SEC+ Revision Questions Risk Analysis Flashcards

1
Q

You are conducting a risk analysis for a stock brokerage firm in Miami, Florida. What factors should you consider? (Choose two.)
A. Server downtime because of earthquakes
B. Destruction of government regulation documentation because of fire
C. Server downtime because of power outages
D. Customer invoicing data destroyed because of fire

A

C. Server downtime because of power outages
&
D. Customer invoicing data destroyed because of fire

2
Q

You are responsible for completing an IT asset report for your company. All IT-related equipment and data must be identified and given a value. What term best describes what you must next do?
A. Asset identification
B. Risk assessment
C. Risk mitigation
D. Threat analysis

A

A. Asset identification

3
Q

You are identifying security threats to determine the likelihood of virus infection. Identify potential sources of infection. (Choose two.)
A. USB flash drives
B. USB keyboard
C. Smartcard
D. Downloaded documentation from a business partner web site

A

A. USB flash drives
&
D. Downloaded documentation from a business partner web site

4
Q

During a risk analysis meeting you are asked to specify the internal threats being considered. Which of the following items is not considered an internal threat?
A. Embezzlement
B. Hackers breaking in through the firewall
C. Employees using corporate assets for personal gain
D. Users plugging in personal USB flash drives

A

B. Hackers breaking in through the firewall

5
Q

A client conveys their concern to you regarding malicious Internet users gaining access to corporate resources. What type of assessment would you perform to determine this likelihood?
A. Threat assessment
B. Risk analysis
C. Asset identification
D. Total cost of ownership

A

A. Threat assessment

6
Q

You are an IT consultant performing a risk analysis for a seafood company. The client is concerned with specific cooking and packaging techniques the company uses being disclosed to competitors. What type of security concern is this?
A. Integrity
B. Confidentiality
C. Availability
D. Authorization

A

B. Confidentiality

7
Q

After identifying internal and external threats, you must determine how these potential risks will affect business operations. What is this called?
A. Risk analysis
B. Fault tolerance
C. Availability
D. Impact analysis

A

D. Impact analysis

8
Q

When determining how best to mitigate risk, which items should you consider? (Choose two.)
A. Insurance coverage
B. Number of server hard disks
C. How fast CPUs in new computers will be
D. Network bandwidth

A

A. Insurance coverage
&
B. Number of server hard disks

9
Q

An insurance company charges an additional $200 monthly premium for natural disaster coverage for your business site. What figure must you compare this against to determine whether to accept this additional coverage?
A. ALE
B. ROI
C. Total cost of ownership
D. Total monthly insurance premium

A

A. ALE

9
Q

You are listing preventative measures for potential risks. Which of the following would you document? (Choose three.)
A. Larger flat-screen monitors
B. Data backup
C. Employee training
D. Comparing reliability of network load balancing appliances

A

B. Data backup
&
C. Employee training
&
D. Comparing reliability of network load balancing appliances

10
Q

Which of the following is true regarding qualitative risk analysis?
A. Only numerical data is considered.
B. ALE must be calculated.
C. Threats must be identified.
D. ROI must be calculated.

A

C. Threats must be identified.

11
Q

Which values must be calculated to derive annual loss expectancy? (Choose two.)
A. Single loss expectancy
B. Annual rate of occurrence
C. Monthly loss expectancy
D. Quarterly loss expectancy

A

A. Single loss expectancy
&
B. Annual rate of occurrence

12
Q

You are the server expert for a cloud computing firm named Cloud Nine Computing. Management would like to set aside funds to respond to server downtime risks. Using historical data, you determine the probability of server downtime is 17 percent. Past data suggests the server would be down for an average of one hour and that $3,000 of revenue can be earned in one hour. You must calculate the annual loss expectancy (ALE). Choose the correct ALE.
A. $300
B. $510
C. $3,000
D. $36,000

A

B. $510

13
Q

Your boss asks you to calculate how much money the company loses when critical servers required by employees are down for 2 hours. You have determined that the probability of this happening is 70 percent. The company has 25 employees each earning $18.50 per hour. Choose the correct value.
A. $12.95
B. $18.50
C. $323.75
D. $3,885

A

C. $323.75

14
Q

Your company is considering having the e-mail server hosted by Hosted Solutions, Inc., to reduce hardware and mail server technician costs at the local site. What type of document formally states the reliability and recourse if the reliability is not met?
A. BPA
B. MOU
C. SLA
D. ISA

A

C. SLA

15
Q

Which term best describes monies spent to minimize the impact that threats and unfavorable conditions have on a business?
A. Risk management
B. Security audit
C. Budgetary constraints
D. Impact analysis

A

A. Risk management

16
Q

Which risk analysis approach makes use of ALE?
A. Best possible outcome
B. Quantitative
C. ROI
D. Qualitative

A

B. Quantitative

17
Q

You are presenting data at a risk analysis meeting. During your presentation you display a list of ALE values ranked by dollar amount. Bob, a meeting participant, asks how reliable the numbers used to calculate the ALE are. What can you tell Bob?
A. The numbers are 100 percent reliable.
B. The numbers are 50 percent reliable.
C. ALEs are calculated using probability values that vary.
D. ALEs are calculated using percentages and are accurate.

A

C. ALEs are calculated using probability values that vary.

18
Q

Which of the following should be performed when conducting a qualitative risk assessment? (Choose two.)
A. Asset valuation
B. ARO
C. SLE
D. Ranking of potential threats

A

A. Asset valuation
&
D. Ranking of potential threats

19
Q

You are the IT security analyst for Big John’s Gourmet Foods. Big John’s plans to open a plant in Oranjestad, Aruba, next year. You are meeting with a planning committee in the next week and must come up with questions to ask the committee about the new location so you can prepare a risk analysis report. Which of the following would be the most relevant questions to ask? (Choose two.)
A. How hot does it get in the summer?
B. How reliable is the local power?
C. What kind of physical premise security is in place?
D. How close is the nearest highway?

A

B. How reliable is the local power?
&
C. What kind of physical premise security is in place?

20
Q

Your corporate web site is being hosted by an Internet service provider. How does this apply to the concept of risk?
A. Risk avoidance
B. Risk transference
C. Risk analysis
D. Increase in ALE

A

B. Risk transference

21
Q

Which of the following regarding risk management is true?
A. Funds invested in risk management could have earned much more profit if spent elsewhere.
B. ALEs are only estimates and are subject to being inaccurate.
C. IT security risks are all handled by the corporate firewall.
D. Qualitative risk analysis results are expressed in dollar amounts.

A

B. ALEs are only estimates and are subject to being inaccurate.

22
Q

Your competitors are offering a new product that is predicted to sell well. After much careful study, your company has decided against launching a competing product because of the uncertainty of the market and the enormous investment required. Which term best describes your company’s decision?
A. Risk analysis
B. Risk transfer
C. Risk avoidance
D. Product avoidance

A

C. Risk avoidance

23
Q

How can management determine which risks should be given the most attention?
A. Threat vector
B. Rank risks by likelihood
C. Rank risks by probable date of occurrence
D. Rank risks by SLE

A

B. Rank risks by likelihood

24
Q

Recently your data center was housed in Albuquerque, New Mexico. Because of corporate downsizing, the data center equipment was moved to an existing office in Santa Fe. The server room in Santa Fe was not designed to accommodate all the new servers arriving from Albuquerque, and the server room temperature is very warm. Because this is a temporary solution until a new data center facility is built, management has decided not to pay for an updated air conditioning system. Which term best describes this scenario?
A. Risk transfer
B. Risk avoidance
C. Risk acceptance
D. Risk reduction

A

C. Risk acceptance

25
Q

Which factors could influence your risk management strategy?
A. Government regulations
B. Moving operations to a new building
C. The purchase of a newer firewall solution
D. None of the above
E. All of the above

A

E. All of the above

26
Q

You are a member of an IT project team. The team is performing an IT risk analysis and has identified assets and their values as well as threats and threat mitigation solutions. What must be done next?
A. Perform a cost-benefit analysis of proposed risk solutions.
B. Calculate the ALE values.
C. Decide which vulnerabilities exist.
D. There is nothing more to do.

A

B. Calculate the ALE values.

27
Q

To reduce the likelihood of internal fraud, an organization implements policies that ensure more than one person is responsible for a financial transaction from beginning to end. Which of the following best describes this scenario?
A. Probability
B. Mitigation solution
C. Impact analysis
D. Threat analysis

A

B. Mitigation solution

28
Q

What is the difference between risk assessment and risk management?
A. They are the same thing.
B. Risk assessment identifies and prioritizes risks; risk management is the governing of risks to minimize their impact.
C. Risk management identifies and prioritizes risks; risk assessment is the governing of risks to minimize their impact.
D. Risk assessment identifies threats; risk management controls those threats.

A

B. Risk assessment identifies and prioritizes risks; risk management is the governing of risks to minimize their impact.

29
Q

Identify the two drawbacks to quantitative risk analysis compared to qualitative risk analysis. (Choose two.)
A. Quantitative risk analysis entails complex calculations.
B. Risks are not prioritized by monetary value.
C. Quantitative analysis is more time-consuming than qualitative.
D. It is difficult to determine how much money to allocate to reduce a risk.

A

A. Quantitative risk analysis entails complex calculations.
&
C. Quantitative analysis is more time-consuming than qualitative.

30
Q

Which of the following represent methods by which sensitive organizational information could be unintentionally leaked? (Choose two.)
A. Encrypted cloud backup
B. Social network apps on mobile phones
C. E-mail
D. NTFS file permissions

A

B. Social network apps on mobile phones
&
C. E-mail

31
Q

As an IT administrator, you are responsible for creating user accounts for newly hired employees. New hires must have a picture ID to obtain a network/e-mail account, and they must be given a PKI card that they assign a PIN to. Which term applies to the described process?
A. Onboarding
B. Offboarding
C. Data ownership
D. User-adding

A

A. Onboarding