Domain 3 Flashcards
(39 cards)
Which of the following formulas is used to calculate Risk?
a) Risk {due to a threat} = Vulnerability x Threat {to that vulnerability}
b) Risk {due to a vulnerability} = Vulnerability x Threat {to that vulnerability}
c) Risk {due to a threat} = Threat x Vulnerability {to that threat}
d) Risk {due to a vulnerability} = Threat x Vulnerability {to that threat}
Risk {due to a threat} = Threat x Vulnerability {to that threat}
In the formula displayed below, what does ‘Vulnerability’ represent? Risk = Threat x Vulnerability
a) Vulnerability to that specific threat
b) Vulnerability to threats in general
c) Vulnerability to unknown threats
d) Vulnerability to known threats
Vulnerability to that specific threat
Which of the following choices specifies a certain way in which something should be done or a certain brand or type of equipment that must be used?
a) Standard
b) Baseline
c) Policy
d) Procedure
Standard
After you install a well-configured firewall, a web site inside your perimeter is defaced by an outside attack. Which security principle has NOT been addressed?
a) Defense-in-Depth
b) Deny all, then allow as needed
c) Least possible privilege
d) Know your system
Defense-in-Depth
When a threat connects to its vulnerability, what is the result?
a) Reduced risk
b) Possible system compromise
c) Increased impact
d) Increased uncertainty
Possible system compromise
Which of the following is the most common defense tactic?
a) Establishing a strong security policy
b) Applying software patches as soon as possible
c) Deploying perimeter defenses such as firewalls
d) Replacing hubs with switches
Deploying perimeter defenses such as firewalls
The Risk Management option to “accept the risk” is most reasonable after which of the following steps has been taken?
a) Perform penetration testing
b) Identify the probable threats
c) Deploy a perimeter defense
d) Mitigate or reduce the risk
Mitigate or reduce the risk
Of the following, which best describes the ‘insurance model’ of Risk Management?
a) Pass the risk over to a third-party.
b) Redirect the cost of insurance into Risk Avoidance efforts.
c) Follow best practices to insure security.
d) Ignore the risk
Pass the risk over to a third-party
In the formula displayed below, what does the “Exposure Factor” represent? Single Loss Expectancy = Asset Value x Exposure Factor
a) The degree to which an asset is vulnerable to attack.
b) The percentage of loss a threat event would have on the asset.
c) The cost to reduce the risk that an asset is subject to.
d) The likelihood that a threat would escalate into an event.
The percentage of loss a threat event would have on the asset
Which of the following are the two common approaches to risk assessment?
a) Proactive and Reactive
b) In-house and vendor provided
c) Open Source and Closed Source
d) Qualitative and Quantitative
Qualitative and Quantitative
Which of the following methods of risk assessment is the more valuable tool for business decision-making?
a) The Legal exposure method
b) The Human resources method
c) The Quantitative method
d) The Heuristic method
The Quantitative method
Which of the following statements is TRUE?
a) Risk Management is as much about Security as anything.
b) Threats are as much about Risk Management as anything.
c) Vulnerabilities are as much about Security as anything.
d) Security is as much about Risk Management as anything.
Security is as much about Risk Management as anything
Of the following, which best describes the ‘insurance model’ of Risk Management?
a) Redirect the cost of insurance into Risk Avoidance efforts.
b) Follow best practices to insure security.
c) Pass the risk over to a third-party.
d) Escrow adequate funds to insure timely Risk Recovery.
Pass the risk over to a third-party
Which approach to Risk Assessment tries to assign an objective numeric value to describe the degree of risk?
a) The Qualitative approach
b) The Heuristic approach
c) The Elliptical Curve approach
d) The Quantitative approach
The Quantitative approach
Which approach to risk assessment focuses on the more intangible values to describe the degree of risk?
a) The Qualitative approach
b) The Quantitative approach
c) The Ephemeral approach
d) The Consensus approach
The Qualitative approach
A security incident can be thought of in which of the following terms?
a) Confidentiality, integrity and portability
b) Confidentiality, integrity and availability
c) Integrity, privacy and accountability
d) Availability, accountability and authority
Confidentiality, integrity and availability
Why is it that a firewall alone cannot provide acceptable security?
a) Threats can come in different forms and sources.
b) A firewall can be compromised or bypassed.
c) A firewall cannot defend against most malware.
d) Threats can come from malicious insiders.
Threats can come in different forms and sources
Which of the following is MOST required in order to reduce or prevent vulnerabilities?
a) You must know about the vulnerabilities.
b) You must have proper authorization.
c) Authenticated vendor patches, hot fixes or alerts
d) Consensus from top management
You must know about the vulnerabilities
Which of the following is NOT one of the three Risk Choices?
a) Accept the risk as is.
b) Mitigate or reduce the risk.
c) Transfer the risk.
d) Reject the risk as is.
Reject the risk as is
Which of the following is required before deciding between accepting, mitigating, or transferring a risk?
a) Our legal department should be consulted.
b) The threat should first be mitigated or reduced.
c) We should understand the risk and how it affects us.
d) Eliminate all uncertainty associated with the risk.
We should understand the risk and how it affects us
Which of the following is NOT a benefit of security awareness?
a) Measurable reduction in unauthorized actions attempted by personnel
b) Increases the effectiveness of protection controls
c) Reduces the layers of ‘defense-in-depth’ to a more manageable level
d) Helps to avoid fraud, waste and abuse of computing resources
Reduces the layers of ‘defense-in-depth’ to a more manageable level
Which of the following terms is best defined by the statement below? ‘General, collective awareness of an organization’s personnel of the importance of security and security controls.’
a) Security Posture
b) Security Awareness
c) Security Management
d) Security Measurement
Security Awareness
Regarding ‘Data Classification Roles’, an ‘Owner’ can be described as any of the following, except one. Which of the following does NOT describe a data ‘owner’?
a) An executive or manager of an organization
b) Responsible for the asset of information that must be protected
c) Has the final corporate responsibility of data protection
d) Verifies the data’s integrity
Verifies the data’s integrity
When talking about ‘Data Classification Roles’, a ‘custodian’ is concerned with all of the following except which one?
a) Running regular backups and routinely testing the validity of the backup.
b) Performing data restoration from the backups when necessary.
c) Maintaining those retained records in accordance with the established information classification policy.
d) Determining the data’s value to the organization and the threshold beyond which obsolete data is purged.
Determining the data’s value to the organization and the threshold beyond which obsolete data is purged