Course 5: Assets Threats and Vulnerabilities

Question 1

What is the definition of risk?

Answer 1

Def: anything that can impact the confidentiality, integrity, or availability of an asset.

Question 2

True or False: Risk is the same for every organization

Answer 2

False: Risk differs by organization

Question 3

Interpret risk by:

Answer 3

Effects and Events: interpret risk by considering the potential effects that negative events can have on a business

Question 4

What is the formula for calculating risk?

Answer 4

Likelihood x Impact = Risk

Question 5

Name 4 reasons why we calculate risk in this field

Answer 5

-Prevent costly and disruptive events

-Identify improvements that can be made to systems and processes

-Determine which risks can be tolerated

-Prioritize the critical assets that require attention

Question 6

What are the 3 risk categories

Answer 6

-Damage
-Disclosure
-Loss of information

Question 7

What 5 questions should you ask to determine impact in a risk calculation?

Answer 7

-How would the business be affected?

-What’s the financial harm to the business and its customers?

-Can important operations or services be impacted?

-Are there regulations that can be violated?

-What is the reputational damage to the company’s standing?

Question 8

What 3 questions should you ask to determine likelihood in a risk calculation?

Answer 8

-Could the risk happen once a day?

-Could the risk happen once a month?

-Could the risk happen once in a year?

Question 9

What is the definition of an asset?

Answer 9

Def: an item perceived as having value to an organization

Question 10

Give 4 examples of an asset

Answer 10

-buildings
-equipment
-data
-people

Question 11

What is the definition of a threat?

Answer 11

Def: any circumstance or event that can negatively impact assets

Question 12

What are the two types of threats?

Answer 12

1. intentional - ex. a malicious hacker who gains access to sensitive information by targeting a misconfigured application
2. unintentional - ex. an employee who holds the door open for an unknown person and grants them access to a restricted area

Question 13

What is a vulnerability?

Answer 13

Def: a weakness that can be exploited by a threat/flaws within an asset (analogy: a weak lock on a front door)

Question 14

What are the 2 categories of vulnerabilities?

Answer 14

-technical - ex. misconfigured software that might give an unauthorized person access to important data

-human - ex. a forgetful employee who loses their access card in a parking lot

Question 15

What is the definition of asset management?

Answer 15

Def: The process of tracking assets and the risks that affect them

Question 16

True or False: You can only protect the things you account for

Answer 16

True

Question 17

What is the definition of Asset Inventory?

Answer 17

Def: A catalog of assets that need to be protected

Question 18

What is the definition of Asset Classification?

Answer 18

Def: The practice of labeling assets based on sensitivity and importance to an organization

Question 19

Asset classification determines whether an asset can be ____, ____, or ____

Answer 19

disclosed, altered or destroyed

Question 20

True or False: information can have multiple classification values at the same time

Answer 20

True

Question 21

What are the 4 levels of asset classification?

Answer 21

Public, Internal-only, Confidential, and Restricted

Question 22

Describe the public level of asset classification

Answer 22

1. Lowest level
2. Can be shared with anyone
3. No negative consequences if released

Question 23

Describe the internal-only level of asset classification

Answer 23

1. Second level
2. Asset can be shared w/ anyone within the organization (i.e. employees and business partners)

Question 24

Describe the confidential level of asset classification

Answer 24

1. Third level
2. Asset should only be accessed by those working on a specific project.
3. Disclosure may lead to a significant negative impact

Question 25

Describe the restricted level of asset classification

Answer 25

1. Fourth and Highest level
2. Asset is highly sensitive and must be protected.
3. need-to-know information (i.e.. intellectual property, health/payment information)

Question 26

What are the 4 things you must know to determine the sensitivity and importance of an asset?

Answer 26

1. What you have
2. Where it is
3. Who owns it
4. How important it is

Question 27

What are four different kinds of assets?

Answer 27

1. Digital Assets
2. Information Systems that process data
3. Physical Assets
4. Intangible Assets

Question 28

Give an example of a digital asset

Answer 28

customer data or financial records

Question 29

Give an example of an information system that processes data

Answer 29

network or software

Question 30

Give an example of a physical asset

Answer 30

facilities, equipment, or supplies

Question 31

Give an example of an intangible asset

Answer 31

brand reputation or intellectual property

Question 32

What is the definition of Data?

Answer 32

Def: information that is translated, processed, or stored by a computer

Question 33

What are the 3 states of data?

Answer 33

1. In use
2. In transit
3. At rest

Question 34

Describe data that is in the state of “in use”

Answer 34

It is data being accessed by one or more users

Question 35

Describe data that is “in transit”

Answer 35

It is data traveling from one point to another

Question 36

Describe data that is “at rest”

Answer 36

It is data not currently being access

Question 37

What is the definition of Information Security (InfoSec)

Answer 37

Def: the practice of keeping data in all states away from unauthorized users.

Question 38

What are the 3 cloud-based services?

Answer 38

1. Software as a Service (SaaS)
2. Platform as a Service (PaaS)
3. Infrastructure as a Service (IaaS)

Question 39

What is Software as a Service (SaaS)?

Answer 39

front-end applications that users access via a web browser. The service providers host, manage, and maintain all of the back-end systems for those applications.