Chapter 1 Risk Management Flashcards
A script kiddie is a classic example of a
threat actor
Risk is often considered formulaically as
Risk = Probability x Impact
A company makes a document called “Acceptable Use” that defines what the company allows users to do and not to do on their work systems. The company requires new employees to read and sign this. What is this type of document called?
Policies are normally written documents that define an organization’s goals and actions. Acceptable use policies are very common.
A __________ is a description of a complex process, concentrating on major steps and the flows between the steps.
framework
A No Trespassing sign is an example of a _________ control.
deterrent control
A lock on the door of a building is an example of a _________ control.
preventative control
An asset’s exposure factor is measured in __________.
Exposure factor is measured in terms of a percentage of loss to the value of that asset.
What is the equation for Single Loss Expectancy?
Single Loss Expectancy = Asset Value x Exposure Factor
Financial is one type of business impact. Which of the following names another? A. Pride B. Technical C. Device D. Reputation
Reputation is a common business impact.
Which of the following represents the component manufacturer's best guess (based on historical data) regarding how much time will pass between major failures of that component? A. MTTR B. MTBF C. MTMB D. MOAB
Mean Time Between Failures (MTBF)
Combining an administrative control with a technical control is an example of?
Control diversity
Using several vendors for equipment and services is referred to as
Vendor Diversity
What are the four steps of the NIST SP 800-30 Rev 1 risk assessment process?
- Prepare for assessment
- Conduct assessment (identify threats, vulnerabilities, etc.)
- Communicate results
- Maintain assessment
An ongoing process of identifying each vulnerability and then applying some form of security control to mitigate the risk that vulnerability exposes is
Risk Management
Threat sources, likelihood of occurrence, and impact describe
Concepts of Risk Assessment
NIST Special Publication 800-30 Rev 1
Guide for Conducting Risk Assessments
Risk assessment references can be found in what two publications?
NIST 800-30 Rev 1 and ISACA
Combining different types of controls to provide better security is an example of
Control diversity
Fences, door locks, elevator floor blockers, and biometric scanners are examples of
Physical controls
What is the greatest weakness in all IT infrastructures?
Network Users
How often should user training be conducted?
Initially and throughout their association
What does user training cover?
Password usage, personal security, and the ability to recognize attacks.
How can security control strategies be more effective?
By combining security controls so they work together, you get better security.
How many types of security controls are there?
There are 3 types of security controls
What are the 3 control types?
Technical, administrative, and physical
Requiring that all edge routers be able to communicate using SNMPv3 is what type of control?
Technical Control
"All users must log off their workstations every time they leave their office" is what type of control?
Administrative Control
Deterrent Controls are defined as
deterring a potential attacker from even attempting an attack.
Preventative Controls are defined as
attempts to keep an active attack from succeeding.
Mitigation
reducing threats posed against an organization and their impact
EXAM TIP: Know U.S. laws such as HIPAA, SOX, and PCI-DSS.
A single IT infrastructure would never have more than one chief security officer.
Quantitative Assessment is defined as
based on objective data, typically numerical data.
What are the four categories of Risk Response techniques?
Mitigate, Transfer, Accept, and Avoid
A business impact analysis (BIA) is designed to mitigate the effects of an incident, not to prevent an incident.
A BIA is part of a field of study in IT security called contingency planning (CP), which goes hand in hand with CompTIA Security+.
A BIA looks at what 5 types of impact?
FRPPS: Financial, reputation, property, privacy, safety/life