Exam 7: Risk Management: Controlling Risk


The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?

(Multiple Choice)
4.8/5
(38)
Correct Answer:

C

Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?

(Multiple Choice)
4.8/5
(37)
Correct Answer:

B

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?

(Multiple Choice)
4.9/5
(40)
Correct Answer:

C

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?

(Multiple Choice)
4.8/5
(43)

The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy. ___________

(True/False)
4.8/5
(41)

In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis, is known as the annualized risk of occurrence. ____________

(True/False)
4.9/5
(39)

The calculated value associated with the most likely loss from a single attack.

(Multiple Choice)
4.8/5
(31)

The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________

(True/False)
4.7/5
(49)

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk?

(Multiple Choice)
5.0/5
(32)

What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?

(Multiple Choice)
4.9/5
(34)

The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.

(True/False)
4.8/5
(35)

The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.

(True/False)
4.9/5
(46)

The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.

(Multiple Choice)
4.8/5
(40)

The defense risk control strategy may be accomplished by outsourcing to other organizations.

(True/False)
4.8/5
(30)

The quantity and nature of risk that organizations are willing to accept.

(Multiple Choice)
4.8/5
(36)

Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.

(True/False)
4.8/5
(41)

A risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.

(Multiple Choice)
4.8/5
(45)

Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?

(Multiple Choice)
4.9/5
(31)

Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as cost-benefit analysis (CBA). ____________

(True/False)
4.7/5
(34)

Discuss three alternatives to feasibility analysis.

(Essay)
5.0/5
(38)