Chapter 1 Risk Management

Question 1

A script kiddie is a classic example of a

Answer 1

threat actor

Question 2

Risk is often considered formulaically as

Answer 2

Risk=Probability x Impact

Question 3

A company makes a document called “Acceptable Use” that defines what the company allows users to do and not to do on their work systems. The company requires new employees to read and sign this. What is this type of document called?

Answer 3

Policies are normally written documents that define an organization’s goals and actions. Acceptable use policies are very common.

Question 4

A__________is a description of a complex process, concentrating on major steps and the flows between the steps.

Answer 4

framework

Question 5

A no Trespassing sign is an example of a _________ control.

Answer 5

deterrent control

Question 6

A lock on the door of a building is an example of a _________ control.

Answer 6

preventative control

Question 7

An asset’s exposure factor is measured in __________.

Answer 7

Exposure factor is measured in terms of a percentage of loss to the value of that asset.

Question 8

What is the equation for Single Loss Expectancy?

Answer 8

Single Loss Expectancy = Asset Value x Exposure Factor

Question 9

Financial is one type of business impact. Which of the following names another? 
A. Pride
B. Technical
C. Device
D. Reputation

Answer 9

Reputation is a common business impact

Question 10

Which of the following represents the component manufacturer's best guess (based on historical data) regarding how much time will pass between major failures of that component?
A. MTTR
B. MTBF
C.MTMB
D.MOAB

Answer 10

Mean Time Between Failures (MTBF)

Question 11

Combining and administrative control with a technical control is an example of?

Answer 11

Control diversity

Question 12

Using several vendors for equipment and services is referred to as

Answer 12

Vendor Diversity

Question 13

What are the NIST SP 800-30 Rev 1 four-step risk assessment process

Answer 13

1. Prepare for assessment
2. conduct assessment; Id threat, vulnerability,
3. Communicate results
4. Maintain assessment

Question 14

an ongoing process of identifying each vulnerabilities and then applying some form of security control to mitigate risk that vulnerability exposes is

Answer 14

Risk Management

Question 15

Threat sources, likelihood of occurrence, and impact describe

Answer 15

Concepts of Risk Assessment

Question 16

NIST Special Publication 800-30 Rev 1

Answer 16

Guide for Conducting Risk Assessments

Question 17

Risk assessment references can be found in what two publications

Answer 17

NIST 800-30 Rev 1 and ISACA

Question 18

To combine different types of controls to provide better security is an example of

Answer 18

Control diversity

Question 19

Fences, door locks, elevator floor blockers, and bio-metric scanners are examples of

Answer 19

Physical controls

Question 20

What is the greatest weakness in all IT infrastructures?

Answer 20

Network Users

Question 21

How often should user training be conducted?

Answer 21

Initial and throughout their association

Question 22

What does user training cover?

Answer 22

password usage, personal security, and the ability to recognize attacks.

Question 23

How can security control strategies be more effective?

Answer 23

Combining security controls to work together, you get better security

Question 24

How many types of security controls?

Answer 24

There are 3 types of security controls

Question 25

What are the 3 types of control types?

Answer 25

Technical, administrative, and physical

Question 26

Requiring all edge routers must be able to communicate on SNMPv3 is what type of control?

Answer 26

Technical Control

Question 27

All users must log off their workstations every time they leave their office is what type of control?

Answer 27

Administrative Control

Question 28

Deterrent Controls are defined as

Answer 28

deterring a potential attacker from even attempting an attack.

Question 29

Preventative Controls are defined as

Answer 29

attempts to keep an active attack from succeeding.

Question 30

Mitigation

Answer 30

reducing threats posed against an organization and their impact

Question 31

EXAM TIP know U.S. laws such as HIPAA, SOX, and PCI-DSS.

Answer 31

A single IT infrastructure would never have more than one chief security officer.

Question 32

Quantitative Assessment is defined as

Answer 32

based on objective data typically, numerical data.

Question 33

What are the four categories of Risk Response techniques?

Answer 33

Mitigate, Transfer, Accept, and Avoid

Question 34

A business impact analysis (BIA) is designed to mitigate the effects of an incident, not to prevent an incident.

Answer 34

A BIA is part of a field of study in IT Security called contingency planning or CP that goes hand in hand with CompTIA Security +

Question 35

BIA looks at what 5 types of impact

Answer 35

Frpps - Financial, reputation, property, privacy, safety/life

Question 36

stop page 33

Answer 36

stop 33