IS3340 CHAPTER 14 Flashcards
The number of times a threat might affect an organization during a one-year time frame is called ___?
ANNUAL RATE OF OCCURRENCE (ARO)
The amount of loss that an organization can expect to have each year due to a particular risk. (The equation ALE = SLE x ARO is used.) This is called ___?
ANNUALIZED LOSS EXPECTANCY (ALE)
Plans that address the recovery of an organization’s business processes and functions in the event of a disaster. They tend to be comprehensive for returning an organization to normal operating conditions. This is called ___?
BUSINESS CONTINUITY (BC) PLANS
A process that identifies key business operations and the resources used to support those processes. It also identifies maximum tolerable down-time for critical business functions and is called ___?
BUSINESS IMPACT ANALYSIS (BIA)
A basic type of disaster recovery and business continuity test that checks to make sure that supplies and inventory items needed for an organization’s business recovery are on hand is called ___?
CHECKLIST TEST
A backup site for disaster recovery and business continuity planning purposes that is little more than reserved space. It does not have any hardware or equipment ready for business operations. It will have electrical service, but most likely won’t have network connectivity. It can take weeks to months for an organization to ready this site for business operations. This is called a ___?
COLD SITE
Any situation where a person’s private interests and professional obligations collide. Independent observers might question whether a person’s private interests improperly influence his or her professional decision. This is called ___?
CONFLICTS OF INTEREST
A sudden, unplanned event that negatively affects the organization’s critical business functions for an unknown period is called a ___?
DISASTER
Plans that address the recovery of an organization’s information technology systems in the event of a disaster are called ___?
DISASTER RECOVERY (DR) PLANS
The percentage of asset loss that is likely to be caused by an identified threat or vulnerability is called ___?
EXPOSURE FACTOR
A disaster recovery and business continuity test where an organization stops all of its normal business operations and transfers those operations to its backup site. This is the most comprehensive form of disaster recovery and business continuity plan test. This is called ___?
FULL INTERRUPTION TEST
An operational backup site for disaster recovery and business continuity planning purposes. It has equipment and infrastructure that is fully compatible with an organization’s main facility. It is not staffed with people. It can become operational within minutes to hours after a disaster and is called ___?
HOT SITE
A contingency plan that helps an organization respond to attacks against its information technology infrastructure is called ___?
INCIDENT RESPONSE (IR)
The amount of time that critical business processes and resources can be offline before an organization begins to experience irreparable business harm is called ___?
MAXIMUM TOLERABLE DOWNTIME (MTD)
A fully operational backup site for disaster recovery and business continuity planning purposes. This site actively runs an organization’s information technology function in parallel with the organization’s main processing facility. It is fully staffed and has all necessary data and equipment to continue business operations. This is called ___?
MIRRORED SITE
A disaster recovery and business continuity test where an organization tests its ability to recover its information technology systems and its business data. In this type of test, the organization brings its backup recovery sites online. It will then use historical business data to test the operations of those systems. This is called ___?
PARALLEL TEST
A marketing field that manages an organization’s public image is called ___?
PUBLIC RELATIONS (PR)
A risk analysis method that uses scenarios and rating systems to calculate risk and potential harm. This analysis does not attempt to assign a monetary value to assets and risk. This is called ___?
QUALITATIVE RISK ANALYSIS
A risk analysis method that uses real money costs and values to determine the potential monetary impact of threats and vulnerabilities is called ___?
QUANTITATIVE RISK ANALYSIS
The loss that an organization has when a potential threat actually occurs is called ___?
REALIZED RISK
A process of identifying threats and vulnerabilities that an organization faces. It can be quantitative, qualitative, or a combination of both and is called ___?
RISK ASSESSMENT (RA)
The process that an organization uses to identify risks, assess them, and reduce them to an acceptable level is called ___?
RISK MANAGEMENT (RM)
A disaster recovery and business continuity test where an organization role-plays a specific disaster scenario. This type of test does not interrupt normal business operations and activities and is called ___?
SIMULATION TEST
The amount of money that an organization stands to lose every time a specified risk is realized is called ___?
SINGLE LOSS EXPECTANCY (SLE)
A basic type of disaster recovery and business continuity test that reviews a disaster recovery/business continuity plan to make sure that all of the assumptions and tasks stated in the plan are correct. This type of test is sometimes called a tabletop walk-through test or tabletop test but often is called a ___?
WALK-THROUGH TEST
A partially equipped backup site for disaster recovery and business continuity planning purposes. It is a space that contains some, but not all, of the equipment and infrastructure that an organization needs to continue operations in the event of a disaster. It is partially prepared for operations and has electricity and network connectivity. This is called a ___?
WARM SITE
- A parallel test uses current processing data to test IT system operation.
TRUE OR FALSE
FALSE
- Which item is NOT part of the risk management process?
- Risk analysis
- Risk response
- Continuous monitoring
- Training employees
- All the above are parts of the risk management process
All the above are parts of the risk management process (risk analysis, risk response, continuous monitoring, and training employees)
- What does a risk assessment do?
A risk assessment identifies the threats and vulnerabilities to IT resources.
- Which type of contingency plan test is the least expensive?
- Full interruption test
- Parallel test
- Simulation test
- Checklist test
- None of the above
Checklist test
- Which type of risk analysis uses real numbers to calculate risk?
- Quantitative
- Qualitative
- Quasi-quantitative
- Quasi-qualitative
- None of the above
Quantitative
- The ___ is the percentage of asset loss that is likely to be caused by an identified threat.
Exposure factor
- How is annualized loss expectancy calculated?
The annualized loss expectancy (ALE) is the amount of loss that an organization can expect to have each year due to a particular risk. ALE is often expressed in the equation ALE = SLE x ARO, where SLE is the single loss expectancy and ARO is the annual rate of occurrence.
- What is the main benefit of a qualitative risk assessment?
- Measures the money cost of a risk
- Scope of the assessment can be easily changed
- Easy to administer
- All the above
- None of the above
Easy to administer
- Which of the following is a qualitative risk assessment methodology?
- CRAMM
- ISO
- MTD
- BIA
- None of the above
CRAMM
(The UK’s Central Computer and Telecommunications Agency (CCTA) created CRAMM, the CCTA Risk Analysis and Management Method.)
FYI: CRAMM has been commercialized and is sold as a software program. It is a qualitative risk analysis method and relies on international standards for its RA methodology.
- Which risk response eliminates all risk of harm posed by a threat or vulnerability?
- Risk transfer
- Risk mitigation
- Risk acceptance
- Risk avoidance
- None of the above
Risk avoidance
- Which type of contingency plan reacts to attacks against an organization’s IT infrastructure?
- BC plan
- DR plan
- IR plan
- 1 & 2 only
- None of the above
IR plan
- A(n) ___ is an event that adversely affects the confidentiality, integrity, and/or availability of an organization’s data and IT systems.
Incident
- A(n) ___ is a sudden, unplanned event that negatively affects the organization’s critical business functions for an unknown period.
Disaster
- Which backup site is a fully operational backup site?
- Mirrored site
- Hot site
- Warm site
- Cold site
- None of the above
Mirrored site
- A business impact analysis identifies key business operations and resources.
TRUE OR FALSE
TRUE