Management of Information Security Notes Chapter 8 — Risk Assessment – Flashcards

question
The inventory should also reflect the ____________________ and security priority assigned to each information asset.
answer
sensitivity
question
Determining the likelihood that vulnerable systems will be attacked by specific threats is part of the risk identification process.
answer
False
question
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
answer
Manufacturer's part number
question
The ultimate goal of risk identification is to assess the circumstances and setting of each information asset to reveal any threats.
answer
False
question
The ____ is an attribute that can be helpful in analyzing threat outbreaks when certain manufacturers announce specific vulnerabilities.
answer
manufacturer name
question
The process of evaluating potential weaknesses in each information asset is known as ____________________ identification.
answer
...
question
As each information asset is identified, ____________________, and classified, a relative value must also be assigned to it.
answer
categorized
question
The final step in the risk identification process is to list the assets in order of importance. This goal can be achieved by using a(n) ____ worksheet.
answer
weighted factor analysis
question
A(n) comprehensive classification of information assets means that all inventoried assets fit into a category.
answer
True
question
Deliberate software attacks include worms, denial of service, macros, and ____.
answer
viruses
question
Assigning a value to each information asset is part of the identification process.
answer
True
question
A well-developed risk management program consists of two formal processes: risk identification and assessment and risk control.
answer
True
question
Weighting criteria can be used to assess the value of information assets or impact evaluation.
answer
True
question
The ____ is an effective attribute for tracking network devices and servers, but rarely applies to software.
answer
IP address
question
Examples of technical software failures or errors include code problems, unknown loopholes, and ____.
answer
bugs
question
Risk is the likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability.
answer
True
question
The amount of danger posed by a threat is sometimes difficult to assess. It may be simply the impact of a threat attacking the organization, or it may reflect the amount of damage that the threat could create or the frequency with which an attack can occur.
answer
True
question
A press release is likely to fall under the ____ data classification scheme.
answer
public
question
The data classification scheme for an information asset could include confidential, internal, and private. Each of these classification categories designates the level of protection needed for a particular information asset.
answer
False
question
Risk Analysis is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be controlled or mitigated.
answer
False
question
The first stage in the Risk Identification process is to develop an inventory of information assets.
answer
False
question
A(n) ____________________ number uniquely identifies a specific device.
answer
serial
question
Classification categories must be ____________________ and mutually exclusive.
answer
comprehensive
question
The sample classification scheme for an information asset of confidential, ____ and public, designates the level of protection needed for a particular information asset.
answer
internal
question
Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.
answer
likelihood
question
Which of the following activities is part of the risk identification process?
answer
Assigning a value to each information asset
question
The standard IT system components include: people, data, networks, hardware, software, and ____________________.
answer
procedures
question
As each information asset is identified, categorized, and ____, a relative value must also be assigned to it.
answer
classified
question
To make the process of analyzing threats less daunting, steps in the threat and vulnerability identification processes should be handled jointly.
answer
False
question
Almost every organization is aware of its image in the local, national, and international spheres. Loss or ____ of some assets would prove especially embarrassing.
answer
...
question
Which of the following activities is part of the risk assessment process?
answer
Calculating the risks to which assets are exposed in their current setting
question
The ____ is also referred to as an electronic serial number.
answer
MAC address
question
Classification categories must be ____ (all inventoried assets fit into a category) and ____ (each asset is found in only one category).
answer
comprehensive, mutually exclusive
question
The relative value of an information asset depends on how much ____ it generates—or, in the case of a nonprofit organization, how critical it is to service delivery.
answer
revenue
question
Assessing risks includes assigning a value to each information asset.
answer
False
question
People are divided into insiders (employees) and outsiders (nonemployees). Outsiders come in two categories: either they hold trusted roles and have correspondingly greater authority and accountability, or they are regular staff without any special privileges.
answer
False
question
Likelihood is the overall rating of the probability that a specific vulnerability will be exploited.
answer
True
question
In a TVA worksheet, along one axis lies the prioritized set of ____, along the other the prioritized set of ____.
answer
assets, threats
question
Piracy and copyright infringement are examples of the threat of compromise to ____________________ property.
answer
intellectual
question
The process of assigning relative values to information assets helps to ensure that assets with higher values are protected first.
answer
True
question
A(n) ____________________ defense is the foundation of any information security program.
answer
layered
question
Knowing the enemy means that the threats facing an organization's information assets should be identified, examined, and ____________________.
answer
understood
question
Risk management is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be
answer
controlled
question
Which of the following is the final step in the risk identification process of information assets?
answer
Listing by order of importance
question
____ elements are divided into three categories: applications, operating systems, or security components.
answer
Software
question
A TVA spreadsheet combines prioritized lists of assets and threats to identify vulnerabilities and provide a prioritized list of efforts relating to the implementation of needed controls.
answer
True
question
One of the calculations that guides corporate spending on controls is the cost of ____ operations if an attack occurs and is successful.
answer
recovery
question
During risk identification, managers identify the organization's information assets, classify and categorize them into useful groups, and prioritize them by their overall importance.
answer
True
question
A ranked vulnerability risk worksheet assigns a ranked value or impact weight to each information asset.
answer
False
question
Risk is the likelihood of the occurrence of a(n) ____ multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability.
answer
vulnerability