Ch1 Risk Management

Question 1

The CIA of cyber security stands for

Answer 1

Confidentiality; Integrity; Availability

Question 2

a threat is defined as

Answer 2

an action or event that exploits a vulnerability

Question 3

risk = ___ x ___

Answer 3

threat x vulnerability

Question 4

priority risk management addresses high ___ and high ___ first

Answer 4

high impact and high vulnerability

Question 5

impact is defined as

Answer 5

actual harm caused by a threat

Question 6

for risk assessment, NIST stands for

Answer 6

national institute of standards and technologies

Question 7

main document used for risk assessment

Answer 7

NIST 800-30

Question 8

4 attributes of threat actors

Answer 8

internal/external; sophistication; resources; intent

Question 9

social media and public records are considered ___ by threat actors

Answer 9

open source intelligence (OSINT)

Question 10

6 types of threat actors

Answer 10

script kiddies; hacktivists; organized crime; nation-states; insiders; competitors

Question 11

2 framework documents used in vulnerability assessment

Answer 11

NIST 800-37 and ISACA Risk IT

Question 12

program used for more detailed vulnerability assessment

Answer 12

Nessus

Question 13

vulnerability assessment done by a 3rd party

Answer 13

penetration (pen) testing

Question 14

4 types of threats in threat assessment

Answer 14

adversarial; accidental; structural; environmental

Question 15

4 responses to risk

Answer 15

mitigate; transfer; accept; avoid

Question 16

a security control is a ____ we apply to ____ problems

Answer 16

mechanism/action; protect against or remediate

Question 17

3 security control categories

Answer 17

administrative; technical; physical

Question 18

5 security control functions

Answer 18

deterrent; preventative; detective; corrective; compensating

Question 19

having two internet service providers for security reasons is an example of…

Answer 19

vendor diversity

Question 20

layered security uses diversity and ____

Answer 20

redundancy

Question 21

defense in depth uses what 2 types of diversity?

Answer 21

vendor; combining security control categories (physical, technical, administrative)

Question 22

4 levels governing IT security

Answer 22

laws and regulations; [industry] standards; best practices; common sense/experience

Question 23

roles and responsibilities are assigned by an organizations _____

Answer 23

policies

Question 24

step by step instructions for implementing policy are ___

Answer 24

procedures

Question 25

_______ policy governs what you can store on a company computer

Answer 25

acceptable use

Question 26

______ policy governs categories of data

Answer 26

data sensitivity and classification

Question 27

_______ policy governs password use, fobs, categories you have access to…

Answer 27

access control

Question 28

______ policy governs password requirements (length, complexity…) and how to reset it

Answer 28

password

Question 29

______ policy governs how you maintain company property and when you can use it

Answer 29

care and use of equipment

Question 30

_______ policy governs personal customer information and some company information as well

Answer 30

privacy

Question 31

_____ policy governs background checks, security clearance, job rotation, etc.

Answer 31

personnel

Question 32

national standard for risk management and regulatory framework document

Answer 32

NIST SP800-37

Question 33

6 steps in the NIST SP800-37 framework

Answer 33

categorize; select; implement; assess; authorize; monitor

Question 34

international risk management framework document

Answer 34

ISO 2700

Question 35

asset value calculation adds what values?

Answer 35

replacement/repair cost + lost revenue

Question 36

exposure factor =

Answer 36

% of asset lost due to an incident

Question 37

single loss expectancy (SLE) =

Answer 37

asset value x exposure factor

Question 38

if we expect a flood every 20 years, its ____ is .05

Answer 38

annualized rate of occurrence (ARO)

Question 39

asset value x exposure factor =

Answer 39

single loss expectancy (SLE)

Question 40

annualized loss expectancy (ALE) =

Answer 40

single loss expectancy (SLE) x annualized rate of occurrence (ARO)

Question 41

how much time we expect it to take to repair a component

Answer 41

mean time to repair (MTTR)

Question 42

how much time we expect it to take for a component to fail

Answer 42

mean time to failure (MTTF)

Question 43

total time we expect to pass from one component failure to the next, including repair time

Answer 43

mean time between failures (MTBF)

Question 44

in impact analysis, a ____ is where one thing going down screws up everything else

Answer 44

single point of failure

Question 45

how can single points of failure be addressed in impact analysis?

Answer 45

defense in depth (diversity and redundancy)

Question 46

what are the 4 categories of business impact analysis?

Answer 46

property; financial; life/safety; reputation

Question 47

________ is the amount of time a critical system can be down before substantial impact

Answer 47

recovery time objective (RTO)

Question 48

_______ is the amount of data that can be lost before substantial impact

Answer 48

recovery point objective (RPO)

Question 49

what are the 4 main types of data for security purposes?

Answer 49

public; confidential; private; proprietary

Question 50

data protected by non-disclosure agreements is an example of _____ data

Answer 50

confidential

Question 51

SSN and DOB are examples of ____ data

Answer 51

private

Question 52

trade secrets are examples of ____ data

Answer 52

proprietary

Question 53

medical records are considered ____

Answer 53

protected health information (PHI)

Question 54

information that can be used to reliably identify you is ____

Answer 54

privately identifiable information (PII)

Question 55

the data ___ has all legal responsibility for the data

Answer 55

owner

Question 56

the ____ has the ability to delete an entire collection of data, but doesn’t make other decisions about it

Answer 56

system administrator

Question 57

an ____ makes strategic decisions about a collection of data

Answer 57

executive user

Question 58

a _____ has increased access to data, and can delete some of it

Answer 58

privileged user

Question 59

_____ is when a new employee is introduced to company policies and procedures, perhaps signs an NDA, etc.

Answer 59

onboarding

Question 60

_____ is when an employee’s accounts are closed, and any credentials returned

Answer 60

offboarding

Question 61

document covering Privately Identifying Information (PII)

Answer 61

NIST 800-122

Question 62

the 3 main personnel management controls are:

Answer 62

mandatory vacations; job rotation and separation of duties

Question 63

which 3rd party agreement governs two companies working together, creating financial and management ground rules?

Answer 63

Business Partner’s Agreement (BPA)

Question 64

which 3rd party agreement governs terms and warranties of services provided?

Answer 64

Service Level Agreement (SLA)

Question 65

which 3rd party agreement typically is used in government contracts?

Answer 65

Interconnection Security Agreement (ISA)

Question 66

which 3rd party agreement is not an actual contract, but typically accompanies one?

Answer 66

Memorandum of Understanding/Agreement

Question 67

the _________ implements security controls for a network

Answer 67

system admin

Question 68

the _______ defines access to the data on a system

Answer 68

data owner

Question 69

the ________ decides who will be the system admin

Answer 69

system owner

Question 70

the ______ in a system is the front line in monitoring and reporting security breaches

Answer 70

user

Question 71

the head of accounting would be a _______ in a data system

Answer 71

privileged user

Question 72

a ________ can see all the data in a system, but in read-only format

Answer 72

executive user