Deck 7: Risk Management: Controlling Risk

1
Application of training and education is a common method of which risk control strategy?

A) mitigation
B) defense
C) acceptance
D) transferal
B
2
Strategies to limit losses before and during a realized adverse event are covered by which of the following plans in the mitigation control approach?

A) incident response plan
B) business continuity plan
C) disaster recovery plan
D) damage control plan
A
3
Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.
True
4
The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy.___________
5
The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy.____________
6
The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?

A) Determined the level of risk posed to the information asset
B) Performed a thorough cost-benefit analysis
C) Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
D) Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
7
The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.
8
In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis, is known as the annualized risk of occurrence.____________
9
Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.
10
Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?

A) residual risk
B) risk appetite
C) risk assurance
D) risk termination
11
The defense risk control strategy may be accomplished by outsourcing to other organizations.
12
Due care and due diligence occur when an organization adopts a certain minimum level of security; that is, what any prudent organization would do in similar circumstances.____________
13
The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy.____________
14
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as cost-benefit analysis (CBA).____________
15
The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.
16
Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?

A) acceptance
B) avoidance
C) transference
D) mitigation
17
The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.
18
A benchmark is derived by comparing measured actual performance against established standards for the measured category.____________
19
An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel, is known as operational feasibility.____________
20
The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.
21
Which of the following is not a step in the FAIR risk management framework?

A) identify scenario components
B) evaluate loss event frequency
C) assess control impact
D) derive and articulate risk
22
The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?

A) risk assessment
B) risk treatment
C) risk communication
D) risk determination
23
Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?

A) feasibility analysis
B) asset valuation
C) cost avoidance
D) cost-benefit analysis
24
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?

A) qualitative assessment of many risk components
B) quantitative valuation of safeguards
C) subjective prioritization of controls
D) risk analysis estimates
25
By multiplying the asset value by the exposure factor, you can calculate which of the following?

A) annualized cost of the safeguard
B) single loss expectancy
C) value to adversaries
D) annualized loss expectancy
26
The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
27
Which of the following is NOT an alternative to using CBA to justify risk controls?

A) benchmarking
B) due care and due diligence
C) selective risk avoidance
D) the gold standard
28
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?

A) conducting decision support
B) implementing controls
C) evaluating alternative strategies
D) measuring program effectiveness
29
To keep up with the competition, organizations must design and create a ____________ environment in which business processes and procedures can function and evolve effectively.
30
Which of the following is NOT a valid rule of thumb on risk control strategy selection?

A) When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.
B) When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
C) When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
D) When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
31
The NIST risk management approach includes all but which of the following elements?

A) inform
B) assess
C) frame
D) respond
32
The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR, and BC plans is ____________________.
33
In which technique does a group rate or rank a set of information, compile the results, and repeat until everyone is satisfied with the result?

A) OCTAVE
B) FAIR
C) Hybrid Measures
D) Delphi
34
When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.
35
The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.
36
Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?

A) organizational feasibility
B) political feasibility
C) technical feasibility
D) operational feasibility
37
What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?

A) probability calculation
B) documented control strategy
C) risk acceptance plan
D) mitigation plan
38
Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk?

A) analysis and adjustment
B) review and reapplication
C) monitoring and measurement
D) evaluation and funding
39
What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?

A) cost-benefit analysis
B) exposure factor
C) single loss expectancy
D) annualized rate of occurrence
40
Which of the following affects the cost of a control?

A) liability insurance
B) CBA report
C) asset resale
D) maintenance
41
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.
42
What are the four phases of the Microsoft risk management strategy?
43
What does the result of a CBA determine? What is the formula for the CBA?
44
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
A process of assigning financial value or worth to each information asset.
45
Once an organization has estimated the worth of various assets, what three questions must be asked to calculate the potential loss from the successful exploitation of a vulnerability?
46
What are the four stages of a basic FAIR analysis?
47
Discuss three alternatives to feasibility analysis.
48
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
An examination of how well a particular solution fits within the organization's strategic planning objectives and goals.
49
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
A risk control strategy that eliminates all risk associated with an information asset by removing it from service.
50
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
The calculated value associated with the most likely loss from a single attack.
51
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
The quantity and nature of risk that organizations are willing to accept.
52
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
A risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.
53
Describe operational feasibility.
54
Explain two practical guidelines to follow in risk control strategy selection.
55
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
A risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
56
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
A risk control strategy that indicates the organization is willing to accept the current level of risk and that the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.
57
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident.
58
Briefly describe the five basic strategies to control risk that result from vulnerabilities.
59
Describe the use of hybrid assessment to create a quantitative assessment of asset value.
60
What is the OCTAVE method approach to risk management?