IT Risk Management Quiz Flashcards

1
Q

Two fundamental components affecting the trustworthiness of information systems are ______ and ______.

A

Security Functionality

Security Assurance

2
Q

Security controls are classified: ______, ______, and ______.

A

Management
Operational
Technical Controls

3
Q

______ risk assessment most effectively supports cost-benefit analyses of alternative risk responses or courses of action.

A

Quantitative

4
Q

______ risk assessments typically employ a set of methods, principles, or rules for assessing risk based on non-numerical categories.

A

Qualitative

5
Q
Risk management reduces risks by defining and controlling ______ and ______.
A. Threats
B. Vulnerabilities
C. Adverse Impacts
D. Likelihood
A

A. Threats

B. Vulnerabilities

6
Q
Which of the following is not a part of the risk management process as discussed in class? (Choose 1)
A. Framing Risk
B. Assessing Risk
C. Mitigating Risk
D. Monitoring Risk
A

C. Mitigating Risk

7
Q
The degree to which the systems can be expected to preserve the confidentiality, integrity, and availability of the information systems is called: (Choose 1)
A. System Integrity
B. Security Capability
C. Security Functionality
D. Risk Assurance
E. Trustworthiness
A

E. Trustworthiness

8
Q
When conducting a risk assessment, ______ is the highest priority and is always given the highest impact rating. (Choose 1)
A. Loss of Data Center
B. Loss of Reputation
C. Loss of Data
D. Loss of Intellectual Property
E. Loss of Life
A

E. Loss of Life

9
Q

The integrity of data is not related to which of the following? (Choose 1)
A. Unauthorized manipulation
B. The modification of data without authorization
C. The intentional or accidental substitution of data
D. The extraction of data to share with unauthorized entities

A

D. The extraction of data to share with unauthorized entities

10
Q
Company X signs a service level agreement with their internet service provider (ISP), which requires the ISP to pay for all potential losses in the event of loss of connectivity. This is an example of: (Choose 1)
A. Risk Avoidance
B. Risk Mitigation
C. Risk Acceptance
D. Risk Transfer
A

D. Risk Transfer

11
Q

______ is measured by the capabilities of the threat and the presence or absence of countermeasures.

A

Likelihood

12
Q
Jared plays a role in his company’s data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared’s role? (Choose 1)
A. Data Owner
B. Data Custodian
C. Data User
D. Information Systems Auditor
A

C. Data User

13
Q
A CCTV (Closed Circuit TV) system that is monitored is an example of: (Choose 1)
A. Detective Control
B. Corrective Control
C. Compensating Control
D. Preventative Control
A

A. Detective Control

14
Q

IT governance is the responsibility of ______.

A

The Business

15
Q
Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company’s e-mail system. What type of approach is her company taking to handle the risk posed by the system? (Choose 1)
A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk Transference
A

A. Risk Mitigation

16
Q
The loss of productivity suffered by Company X due to malware per incident is 30%. Here, 30% is the ______. (Choose 1)
A. Single Loss Expectancy
B. Exposure Factor
C. Impact Variable
D. Impact Factor
E. None of the Above
A

B. Exposure Factor

17
Q
Which of the following is not a variable in rating/qualifying/computing likelihood? (Choose 1)
A. Impact
B. Skill
C. Ease of Access
D. Resources
E. Incentive
A

A. Impact

18
Q

______ is the legal term used to describe the care a “reasonable person” would exercise under given circumstances. (Choose 1)
A. Due Diligence
B. Due Care

A

B. Due Care

19
Q
The maximum amount of time that a system can be unavailable before there is an unacceptable impact on other systems is called: (Choose 1)
A. Recovery Point Objective (RPO)
B. Max Allowable Downtime (MAD)
C. Maximum Tolerable Downtime (MTD)
D. Recovery Time Objective (RTO)
A

D. Recovery Time Objective (RTO)

20
Q

As head of sales, Jim is the information owner for the sales department. Which of the following is not Jim’s responsibility as information owner? (Choose 1)
A. Assigning information classifications
B. Dictating how data should be protected
C. Verifying the availability of data
D. Determining how long to retain data

A

C. Verifying the availability of data

21
Q

Qualitative risk assessments are done in conjunction with a quantitative analysis since pure qualitative analysis is often not feasible.
A. True
B. False

A

B. False

22
Q

Due care leads to due diligence.
A. True
B. False

A

B. False

23
Q

Tier 3 risk is a component of Tier 1 risk.
A. True
B. False

A

A. True