Risk Analysis Flashcards
You are conducting a risk analysis for a stock brokerage firm in Miami, Florida. What factors should you consider? (Choose two.)
Server downtime because of earthquakes
Destruction of government regulation documentation because of fire
Server downtime because of power outages
Customer invoicing data destroyed because of fire
Server downtime because of power outages
Customer invoicing data destroyed because of fire
Risk analysis considers threats that are plausible for the site. Miami is not in an earthquake zone, so earthquake-related downtime is not a realistic risk there, whereas power outages (common during hurricane season) and fire are. Server downtime because of power outages and loss of equipment and data because of fire are therefore the two factors to consider
You are responsible for completing an IT asset report for your company. All IT-related equipment and data must be identified and given a value. What term best describes what you must next do?
Asset identification
Risk mitigation
Threat analysis
Asset identification
Asset identification involves identifying assets (including data) and associating a value with them. This can then be used to justify expenditures to protect these assets
You are identifying security threats to determine the likelihood of virus infection. Identify potential sources of infection. (Choose two.)
USB flash drives
USB keyboard
Smartcard
Downloaded documentation from a business partner web site
USB flash drives
Downloaded documentation from a business partner web site
USB flash drives may carry files downloaded from the Internet or copied from less secure machines and can introduce malware to your network. Documentation downloaded from a business partner's web site could likewise be infected, since you do not control that site's security. With proper management approval, a thorough vulnerability assessment of the existing network and its devices, or a more aggressive penetration test, can reveal these potential security holes
During a risk analysis meeting, you are asked to specify internal threats being considered. Choose which item is not considered an internal threat from the list that follows.
Embezzlement
Hackers breaking in through the firewall
Employees using corporate assets for personal gain
Hackers breaking in through the firewall
Hackers breaking in through a firewall would be considered an external threat
A client conveys her concern to you regarding malicious Internet users gaining access to corporate resources. What type of assessment would you perform to determine this likelihood?
Threat assessment
Risk analysis
Asset identification
Threat assessment
Determining how an entity can gain access to corporate resources would require a threat assessment. Environmental threat assessments consider natural factors such as floods and earthquakes as well as facility environmental factors such as HVAC and physical security. Threat assessment must also consider man-made threats such as war or terrorism. For a completely objective view of threats, assessment should be conducted by an external entity
You are an IT consultant performing a risk analysis for a seafood company. The client is concerned with specific cooking and packaging techniques the company uses being disclosed to competitors. What type of security concern is this?
Integrity
Confidentiality
Availability
Confidentiality
Confidentiality means keeping data hidden from those who should not see it, such as competitors
After identifying internal and external threats, you must determine how these potential risks will affect business operations. What is this called?
Risk analysis
Fault tolerance
Impact analysis
Impact analysis
Determining the effect that materialized risks have on the operation of a business is called impact analysis. It is often used to determine whether expenditures against these risks are justified
When determining how best to mitigate risk, which items should you consider? (Choose two.)
Insurance coverage
Number of server hard disks
How fast CPUs in new computers will be
Network bandwidth
Insurance coverage
Number of server hard disks
Mitigating risk includes determining what is and is not covered by various types of insurance and whether the cost of those premiums is justified against the expected loss. The number of server hard disks is also risk related: the likelihood of losing data to a disk failure is reduced when multiple disks are configured for redundancy, such as RAID 1 (disk mirroring). CPU speed and network bandwidth are performance concerns, not risk mitigation
You are listing preventative measures for potential risks. Which of the following would you document? (Choose three.)
Larger flat-screen monitors
Data backup
Employee training
Comparing reliability of network load balancing appliances
Data backup
Employee training
Comparing reliability of network load balancing appliances
Backing up data minimizes the risk of losing data. Employee training reduces the likelihood of errors or disclosure of confidential information. Choosing the most reliable network load balancing appliance can reduce the risk of network traffic congestion
An insurance company charges an additional $200 monthly premium for natural disaster coverage for your business site. What figure must you compare this against to determine whether to accept this additional coverage?
ALE
ROI
Total cost of ownership
ALE
The annual loss expectancy (ALE) value is used in quantitative risk analysis to prioritize and justify expenditures that protect against potential risks. Compare the annualized cost of the control with the ALE it reduces: a $200 monthly premium is $2,400 per year, so the coverage is worth accepting only if the ALE of the natural-disaster losses it would reimburse exceeds that amount. As a smaller example, an ALE of $1,000 might justify a $200 annual expense to protect against that risk
Which of the following is true regarding qualitative risk analysis?
Only numerical data is considered.
ALE must be calculated.
Threats must be identified.
Threats must be identified.
Qualitative risk analysis rates risks (threats) with descriptive terms or ordinal scales rather than dollar figures, for example placing a risk between 1 (low) and 10 (high). Before any risk can be rated, the threats must first be identified. Numerical-only data and ALE calculations belong to quantitative analysis
Which values must be calculated to derive annual loss expectancy? (Choose two.)
Single loss expectancy
Annual rate of occurrence
Monthly loss expectancy
Quarterly loss expectancy
Single loss expectancy
Annual rate of occurrence
Annual loss expectancy (ALE) is derived by multiplying the annual rate of occurrence (ARO) by the single loss expectancy (SLE)
You are the server expert for a cloud computing firm named Cloud Nine Computing. Management would like to set aside funds to respond to server downtime risks. Using historical data, you determine that the probability of server downtime is 17 percent. Past data suggests the server would be down for an average of one hour and that $3000 of revenue can be earned in one hour. You must calculate the annual loss expectancy (ALE). Choose the correct ALE.
$300
$510
$3000
$510
Annual loss expectancy (ALE) is calculated by multiplying the annual rate of occurrence (ARO = 0.17) by the single loss expectancy (SLE = 3000). So, 0.17 multiplied by 3000 equals 510
Your boss asks you to calculate how much money the company loses when critical servers required by employees are down for two hours. You have determined that the probability of this happening is 70 percent. The company has 25 employees, each earning $18.50 per hour. Choose the correct value.
$12.95
$18.50
$647.50
$647.50
This question is asking you to calculate the annual loss expectancy (ALE): multiply the probability (treated as the annual rate of occurrence) by the dollar amount of a single failure (the single loss expectancy). The SLE is 2 hours × 25 employees × $18.50 = $925; the ALE is 0.7 × $925 = $647.50
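The three ALE questions above all apply the same arithmetic (SLE = asset value × exposure factor, ALE = SLE × ARO) and then compare the result with the annualized cost of a control. The following Python is an added worked example, not part of the flashcard set: it reproduces the Cloud Nine and two-hour-outage figures and then applies the same formulas to two constructed cost/benefit decisions (the $200-per-month natural-disaster coverage and a UPS against power outages). The asset values, deductible, outage rates and control costs in the constructed scenarios are assumptions chosen for illustration. It also shows the generalization the flashcards do not: a control may reduce the rate of occurrence (a UPS) or the exposure per event (insurance with a deductible), and the decision rule is the same for both.

```python
"""Quantitative risk arithmetic: SLE, ARO, ALE and a countermeasure
cost/benefit check. Added example, not part of the flashcard set."""
from dataclasses import dataclass

# Annualization factors for premiums or fees quoted per period.
PERIODS_PER_YEAR = {"monthly": 12, "quarterly": 4, "annual": 1}


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # dollars at stake in one event
    exposure_factor: float  # fraction of asset_value lost per event, 0.0 to 1.0
    aro: float              # annual rate of occurrence (expected events per year)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = asset value x exposure factor."""
        return round(self.asset_value * self.exposure_factor, 2)

    @property
    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE x ARO."""
        return round(self.sle * self.aro, 2)


def annualize(amount: float, period: str) -> float:
    """Convert a recurring cost (e.g. a $200 monthly premium) to a yearly figure."""
    return round(amount * PERIODS_PER_YEAR[period], 2)


def countermeasure_value(before: Risk, after: Risk, cost: float, period: str = "annual") -> float:
    """Net annual value of a control: ALE(before) - ALE(after) - annual cost.
    Positive means the spend is justified; negative means it costs more than it saves."""
    return round(before.ale - after.ale - annualize(cost, period), 2)


def worked_examples() -> dict:
    """The flashcard scenarios plus two constructed countermeasure decisions."""
    # Cloud Nine: 17 percent treated as ARO, one hour of downtime at $3000 revenue.
    cloud_nine = Risk("Cloud Nine downtime", asset_value=3000, exposure_factor=1.0, aro=0.17)
    # Two-hour outage: 25 employees x $18.50/h x 2 h is the SLE; 70 percent is the ARO.
    idle_staff = Risk("critical servers down 2 h", asset_value=25 * 18.50 * 2, exposure_factor=1.0, aro=0.70)

    # Constructed figures (assumptions, not from the flashcards): natural-disaster
    # coverage at $200/month. Insurance transfers the loss, so model it as the
    # exposure dropping to the deductible rather than the ARO changing.
    disaster = Risk("natural disaster, uninsured", asset_value=250_000, exposure_factor=0.10, aro=0.10)
    disaster_insured = Risk("natural disaster, $5,000 deductible", asset_value=5_000, exposure_factor=1.0, aro=0.10)
    insurance_value = countermeasure_value(disaster, disaster_insured, cost=200, period="monthly")

    # Constructed: power outages at the Miami site, $3000/h revenue, four one-hour
    # outages a year; a UPS (assumed $2,000/year) is assumed to cut the rate to
    # one outage every two years.
    outage = Risk("power outage", asset_value=3000, exposure_factor=1.0, aro=4.0)
    outage_with_ups = Risk("power outage with UPS", asset_value=3000, exposure_factor=1.0, aro=0.5)
    ups_value = countermeasure_value(outage, outage_with_ups, cost=2000, period="annual")

    return {
        "cloud_nine_ale": cloud_nine.ale,
        "idle_staff_sle": idle_staff.sle,
        "idle_staff_ale": idle_staff.ale,
        "insurance_annual_cost": annualize(200, "monthly"),
        "insurance_value": insurance_value,
        "insurance_justified": insurance_value > 0,
        "ups_value": ups_value,
        "ups_justified": ups_value > 0,
    }


if __name__ == "__main__":
    for key, value in worked_examples().items():
        print(f"{key}: {value}")
```

With the assumed figures the insurance comes out at an ALE reduction of $2,000 against a $2,400 annual premium, so the flashcard's comparison says to decline it, while the UPS removes $10,500 of ALE for $2,000 and is clearly justified. Change the constructed asset value or deductible and the same function flips the decision, which is the point of doing the arithmetic rather than guessing.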
Your company is considering having the e-mail server hosted by Hosted Solutions, Inc., to reduce hardware and mail server technician costs at the local site. What type of document formally states the reliability and recourse if the reliability is not met?
BPA
MOU
SLA
SLA
A service level agreement (SLA) formally defines the level of service a customer can expect (for example, uptime percentages and response times) and what recourse, such as credits or penalties, is available should that level of service not be provided. A business partners agreement (BPA) governs the relationship between partners, and a memorandum of understanding (MOU) records a general intent to cooperate; neither specifies measurable service levels with remedies