3 - Risk mitigation, strategies, and controls

Question 1

What is the FISMA definition for confidentiality?

Answer 1

preserving authorized restriction on access and disclosure, including means for protecting personal privacy and proprietary information

Question 2

What is the FISMA definition for integrity?

Answer 2

guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity

Question 3

What is the FISMA definition for availability?

Answer 3

ensuring timely and reliable access to and user of information

Question 4

What is the first step of establishing the aggregate score of CIA?

Answer 4

determine the potential impact of each type of risk

Question 5

Impacts are typically categorized from what list-of-values?

Answer 5

High, moderate, and low

Question 6

Security policies are developed in response to what?

Answer 6

a perceived need of guidance due to some driving force, typically form upper management

Question 7

When senior management provides guidance on a specific topic in the form of a policy, the policy is said to be drafted in what fashion?

Answer 7

top-down

Question 8

A policy is a better candidate for senior executive buy-in when it meet these criteria:

Answer 8

• includes wording presented in a form that makes sense in business terms
• is clearly aligned with the organization’s overall goals and objectives
• can be seen to specifically support these goals and objectives

Question 9

What is the primary objective of policies?

Answer 9

to communicate the goals and objectives with respect to some particular aspect of the business

Question 10

The set of required security controls is dependent upon what?

Answer 10

the aggregate score of security requirements defined by the security category

Question 11

What is the primary toolset for security practitioners to apply in an effort to meet security requirements?

Answer 11

security controls

Question 12

What is the challenge for security professionals with regard to security controls?

Answer 12

to employ the correct set of security controls to provide the level of protection required

Question 13

In what ways can a security control reduce the risk associated with a threat to the enterprise?

Answer 13

• avoid the impact
• transfer the impact to another party
• mitigate the effect of the threat
• accept the risk

Question 14

What are threat actors?

Answer 14

individuals or groups that are responsible for actions - intentional or accidental - that lead to losses for other individuals or organizations.

Question 15

What are threat actors?

Answer 15

individuals or groups that are responsible for actions - intentional or accidental - that lead to losses for other individuals or organizations.

Question 16

What are the two manners of risk analysis?

Answer 16

qualitative or quantitative

in most cases, risk management and analysis activities include elements from both quantitative and quantitative models

Question 17

What manner of risk analysis uses experts judgment and experience to assess the elements of occurrence and impact?

Answer 17

qualitative

Question 18

To assess risk qualitatively, you must do what?

Answer 18

compare the impact of the threat with the probability of occurrence and then assign an impact level and probability level to the risk

Question 19

What manner of risk assessment uses calculation based on historical data associated with risk?

Answer 19

quantitative

Question 20

What manner of risk assessment uses calculation based on historical data associated with risk?

Answer 20

quantitative

Question 21

What is the primary purpose behind making a risk determination?

Answer 21

to provide management with the information needed to make decisions on which threats to address and with what level of resources

Question 22

With regard to a threat, what is the magnitude of impact?

Answer 22

a measure of how much damage a particular threat would cause if it manifested itself

Question 23

The challenge of risk management analysis is:

Answer 23

the determination of the magnitude of impact

Question 24

What is the likelihood of a threat?

Answer 24

a measure of the chance that a threat will actually impact a system

Question 25

An organization’s exposure to natural disasters is affected by the organization’s:

Answer 25

• region
• proximity to threat source
• emergency procedures
• awareness training
• facility structure
• time of the year

Question 26

An organization’s exposure to natural disasters is affected by the organization’s:

Answer 26

• region
• proximity to threat source
• emergency procedures
• awareness training
• facility structure
• time of the year

Question 27

What does trend analysis involve?

Answer 27

performing ongoing research on emerging industry trends to determine the potential and impact of threats that organizations may face

Question 28

What does TCO stand for?

Answer 28

total cost of ownership

Question 29

Calculating the TCO of a security product involves what?

Answer 29

factoring in all the expected costs over the life cycle of the product