. Only the title of the system B. The current configuration of the system C. A list of possible attacks D. A list of previous
Which of the following is not included in a risk assessment? A. Organizational mission B. People C. Nations D. Risk management E. None of the above
Which type of assessment can be performed to identify weaknesses in a system without exploiting the weaknesses? A. Vulnerability assessment B. Risk assessment C. Exploit assessment D. Penetration test
An acceptable use policy is an example of a(n) ________ control.
An organization requires users to log on with tokens. This is an example of a(n) ________ control.
Video cameras are used to monitor the entrance of secure areas of a building. This is an example of a(n) ________ control.
Which of the following should be matched with a control to mitigate a relevant risk? A. Threats B. Vulnerabilities C. Threat/vulnerability pair D. Residual risk
What does a qualitative risk assessment use to prioritize a risk? A. Probability and impact B. SLE, ARO, and ALE C. Safeguard value D. Cost-benefit analysis
What does a quantitative risk assessment use to prioritize a risk? A. Probability and impact B. SLE, ARO, and ALE C. Safeguard value D. Cost-benefit analysis
An organization purchased a control and installed it on several servers. This control is consuming too many server resources, and the servers can no longer function. What was not evaluated before the
What is included in a risk assessment that helps justify the cost of a control? A. Probability and impact B. ALE C. CBA D. POAM
One of the challenges facing risk assessments is getting accurate data. What can be included in the risk assessment report to give an indication of the reliability of the data? A. Probability
An IT security team leader is working on a qualitative risk assessment for her company. She is thinking about the final report. What should the IT security team leader consider when providing the
Of the following, what would be considered a best practice when performing risk assessments? A. Starting with clear goals and a defined scope B. Enlisting support of senior management C. Repeating the
A _______ risk assessment is subjective. It relies on the opinions of experts.
A _______ risk assessment is objective. It uses data that can be verified.
What must be defined when performing a qualitative risk assessment? A. Formulas used for ALE B. Scales used to define probability and impact C. Scales used to define SLE and ALE D. Acceptable levels of
A primary benefit of a _______ risk assessment is that it includes details for a cost-benefit analysis.
A primary benefit of a _______ risk assessment is that it can be completed more quickly than other methods.
Qualitative analysis is less time consuming than quantitative analysis. A. True B. False
What elements are included in a quantitative analysis? A. SLE, ALE, and ARO B. ALE, ARO, and ARP C. Probability and impact D. Threats and vulnerabilities
What elements are included in a qualitative analysis? A. SLE, ALE, and ARO B. ALE, ARO, and ARP C. Probability and impact D. Threats and vulnerabilities
A _______ risk assessment uses SLE.
Risk assessments are a static process. A. True B. False
_______ describes the loss that will happen to the asset as a result of the threat, which is expressed as a percentage value.
What can be used to help quantify risks? A. SLE B. ARO C. Risk assessment D. Risk mitigation plan E. All of the above
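The quantities the questions above ask about (SLE, ARO, ALE, the exposure factor expressed as a percentage, the safeguard value from a cost-benefit analysis, and the probability/impact scales a qualitative assessment must define) carried through in working code. This is an added example, not code from the textbook or the study site; the asset, the threat/vulnerability pair, the three candidate controls and every monetary figure are constructed, and the numeric weights for the qualitative scales are an assumption of the example.

```python
"""Quantitative (SLE/ARO/ALE, CBA) and qualitative (probability x impact)
risk prioritisation.  Added example; all figures below are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Qualitative scales must be defined before scoring.  These three-step
# scales and their weights are an assumption of this example.
PROBABILITY_SCALE = {"low": 1, "medium": 2, "high": 3}
IMPACT_SCALE = {"low": 1, "medium": 2, "high": 3}


def qualitative_score(probability: str, impact: str) -> int:
    """Subjective risk score = probability weight x impact weight.
    Labels outside the defined scale are rejected rather than silently
    scored, so a typo cannot rank a risk as low."""
    try:
        return PROBABILITY_SCALE[probability] * IMPACT_SCALE[impact]
    except KeyError as exc:
        raise ValueError(f"label not on the defined scale: {exc}") from None


@dataclass(frozen=True)
class ThreatPair:
    """One threat/vulnerability pair against one asset (quantitative inputs)."""
    name: str
    asset_value: float       # AV: value of the asset in currency units
    exposure_factor: float   # EF: fraction of AV lost per occurrence (0..1)
    aro: float               # ARO: expected occurrences per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE * ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and its assumed effect on EF and ARO."""
    name: str
    annual_cost: float           # amortised purchase plus yearly operating cost
    exposure_factor_after: float  # EF once the control is in place
    aro_after: float             # ARO once the control is in place


def safeguard_value(pair: ThreatPair, control: Control) -> float:
    """Cost-benefit analysis of one control against one threat pair:
    value = ALE(before) - ALE(after) - annual cost of the control.
    A negative value means the control costs more than the risk it removes,
    so accepting or transferring the risk is the better option."""
    ale_after = pair.asset_value * control.exposure_factor_after * control.aro_after
    return pair.ale - ale_after - control.annual_cost


def rank_controls(pair: ThreatPair, controls: list[Control]) -> list[tuple[str, float]]:
    """Controls ordered by net benefit, best first (residual risk remains)."""
    scored = [(c.name, safeguard_value(pair, c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def justified_controls(pair: ThreatPair, controls: list[Control]) -> list[str]:
    """Names of the controls whose net benefit is positive."""
    return [name for name, value in rank_controls(pair, controls) if value > 0]


# Constructed sample data (hypothetical figures, not from the textbook).
CUSTOMER_DB_BREACH = ThreatPair("customer DB breach via unpatched web app",
                                asset_value=500_000, exposure_factor=0.4, aro=0.5)
CANDIDATES = [
    Control("patching SLA + at-rest encryption", annual_cost=30_000,
            exposure_factor_after=0.1, aro_after=0.5),
    Control("managed WAF", annual_cost=20_000,
            exposure_factor_after=0.4, aro_after=0.1),
    Control("24x7 outsourced SOC", annual_cost=120_000,
            exposure_factor_after=0.2, aro_after=0.2),
]

if __name__ == "__main__":
    print(f"SLE={CUSTOMER_DB_BREACH.sle:,.0f}  ALE={CUSTOMER_DB_BREACH.ale:,.0f}")
    for name, value in rank_controls(CUSTOMER_DB_BREACH, CANDIDATES):
        print(f"{name:36} net benefit {value:>10,.0f}")
    print("qualitative score (high, medium):", qualitative_score("high", "medium"))
```

With the constructed figures the breach has SLE 200,000 and ALE 100,000; the WAF (net 60,000) outranks the patching-plus-encryption control (net 45,000), and the SOC (net -40,000) is not justified on cost alone, which is the situation the "safeguard value" and CBA questions describe.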
What are valid contents of a risk management plan? A. Objectives B. Scope C. Recommendations D. POAM E. All of the above
What should be included in the objectives of a risk management plan? A. A list of threats B. A list of vulnerabilities C. Costs associated with risks D. Cost-benefit analysis E. All of the above
What will the scope of a risk management plan define? A. Objectives B. POAM C. Recommendations D. Boundaries
What problem can occur if the scope of a risk management plan is not defined? A. Excess boundaries B. Stakeholder loss C. Scope creep D. SSCP
What is a stakeholder? A. A mark that identifies critical steps B. An individual or a group that has an interest in the project C. A critical process or procedure D. Another name for the risk management
A key stakeholder should have authority to make decisions about a project, including authority to provide additional resources. A. True B. False
A risk management plan project manager oversees the entire plan. What is the project manager responsible for? (Select two.) A. Ensuring costs are controlled B. Ensuring the project stays on schedule C.
A risk management plan includes steps to mitigate risks. Who is responsible for choosing what steps to implement? A. The project manager B. Management C. The risk management team D. The POAM manager
A risk management plan includes a list of findings in a report. The findings identify threats and vulnerabilities. What type of diagram can document some of the findings? A. Gantt chart B. Critical
What three elements should be included in the findings of the risk management report? A. Causes, criteria, and effects B. Threats, causes, and effects C. Criteria, vulnerabilities, and effects D. Causes,
What is a primary tool used to identify the financial significance of a mitigation tool? A. Ishikawa diagram B. Fishbone diagram C. CBA D. POAM
A fishbone diagram can link causes with effects. A. True B. False
A fishbone diagram is also known as a(n): A. Risk management framework B. Program management tool C. Ishikawa diagram D. NIST core plan
What is the NIST Risk Management Framework? A. The planning phase of the systems life cycle B. A process that combines security and risk management as part of a systems development life cycle C. A
A POAM is used to track the progress of a project. What type of chart is commonly used to assist with tracking? A. Fishbone chart B. Cause and effect chart C. Gantt chart D. POAM chart
Which of the following are accurate pairings of threat categories? (Select two.) A. External and internal B. Natural and supernatural C. Intentional and accidental D. Computer and user
What can be done to manage risk? (Select three.) A. Accept it B. Transfer it C. Avoid it D. Migrate it
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization? A. Never B. Quarterly C. Annually D. Every three years
Which law applies to organizations handling health care information? A. SOX B. GLBA C. FISMA D. HIPAA
CEOs and CFOs can go to jail if financial statements are inaccurate. Which law is this from? A. SOX B. GLBA C. FISMA D. HIPAA
Which law requires schools and libraries to limit offensive content on their computers? A. FERPA B. HIPAA C. CIPA D. SSCP
Employees in some companies are often required to take an annual vacation of at least five consecutive days. The purpose is to reduce fraud and embezzlement. What is this called? A. Job rotation B.
Fiduciary refers to a relationship of trust. A. True B. False
Merchants that handle credit cards are expected to implement data security. Which standard should they follow? A. GAISP B. CMMI C. COBIT D. PCI DSS
NIST published Special Publication 800-30. What does this cover? A. Risk assessments B. Maturity levels C. A framework of good practices D. Certification and accreditation
The COBIT framework refers to IT governance. Of the following choices, which best describes IT governance? A. IT-related laws B. IT-related regulations C. Processes to manage IT resources D. Processes to
This standard is focused on maintaining a balance between benefits, risk, and asset use and is based on five principles and comprises seven components. Which standard is described? A. COBIT B. ITIL C.
Which of the following ISO standards can be used to verify that an organization meets certain requirements? Part I identifies objectives and controls, and part II is used for certification. A. ISO 73
Which of the following ISO documents provides generic guidance on risk management? A. ISO 73 Risk Management—Vocabulary B. ISO 27002 Information Technology Security Techniques C. ISO 31000 Risk
Which law aims to protect the privacy data for citizens in the EU and EEA? A. GLBA B. HIPAA C. GDRP D. GDPR
In the CMMI, level ______ indicates the highest level of maturity.
The DIACAP is a risk management process applied to IT systems. What happens after a system has been accredited? A. It is certified. B. It is decommissioned. C. It is validated. D. It receives authority
What is a security policy? A. A document with a rigid set of rules created so that people follow it explicitly to be effective and avoid technical problems B. A technical control used to enforce
What should be used to ensure that users are granted only the rights to perform actions required for their jobs? A. Principle of least privilege B. Principle of need to know C. Principle of limited
What should be used to ensure that the amount spent on mitigating a risk (such as buying insurance) is proportional to the risk? A. Principle of least privilege B. Principle of proportionality C.
Showing 100 - 200 of 225