IT Risk Management Quiz Flashcards
Two fundamental components affecting the trustworthiness of information systems are ______ and ______.
Security Functionality
Security Assurance
Security controls are classified: ______, ______, and ______.
Management
Operational
Technical Controls
______ risk assessment most effectively supports cost-benefit analyses of alternative risk responses or courses of action.
Quantitative
______ risk assessments typically employ a set of methods, principles, or rules for assessing risk based on non-numerical categories.
Qualitative
Risk management reduces risks by defining and controlling ______ and ______. A. Threats B. Vulnerabilities C. Adverse Impacts D. Likelihood
A. Threats
B. Vulnerabilities
Which of the following is not a part of the risk management process as discussed in class? (Choose 1) A. Framing Risk B. Assessing Risk C. Mitigating Risk D. Monitoring Risk
C. Mitigating Risk
The degree to which the systems can be expected to preserve the confidentiality, integrity, and availability of the information systems is called: (Choose 1) A. System Integrity B. Security Capability C. Security Functionality D. Risk Assurance E. Trustworthiness
E. Trustworthiness
When conducting a risk assessment, ______ is the highest priority and is always given the highest impact rating. (Choose 1) A. Loss of Data Center B. Loss of Reputation C. Loss of Data D. Loss of Intellectual Property E. Loss of Life
E. Loss of Life
The integrity of data is not related to which of the following? (Choose 1)
A. Unauthorized manipulation
B. The modification of data without authorization
C. The intentional or accidental substitution of data
D. The extraction of data to share with unauthorized entities
D. The extraction of data to share with unauthorized entities
Company X signs a service level agreement with their internet service provider (ISP), which requires the ISP to pay for all potential losses in the event of loss of connectivity. This is an example of: (Choose 1) A. Risk Avoidance B. Risk Mitigation C. Risk Acceptance D. Risk Transfer
D. Risk Transfer
______ is measured by the capabilities of the threat and the presence or absence of countermeasures.
Likelihood
Jared plays a role in his company’s data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared’s role? (Choose 1) A. Data Owner B. Data Custodian C. Data User D. Information Systems Auditor
C. Data User
A CCTV (Closed Circuit TV) system that is monitored is an example of: (Choose 1) A. Detective Control B. Corrective Control C. Compensating Control D. Preventative Control
A. Detective Control
IT governance is the responsibility of ______.
The Business
Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company’s e-mail system. What type of approach is her company taking to handle the risk posed by the system? (Choose 1) A. Risk Mitigation B. Risk Acceptance C. Risk Avoidance D. Risk Transference
A. Risk Mitigation
The loss of productivity suffered by Company X due to malware per incident is 30%. Here, 30% is the ______. (Choose 1) A. Single Loss Expectancy B. Exposure Factor C. Impact Variable D. Impact Factor E. None of the Above
B. Exposure Factor
Which of the following is not a variable in rating/qualifying/computing likelihood? (Choose 1) A. Impact B. Skill C. Ease of Access D. Resources E. Incentive
A. Impact
______ is the legal term used to describe the care a “reasonable person” would exercise under given circumstances. (Choose 1)
A. Due Diligence
B. Due Care
B. Due Care
The maximum amount of time that a system can be unavailable before there is an unacceptable impact on other systems is called: (Choose 1) A. Recovery Point Objective (RPO) B. Max Allowable Downtime (MAD) C. Maximum Tolerable Downtime (MTD) D. Recovery Time Objective (RTO)
D. Recovery Time Objective (RTO)
As head of sales, Jim is the information owner for the sales department. Which of the following is not Jim’s responsibility as information owner? (Choose 1)
A. Assigning information classifications
B. Dictating how data should be protected
C. Verifying the availability of data
D. Determining how long to retain data
C. Verifying the availability of data
Qualitative risk assessments are done in conjunction with a quantitative analysis since pure qualitative analysis is often not feasible.
A. True
B. False
B. False
Due care leads to due diligence.
A. True
B. False
B. False
Tier 3 risk is a component of Tier 1 risk.
A. True
B. False
A. True