Risk Mitigation

Question 1

Risk Identification Process

Answer 1

Frame
Assess
Respond
Respond

Question 2

The comprehensive process of evaluating, measuring, and mitigating the many
risks that pervade an organization

Answer 2

The comprehensive process of evaluating, measuring, and mitigating the many
risks that pervade an organization

Question 3

Establish a strategic risk management
framework that is supported by
decision makers at the top tier of the
organization

Answer 3

Frame

Question 4

Identify and prioritize business
processes/workflow

Answer 4

Assess

Question 5

Mitigate each risk factor through the deployment of managerial, operational, and
technical security controls

Answer 5

Respond

Question 6

Evaluate the effectiveness of risk response measures and identify changes that
could affect risk management processes

Answer 6

Monitor

Question 7

Most business assets have a specific value associated with them
In security terms, assets are valued according to the cost created by their loss or damage

Answer 7

Conducting an Assessment

Question 8

A loss associated with no longer being able to fulfill contracts and
orders due to the breakdown of critical systems

Answer 8

Business Continuity Loss

Question 9

A loss created by organizational liability due to prosecution (criminal
law) or damages (civil law)

Answer 9

Legal Costs

Question 10

A loss created by negative publicity and the consequential loss of
market position or consumer trust

Answer 10

Reputational Harm

Question 11

The systematic identification of critical systems by compiling an
inventory of the business processes and the tangible and intangible
assets and resources that support those processes

Answer 11

System Assessments

Question 12

A business or organizational activity that is too critical to be deferred for anything
more than a few hours (if at all)

Answer 12

Mission Essential Function (MEF)

Question 13

The use of a software or hardware solution to track and
manage any assets within an organization

Answer 13

Asset/Inventory Tracking

Question 14

An ongoing process of assessing assets against a set of known
threats and vulnerabilities

Answer 14

Threat and Vulnerability Assessment

Question 15

Risk Calculation

Answer 15

Risk = Probability x Magnitude

Question 16

Probability

Answer 16

Probability

Question 17

The impact of a successful exploit or a risk event

Answer 17

Magnitude

Question 18

A risk analysis method that is based on assigning concrete values
to factors

Answer 18

Quantitative Method

Question 19

AV x EF = SLE

Answer 19

Single Loss Expectancy (SLE) only provides the value for a single
occurrence or loss

Question 20

AV

Answer 20

Asset Value

Question 21

EF

Answer 21

Exposure Factor

Question 22

SLE

Answer 22

Single Loss Expectancy

Question 23

The cost of a given risk on an annual basis based on the single loss
expectancy

Answer 23

Annual Loss Expectancy (ALE)

Question 24

SLE x ARO = ALE

Answer 24

Annual Loss Expectancy

Question 25

ARO

Answer 25

Annual Rate of Occurrence

Question 26

ALE

Answer 26

Annual Loss Expectancy

Question 27

A risk analysis method that uses opinions and reasoning to measure the likelihood
and impact of risk

Answer 27

Qualitative Method

Question 28

A risk analysis method that uses a mixture of concrete values with opinions and
reasoning to measure the likelihood and impact of risk

Answer 28

Semi-Quantitative Method

Question 29

A systematic activity that identifies organizational risks and determines their
effect on ongoing, mission critical operations

Answer 29

Business Impact Analysis

Question 30

The longest period of time a business can be inoperable without
causing irrevocable business failure

Answer 30

Maximum Tolerable Downtime (MTD

Question 31

The length of time it takes after an event to resume normal business
operations and activities

Answer 31

Recovery Time Objective (RTO)

Question 32

The length of time in addition to the RTO of individual systems to
perform reintegration and testing of a restored or upgraded system
following an event

Answer 32

Work Recovery Time (WRT)

Question 33

The longest period of time that an organization can tolerate lost data
being unrecoverable

Answer 33

Recovery Point Objective (RPO)

Question 34

A risk response that reduces a risk to fit within an organization’s risk appetite

Answer 34

Risk Mitigation

Question 35

A risk response that involves ceasing an activity that presents risk

Answer 35

Risk Avoidance

Question 36

A risk response that involves moving or sharing the responsibility of risk to
another entity

Answer 36

Risk Transference

Question 37

A risk response that involves determining that a risk is within the organization’s
risk appetite and no countermeasures other than ongoing monitoring will be
needed

Answer 37

Risk Acceptance

Question 38

Control is required by framework, best practice, or regulation

Answer 38

Security Control Prioritization

Question 39

Amount of risk a control mitigates

Answer 39

Cost of control

Question 40

A metric to calculate whether a security control is worth the cost of deploying and
maintaining it

Answer 40

Return on Security Investment (RSOI)

Question 41

An assessment of the benefit of risk reduction against the increased complexity or
cost in a system design or specification

Answer 41

Engineering Tradeoff

Question 42

Your job is to explain risk in plain and simple language

Answer 42

Communicating Risk

Question 43

A type of security control that acts as a substitute for a principal control

Answer 43

Compensating Controls

Question 44

A formal process that is used to document each case where a function or asset is
noncompliant with written policy and procedural controls

Answer 44

Exception Management

Question 45

The hostile or attacking team in a penetration test or incident
response exercise

Answer 45

Red Team

Question 46

The defensive team in a penetration test or incident response
exercise

Answer 46

Blue Team

Question 47

Staff administering, evaluating, and supervising a penetration
test or incident response exercise

Answer 47

White Team