IS3350 CHAPTER 14

Question 1

The number of times a threat might affect an organization during a one-year time frame is called ___?

Answer 1

ANNUAL RATE OF OCCURRENCE (ARO)

Question 2

The amount of loss that an organization can expect to have each year due to a particular risk is called \_\_\_?
ALE is often expressed as the equation:
ALE = SLE x ARO.
SLE is single loss expectancy
ARO is annual rate or occurrence

Answer 2

ANNUALIZED LOSS EXPECTANCY (ALE)

Question 3

These ___ address the recovery of an organization’s business processes and functions in the event of a disaster.
These tend to be comprehensive plans for returning an organization to normal operating conditions.

Answer 3

BUSINESS CONTINUITY (BC) PLANS

Question 4

A process that identifies key business operations and the resources used to support those processes is called ___?
This also identifies maximum tolerable down-time for critical business functions.

Answer 4

BUSINESS IMPACT ANALYSIS (BIA)

Question 5

A basic type of disaster recovery and business continuity test that checks to make sure that supplies and inventory items needed to an organization’s business recovery are on hand is called ___?

Answer 5

CHECKLIST TEST

Question 6

A backup site for disaster recovery and business continuity planning purposes that is little more than reserved space is called ___?
It doesn’t have any hardware or equipment ready for business operations.
It will have electrical service, but most likely won’t have network connectivity.
It can take weeks to months for an organization to ready this site for business operations.

Answer 6

COLD SITE

Question 7

Any situation where a person’s private interests and professional obligations collide is called ___?
Independent observers might question whether a person’s private interests improperly influence his or her professional decisions.

Answer 7

CONFLICT OF INTEREST

Question 8

A sudden, unplanned event that negatively affects the organizations’ critical business functions for an unknown period is called ___?

Answer 8

DISASTER

Question 9

Plans that address the recovery of an organization’s information technology systems in the event of a disaster is called ___?

Answer 9

DISASTER RECOVERY (DR) PLANS

Question 10

The percentage of asset loss that is likely to be caused by an identified threat or vulnerability is called ___?

Answer 10

EXPOSURE FACTOR

Question 11

A disaster recovery and business continuity test where an organization stopes all of its normal business operations and transfers those operations to its backup site is called ___?
This is the most comprehensive form of disaster recovery and business continuity plan testing; also the most expensive.

Answer 11

FULL INTERRUPTION TEST

Question 12

An operation backup site for disaster recovery and business continuity planning purposes is called ___?
It has equipment and infrastructure that is fully compatible with an organization’s main facility.
It is not staffed with people.
It can become operational within minutes to hours after a disaster.

Answer 12

HOT SITE

Question 13

An event that adversely affects the confidentiality, integrity, and/or availability of an organization’s data and information technology systems is called ____?

Answer 13

INCIDENT

Question 14

A contingency plan that helps an organization respond to attacks against an organizations’ information technology infrastructure is called ___?

Answer 14

INCIDENT RESPONSE (IR)

Question 15

The amount of time that critical business processes and resurrect can be offline before an organization begins to experience irreparable business harm is called ___?

Answer 15

MAXIMUM TOLERABLE DOWNTIME (MTD)

Question 16

A fully operational backup site for disaster recovery and business continuity planning purposes is called ___?
This site actively runs an organization’s information technology functions in parallel with the organization’s mail processing facility.
It is fully staffed.
It has all necessary data and equipment to continue business operations.

Answer 16

MIRRORED SITE

Question 17

A disaster recovery and business continuity test where an organization tests its ability to recover its information technology systems and its business data is called ___?
In this test, the organization brings its backup recovery sites online.
It will then use historical business data to test the operations of those systems.

Answer 17

PARALLEL TEST

Question 18

A marketing field that manages an organization’s public image is called ___?

Answer 18

PUBLIC RELATIONS (PR)

Question 19

A risk analysis method that uses scenarios and ratings systems to calculate risk and potential harm is called ___?
This does not attempt to assign money value to assets and risks.

Answer 19

QUALITATIVE RISK ANALYSIS

Question 20

A risk analysis method that uses real money costs and values to determine the potential monetary impact of threats and vulnerabilities is called ___?

Answer 20

QUANTITATIVE RISK ANALYSIS

Question 21

The loss that an organization has when a potential threat actually occurs is called ___?

Answer 21

REALIZED RISK

Question 22

A process for identifying threats and vulnerabilities that an organization faces is called ___?
This can be qualitative or quantitative or both.

Answer 22

RISK ASSESSMENT (RA)

Question 23

The process that an organization uses to identify risks, asses them, and reduce them to an acceptable level is called ___?

Answer 23

RISK MANAGEMENT (RM)

Question 24

A disaster recovery and business continuity test where an organization role plays a specific disaster scenario is called ___?
This type of test doesn’t interrupt normal business operations and activities.

Answer 24

SIMULATION TEST

Question 25

The amount of money that an organization stands to lose every time a specified risk is realized is called ___?

Answer 25

SINGLE LOSS EXPECTANCY (SLE)

Question 26

A basic type of disaster recovery and business continuity test that reviews a disaster recovery/business continuity plan to make sure that all of the assumptions and tasks stated in the plan are correct is called ___?

Answer 26

WALK-THROUGH TEST

Question 27

A partially equipped backup site for disaster recovery and business continuity planning purposes is called ___?
This is space that contains some, but not all, of the equipment and infrastructure that an organization needs to continue operations in the event of a disaster.
It is partially prepared for operations and has electricity and network connectivity.

Answer 27

WARM SITE

Question 28

1. A parallel test uses current processing data to test IT system operation.
   TRUE OR FALSE

Answer 28

FALSE

Question 29

2. Which item is NOT part of the risk management process?
3. Risk analysis
4. Risk response
5. Continuous monitoring
6. Training employees
7. All the above are parts of the risk management process

Answer 29

All are parts of the risk management process

Risk analysis
Risk response
Continuous monitoring
Training employees

Question 30

3. What does a risk assessment do?

Answer 30

A risk assessment identifies the threats and vulnerabilities to IT resources.

Question 31

4. Which type of contingency plan test is the least expensive?
5. Full interruption test
6. Parallel test
7. Simulation test
8. Checklist test
9. None of the above

Answer 31

Checklist test

Question 32

5. Which type of risk analysis uses real numbers to calculate risk?
6. Quantitative
7. Qualitative
8. Quasi-quantitative
9. Quasi-qualitative
10. None of the above

Answer 32

Quantitative

Question 33

6. The ___ is the percentage of assets loss that is likely to be caused by an identified threat.

Answer 33

Exposure factor

Question 34

7. How is annualized loss expectancy calculated?

Answer 34

The annualized loss expectancy (ALE) is the amount of loss that an organization can expect to have each year due to a particular risk.

ALE = SLE x ARO
SLE is single loss expectancy
ARO is annual rate of occurrence

Question 35

8. What is the main benefit of a qualitative risk assessment?
9. Measures the money cost of a risk
10. Scope of the assessment can be easily changed
11. Easy to administer
12. All the above
13. None of the above

Answer 35

Easy to administer

Question 36

9. Which of the following is a qualitative risk assessment methodology?
10. CRAMM
11. ISO
12. MTD
13. BIA
14. None of the above

Answer 36

CRAMM

Question 37

10. Which risk response eliminates all risk of harm posted by a threat or vulnerability?
11. Risk transfer
12. Risk mitigation
13. Risk acceptance
14. Risk avoidance
15. None of the above

Answer 37

Risk avoidance

Question 38

11. Which type of contingency plan reacts to attacks against an organization’s IT infrastructure?
12. BC plan
13. DR plan
14. IR plan
15. 1 & 2 only
16. None of the above

Answer 38

IR plan

Question 39

12. A(n) ___ is an event that adversely affects the confidentiality, integrity, and/or availability of an organization’s data and IT systems.

Answer 39

Incident

Question 40

13. A(n) ___ is a sudden, unplanned event that negatively affects the organization’s critical business functions for an unknown period.

Answer 40

Disaster

Question 41

14. Which backup site is a fully operational backup site?
15. Mirrored site
16. Hot site
17. Warm site
18. Cold site
19. None of the above

Answer 41

Mirrored site

Question 42

15. A business impact analysis identifies key business operations and resources.
    TRUE OR FALSE

Answer 42

TRUE