Risk Assessments

Question 1

A process used inside of risk management to identify how much risk
exists in a given network or system

Answer 1

Risk Assessments

Question 2

§ The probability that a threat will be realized

Answer 2

Risk

Question 3

§ Weaknesses in the design or implementation of a system

Answer 3

Vulnerability

Question 4

Any condition that could cause harm, loss, damage, or compromise to
our information technology systems

Answer 4

Threat

Question 5

A strategy that requires stopping the activity that has risk or
choosing a less risky alternative

Answer 5

Risk Avoidance

Question 6

• A strategy that passes the risk to a third party

Answer 6

Risk Transfer

Question 7

• A strategy that seeks to minimize the risk to an acceptable level

Answer 7

Risk Mitigation

Question 8

A strategy that seeks to accept the current level of risk and the
costs associated with it if the risk were realized

Answer 8

Risk Acceptance

Question 9

The risk remaining after trying to avoid, transfer, or mitigate the
risk

Answer 9

Residual Risk

Question 10

uses intuition, experience, and other methods to assign a
relative value to risk

Answer 10

Qualitative analysis/risk

Question 11

uses numerical and monetary values to calculate risk

Answer 11

Quantitative analysis/Risk

Question 12

An estimation of the amount of damage that a negative risk might
achieve

Answer 12

Magnitude of Impact

Question 13

Cost associated with the realization of each individualized threat
that occurs

Answer 13

Single Loss Expectancy (SLE)

Question 14

Number of times per year that a threat is realized

Answer 14

Annualized Rate of Occurence (ARO)

Question 15

• Expected cost of a realized threat over a given year

Answer 15

Annualized Loss Expectancy (ALE)

Question 16

Verify that the organization’s security posture is designed and configured
properly to help thwart different types of attacks

Answer 16

Security Assessments

Question 17

Utilize more intrusive techniques like scanning, hands-on
testing, and probing of the network to determine
vulnerabilities

Answer 17

Active Assessments

Question 18

Utilize open source information, the passive collection and
analysis of the network data, and other unobtrusive
methods without making direct contact with the targeted
systems

Answer 18

Passive Assessments

Question 19

§ Methods implemented to mitigate a particular risk

Answer 19

Security Controld

Question 20

Any security measures that are designed to deter or prevent
unauthorized access to sensitive information or the systems that
contain it

Answer 20

Physical Controls

Question 21

Safeguards and countermeasures used to avoid, detect,
counteract, or minimize security risks to our systems and
information

Answer 21

Technical Controls

Question 22

Focused on changing the behavior of people instead of removing
the actual risk involved

Answer 22

Administrative Controls

Question 23

Security controls that are focused on decision-making and the
management of risk

Answer 23

NIST MANAGEMENT CONTROLs

Question 24

• Focused on the things done by people

Answer 24

NIST Operational Controls

Question 25

• Logical controls that are put into a system to help secure it

Answer 25

Ni=IST Technical Controls

Question 26

Security controls that are installed before an event happens and
are designed to prevent something from occurring

Answer 26

Preventative Controls

Question 27

Used during the event to find out whether something bad might
be happening

Answer 27

Detective Controls

Question 28

Used after an event occurs

Answer 28

Corrective Controls

Question 29

§ Used whenever you can’t meet the requirement for a normal control

Answer 29

Compensating Control

Question 30

Risks that are produced by a non-human source and are beyond human
control

Answer 30

External Risk

Question 31

Risks that are formed within the organization, arise during normal
operations, and are often forecastable

Answer 31

Internal Risk

Question 32

An old method, technology, computer system, or application program
which includes an outdated computer system still in use

Answer 32

Legacy Systems

Question 33

A risk that refers to the connection of multiple systems or organizations
with each bringing their own inherent risks

Answer 33

Multiparty

Question 34

Risk associated with business assets and property being stolen from an
organization in which economic damage, the loss of a competitive edge,
or a slowdown in business growth occurs

Answer 34

IP Theft

Question 35

Risk associated with a company not being aware of what software or
components are installed within its network

Answer 35

Software Compliance/Licensing