IS3340 CHAPTER 14

Question 1

The number of times a threat might affect an organization during a one-year time frame is called ___?

Answer 1

ANNUAL RATE OF OCCURRENCE (ARO)

Question 2

The amount of loss that an organization can expect to have each year due to a particular risk. (The equation
ALE=SLE x ARO is used) This is called ___?

Answer 2

ANNUALIZED LOSS EXPECTANCY (ALE)

Question 3

Plans that address the recovery of an organization’s business processes and functions in the event of a disaster. They tend to be comprehensive for returning an organization to normal operating conditions. This is called ___?

Answer 3

BUSINESS CONTINUITY (BC) PLANS

Question 4

A process that identifies key business operations and the resources used to support those processes. It also identifies maximum tolerable down-time for critical business functions and is called ___?

Answer 4

BUSINESS IMPACT ANALYSIS (BIA)

Question 5

A basic type of disaster recovery and business continuity test that checks to make sure that supplies and inventory items needed for an organization’s business recovery are on hand is called ___?

Answer 5

CHECKLIST TEXT

Question 6

A backup site for disaster recovery and business continuity planning purposes that is little more than reserved space. It does not have any hardware or equipment ready for business operations. It will have electrical service, but most likely won’t have network connectivity. It can take weeks to months for an organization ready this site for business operations and is called a ___?

Answer 6

COLD SITE

Question 7

Any situation where a person’s private interests and professional obligations collide. Independent observers might question whether a person’s private interests improperly influence his or her professional decision. This is called ___?

Answer 7

CONFLICTS OF INTEREST

Question 8

A sudden, unplanned event that negatively affects the organization’s critical business functions for an unknown period is called a ___?

Answer 8

DISASTER

Question 9

Plans that address the recovery of an organization’s information technology systems in the event of a disaster is called ___?

Answer 9

DISASTER RECOVERY (DR) PLANS

Question 10

The percentage of asset loss that is likely to be caused by an identified threat or vulnerability is called ___?

Answer 10

EXPOSURE FACTOR

Question 11

A disaster recovery and business continuity test where an organization stops all of its normal business operations and transfers those operations to its backup site. This is the most comprehensive form of disaster recovery and business continuity plan test. This is called ____?

Answer 11

FULL INTERRUPTION TEST

Question 12

An operational backup site for disaster recovery and business continuity planning purposes. It has equipment and infrastructure that is fully compatible with an organization’s main facility. It is not staffed with people. It can become operational within minutes to hours after a disaster and is called ___?

Answer 12

HOT SITE

Question 13

A contingency plan that helps an organizations respond to attacks against an organization’s information technology infrastructure is called___?

Answer 13

INCIDENT RESPONSE (IR)

Question 14

The amount of time that critical business processes and resources can be offline before an organization begins to experience irreparable business harm is called ___?

Answer 14

MAXIMUM TOLERABLE DOWNTIME (MTD)

Question 15

A fully operational backup site for disaster recovery and business continuity planning purposes. This site actively runs an organization’s information technology function in parallel with the organization’s mail processing facility. It is fully staffed and has all necessary data and equipment to continue business operations. This is called ___?

Answer 15

MIRRORED SITE

Question 16

A disaster recovery and business continuity test where an organization tests its ability to recover its information technology systems and its business data. In this type of test, the organization brings its backup recovery sites online. It will then use historical business data to test the operations of those systems. This is called ___?

Answer 16

PARALLEL TEST

Question 17

A marketing field that manages an organization’s public image is called ___?

Answer 17

PUBLIC RELATIONS (PR)

Question 18

A risk analysis method that uses scenarios and ratings systems to calculate risk and potential harm. This analysis does not attempt to assign money value to assets and risk. This is called ___?

Answer 18

QUALITATIVE RISK ANALYSIS

Question 19

A risk analysis method that uses real money costs and values to determine the potential monetary impact of threats and vulnerabilities is called ___?

Answer 19

QUANTITATIVE RISK ANALYSIS

Question 20

The loss that an organization has when a potential threat actually occurs is called ___?

Answer 20

REALIZED RISK

Question 21

A process of identifying threats and vulnerabilities that an organization faces. It can be quantitative, qualitative, or a combination of both and is called ___?

Answer 21

RISK ASSESSMENT (RA)

Question 22

The process that an organization uses to identify risks, assess them, and reduce them to an acceptable level is called ___?

Answer 22

RISK MANAGEMENT (RM)

Question 23

A disaster recovery and business continuity test where an organization real-plays a specific disaster scenario. This type of test does not interrupt normal business operations and activities and is called ___?

Answer 23

SIMULTATION TEST

Question 24

The amount of money that an organization stands to lose every time a specified risk is realized is called ___?

Answer 24

SINGLE LOSS EXPECTANCY (SLE)

Question 25

A basic type of disaster recovery and business continuity test that reviews a disaster recovery/business continuity plan to make sure that all of the assumptions and tasks stated in the plan are correct. This type of test is sometimes called a tabletop walk-through test or tabletop test but often is called a ___?

Answer 25

WALK-THROUGH TEST

Question 26

A partially equipped backup site for disaster recovery and business continuity planning purposes. It is a space that contains some, but not all, of the equipment and infrastructure that an organization needs to continue operations in the event of a disaster. It is partially prepared for operations and has electricity and network connectivity. This is called a ___?

Answer 26

WARM SITE

Question 27

1. A parallel test uses current processing data to test IT system operation.
   TRUE OR FALSE

Answer 27

FALSE

Question 28

2. Which item is NOT part of the risk management process?
3. Risk analysis
4. Risk response
5. Continuous monitoring
6. Training employees
7. All the above are parts of the risk management process

Answer 28

All the above are parts of the risk management process

Risk analysis
Risk response
Continuous monitoring
Training employees

Question 29

3. What does a risk assessment do?

Answer 29

A risk assessment identifies the threats and vulnerabilities to IT resources.

Question 30

4. Which type of contingency plan test is the least expensive?
5. Full interruption test
6. Parallel test
7. Simulation test
8. Checklist test
9. None of the above

Answer 30

Checklist test

Question 31

5. which type of risk analysis uses real numbers to calculate risk?
6. Quantitative
7. Qualitative
8. Quasi-quantitative
9. Quasi-qualitative
10. None of the above

Answer 31

Quantitative

Question 32

6. The ___ is the percentage of asset loss that is likely to be caused by an identified threat.

Answer 32

Exposure factor

Question 33

7. How is annualized loss expectancy calculated?

Answer 33

The annualized loss expectancy (ALE) is the amount of loss that an organization can expect to have each year due to a particular risk.  
ALE is often expressed in the equation:
ALE=SLE x ARO.
SLE is single loss expectancy
ARO is annual rate of occurrence

Question 34

8. What is the main benefit of a qualitative risk assessment?
9. Measures the money cost of a risk
10. Scope of the assessment can be easily changed
11. Easy to administer
12. All the above
13. None of the above

Answer 34

Easy to administer

Question 35

9. Which of the following is a qualitative risk assessment methodology?
10. CRAMM
11. ISO
12. MTD
13. BIA
14. None of the above

Answer 35

CRAMM
(UK’s Central Computer and Telecommunications Agency (CCTA) CCTA created CRAMM (CCTA Risk Analysis and Management Method

FYI: CRAMM has been commercialized and is sold as a software program. It is a Qualitative Risk Analysis method and relies on international standards for its RA methodology.

Question 36

10. Which risk response eliminates all risk of harm posted by a threat or vulnerability?
11. Risk transfer
12. Risk mitigation
13. Risk acceptance
14. Risk avoidance
15. None of the above

Answer 36

Risk avoidance

Question 37

11. Which type of contingency plan reacts to attacks against an organization’s IT infrastructure?
12. BC plan
13. DR plan
14. IR plan
15. 1 & 2 only
16. None of the above

Answer 37

IR plan

Question 38

12. A(n) ___ is an event that adversely affects the confidentiality, integrity, and/or availability of an organization’s data and IT systems.

Answer 38

Incident

Question 39

13. A(n) ___ is a sudden, unplanned event that negatively affects the organization’s critical business functions for an unknown period.

Answer 39

Disaster

Question 40

14. Which backup site is fully operational backup site?
15. Mirrored site
16. Hot site
17. Warm site
18. Cold site
19. None of the above

Answer 40

Mirrored site

Question 41

15. A business impact analysis identifies key business operations and resources.
    TRUE OR FALSE

Answer 41

TRUE