Exam 9: Risk Management: Controlling Risk

Due care and due diligence occur when an organization adopts a certain minimum level of security as what any ____________________ organization would do in similar circumstances.

A cost-benefit analysis is calculated by subtracting the post-control annualized loss expectancy and the ____ from the pre-control loss expectancy

____ is the choice to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.

A system's exploitable vulnerabilities are usually determined after the system is designed.

The only use of the acceptance strategy that industry practices recognize as valid occurs when the organization has done all but which of the following?

____ feasibility is also referred to as behavioral feasibility.

Communicating new or revised policy to employees is adequate to assure compliance.

Cost Benefit Analysis is determined by calculating the single loss expectancy before new controls minus the annualized loss expectancy after controls are implemented minus the annualized cost of the safeguard._________________________

Common sense dictates that an organization should spend more to protect an asset than its value.

The ____ is the calculation of the value associated with the most likely loss from an attack.

Avoidance of risk is the choice to forgo the use of security measures and accept loss in the event of an attack._________________________

Asset evaluation is the process of assigning financial worth to each information asset._________________________

Which of the following is NOT a valid rule of thumb on risk control strategy selection?

Mitigation depends on the ability to detect and respond to an attack as quickly as possible ._________________________

The Microsoft Risk Management Approach includes four phases: assessing risk,conducting decision support,implementing controls and measuring program effectiveness._________________________

The final choice of a risk control strategy may call for a balanced mixture of controls that provides the greatest value for as many asset-threat pairs as possible.

When a vulnerability (flaw or weakness)exists,you should implement security policies to reduce the likelihood of a vulnerability being exercised._________________________

Step-by-step rules to regain normalcy is covered by which of the following plans in the mitigation control approach?

The Microsoft Risk Management Approach includes four phases.Which of the following is NOT one of them?

____________________ is a risk management framework developed to help organizations to understand,analyze,and measure information risk.The outcomes are more cost-effective information risk management,greater credibility for the information security profession,and a foundation from which to develop a scientific approach to information risk management.