Managing Risk Flashcards

1
Q

You’re the chief security contact for MTS. One of your primary tasks is to document everything related to security and to create a manual that can be used to manage the company in your absence. Which documents should be referenced in your manual as the ones that identify the methods used to accomplish a given task?

Policies

Standards

Guidelines

A

Guidelines

Guidelines help clarify processes to maintain standards. Guidelines tend to be less formal than policies or standards

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Consider the following scenario. The asset value of your company’s primary servers is $2 million, and they are housed in a single office building in Anderson, Indiana. Field offices are scattered throughout the United States, but the workstations located at the field offices serve as thin clients and access data from the Anderson servers. Tornados in this part of the country are not uncommon, and it is estimated that one will level the building every 60 years. Which of the following is the SLE for this scenario?

$2 million

$1 million

$500,000

A

$2 million

It does not matter how frequent a loss is projected (only once every 60 years, in this case). What does matter is that each occurrence will be disastrous: SLE (single loss expectancy) is equal to asset value (AV) times exposure factor (EF). In this case, asset value is $2 million, and the exposure factor is 1

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Refer to the scenario in question 2. Which of the following amounts is the ALE for this scenario?

$1 million

$500,000

$33,333.33

A

$33,333.33

ALE (annual loss expectancy) is equal to the SLE times the annualized rate of occurrence. In this case, the SLE is $2 million, and the ARO is 1/60

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Refer to the scenario in question 2. Which of the following is the ARO for this scenario?

0.0167

1

5

A

0.0167

ARO (annualized rate of occurrence) is the frequency (in number of years) that an event can be expected to happen. In this case, ARO is 1/60, or 0.0167

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which of the following strategies involves identifying a risk and making the decision to discontinue engaging in the action?

Risk acceptance

Risk avoidance

Risk mitigation

A

Risk avoidance

Risk avoidance involves identifying a risk and making the decision no longer to engage in the actions associated with that risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Which of the following policy statements may include an escalation contact in the event that the person dealing with a situation needs to know who to contact?

Scope

Exception

Overview

A

Exception

The exception policy statement may include an escalation contact in the event that the person dealing with a situation needs to know whom to contact

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Which of the following policies are designed to reduce the risk of fraud and prevent other losses in an organization?

Separation of duties

Acceptable use

Least privilege

A

Separation of duties

A separation of duties policy is designed to reduce the risk of fraud and to prevent other losses in an organization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is the term used for events that were mistakenly flagged although they weren’t truly events about which to be concerned?

Non-incidents

Error flags

False positives

A

False positives

False positives are events that were mistakenly flagged and aren’t truly events to be concerned about

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which of the following is the structured approach that is followed to secure a company’s assets?

Audit management

Incident management

Change management

A

Change management

Change management is the structured approach that is followed to secure a company’s assets

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Which of the following strategies involves sharing some of the risk burden with someone else, such as an insurance company?

Risk deterrence

Risk mitigation

Risk transference

A

Risk transference

Risk transference involves sharing some of the risk burden with someone else, such as an insurance company

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

The risk assessment component, in conjunction with the__________, provides the organization with an accurate picture of the situation facing it.

RAC

ALE

BIA

A

BIA

The risk-assessment component, in conjunction with the business impact analysis (BIA), provides an organization with an accurate picture of the situation it faces

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Which of the following policy statements should address who is responsible for ensuring that the policy is enforced?

Exception

Overview

Accountability

A

Accountability

The accountability policy statement should address who is responsible for ensuring that the policy is enforced

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which of the following strategies is accomplished any time you take steps to reduce risk?

Risk avoidance

Risk transference

Risk mitigation

A

Risk mitigation

Risk mitigation is accomplished any time you take steps to reduce risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

If you calculate the SLE to be $4,000 and that there will be 10 occurrences a year (ARO), then the ALE is:

$400

$4,000

$40,000

A

$40,000

If you calculate the SLE to be $4,000 and that there will be 10 occurrences a year (ARO), then the ALE is $40,000 ($4,000 × 10)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Which of the following policies describes how the employees in an organization can use company systems and resources, both software and hardware?

Separation of duties

Acceptable use

Least privilege

A

Acceptable use

The acceptable use policies describe how the employees in an organization can use company systems and resources, both software and hardware

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Separation of duties helps to prevent an individual from embezzling money from a company. To embezzle funds successfully, an individual would need to recruit others to commit an act of______ (an agreement between two or more parties established for the purpose of committing deception or fraud).

Misappropriation

Misuse

Collusion

A

Collusion

Collusion is an agreement between two or more parties established for the purpose of committing deception or fraud. Collusion, when part of a crime, is also a criminal act in and of itself

17
Q

Which of the following agreements contains the technical information regarding the technical and security requirements of the interconnection between two or more organizations?

BPA

MOA

ISA

A

ISA

The ISA (Interconnection Security Agreement) specifies the technical and security requirements of the interconnection

18
Q

If you calculate SLE to be $25,000 and that there will be one occurrence every four years (ARO), then what is the ALE?

$6,250

$12,500

$25,000

A

$6,250

If you calculate SLE to be $25,000 and that there will be one occurrence every four years (ARO), then the ALE is $6,250 ($25,000 × 0.25)

19
Q

Which of the following policies should be used when assigning permissions, giving users only the permissions they need to do their work and no more?

Separation of duties

Acceptable use

Least privilege

A

Least privilege

The principle of least privilege should be used when assigning permissions. Give users only the permissions that they need to do their work and no more

20
Q

Which of the following strategies necessitates an identified risk that those involved understand the potential cost/damage and agree to live with it?

Risk acceptance

Risk avoidance

Risk transference

A

Risk acceptance

Risk acceptance necessitates an identified risk that those involved understand the potential cost or damage and agree to accept it