Chat with AI
Deck 6: Risk Management: Identifying and Assessing Risk
Full screen (f)
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Unlock Deck
Sign up to unlock the cards in this deck!
Unlock Deck
Unlock Deck
1/60
Play
Full screen (f)
Deck 6: Risk Management: Identifying and Assessing Risk
1
Two of the activities involved in risk management include identifying risks and assessing risks.Which of the following activities is part of the risk identification process?
A) Determining the likelihood that vulnerable systems will be attacked by specific threats
B) Calculating the severity of risks to which assets are exposed in their current setting
C) Assigning a value to each information asset
D) Documenting and reporting the findings of risk identification and assessment
A) Determining the likelihood that vulnerable systems will be attacked by specific threats
B) Calculating the severity of risks to which assets are exposed in their current setting
C) Assigning a value to each information asset
D) Documenting and reporting the findings of risk identification and assessment
C
2
MAC addresses are considered a reliable identifier for devices with network interfaces,since they are essentially foolproof.
False
3
An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment.____________
False
qualitative
qualitative
4
Some threats can manifest in multiple ways,yielding multiple vulnerabilities for an asset-threat pair.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
5
The InfoSec community often takes on the leadership role in addressing risk.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
6
Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest,which includes all but which of the following?
A) General management must structure the IT and InfoSec functions
B) IT management must serve the IT needs of the broader organization
C) Legal management must develop corporate-wide standards
D) InfoSec management must lead the way with skill, professionalism, and flexibility
A) General management must structure the IT and InfoSec functions
B) IT management must serve the IT needs of the broader organization
C) Legal management must develop corporate-wide standards
D) InfoSec management must lead the way with skill, professionalism, and flexibility
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
7
Having an established risk management program means that an organization's assets are completely protected.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
8
The secretarial community often takes on the leadership role in addressing risk.____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
9
The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
10
Some threats can manifest in multiple ways,yielding multiple exploits for an asset-threat pair. ____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
11
A prioritized lists of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet.____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
12
The identification and assessment of levels of risk in an organization describes which of the following?
A) Risk analysis
B) Risk identification
C) Risk management
D) Risk reduction
A) Risk analysis
B) Risk identification
C) Risk management
D) Risk reduction
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
13
The probability that a specific vulnerability within an organization will be the target of an attack is known as risk.____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
14
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
A) Creating an inventory of information assets
B) Classifying and organizing information assets into meaningful groups
C) Assigning a value to each information asset
D) Calculating the severity of risks to which assets are exposed in their current setting
A) Creating an inventory of information assets
B) Classifying and organizing information assets into meaningful groups
C) Assigning a value to each information asset
D) Calculating the severity of risks to which assets are exposed in their current setting
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
15
Which of the following is a network device attribute that may be used in conjunction with DHCP,making asset-identification using this attribute difficult?
A) Part number
B) Serial number
C) MAC address
D) IP address
A) Part number
B) Serial number
C) MAC address
D) IP address
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
16
A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme.____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
17
The information technology management community of interest often takes on the leadership role in addressing risk. ____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
18
The recognition,enumeration,and documentation of risks to an organization's information assets.is known as risk control.____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
19
An evaluation of the threats to information assets,including a determination of their potential to endanger the organization is known as exploit assessment.____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
20
An approach to combining risk identification,risk assessment,and risk appetite into a single strategy.is known as risk protection.___________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
21
Determining the cost of recovery from an attack is one calculation that must be made to identify risk,what is another?
A) Cost of prevention
B) Cost of litigation
C) Cost of detection
D) Cost of identification
A) Cost of prevention
B) Cost of litigation
C) Cost of detection
D) Cost of identification
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
22
Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?
A) Uncertainty percentage
B) Asset impact
C) Risk-rating factor
D) Vulnerability likelihood
A) Uncertainty percentage
B) Asset impact
C) Risk-rating factor
D) Vulnerability likelihood
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
23
Which of the following is an example of a technological obsolescence threat?
A) Hardware equipment failure
B) Unauthorized access
C) Outdated servers
D) Malware
A) Hardware equipment failure
B) Unauthorized access
C) Outdated servers
D) Malware
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
24
Data classification schemes should categorize information assets based on which of the following?
A) Value and uniqueness
B) Sensitivity and security needs
C) Cost and replacement value
D) Ease of reproduction and fragility
A) Value and uniqueness
B) Sensitivity and security needs
C) Cost and replacement value
D) Ease of reproduction and fragility
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
25
Once an information asset is identified,categorized,and classified,what must also be assigned to it?
A) Asset tag
B) Relative value
C) Location ID
D) Threat risk
A) Asset tag
B) Relative value
C) Location ID
D) Threat risk
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
26
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
A) Risk exposure report
B) Threats-vulnerabilities-assets worksheet
C) Costs-risks-prevention database
D) Threat assessment catalog
A) Risk exposure report
B) Threats-vulnerabilities-assets worksheet
C) Costs-risks-prevention database
D) Threat assessment catalog
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
27
Which of the following is an attribute of a network device is physically tied to the network interface?
A) Serial number
B) MAC address
C) IP address
D) Model number
A) Serial number
B) MAC address
C) IP address
D) Model number
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
28
What is defined as specific avenues that threat agents can exploit to attack an information asset?
A) Liabilities
B) Defenses
C) Vulnerabilities
D) Weaknesses
A) Liabilities
B) Defenses
C) Vulnerabilities
D) Weaknesses
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
29
Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
30
The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.
A) Vulnerability mitigation controls
B) Risk assessment estimate factors
C) Exploit likelihood equation
D) Attack analysis calculation
A) Vulnerability mitigation controls
B) Risk assessment estimate factors
C) Exploit likelihood equation
D) Attack analysis calculation
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
31
Classification categories must be mutually exclusive and which of the following?
A) Repeatable
B) Unique
C) Comprehensive
D) Selective
A) Repeatable
B) Unique
C) Comprehensive
D) Selective
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
32
As each information asset is identified,categorized,and classified,a ________ value must also be assigned to it.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
33
Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
34
Which of the following attributes does NOT apply to software information assets?
A) Serial number
B) Controlling entity
C) Manufacturer name
D) Product dimensions
A) Serial number
B) Controlling entity
C) Manufacturer name
D) Product dimensions
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
35
Classification categories must be ____________________ and mutually exclusive.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
36
What should you be armed with to adequately assess potential weaknesses in each information asset?
A) Properly classified inventory
B) Audited accounting spreadsheet
C) Intellectual property assessment
D) List of known threats
A) Properly classified inventory
B) Audited accounting spreadsheet
C) Intellectual property assessment
D) List of known threats
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
37
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
A) Name
B) MAC address
C) Serial number
D) Manufacturer's model or part number
A) Name
B) MAC address
C) Serial number
D) Manufacturer's model or part number
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
38
An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
A) Risk determination
B) Assessing potential loss
C) Likelihood and consequences
D) Uncertainty
A) Risk determination
B) Assessing potential loss
C) Likelihood and consequences
D) Uncertainty
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
39
As part of the risk identification process,listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
40
What is the final step in the risk identification process?
A) Assessing values for information assets
B) Classifying and categorizing assets
C) Identifying and inventorying assets
D) Listing assets in order of importance
A) Assessing values for information assets
B) Classifying and categorizing assets
C) Identifying and inventorying assets
D) Listing assets in order of importance
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
41
How should the initial inventory be used when classifying and categorizing assets?
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
42
Why is threat identification so important in the process of risk management?
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
43
.a. risk management
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
An approach to combining risk identification,risk assessment,and risk appetite into a single strategy.
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
An approach to combining risk identification,risk assessment,and risk appetite into a single strategy.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
44
What strategic role do the InfoSec and IT communities play in risk management? Explain.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
45
.a. risk management
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
An evaluation of the dangers to information assets,including a determination of their potential to endanger the organization.
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
An evaluation of the dangers to information assets,including a determination of their potential to endanger the organization.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
46
What are the included tasks in the identification of risks?
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
47
List the stages in the risk identification process in order of occurrence.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
48
.a. risk management
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
The process of identifying risk,assessing its relative magnitude,and taking steps to reduce it to an acceptable level.
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
The process of identifying risk,assessing its relative magnitude,and taking steps to reduce it to an acceptable level.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
49
Briefly describe any three standard categories of information asset and their respective risk management components.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
50
.a. risk management
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
51
.a. risk management
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
Labels that must be comprehensive and mutually exclusive.
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
Labels that must be comprehensive and mutually exclusive.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
52
Discuss the trends in frequency of attacks and how that plays into a risk management strategy.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
53
.a. risk management
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
54
Describe the use of an IP address when deciding which attributes to track for each information asset.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
55
What does it mean to 'know the enemy' with respect to risk management?
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
56
.a. risk management
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
The quantity and nature of risk that organizations are willing to accept.
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
The quantity and nature of risk that organizations are willing to accept.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
57
.a. risk management
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
58
.a. risk management
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
The recognition,enumeration,and documentation of risks to an organization's information assets.
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
The recognition,enumeration,and documentation of risks to an organization's information assets.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
59
.a. risk management
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
Remains even after current control has been applied.
b. risk analysis
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. ranked vulnerability risk worksheet
Remains even after current control has been applied.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
60
For the purposes of relative risk assessment how is risk calculated?
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
