Chapter 1 Measuring and Weighing Risk

Question 1

Threat Vectors

pg.8

Answer 1

A way in which an attacker poses a threat

Question 2

Mean Time Between Failures

pg.8

Answer 2

The measures of anticipated incidence of failure for a system or component

Question 3

Mean time to failure

pg.8

Answer 3

the average time to failure for a non repairable system

Question 4

Mean Time to Restore

pg.8

Answer 4

the measure for how long it takes to repair a system or component once a failure occurs

Question 5

Recovery Time Objective

pg.9

Answer 5

the maximum amount of time that a process or service is allowed to be down and the consequences still be considered acceptable

Question 6

Recovery Point Objective

pg.9

Answer 6

similar to RTO, but it defines the point at which the system needs to be restored

Question 7

Risk Avoidance

pg.9

Answer 7

involves identifying a risk and making the decision not to engage any longer in the actions associated with the risk

Question 8

Risk Transference

pg.9

Answer 8

share some of the burden of the risk completely to another entity

Question 9

Risk Migration

pg.9

Answer 9

accomplished any time you take steps to reduce risk

Question 10

Risk Deterrence

pg.10

Answer 10

understanding the enemy and letting them know the harm that can come their way if they cause harm to you

Question 11

Risk Acceptance

pg.10

Answer 11

often the choice you must make when the cost for implementing any of the four choices exceeds there value for the harm that would occur if the risk came to fruition

Question 12

Cloud computing

pg.17

Answer 12

Hosting services and data on the internet instead of hosting it locally

Question 13

Platform as a service

pg.17

Answer 13

vendors allow apps to be created and run on the infrastructure

Question 14

Software as service

pg.17

Answer 14

applications are remotely run over the web

Question 15

Infrastructure as a service

pg.17

Answer 15

utilizes virtualization and the clients pay an outsourcer for resources used

Question 16

Regulatory Compliance

pg.18

Answer 16

Agency rules with which you must comply

Question 17

User Privileges

pg.18

Answer 17

allowing access to data to which they would not otherwise have the access and cause harm to it

Question 18

Data Integration/segregation

pg.18

Answer 18

keeping data on secure servers/ makes sure that your data is not co mingled beyond your expectiations

Question 19

Virtualization

pg.19

Answer 19

allowing one set of hardware to host multiplying virtual machines

Question 20

Network and security controls can Intermingle

pg.19

Answer 20

tool used to administer the virtual machine monitor

Question 21

Standard

pg.21

Answer 21

deals with specific issues or aspects of a business/ derived from policies

Question 22

Roles and Responsibilities

pg.21

Answer 22

section of document outlines who is responsible for implementing, monitoring, and maintaining the standard

Question 23

Reference Documents

pg.21

Answer 23

how the standard relates to the organizations different policies/ connecting the standard to the underlying policies that have been put in place

Question 24

Performance Criteria

pg.21

Answer 24

outlines how to accomplish the task

Question 25

Guidelines

pg.22

Answer 25

is to help users comply with policies and maintain the standard

Question 26

Scope and Purpose

pg.22

Answer 26

the “whom it applies to /for” and the “why it exists”

Question 27

Guideline Statements

pg.23

Answer 27

step by step instructions on how to accomplish a specific task in a specific manner

Question 28

Operational Considerations

pg.23

Answer 28

specify and identify what duties are required and at what intervals

Question 29

Separation of Duties Policies

pg.24

Answer 29

designed to reduce the risk of fraud and to prevent other losses in an organization

Question 30

Collusion

pg.24

Answer 30

an agreement between two or more parties established for the purpose of committing deception or fraud

Question 31

Privacy Policies

pg.24

Answer 31

what controls are required to implement and maintain the sanctity of data privacy in the work environment

Question 32

Acceptable Use Policies

pg.24

Answer 32

describes how the employees in an organization can use company systems and resources.

Question 33

Security Policies

pg.25

Answer 33

what controls are required to implement and maintain the security of systems, users, and networks

Question 34

Mandatory Vacations

pg.26

Answer 34

requires all users to take time away from work to refresh

Question 35

Job Rotation

pg.26

Answer 35

intervals at which employees must rotate through poositions

Question 36

Least Privilege

pg.26

Answer 36

should be used when assigning permission

Question 37

Single Point of Failure

pg.30

Answer 37

build an infrastructure that has more than one network and services

Question 38

Contingency Plan

pg.30

Answer 38

a plan for the “what if’s”

Question 39

High Availability

pg.32

Answer 39

the measures used to keep services and systems operational during an outage

Question 40

Redundancy

pg.32

Answer 40

systems that either are duplicated or fail over to other systems int he event of malfunction

Question 41

Fail over

pg.32

Answer 41

the process of reconstructing a system or switching over to other systems when a failure is detected

Question 42

Fault Tolerance

pg.33

Answer 42

the ability of a system to sustain operations in the event of a component failure

Question 43

Redundant Array of Independent Disk (RAID)

pg.34

Answer 43

technology that uses multiple disks to provide fault tolerance

Question 44

RAID

pg.34

Answer 44

Level 0- disk striping- uses multiple drives and maps them together as a single physical drive

Level 1-disk mirroring- 100% redundancy- everything stored on 2 disk
disk duplexing- the same data is stored on both disks simultaneously

Level 3- disk striping with a parity disk

Level 5-disk striping with parity

Question 45

Backups

Answer 45

duplicate copies of information