Chapter 1 Risk Management

Question 1

An item of value to an institution, such as data, hardware, software, or physical property. An asset is an item or collection of items that has a quantitative (numeric) or qualitative (subjective) value to a company.

Answer 1

Asset

Question 2

The probability or likelihood of the occurrence or realization of a threat.

Answer 2

Risk

Question 3

A weakness in hardware, software, or components that may be exploited in order for a threat to destroy, damage, or compromise an asset.

Answer 3

Vulnerability

Question 4

Any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise to an IT asset or data asset.

Answer 4

Threat

Question 5

Probability of occurrence or the odds that the event will actually occur.

Answer 5

Likelihood of Threat

Question 6

Driving force behind the activity.

Answer 6

Motivation

Question 7

What are some common motivations of risk activities such as hacking?

Answer 7

prestige, money, fame, and challenge

Question 8

What are some examples of Internal Risk?

Answer 8

• disgruntled employee
• failed hard drive

Question 9

What are some examples of External Risk?

Answer 9

• Natural disasters such as floods
• Person-made events such as strikes and protests

Question 10

Internal or external cause of risk

Answer 10

Risk Source

Question 11

Events over which we have no control, such as bad weather (hurricanes, snowstorms, tornadoes), fires, floods, earthquakes, and tsunamis, but could also include global events like pandemics.

Answer 11

Natural Disaster

Question 12

All forms of damaging programs, such as viruses, worms, Trojans, keyloggers, and so forth. This software is distinguishable in that it is developed to damage, alter, expose, or destroy a system or data. For example, viruses are executable programs that can replicate and attach to and infect other executable objects. Some viruses also perform destructive or discreet activities (payload) after replication and infection are accomplished.

Answer 12

Malicious Code

Question 13

Instigated by a trusted insider or an untrusted outsider. Intruders, vandals, and thieves remove sensitive information, destroy data, or physically damage or remove hardware such as hard drives and mobile devices.

Answer 13

Breach of Physical Security

Question 14

Stolen, lost, damaged, or modified data. Loss or damage to an organization’s data can be a critical threat if there are no backups or external archiving of the data as part of the organization’s data recovery and business continuity plan. Also, if the compromised data is of a confidential nature, this can also be a critical threat to the organization, depending on the potential damage that can arise from this compromise.

Answer 14

Hacker Attack

Question 15

Attack on a network or web-based system is designed to bring down the network or prevent access to a particular device by flooding it with useless traffic. Can be launched in several ways. What was done manually with simple tools before is now automated and coordinated, on a massive scale with multiple systems.

Answer 15

Distributed Denial of Service (DDoS) Attack

Question 16

When attackers use computers, Internet communications, and other cyber tools to penetrate and disrupt critical national infrastructures such as water, electric, and gas plants; oil and gasoline refineries; nuclear power plants; waste management plants; and so on.

Answer 16

Cyberterrorism

Question 17

Identify weaknesses and gaps in the deployment of controls and to identify more accurately what areas require the highest level of protection.

Answer 17

Risk Assessment

Question 18

Process of identifying all of the organization’s assets.

Answer 18

Asset Identification

Question 19

What are the two types of assets?

Answer 19

Tangible and Intangible

Question 20

What are some types of tangible assets?

Answer 20

Documentation, Data, Hardware, Software

Question 21

What are some types of intangible assets?

Answer 21

Reputation, Services, Knowledge

Question 22

What are the 5 aspects of the Risk Assessment Process?

Answer 22

1. Asset Identification
2. Information Classification
3. Risk Assessment
4. Risk Analysis
5. Implementing Controls

Question 23

What is the CIA Security Triad?

Answer 23

Confidentiality, Integrity, and Availability

Question 24

Strengthens the organization in many ways. Labeling information secret or strictly confidential helps employees see the value of the information and give it a higher standard of care.

Answer 24

Information Classification

Question 25

Specifies how employees are to handle specific information. For example, company policy might state, “All sensitive documents must be removed from the employee’s desk when leaving work. We support a clean desk policy.”

Answer 25

Information Classification

Question 26

What are the two widely used classification systems?

Answer 26

Government Classification System and Commercial Classification System

Question 27

Which aspect of the CIA Triad does the Government Classification System focus on?

Answer 27

Confidentiality

Question 28

Which aspect of the CIA Triad does the Commerical Classification System focus on?

Answer 28

Integrity

Question 29

What are the four categories of the Government Classification System?

Answer 29

Unclassified, Confidential, Secret, and Top Secret

Question 30

Which Governmental Information Classification, if disclosed, would cause grave damage to national security.

Answer 30

Top Secret

Question 31

Which Governmental Information Classification, if disclosed, would be expected to cause serious damage to national security.

Answer 31

Secret

Question 32

Which Governmental Information Classification, if disclosed, could cause damage to national security and should be safeguarded against.

Answer 32

Confidential

Question 33

Which Governmental Information Classification, does not have sensitive information and need not be protected unless For Official Use Only (FOUO) is appended to the classification.

Answer 33

Unclassified

Question 34

Information that would not normally cause damage, but over time FOUO information could be compiled to deduce information of a higher classification.

Answer 34

Unclassified Information

Question 35

Which Commercial Information Classification has the most sensitive rating.

Answer 35

Confidential

Question 36

Which Commercial Information Classification includes the information that keeps a company competitive.

Answer 36

Confidential

Question 37

Which Commercial Information Classification includes information that is internal use only, but its release or alteration could seriously affect or damage a corporation.

Answer 37

Confidential

Question 38

Which Governmental Information Classification includes information that requires the highest level of control.

Answer 38

Top Secret

Question 39

Which Governmental Information Classification includes information that may divulge significant scientific, technological, operational, and logistical as well as many other developments.

Answer 39

Secret

Question 40

Which Commercial Information Classification includes restricted information that is considered personal in nature and might include medical records or human resource information.

Answer 40

Private

Question 41

Which Commercial Information Classification includes information that requires controls to prevent its release to unauthorized parties. Damage could result from its loss of confidentiality or its loss of integrity.

Answer 41

Sensitive

Question 42

Which Commercial Information Classification includes information, if disclosed, that could result in damage to the company due to loss of confidentiality or loss of integrity.

Answer 42

Sensitive

Question 43

Which Commercial Information Classification includes information similar to unclassified information in that its disclosure or release would cause no damage to the corporation.

Answer 43

Public

Question 44

Step of the Risk Assessment Process where potential risks and threats are identified and their impact determined.

Answer 44

Risk Assessment

Question 45

Responsible for identifying and analyzing risks. Its members should consist of managers and employees from across the company.

Answer 45

Risk Management Team

Question 46

What are the two techniques of Risk Analysis?

Answer 46

Quantitative and Qualitative

Question 47

Method of the Risk Assessment Process that assigns a cost (monetary value) to the elements of risk assessment and the assets and threats of a risk analysis.

Answer 47

Quantitative

Question 48

Method of the Risk Assessment Process that ranks threats by nonmonetary value and is based on scenario, intuition, and experience.

Answer 48

Qualitative

Question 49

What are the two most widely used Quantitative Risk Assessment formulas?

Answer 49

1. SLE = AV x EF
2. ALE = ARO x SLE

Question 50

What does SLE stand for in the SLE = AV x EF formula?

Answer 50

Single Loss Expectancy

Question 51

What does AV stand for in the SLE = AV x EF formula?

Answer 51

Asset Value

Question 52

What does EF stand for in the SLE = AV x EF formula?

Answer 52

Exposure Factor

Question 53

What does ALE stand for in the ALE = ARO x SLE formula?

Answer 53

Annualized Loss Expectancy

Question 54

What does ARO stand for in the ALE = ARO x SLE formula?

Answer 54

Annualized Rate of Occurrence

Question 55

What does SLE stand for in the ALE = ARO x SLE formula?

Answer 55

Single Loss Expectancy

Question 56

What are some examples of the resulting loss of a threat or vulnerabiity?

Answer 56

• Financial loss
• Danger or injury to staff, clients, or customers
• Breach of confidence or violation of law
• Exposure of confidential information
• Theft of equipment, hardware, or software

Question 57

What are the quantifiable steps to calculate a loss?

Answer 57

1. Determine the asset value (AV) for each information asset.
2. Identify threats to the asset.
3. Determine the exposure factor (EF) for each information asset in relation to each threat.
4. Calculate the single loss expectancy (SLE).
5. Calculate the annualized rate of occurrence (ARO).
6. Calculate the annualized loss expectancy (ALE).

Question 58

What is the strength of a quantitative risk assessment?

Answer 58

It assigns dollar values and dollar values are easy to understand.

Question 59

What is the primary disadvantage of a quantitative risk assessment?

Answer 59

Because it is dollar-based, the team must attempt to compute a dollar value for all elements, which can be time consuming.

Question 60

Type of risk assessment that is scenario-based and does not attempt to assign dollar values to the components of the risk analysis.

Answer 60

Qualitative

Question 61

Risk assessment method that ranks the potential of a threat and sensitivity of assets by grade or scale such as low, medium, or high

Answer 61

Qualitative

Question 62

Potential impact level assigned for risks that are a minor inconvenience.

Answer 62

Low

Question 63

Potential impact level assigned for risks that can result in damage to an organization, cost a moderate amount of money to repair, and result in negative publicity.

Answer 63

Medium

Question 64

Potential impact level assigned for risks that will result in a loss of goodwill between the company and client or employee.

Answer 64

High

Question 65

Potential impact level assigned for risks that may result in a large legal action or fine or cause the company to lose significant revenue or earnings.

Answer 65

High

Question 66

Potential impact level assigned for risks that can be tolerated for a short period of time but will not result in financial loss.

Answer 66

Low

Question 67

What is a disadvantage of Qualitative Risk Assessments?

Answer 67

It does not provide cost values.

Question 68

What are some examples of Qualitative assessment techniques?

Answer 68

ISAM, Delphi, and FRAP

Question 69

What does ISAM stand for?

Answer 69

INFOSEC Assessment Methodology

Question 70

Provides nongovernment organizations with the ability to complete a qualitative assessment that ranks assets as critical, high, medium, or low and to determine the impact based on CIA.

Answer 70

ISAM or INFOSEC Assessment Methodology

Question 71

Group assessment process that allows individuals to contribute anonymous opinions and is often used to forecast the likelihood and outcomes of different types of events.

Answer 71

Delphi Technique

Question 72

What does FRAP stand for?

Answer 72

Facilitated Risk Assessment Process

Question 73

Subjective process that obtains results by asking a series of questions. It is designed to be completed in a matter of hours, making it a quick process to perform.

Answer 73

FRAP or Facilitated RIsk Assessment Process

Question 74

What are the two assessment techniques used to study failures?

Answer 74

1. Failure modes and effects analysis (FMEA)
2. Failure mode, effects, and criticality analysis (FMECA).

Question 75

What does FMEA stand for?

Answer 75

failure modes and effects analysis (FMEA)

Question 76

What does FMECA stand for?

Answer 76

failure mode, effects, and criticality analysis (FMECA)

Question 77

What is the next step after a quantitative or qualitative risk assessment is complete?

Answer 77

Make a risk determination and decide which security controls should be applied.

Question 78

What is an assessment technique that can assist with examining loss and impact?

Answer 78

Risk Ranking using Aggregate Score

Question 79

The total amount of risk the company is willing to accept.

Answer 79

Risk Appetite

Question 80

Which alternative for handling potential risk eliminates the risk, to withdraw from the practice, or to not become involved. This may be a viable option; there may also be an opportunity cost associated with avoiding the activity.

Answer 80

Avoid

Question 81

Which alternative for handling potential risk means that it is understood and has been evaluated. Senior management has made the decision that the benefits of moving forward outweigh the risk. If those in charge have not been provided with good data on risk or have made invalid assumptions, poor choices may be made. This can give rise to disasters with global impact (BP, Fukushima, Chernobyl, Challenger, and so on).

Answer 81

Accept

Question 82

Which alternative for handling potential risk deflects it to a third party. For example, insurance is obtained. Instead of managing the risk directly, the organization incurs an ongoing continual cost from that third party.

Answer 82

Transfer

Question 83

Which alternative for handling potential risk uses a control to reduce the risk. For example, installing a firewall is one method by which risk can be mitigated.

Answer 83

Mitigate

Question 84

The risk that remains after your organization has taken proper precautions and implemented appropriate controls.

Answer 84

Residual Risk

Question 85

Recognizes the areas where you are not compliant in regard to laws, policies, or regulations.

Answer 85

Risk Exception

Question 86

Having some process, policy, or system in place that discourages others from exploiting a vulnerability that, if exploited, would realize the risk.

Answer 86

Risk Deterrence

Question 87

What does AATM stand for?

Answer 87

Avoid, Accept, Transfer, Mitigate

Question 88

What is the next step of the Risk Assessment Process after a decision has been made on how to handle identified risk?

Answer 88

Implement Controls

Question 89

What document drives the process of Implementing Controls?

Answer 89

Risk Assessment Report

Question 90

What is contained in the Risk Assessment Report

Answer 90

Findings, information, assessments, and recommendations

Question 91

What are the three types of security controls?

Answer 91

Physical, Technical, and Operational

Question 92

What types of security controls include locks, fences, CCTV, lights, gates, and guards.

Answer 92

Physical

Question 93

What types of security controls include encryption, VPNs, security protocols (IPsec, SSL, TLS, and so on), VLANs, firewalls, and IDSs and are based on CIA requirements and organizational policies?

Answer 93

Technical

Question 94

What types of security controls include hiring practices, security awareness training, employment practices, termination practices, business continuity, and disaster testing and training.

Answer 94

Operational

Question 95

What are some of the purposes that security controls serve?

Answer 95

Prevention, deterrence, correction, mitigation

Question 96

What is the purpose of implementing controls?

Answer 96

Address identified risks, threats, and vulnerabilities.

Question 97

What is put in place to determine what controls are needed and determines total cost of an asset or countermeasure?

Answer 97

Total Cost or Ownership (TCO) Report

Question 98

What types of costs are included in the TCO Report?

Answer 98

Purchase price, maintenance fees, updates, insruance, etc. All costs are included.

Question 99

Used to verify that the employee has a clean background and that any negative history is uncovered before employment.

Answer 99

Background Check

Question 100

Act of verifying someone’s educational background.

Answer 100

Education Verification

Question 101

Defines what employees, contractors, and third parties are authorized to do on the organization’s IT infrastructure and its assets.

Answer 101

Acceptable Use Policy (AUP)

Question 102

Contract that establishes confidentiality between two parties—the owner of the information and the recipient of that information.

Answer 102

Non-disclosure Agreement (NDA)

Question 103

What issues does an employee handbook address?

Answer 103

• Security practices, policies, and procedures
• Paid holiday and vacation policy
• Work schedule and overtime policy
• Moonlighting and outside employment
• Employee evaluations
• Disaster response and emergency procedures
• Disciplinary procedures for noncompliance

Question 104

Just because an employee is cleared to access a particular file, document, or physical location, this doesn’t mean that they should be able to do so.

Answer 104

The principle of lease privilege

Question 105

What are some common employee controls?

Answer 105

• Mandatory Vacations
• Job Rotation
• Dual Control
• Separation of Duties
• Least Privilege

Question 106

Which employee control uncovers misuse and gives the organization a time to audit the employee while they are not at work.

Answer 106

Mandatory Vacations

Question 107

Which employee control rotates employees to new areas of assignment.

Answer 107

Job Rotation

Question 108

What are the benefits of Job Rotation?

Answer 108

*Helps ensure backup if an employee is not available.
*Reduces fraud or misuse by providing the company with a means of moving people to prevent an individual from having too much control over an area.

Question 109

Where is the Mandatory Vacation control most widely used?

Answer 109

Financial firms or applied to job roles where money is handled.

Question 110

Which employee control requires employees to work together to complete critical actions, thereby forcing employees who are planning anything illegal to collude with others. A common example is that of a combination or code for a safe. Two employees are required to open it successfully.

Answer 110

Dual Control

Question 111

Which employee control is closely related to Dual Control, where an activity, such as cryptographic recovery, is divided up among several individuals so that no one person acting alone can perform the entire key recovery process?

Answer 111

M of N Concept

Question 112

Which employee control limits what one employee can do. For example, one employee may be able to write a check, but another must approve it.

Answer 112

Separation of Duties

Question 113

Which employee control restricts the employee’s access to only what is needed to do the job and nothing more. This control is closely related to need to know.

Answer 113

Least Privilege

Question 114

What are some common training methods?

Answer 114

• Apprenticeship programs
• Classroom training
• Continuing education programs
• Degree programs
• In-house training
• On-the-job training
• Vendor training

Question 115

Technique used to determine whether a planned action is or is not acceptable.

Answer 115

Cost-benefit Analysis

Question 116

What common way to determine cost-benefit analysis is calculated by dividing net profits by total assets?

Answer 116

Return on Investment (ROI)

Question 117

Maintaining control over your inventory, which must be identified, managed, and continually monitored to derive a reliable return on investment.

Answer 117

Asset Management

Question 118

Determines how much time will lapse before accrued benefits will overtake accrued and continuing costs.

Answer 118

Payback Analysis

Question 119

What are the three steps of cost-benefit analysis?

Answer 119

1. calculate costs
2. calculate benefits
3. compare the results

Question 120

Purchase price of an asset plus the cost of operation; commonly overlooked when evaluating intangible benefits in a cost-benefit analysis.

Answer 120

Total Cost of Ownership (TCO)

Question 121

What all is included in the TCO?

Answer 121

purchase price, cost of operations (costs of environmental modifications, compatibility with other countermeasures, maintenance costs, testing costs, support contracts, etc.)

Question 122

Allows organizations to evaluate the operating effectiveness of controls on or near a real-time basis.

Answer 122

Continuous Monitoring

Question 123

What should continuous monitoring include?

Answer 123

• Configuration management
• Control processes
• Security impact analyses
• Assessment of selected security
• Security status reporting
• Active involvement of asset owners

Question 124

What should continuous monitoring address?

Answer 124

• Reporting progress
• Addressing vulnerabilities
• Describing how the information system owner intends to address those vulnerabilities

Question 125

Risks continously reviewed, assessed, and monitored as new assets are identified.

Answer 125

Risk Management Lifecycle

Question 126

Involved at nearly every step of the risk management process; contains each risk as it is identified, assessed, owned by someone, responded to, and ultimately reassessed and monitored.

Answer 126

Risk Register

Question 127

Processes used to plan, allocate, and control information security resources; used for IT governance and include people, processes, and technologies.

Answer 127

Enterprise Security Architecture (ESA) Framework

Question 128

What are two examples of Enterprise Security Architecture (ESA) Frameworks?

Answer 128

Enterprise Architecture (EA) and Sherwood Applied Business Security Architecture (SABSA)

Question 129

ESA framework that is used by the federal government to ensure that business strategy and IT investments are aligned.

Answer 129

Enterprise Architecture (EA)

Question 130

ESA framework that is a strategy based on an architectural viewpoint.

Answer 130

Sherwood Applied Business Security Architecture (SABSA)

Question 131

What are defined metrics are typically included in an ESA framework?

Answer 131

• Strategic alignment
• Effective risk management
• Value delivery
• Resource management
• Performance measurement
• Process assurance integration

Question 132

What are some of the most popular ESA frameworks?

Answer 132

11.FISMA risk management framework
COSO Enterprise Risk Management Framewor*k
ISO 31000 for Risk Management

Question 133

What is the Prudent Person Rule?

Answer 133

Legal principle that is used to restrict the choices of the financial manager of an account to the types of investments that a person seeking reasonable income and preservation of capital might buy for their own portfolio.

Question 134

Defines a company’s primary goal.

Answer 134

Mission Statement

Question 135

Formation of a plan for what to do should the business suffer an interruption.

Answer 135

Business Continuity Planning (BCP)

Question 136

Formal process designed to identify mission-essential functions in an organization and facilitate the identification of the critical systems that support those functions that must be continued during an emergency.

Answer 136

Business Impact Analysis

Question 137

Any event that has the potential to disrupt an organization’s business.

Answer 137

Disaster

Question 138

Triggered by an event that has the potential to disrupt an organization’s business; identifies and prioritizes the risks posed to the facility by an internal or external disaster.

Answer 138

Disaster Recovery Plan

Question 139

What are the two key concepts in business continuity planning?

Answer 139

Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

Question 140

Set duration of time that a business can still function and process information after experiencing a significant interruption to its operations. That is the time that the business has to recover operations.

Answer 140

Recovery Point Objective (RPO)

Question 141

Amount of actual time (duration) since the beginning of the interruption that is deemed tolerable before the interruption is considered intolerable to the business.

Answer 141

Recovery Time Objective (RTO)

Question 142

Percentage measurement (0–100 percent) of how much computing power is needed. This is based on a percentage of the production system that you will need during an emergency.

Answer 142

Recovery Service Level (RSL)

Question 143

The length of time between an interruption and the recovery from that interruption.

Answer 143

Mean Time to Recovery (MTTR)

Question 144

Measure of the reliability of a system or component. It’s a crucial element of maintenance management, representing the average time that a system or component will operate before it fails.

Answer 144

Mean Time Between Failure (MTBF)

Question 145

What are the four types of Disaster Recovery Sites?

Answer 145

Cold Site, Warm Site, Hot Site, Mobile Site

Question 146

Cheapest Disaster Recovery Site that will require the most time to have running. Likely initial steps involve opening boxes, equipment is available to set up but partial setup and configuration are not done.

Answer 146

Cold Site

Question 147

Disaster Recovery site that is probably already running but still requires considerable effort to resume operations. Likely initial steps involve restoring backups, equipment is set up and configured and ready to turn on.

Answer 147

Warm Site

Question 148

Disaster Recovery site that with minimal efforts to resume operations. Likely initial steps involve assuring minimal data loss since the disaster event place with equipment setu up and running as a copy to the lost data center.

Answer 148

Hot Site

Question 149

A Disaster Recovery site that can be moved or mobilized to a new location. Picture a truck trailer filled with equipment to mirror your data center.

Answer 149

Mobile Site

Question 150

What are some methods to review and evaluate the effectiveness of existing security controls?

Answer 150

Gap Analysis, Audits, Vulnerability Assessments, and Ethical Hacking

Question 151

Security control evaluation method that involves an examination of an area or environment designed to report the difference between “where we are” and “where we want to be.”

Answer 151

Gap Analysis

Question 152

Security control evaluation method that is typically a review of a company’s technical, physical, and administrative controls.

Answer 152

Information Security Audit

Question 153

Security control evaluation method that utilizes tools and scanners to provide information on vulnerabilities within a targeted application or system or an entire network.

Answer 153

Vulnerability Assessment Tools

Question 154

How are vulnerabilities ussally graded in a vulnerability assessment tool?

Answer 154

High, Medium, or Low

Question 155

Security control evaluation method that is the process of looking at a network in the same way as an attacker would.

Answer 155

Ethical Hacking

Question 156

What is the goal of the Ethical Hacker evaluation method?

Answer 156

Attempting to determine what the attacker can access and obtain, what an attacker can do with that information, and whether anyone would notice what the attacker is doing.

Question 157

What is another name for Ethical Hacking?

Answer 157

Penetration Testing

Question 158

What is the purpose of Lessons Learned?

Answer 158

Determine the effectiveness of processes, identify improvements, and provide insights and recommendations for when these processes are repeated.

Question 159

Written contract that specifies the levels of service that will be provided by the vendor and what the customer can do if the vendor fails to meet the terms.

Answer 159

Service Level Agreement (SLA)

Question 160

What is another name for Lessons Learned?

Answer 160

After Action Review

Question 161

A method of measuring something, or the results obtained from this.

Answer 161

Metrics

Question 162

Help an organization better measure important metrics such as scalability, availability, and reliability.

Answer 162

Key Performance Indicator (KPI)

Question 163

Metrics that predict potential risks that can negatively impact businesses.

Answer 163

Key Risk Indicators (KRI)

Question 164

Accomplishment of a given task measured against preset known standards of accuracy, completeness, cost, and speed.

Answer 164

Performance

Question 165

One of the most well-known types of SLAs that detail the agreed-on amount of uptime. For example, they can be used for network services such as a WAN link or equipment like servers.

Answer 165

Uptime Agreements

Question 166

The percentage of help-desk or response calls answered within a given time.

Answer 166

Time Service Factor

Question 167

The number of callers who hang up while waiting for a service representative to answer.

Answer 167

Abandon Rate

Question 168

The number of resolutions that are made on the first call and do not require the user to call back to the help desk to follow up or seek additional measures for resolution.

Answer 168

First Call Resolution

Question 169

Delay; determine how long it takes an application to respond or even the amount of delay in a WAN network.

Answer 169

Latency

Question 170

The ability of a program, application, or network to continue to function as scale, volume, or throughput is changed.

Answer 170

Scalability

Question 171

The ability to meet or achieve a specific goal.

Answer 171

Capability

Question 172

The extent to which a product can be used by specified users to achieve specified goals.

Answer 172

Usability

Question 173

Must meet the criteria of usability to be viable and effective.

Answer 173

Security Requirements

Question 174

Identify problems that demand finding a balance between different factors, such as the time and cost.

Answer 174

Trade-off Analysis

Question 175

Defines the capability to restore systems to the exact point in time at which the failure occurred.

Answer 175

Recoverability

Question 176

Usable through the expected time of use.

Answer 176

Maintainability

Question 177

The functional state of a system and, in the networking world, is often simplified to uptime.

Answer 177

Availability

Question 178

Total operating time divided by the number of failures

Answer 178

mean time between failure (MTBF)

Question 179

The amount of time it takes to restore a system if and when a failure occurs.

Answer 179

mean time to recovery (MTTR)

Question 180

First step in prevention that provide a planned approach to practice procedures, such as those drafted for disaster recovery.

Answer 180

Testing Plans

Question 181

What are five types of Testing Plans?

Answer 181

Walk-through, Checklist, Tabletop Exercise, Parallel and Simulation Tests, and Full Interruption Test

Question 182

Straightforward exercise where you manually perform and analyze the steps of disaster recovery without causing any real disruption.

Answer 182

Walk-through

Question 183

The easiest form of testing; read through procedures and steps toward disaster recovery. Any glaring gaps or concerns are analyzed further.

Answer 183

Checklist

Question 184

Raise situational awareness in the context of information security, foster discussion of incident response, demonstrate scenarios that are most likely to occur.

Answer 184

Tabletop Exercise

Question 185

Simulates a disaster recovery by running through all the steps alongside the disaster recovery systems and processes.

Answer 185

Parallel Test

Question 186

Going through all motions in the disaster recovery process but leaving production systems running.

Answer 186

Simulation Test

Question 187

True test of confidence in disaster recovery planning. Production systems are temporarily taken offline once disaster recovery systems are set up and ready to assume the place of the shutdown systems.

Answer 187

Full Interruption Test

Question 188

Audit conducted to improve an entity’s operations; monitors the operations of the organization regarding the improvement of effectiveness, control, governance processes, and risk management.

Answer 188

Internal Audit

Question 189

Audit of the organization by an independent audit firm, which is not controlled by the organization that it is auditing

Answer 189

External Audit

Question 190

Why are external audits performed?

Answer 190

Statutory requirements to verify whether security controls, processes, and documentation are in accordance with acceptable standards and regulatory requirements.

Question 191

Why are internal audits performed?

Answer 191

Provide an independent opinion and consultancy to senior management and those charged with governance.

Question 192

You’ve been told there is a problem. Obtain a specific description of the problem.

Answer 192

Define the Problem

Question 193

Ask yourself questions when something fails or is not working properly.

Answer 193

Gather the Facts

Question 194

Think about all the possibilities for why something doesn’t work or why something is behaving in a certain way.

Answer 194

Brainstorm

Question 195

Make a step-by-step list of the possibilities for testing. Test each possibility to see if it corrects the problem.

Answer 195

Implement

Question 196

Think back to what you have done, and then document causes and solutions to the problem.

Answer 196

Evaluate

Question 197

Risk assessment technique that is more subjective, not monetary-based, and uses descriptors such as critical, high, medium, and low.

Answer 197

Qualitative

Question 198

Risk assessment technique that assigns and uses monetary values against known risks.

Answer 198

Quantitative

Question 199

Provide the necessary information about an organization’s IT infrastructure and its assets’ current level of security so that the assessor can provide recommendations for increasing or enhancing that level of security.

Answer 199

Risk and Vulnerability Assessments

Question 200

True or False: Conducting a Risk Assessment is difficult and prone to errors.

Answer 200

True

Question 201

What should the cost of a control not exceed?

Answer 201

The value of the asset.

Question 202

Threats coupled with vulnerabilities can lead to what?

Answer 202

Loss

Question 203

True or False: Business continuity and DR plans must be practiced periodically.

Answer 203

True

Question 204

Formalized approach to risk prioritization that lets an organization conduct reviews in a structured manner.

Answer 204

Risk Assessment

Question 205

Process of applying controls to reduce the probability or impact of a risk.

Answer 205

Risk Mitigation