Risk Management Flashcards

1
Q

Which of the following is not an advantage of quantitative risk analysis?
A. Examination of real threats
B. Fast results
C. Subjective opinions
D. Dollar values

A

C. Subjective opinions

2
Q

Which of the following is the formula for SLE?
A. SLE = AV x EF
B. SLE = AV / EF
C. SLE = ARO x EF
D. SLE = ARO x AV

A

A. SLE = AV x EF

3
Q

Which of the following is not an advantage of qualitative risk assessments?
A. Speed
B. Use of numeric dollar values
C. Based on CIA
D. Performed by a team

A

B. Use of numeric dollar values

4
Q

Which of the following is the formula for ALE?
A. ALE = AV x ARO
B. ALE = ARO x SLE
C. ALE = SLE / ARO
D. ALE = AV / ARO

A

B. ALE = ARO x SLE

5
Q

Which of the following is the approach for dealing with risk that incurs an ongoing continual cost from a third party?
A. Accept
B. Avoid
C. Mitigate
D. Transfer

A

D. Transfer

6
Q

Implementation of a firewall best maps to which of the following?
A. Accept
B. Avoid
C. Mitigate
D. Transfer

A

C. Mitigate

7
Q

After determining the exposure factor, which is the next step of the quantitative risk assessment process?
A. Determine the SLE
B. Determine the ARO
C. Determine the SLE
D. Determine the AV

A

A. Determine the SLE

8
Q

When problem solving, which of the following steps or guidance involves making a step-by-step list of the possibilities for testing?
A. Implement
B. Gather the facts
C. Brainstorm
D. Evaluate

A

A. Implement

9
Q

Which of the following most helps employees know how to respond to potential security risks and incidents?
A. Brainstorm
B. Separation of duties
C. Security awareness training
D. Mandatory vacation

A

C. Security awareness training

10
Q

A(n) _____ is any agent, condition, or circumstance that could potentially cause harm to, loss of, or damage to an IT asset or data asset, or compromise it.
A. Vulnerability
B. Risk
C. Threat
D. Exposure

A

C. Threat

11
Q

Which of the following is not an acceptable audit standard for an auditor to follow?
A. COBIT
B. GAAP
C. FISMA
D. OpenVAS

A

D. OpenVAS

12
Q

A(n) _____ can be described as a weakness in hardware, software, or components that may be exploited in order for a threat to destroy, damage, or compromise an asset.
A. Vulnerability
B. Threat
C. Exposure
D. Risk

A

A. Vulnerability

13
Q

Which of the following helps describe reporting the difference between “where we are” and “where we want to be”?
A. Lessons learned report
B. After-action report
C. Audit
D. Gap analysis

A

D. Gap analysis

14
Q

Nikto, Nessus, LanGuard, and SAINT are useful for what kind of activity?
A. Exploitation
B. Threat assessment
C. Control auditing
D. Vulnerability scanning

A

D. Vulnerability scanning

15
Q

As one of the most well-known types of SLAs, which of the following details the agreed-on amount of uptime?
A. RTO
B. UA
C. FCR
D. TSF

A

B. UA

16
Q

The concept that users should have only the access needed is known as which of the following?
A. Audited control
B. Defense in depth
C. Deny all
D. Least privilege

A

D. Least privilege

17
Q

Which of the following types of testing is best described as manually performing the recovery steps without causing any real disruption?
A. Full interruption test
B. Checklist
C. Walk-through test
D. Simulation test

A

C. Walk-through test

18
Q

What type of disaster recovery site is the cheapest to maintain?
A. Mobile site
B. Cold site
C. Warm site
D. Hot site

A

B. Cold site

19
Q

Which of the following terms is described as the length of time between an interruption and the recovery from that interruption?
A. MTTR
B. RPO
C. MTBF
D. Availability

A

A. MTTR

20
Q

Which of the following describes the scenario in which two employees are required to open a safe, each with their own combination or code?
A. Dual control
B. Separation of duties
C. Job rotation
D. Least privilege

A

A. Dual control