A business may devote significant resources to implementing security controls that are irrelevant to the threats it is trying to mitigate. Which of the following is an example of this sort of mismatch?

Group of answer choices Using firewalls to prevent data theft from applications that areallowed to operate through the firewall

Using standard antivirus tools that are effective only againstpreviously identified threats, to protect against zero-day attacks

Using controls at the operating-system level to detect Application layer attacks

Requiring authorized company-issued ID badges to enter secured spaces.

The first step of risk identification is to identify the threats the organization is exposed to with respect to each function within the organization

True

False

. Which of the following is not typically considered to be an area or type of information asset?

Group of answer choices

Financial Human

Resources Information

Technology Marketing and Sales

Employee Recreation Plan

In the context of information security, risk is something that can impact the availability, confidentiality, or integrity of business or personnel information.

True

False:

Risk is the chance of something adverse happening that has negative consequences on the organization and information security. Group of answer choices

True False

In the context of a security incident, loss can be monetary, business, reputation or customers. Group of answer choices True False Risk is the chance of something adverse happening that has negative consequences on the organization and information security. Group of answer choices True False