Risk Management Flashcards

1
Q

Which of the following risk assessment formulas represents the total potential loss a company may experience within a single year due to a specific risk to an asset?

SLE

ARO

ALE

A

ALE

The annualized loss expectancy (ALE) represents the total potential loss a company may experience within a single year due to a specific risk to an asset. EF is the percentage of asset value loss that would occur if a risk was realized. SLE is the potential dollar value loss from a single risk-realization incident. ARO is the statistical probability that a specific risk may be realized a certain number of times in a year.

2
Q

Which of the following is more formal than a handshake agreement but not a legal binding contract?

SLA

DLP

MOU

A

MOU

A memorandum of understanding (MOU) is an expression of agreement or aligned intent, will, or purpose between two entities. An MOU is not typically a legal agreement or commitment, but rather a more formal form of a reciprocal agreement or gentleman’s handshake (neither of which is typically written down). An SLA is a formal control. BIA is business impact assessment. DLP is data loss prevention.

3
Q

When a user signs a(n) ________, it’s a form of consent to the monitoring and auditing processes used by the organization.

Acceptable use policy

Privacy policy

Separation of duties policy

A

Acceptable use policy

When a user signs an acceptable use policy, it’s a form of consent to the monitoring and auditing processes used by the organization. A privacy policy usually explains that there is no privacy on company systems. A separation of duties policy indicates that administrative functions are divided among several people. The code of ethics policy describes decision-making processes to use when faced with ethical dilemmas.

4
Q

When is business continuity needed?

When business processes are interrupted

When a user steals company data

When business processes are threatened

A

When business processes are threatened

Business continuity is used when business processes are threatened. Security policy is used when new software is distributed. Disaster recovery is used when business processes are interrupted. Incident response is used when a user steals company data.

5
Q

You run a full backup every Monday. You also run a differential backup every other day of the week. You experience a drive failure on Friday. Which of the following restoration procedures should you use to restore data to the replacement drive?

Restore the full backup and then each differential backup.

Restore the full backup and then the last differential backup.

Restore the differential backup.

A

Restore the full backup and then the last differential backup.

The proper procedure is to restore the full backup and then the last differential backup. The other three options are incorrect or incomplete.

6
Q

Which of the following is a security control type that is not usually associated with or assigned to a security guard?

Preventive

Detective

Administrative

A

Administrative

A security guard is not an administrative control. A security guard can be considered a preventive, detective, and/or corrective control.

7
Q

You are the security manager for a brokerage firm. New company policy requires that all administrators be evaluated for compliance or violations in regard to adherence to the security policy and ethics agreement. Which of the following is a technique that can be used to accomplish this task?

Separation of duties

Clean desk

Mandatory vacations

A

Mandatory vacations

Mandatory vacations are a form of user peer auditing. The process works by requiring each employee to be on vacation (or just away from the office and without remote access) for a minimal amount of time each year (typically one to two weeks). While the employee is away, another worker sits at their desk and performs their work tasks using the original employee’s privileged account. This process is used to detect fraud, abuse, or incompetence. The technique is often employed in financial environments or where high-value assets are managed.

8
Q

Separation of duties has recently been implemented at your organization. Due to the size of the company, a single person has been assigned to each compartmented management area. There is some concern that over time the company will be at risk of being unable to perform critical tasks if one or more administrators are unavailable due to illness, vacation, retirement, or termination. What tool can be used to reduce this risk?

Job rotation

Principle of least privilege

Exit interviews

A

Job rotation

Job rotation, cross-training, or rotation of duties is a counterbalance to the application of separation of duties. If all high-level tasks are performed by individual administrators, what happens if one person leaves the organization? If no one else has the knowledge or skill to perform the tasks, the organization suffers. Job rotation is the periodic shifting of assigned work tasks or job descriptions among a small collection of workers, sometimes known as a rotation group.

9
Q

Downtime is a violation of availability. Avoiding downtime is an essential tenet of your organization’s mission and security policy. What element of system management and maintenance needs to be monitored and tracked in order to avoid device failure resulting in unplanned downtime?

RTO

MTTF

ALE

A

MTTF

Aging hardware should be scheduled for replacement and/or repair. The schedule for such operations should be based on the mean time to failure (MTTF), mean time between failures (MTBF), and mean time to repair/restore (MTTR) estimates established for each device or on prevailing best organizational practices for managing the hardware life cycle. MTTF is the expected typical functional lifetime of the device, given a specific operating environment. MTBF is the expected typical time frame between failures, such as between the first failure and the second failure. If the MTTF and MTBF are the same values (or nearly so), some manufacturers only list the MTBF rating and use it to address both concepts. MTTR is the average length of time required to perform a repair on the device. A device can often undergo numerous repairs before a catastrophic failure is expected. Be sure to schedule all devices to be replaced before their MTTFs expire.

10
Q

You are the network manager for a large organization. Over the weekend a storm caused a power surge, which damaged the main router between the company network and the Internet service. On Monday morning you realize that the entire intranet is unable to connect to any outside resource and mission-critical tasks are not functioning. What is the problem that the organization is experiencing?

Sustained redundancy

Maintaining of availability

A single point of failure

A

A single point of failure

A single point of failure is any individual or sole device, connection, or pathway that is of moderate to mission-critical importance to the organization. If that one item fails, the whole organization suffers loss. Infrastructures should be designed with redundancies of all moderately or highly important elements in order to avoid single points of failure. Removing single points of failure involves adding redundancy, recovery options, or alternative means to perform business tasks and processes. Avoiding or resolving single points of failure will improve stability, uptime, and availability.

11
Q

What form of risk analysis can involve the Delphi technique, interviews, and focus groups?

Quantitative

Residual

Qualitative

A

Qualitative

Qualitative risk analysis is more scenario-based than calculator-based. Rather than assign exact dollar figures to possible losses, you rank threats on a scale to evaluate their risks, costs, and effects. The process of performing qualitative risk analysis involves judgment, intuition, and experience. You can use many techniques to perform qualitative risk analysis, including brainstorming, the Delphi technique, storyboarding, focus groups, surveys, checklists, questionnaires, one-on-one meetings, and interviews.

12
Q

You are the security manager for a large organization. During the yearly risk management reassessment, a specific risk is being left as is. You thoroughly document the information regarding the risk, the related assets, and the potential consequences. What is this method of addressing risk known as?

Mitigation

Tolerance

Assignment

A

Tolerance

Accepting risk, or tolerating risk, is the valuation by management of the cost-benefit analysis of possible safeguards and the determination that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk. It also means management has agreed to accept the consequences and the loss if the risk is realized. In most cases, accepting risk requires a clearly written statement that indicates why a safeguard was not implemented, who is responsible for the decision, and who will be responsible for the loss if the risk is realized, usually in the form of a “sign-off” letter. An organization’s decision to accept risk is based on its risk tolerance.

13
Q

What type of security policy or plan has the following main phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned?

IRP

BCP

DRP

A

IRP

An incident response plan (IRP) consists of Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

14
Q

In what phase of an incident response plan does the organization return to normal operations after handling a violating event?

Containment

Lessons Learned

Recovery

A

Recovery

Recovery is the process of removing any damaged elements from the environment and replacing them. This can apply to corrupted data being restored from backup and to malfunctioning hardware or software being replaced with updated or new versions. In some cases, entire computer systems need to be reconstituted (rebuilt from new parts) in order to eradicate all elements of compromise and return into production a functioning and trustworthy system. The recovery and reconstitution procedures can also include alterations of configuration settings and adding new security features or components. This is especially important if a vulnerability remains that could be exploited to cause the incident to reoccur. The environment is returned to normal operations by the end of the recovery phase.

15
Q

When an organization is sent a lawyer’s letter demanding that they retain specific records, logs, and other files pertaining to suspected illegal activity, what is this known as?

Forensics

Investigation

Legal hold

A

Legal hold

A legal hold is an early step in the evidence collection or e-discovery process. It is a legal notice to a data custodian that specific data or information must be preserved and that good-faith efforts must be engaged to preserve the indicated evidence. The custodian must maintain and preserve the data until they are notified that the obligation is no longer necessary.

16
Q

Which of the following are important elements in gathering data from storage devices related to a suspect’s system during a forensic investigation? (Select all that apply.)

Calculating a hash of the original storage device

Creating bitstream copy clones of the original

Using read-block adapters

Removing the storage device from the suspect’s system

A

Calculating a hash of the original storage device

Creating bitstream copy clones of the original

Removing the storage device from the suspect’s system

Forensic preservation aims at preventing any change from occurring as related to collected evidence. These efforts include removing relevant storage devices from their systems, using write-blocking adapters to block any writing signals from being received by storage devices, using hash calculations before and after every operation, and only analyzing cloned copies of storage devices and never the original device. If the original data is corrupted or changed, then it usually becomes inadmissible in court. Thus, forensic experts take extreme caution when working with the original source drives.

17
Q

What is the main goal of BCP?

Recover from disasters

Minimize the impact of a disruptive event

Keep costs to a minimum

A

Minimize the impact of a disruptive event

The goal of business continuity planning (BCP) is to implement a combination of policies, procedures, and processes such that a potentially disruptive event has as little impact on the business as possible.

18
Q

What form of alternate processing facility is a reliable means of recovery but is not usually considered to be cost effective?

Cold

Onsite

Hot

A

Hot

A hot site is a real-time, moment-to-moment mirror image of the original site. It contains a complete network environment that is fully installed and configured with live current business data. The moment the original site becomes inoperable due to a disaster, the hot site can be used to continue business operations without a moment of downtime. Hot sites are the most expensive, but they offer the least amount of downtime. Thus, while being a reliable means of recovery, they are not cost effective.

19
Q

A corrective control is used for what purpose?

To thwart or stop unwanted or unauthorized activity from occurring

To discover or detect unwanted or unauthorized activity

To modify the environment to return systems to normal after an unwanted or unauthorized activity has occurred

A

To modify the environment to return systems to normal after an unwanted or unauthorized activity has occurred

A corrective access control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. A preventive access control is deployed to thwart or stop unwanted or unauthorized activity from occurring. A detective access control is deployed to discover or detect unwanted or unauthorized activity. A compensation access control is deployed to provide various options to other existing controls to aid in enforcement and support of security policies.

20
Q

Which of the following may be considered protected health information? (Select all that apply.)

Phone numbers

Medical record numbers

Email address

Vehicle identifiers

Web URLs

IP address numbers

Biometric identifiers

Photographic images

A

Phone numbers

Medical record numbers

Email address

Vehicle identifiers

Web URLs

IP address numbers

Biometric identifiers

Photographic images

Protected Health Information (PHI), according to the laws of the United States, is any data that relates to the health status, use of health care, payment for health care, and other information collected about an individual in relation to their health. HIPAA defines PHI in relation to 18 types of information that must be handled securely to protect against disclosure and misuse. These 18 elements are names; all geographic identifiers smaller than a state (so address, city, and zip are protected); dates directly related to an individual, other than year; phone numbers; fax numbers; email addresses; social security numbers; medical record numbers; health insurance beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers; device identifiers and serial numbers; Web URLs; IP address numbers; biometric identifiers; photographic images; and any other unique identifying number, characteristic, or code except the unique code assigned by the collecting entity to code the data.