IS 3110 CHAP 5 Flashcards
What can you use to help quantify risks?
- SLE
- ARE
- Risk assessment
- Risk mitigation plan
- All the above
All the above (SLE, ARE, Risk assessment, Risk mitigation plan)
A risk ___ is a major component of a risk management plan.
Assessment
Risk assessments are a continuous process.
TRUE OR FALSE
FALSE
A ___ ___ ___ uses SLE.
Quantitative risk assessment
What elements are included in a qualitative analysis?
- SLE, ALE, ARO
- ALE, ARO, ARP
- Probability and impact
- Threats and vulnerabilities
Probability and impact
What elements are included in a quantitative analysis?
- SLE, ALE, ARE
- ALE, ARO, SAP
- Probability, impact and money
- Threats, vulnerabilities and reputation
SLE, ALE, ARE
Qualitative analysis is more time consuming than quantitative analysis.
TRUE OR FALSE
FALSE
You are trying to decide what type of risk assessment methodology to use. A primary benefit of a ___ risk assessment is that it can be completed more quickly than other methods.
Qualitative
You are trying to decide what type of risk assessment methodology to use. A primary benefit of a ___ risk assessment is that it includes details for a cost-benefit analysis.
Quantitative
What must you define when performing a qualitative risk assessment?
- Formulas used for ALE
- Scales used to define probability and impact
- Scales used to define SLE and ALE
- Acceptable levels of risk
Scales used to define probability and impact
A ___ risk assessment is objective. It uses data that can be verified.
Quantitative
A ___ risk assessment is subjective. It relies on the opinions of experts.
Qualitative
One of the challenges facing risk assessments is getting accurate data. What can be included in the risk assessment report to give an indication of the reliability of the data?
- Probability statement
- Accuracy scale
- Validity level
- Uncertainty level
Uncertainty level
You are working on a qualitative risk assessment for your company. You are thinking about the final report. What should you consider when providing the results and recommendations? (Select two)
- Resource allocation
- SLE and ARO
- Risk acceptance
- SLE and ALE
Resource allocation
Risk acceptance
Of the following, what would be considered a best practice when performing risk assessments?
- Start with clear goals and defined support
- Ensure support of senior management
- Repeat the risk assessment regularly
- Provide clear recommendations
- All of the above
All of the above (Start with clear goals and defined support; Ensure support of senior management; Repeat the risk assessment regularly; Provide clear recommendations)
The total expected loss from a given risk for a year; it is calculated by multiplying SLE x ARO. It is also part of a quantitative risk assessment.
Annual loss expectancy (ALE)
The number of times a loss from a given threat is expected to occur in a year. It is used with the SLE to calculate the ALE and is part of a quantitative risk assessment.
Annualized rate of occurrence (ARO)
The amount of the loss resulting from a threat exploiting a vulnerability. The loss can be expressed in monetary terms or as a relative value. It identifies the severity of the loss and is derived from the opinions of experts.
Impact
Used in qualitative risk assessment. It refers to the likelihood that a risk will occur. A risk occurs when a threat exploits a vulnerability. It is derived from the opinions of experts.
Probability
A subjective method used for RAs. It uses relative values based on the opinions of experts. It can be completed quickly and does not have predefined formulas.
Qualitative Risk assessment
An objective method used for RAs. It uses numbers such as actual dollar values. It requires a significant amount of data that can sometimes be difficult to obtain. The data is then entered into a formula.
Quantitative Risk assessment
This is an acronym for redundant array of independent disks; it is also called redundant array of inexpensive disks. Multiple disks are used together to provide fault tolerance: a fault can occur on one disk and the system tolerates it and continues to operate.
RAID (redundant array of independent disks)
A process used to identify and evaluate risks based on an analysis of threats and vulnerabilities to assets. Risks are quantified based on their importance or impact severity and can then be prioritized.
Risk assessment (RA)
Another term for a control. Safeguards are used to mitigate risk. They can mitigate the risk by reducing the impact of the threat, or by reducing the vulnerabilities.
Safeguard
The actual cost of a control. This data can be used to complete a cost-benefit analysis.
Safeguard value
The total loss resulting from a single incident. It is expressed as a dollar value and includes the value of hardware, software, and data. It is used to help calculate ALE (ALE = SLE x ARO). It is a part of quantitative risk assessment.
Single loss expectancy (SLE)
The failure of any single component that can result in the total loss of a system. It is typically addressed by adding redundancy. For example, a disk drive can be protected with a RAID configuration, and failover clusters remove servers as a point of failure.
Single point of failure (SPOF)
A method of indicating the accuracy of data. Data consistency is evaluated to determine a level of certainty. The uncertainty level is then calculated as 100 minus the percentage of certainty.
Uncertainty level