Deck 7: Risk Management: Controlling Risk

1
Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster? 

A) acceptance
B) avoidance 
C) transference
D) mitigation
Answer: D
2
The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.
Answer: True
3
An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel, is known as operational feasibility. ____________
Answer: False (technical feasibility)
4
The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.
5
The defense risk control strategy may be accomplished by outsourcing to other organizations.
6
Due care and due diligence occur when an organization adopts a certain minimum level of security; that is, what any prudent organization would do in similar circumstances. ____________
7
Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? 

A) residual risk
B) risk appetite 
C) risk assurance
D) risk termination
8
The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________
9
The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following? 

A) Determined the level of risk posed to the information asset 
B) Performed a thorough cost-benefit analysis 
C) Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset 
D) Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
10
In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis, is known as the annualized risk of occurrence. ____________
11
The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.
12
Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.
13
The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy. ___________
14
The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. ____________
15
The risk control strategy that indicates the organization is willing to accept the current level of risk, and as a result makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation, is known as the termination risk control strategy.
16
Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.
17
Strategies to limit losses before and during a realized adverse event are covered by which of the following plans in the mitigation control approach? 

A) incident response plan
B) business continuity plan 
C) disaster recovery plan
D) damage control plan
18
A benchmark is derived by comparing measured actual performance against established standards for the measured category. ____________
19
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as cost-benefit analysis (CBA). ____________
20
Application of training and education is a common method of which risk control strategy? 

A) mitigation
B) defense 
C) acceptance
D) transferal
21
What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed? 

A) probability calculation
B) documented control strategy 
C) risk acceptance plan
D) mitigation plan
22
The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
23
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them? 

A) conducting decision support
B) implementing controls 
C) evaluating alternative strategies
D) measuring program effectiveness
24
Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk? 

A) analysis and adjustment
B) review and reapplication 
C) monitoring and measurement
D) evaluation and funding
25
Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?

A) organizational feasibility
B) political feasibility 
C) technical feasibility
D) operational feasibility
26
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks? 

A) qualitative assessment of many risk components
B) quantitative valuation of safeguards 
C) subjective prioritization of controls
D) risk analysis estimates
27
Which of the following is not a step in the FAIR risk management framework? 

A) identify scenario components
B) evaluate loss event frequency 
C) assess control impact
D) derive and articulate risk
28
When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.
29
Which of the following affects the cost of a control? 

A) liability insurance
B) CBA report 
C) asset resale
D) maintenance
30
The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following? 

A) risk assessment
B) risk treatment 
C) risk communication
D) risk determination
31
The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.
32
The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR, and BC plans is ____________________.
33
To keep up with the competition, organizations must design and create a ____________ environment in which business processes and procedures can function and evolve effectively.
34
What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy? 

A) cost-benefit analysis
B) exposure factor 
C) single loss expectancy
D) annualized rate of occurrence
35
Which of the following is NOT an alternative to using CBA to justify risk controls? 

A) benchmarking
B) due care and due diligence 
C) selective risk avoidance
D) the gold standard
36
Which of the following is NOT a valid rule of thumb on risk control strategy selection? 

A) When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited. 
B) When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. 
C) When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls. 
D) When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
37
Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident? 

A) feasibility analysis
B) asset valuation 
C) cost avoidance
D) cost-benefit analysis
38
By multiplying the asset value by the exposure factor, you can calculate which of the following? 

A) annualized cost of the safeguard
B) single loss expectancy 
C) value to adversaries
D) annualized loss expectancy
39
In which technique does a group rate or rank a set of information, compile the results, and repeat until everyone is satisfied with the result? 

A) OCTAVE
B) FAIR 
C) Hybrid Measures
D) Delphi
40
The NIST risk management approach includes all but which of the following elements? 

A) inform
B) assess 
C) frame
D) respond
41
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.
42
Describe operational feasibility.
43
Discuss three alternatives to feasibility analysis.
44
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
A process of assigning financial value or worth to each information asset.
45
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
The quantity and nature of risk that organizations are willing to accept.
46
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
A risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
47
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident.
48
What does the result of a CBA determine? What is the formula for the CBA?
49
Once an organization has estimated the worth of various assets, what three questions must be asked to calculate the potential loss from the successful exploitation of a vulnerability?
50
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
An examination of how well a particular solution fits within the organization's strategic planning objectives and goals.
51
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
A risk control strategy that eliminates all risk associated with an information asset by removing it from service.
52
What is the OCTAVE method approach to risk management?
53
Describe the use of hybrid assessment to create a quantitative assessment of asset value.
54
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
The calculated value associated with the most likely loss from a single attack.
55
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
A risk control strategy that indicates the organization is willing to accept the current level of risk and that the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.
56
What are the four stages of a basic FAIR analysis?
57
a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy
A risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.
58
Briefly describe the five basic strategies to control risk that result from vulnerabilities.
59
What are the four phases of the Microsoft risk management strategy?
60
Explain two practical guidelines to follow in risk control strategy selection.