Management of Information Security Notes Chapter 9 — Controlling Risk – Flashcards

question
Once a control strategy has been selected and implemented, controls should be ____ on an ongoing basis to determine their effectiveness and to estimate the remaining risk.
answer
monitored and measured
question
The four categories of controlling risk include avoidance, mitigation, transference and _____.
answer
acceptance
question
The ____________________ assessment tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated estimation used for quantitative measures.
answer
hybrid
question
Risk ____________________ defines the quantity and nature of risk that an organization is willing to accept.
answer
appetite
question
Mitigation depends on the ability to detect and respond to an attack as quickly as possible.
answer
True
question
____________________ is a risk management framework developed to help organizations understand, analyze, and measure information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.
answer
Factor Analysis of Information Risk
question
A cost-benefit analysis is conducted by subtracting the post-control annualized loss expectancy and the ____ from the pre-control annualized loss expectancy.
answer
annualized cost of the safeguard
question
Reducing the impact of a successful attack on an organization's system falls under the ____ risk control strategy.
answer
mitigation
question
Before deciding on the risk control strategy for a specific vulnerability, an organization must explore all readily accessible information about the ____ consequences of the vulnerability.
answer
economic and non-economic
question
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
answer
Building executive consensus
question
The ____________________ Method is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls.
answer
OCTAVE
question
Cost Benefit Analysis is determined by calculating the single loss expectancy before new controls minus the annualized loss expectancy after controls are implemented minus the annualized cost of the safeguard.
answer
False
question
Economic and non-economic effects of a weakness must be evaluated after a strategy for dealing with a particular vulnerability has been selected.
answer
False
question
Common sense dictates that an organization should spend more to protect an asset than its value.
answer
False
question
OCTAVE is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detective controls.
answer
True
question
Residual risk is a combined function of all but which of the following?
answer
Residual risk less a factor of error
question
____________________ is a combined function of (1) a threat less the effect of threat-reducing safeguards; (2) a vulnerability less the effect of vulnerability-reducing safeguards; and (3) an asset less the effect of asset value-reducing safeguards.
answer
Residual risk
question
Avoidance of risk is accomplished through the application of procedures, training and education and the implementation of technical security controls and safeguards.
answer
False
question
One of the most common methods of obtaining user acceptance and support is via user ____.
answer
involvement
question
Due care and due diligence occur when an organization adopts a certain minimum level of security as what any ____________________ organization would do in similar circumstances.
answer
prudent
question
An alternate set of possible risk control strategies includes all but which of the following?
answer
Obscurity: Hiding critical security assets in order to protect them from attack
question
Behavioral feasibility refers to user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders.
answer
True
question
According to the Microsoft Risk Management Approach, risk management is not a stand-alone subject and should be part of a general governance program to allow the organization's management to evaluate the organization's operations and make better, more informed decisions.
answer
True
question
A system's exploitable vulnerabilities are usually determined after the system is designed.
answer
True
question
Asset valuation must account for value _____.
answer
All of these
question
Economic feasibility is a standard that is commonly used when evaluating a project that implements information security safeguards.
answer
True
question
The final choice of a risk control strategy may call for a balanced mixture of controls that provides the greatest value for as many asset-threat pairs as possible.
answer
True
question
___ feasibility determines acceptable practices based on consensus and relationships among the communities of interest.
answer
Political
question
The goal of information security is to bring residual risk in line with an organization's risk appetite.
answer
True
question
The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge was designed for large organizations with 300 or more users, while OCTAVE-Allegro was designed for smaller organizations of about 100 users.
answer
True
question
The effectiveness of controls should be ____________________ and measured regularly once a control strategy has been selected.
answer
monitored
question
A single loss expectancy is calculated by multiplying the asset value by the ____.
answer
exposure factor
question
A cost benefit analysis (CBA) result is obtained from the difference between the pre-control and the ____________________ annualized loss expectancy (ALE).
answer
post-control
question
The ____ is the indication of how often you expect a specific type of attack to occur.
answer
ARO
question
In the Cost-Benefit Analysis Formula presented in the text, ALE is calculated by ____.
answer
SLE * ARO
question
The Single Loss Expectancy (SLE) is the result of the asset's value (AV) multiplied by the ____________________ factor.
answer
exposure
question
The risk control strategy of avoidance means understanding the consequences and avoiding risk by not placing a system in a situation that could result in a loss.
answer
False
question
The element of remaining risk after vulnerabilities have been controlled is referred to as ____________________ risk.
answer
residual
question
Avoidance of risk is the choice to forgo the use of security measures and accept loss in the event of an attack.
answer
False
question
In an economic feasibility study, the ____________________ is the value to the organization of using controls that prevent losses related to a particular vulnerability.
answer
benefit
question
The Annualized Loss Expectancy in the CBA formula is determined as ____.
answer
SLE * ARO
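The cost-benefit cards above (SLE = AV × EF, ALE = SLE × ARO, CBA = ALE before controls minus ALE after controls minus the annualized cost of the safeguard, and the rule that an organization should not spend more to protect an asset than it is worth) carried through as a worked calculation that ranks several candidate safeguards for one asset-threat pair. This is an added example, not part of the original flashcard set or of the textbook it summarizes; the asset value, exposure factors, rates of occurrence and safeguard names are constructed figures for illustration only.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Exposure:
    """Loss parameters for one information asset-threat pair."""
    asset_value: float      # AV: financial worth assigned during asset valuation
    exposure_factor: float  # EF: fraction of AV lost in a single successful attack (0..1)
    aro: float              # ARO: how many times per year the attack is expected

    def __post_init__(self) -> None:
        # Reject inputs that would make the expectancy figures meaningless.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the exposure that remains once it is in place."""
    name: str
    acs: float                  # annualized cost of the safeguard
    post_exposure_factor: float  # EF after the control is implemented
    post_aro: float              # ARO after the control is implemented


def cba(prior: Exposure, control: Safeguard) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    post = Exposure(prior.asset_value, control.post_exposure_factor, control.post_aro)
    return prior.ale() - post.ale() - control.acs


def rank_safeguards(prior: Exposure, candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Return (name, CBA) pairs, best first.

    Controls whose annualized cost exceeds the asset's value are dropped outright,
    since spending more than the asset is worth is never justified. The acceptance
    strategy is included with CBA 0 as the baseline, so any control that ranks
    below it is worse than simply accepting the risk.
    """
    scored = [("accept", 0.0)]
    for control in candidates:
        if control.acs > prior.asset_value:
            continue
        scored.append((control.name, cba(prior, control)))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample input (hypothetical figures, not from the original page):
# a public web server valued at 100,000, losing half its value per compromise,
# with two successful attacks expected per year.
WEB_SERVER = Exposure(asset_value=100_000.0, exposure_factor=0.5, aro=2.0)

CANDIDATES = [
    Safeguard("waf", acs=20_000.0, post_exposure_factor=0.5, post_aro=0.5),
    Safeguard("tested_backups", acs=5_000.0, post_exposure_factor=0.1, post_aro=2.0),
    Safeguard("annual_pentest", acs=30_000.0, post_exposure_factor=0.5, post_aro=1.5),
    Safeguard("custom_hsm_cluster", acs=150_000.0, post_exposure_factor=0.0, post_aro=0.0),
]

if __name__ == "__main__":
    print(f"SLE = {WEB_SERVER.sle():,.0f}  ALE = {WEB_SERVER.ale():,.0f}")
    for name, value in rank_safeguards(WEB_SERVER, CANDIDATES):
        print(f"{name:20s} CBA = {value:>10,.0f}")
```

With the constructed figures, the pre-control SLE is 50,000 and ALE is 100,000; the backups control reduces the loss per incident rather than its frequency and comes out ahead of the WAF, the pentest-only option has a negative CBA and so ranks below acceptance, and the HSM cluster is excluded before scoring because its annual cost exceeds the asset's value.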
question
Some organizations document the outcome of the control strategy for each information asset-threat pair in a(n) _____, which includes concrete tasks with accountability for each task being assigned to an organizational unit or to an individual.
answer
action plan
question
Risk appetite (also known as risk tolerance) is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
answer
True
question
Mitigation of risk involves applying safeguards that eliminate or reduce the remaining uncontrolled risks.
answer
False
question
An organization that chooses to outsource its risk management practice to independent consultants is taking the ____ control approach.
answer
transference
question
The goal of information security is to bring residual risk to zero.
answer
False
question
At a minimum, each information asset-threat pair should have a(n) ____ that clearly identifies any residual risk that remains after the proposed strategy has been executed.
answer
documented control strategy
question
Which of the following is not an example of a disaster recovery plan?
answer
Information gathering procedures
question
____ is the process of assigning financial value or worth to each information component.
answer
Asset valuation