IS3110 CHAP 6

Question 1

You are beginning an RA for a system. You should define both the operational characteristics and the mission of the system in the early stages of the RA.
TRUE OR FALSE

Answer 1

TRUE

Question 2

Which of the following should you identify during a risk assessment?

1. Assets
2. Threats
3. Vulnerabilities
4. Countermeasure
5. All the above

Answer 2

Assets
Threats
Vulnerabilities
Countermeasure

Question 3

Of the following choices, what would be considered an asset?

1. Hardware
2. Software
3. Personnel
4. Data and information
5. All the above

Answer 3

Hardware
Software
Personnel
Data and information

Question 4

When defining the system for the risk assessment, what should you ensure is included?

1. Only the title of the system
2. The current configuration of the system
3. A list of possible attacks
4. A list of previous risk assessments

Answer 4

The current configuration of the system

Question 5

What can you use to identify relevant vulnerabilities?

1. Historical data
2. Threat modeling
3. CBA
4. A and B only
5. None of the above

Answer 5

None of the above

Question 6

Which type of assessment can you perform to identify weaknesses in a system without exploiting the weaknesses?

1. Vulnerability assessment
2. Risk assessment
3. Exploit assessment
4. Penetration test

Answer 6

Vulnerability assessment

Question 7

An acceptable use policy is an example of an ___ security control.

Answer 7

Administrative

Question 8

Your organization requires users to log on with smart cards. This is an example of a ___ security control.

Answer 8

Technical

Question 9

You use video cameras to monitor the entrance of secure areas of your building. This is an example of a ___ security control.

Answer 9

Physical

Question 10

Which of the following should you match with a control to mitigate a relevant risk?

1. Threats
2. Vulnerabilities
3. Threat/vulnerability pair
4. Residual risk

Answer 10

Threat/vulnerability pair

Question 11

What does a qualitative RA use to prioritize a risk?

1. Probability and impact
2. SLE, ARO, and ALE
3. Safeguard value
4. Cost-benefit analysis

Answer 11

Probability and impact

Question 12

What does a quantitative RA use to prioritize a risk?

1. Probability and impact
2. SLE, ARO, and ALE
3. Safeguard value
4. Cost-benefit analysis

Answer 12

SLE, ARO, and ALE

Question 13

Your organization purchased a control and installed it on several servers. This control is consuming too many server resources, and the servers can no longer function. What was not evaluated before the control was purchased?

1. The cost and time to implement the control
2. The operational impact of the control
3. The in-place and planned controls
4. The impact of the risk

Answer 13

The operational impact of the control

Question 14

What is included in an RA that helps justify the cost of a control?

1. Probability and impact
2. ALE
3. CBA
4. POAM

Answer 14

CBA

Question 15

What is created with a risk assessment to track the implementation of the controls?

1. CBA
2. POAM
3. ALE
4. SLE

Answer 15

POAM

Question 16

Control in place from the rules and guidelines directed by upper-level management.

Answer 16

Administrative security control

Question 17

A list used in a spam filter to block email. It is a list of email addresses or email domains. You add the addresses or domains to the list to ensure that email from these sources is always marked as spam.

Answer 17

Blacklist

Question 18

A security control or safeguard. It is put into place to reduce a risk. It reduces the risk by reducing the vulnerability or threat impact.

Answer 18

Countermeasure

Question 19

An attempt to discover what vulnerabilities an attacker can exploit. Exploit assessments are also called penetration tests.

Answer 19

Exploit assessment

Question 20

An automated management tool. You can configure a setting once and it will apply to all users or computers equally. It is much more efficient than configuring the setting on individual computers.

Answer 20

Group Policy

Question 21

A measure that is currently installed. Countermeasures can be in place or planned.

Answer 21

In-Place countermeasure

Question 22

The effect of a security control on operations. It frequently consumes resources. These resources can impact normal operations if not controlled.

Answer 22

Operational impact

Question 23

Controls the physical environment. It includes locks and guards to restrict physical access. It also includes heating and cooling systems to control the environment.

Answer 23

Physical security control

Question 24

This is planned to be added at some point in the future and can be in place or planned.

Answer 24

Planned countermeasure

Question 25

A control that uses computers or software to protect systems and provides automation.

Answer 25

Technical security control

Question 26

A process used to identify possible threats on a system. Threat modeling attempts to look at a system from the attacker’s perspective.

Answer 26

Threat modeling

Question 27

A process used to discover weaknesses in a system. The assessment will then prioritize the vulnerabilities to determine which weaknesses are relevant.

Answer 27

Vulnerability assessment

Question 28

A list used in a spam filter to allow email. It is a list of email addresses or email domains. You add the addresses or domains to ensure that email from these sources is not marked as spam.

Answer 28

Whitelist