Section 21 Risk Assessments

Question 1

A process used inside of risk management to identify how much risk exists in a given network or system.

Answer 1

Risk Assessments

Question 2

The probability that a threat will be realized.

Answer 2

Risk

Question 3

Weaknesses in the design or implementation of a system.

Answer 3

Vulnerabilities

Question 4

Any condition that could cause harm, loss, damage, or compromise to our information technology systems.

Answer 4

Threat

Question 5

A strategy that requires stopping the activity that has risk or choosing a less risky alternative.

Answer 5

Risk Avoidance

Question 6

A strategy that passes the risk to a third party.

Answer 6

Risk Transfer

Question 7

A strategy that seeks to minimize the risk to an acceptable level.

Answer 7

Risk Mitigation

Question 8

A strategy that seeks to accept the current level of risk and the costs associated with it if the risk were realized.

Answer 8

Risk Acceptance

Question 9

The risk remaining after trying to avoid, transfer, or mitigate the risk.

Answer 9

Residual Risk

Question 10

An estimation of the amount of damage that a negative risk might acheive.

Answer 10

Magnitude of Impact

Question 11

Cost associated with the realization of each individualized threat that occurs.

Answer 11

Single Loss Expectancy (SLE)

Question 12

SLE = AV x EF

Answer 12

Asset value x Exposure factor

Question 13

Number of times per year that a threat is realized.

Answer 13

Annualized Rate of Occurrence (ARO)

Question 14

Expected cost of a realized threat over a given year.

Answer 14

Annualized Loss Expectancy (ALE)

Question 15

Verify that the organizations security posture is designed and configured properly to help thwart different types of attacks.

Answer 15

Security Assessments

Question 16

Utilizes more intrusive techniques like scanning, hands on testing, and probing of the network to determine vulnerabilities.

Answer 16

Active Assessments

Question 17

Utilizes open source information, the passive collection and analysis of the network data, and other unobtrusive methods without making direct contact with the targeted systems.

Answer 17

Passive Assessments

Question 18

Methods implemented to mitigate a particular risk.

Answer 18

Security Controls

Question 19

Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it.

Answer 19

Physical Controls

Question 20

Safeguards and countermeasures used to avoid, detect, counteract, or minimize, security risks to our systems and information.

Answer 20

Technical Controls

Question 21

Focused on changing the behavior of people instead of removing the actual risk involved.

Answer 21

Administrative Controls

Question 22

Security controls that are focused on decision making and the management of risk.

Answer 22

Management Controls

Question 23

Focused on the things done by people.

Answer 23

Operational Controls

Question 24

Security controls that are installed before an event happens and are designed to prevent something from occurring.

Answer 24

Preventative

Question 25

Used during the event to find out whether something bad might be happening.

Answer 25

Dective Controls

Question 26

Used after an event occurs a single control can be categorized into multiple types or categories.

Answer 26

Corrective Controls

Question 27

Used whenever you can’t meet the requirements for a normal control.

Answer 27

Compensating Controls

Question 28

Risks that are produced by a non human source and are beyond human control.

Answer 28

External Risk

Question 29

Risks that are formed within the organizations, arise during normal questions, and are often forecastable.

Answer 29

Internal Risk

Question 30

An old method, technology, computer system, or application program which includes an outdated computer system still in use.

Answer 30

Legacy Systems

Question 31

A risk that refers to the connection of multiple systems or organizations with each bringing their own inherent tasks.

Answer 31

Multiparty

Question 32

Risk associated with business assets and property being stolen from an organization in which economic damage, the loss of a competitive edge, or a slowdown in business growth occurs.

Answer 32

IP Theft

Question 33

Risk associated with a company not being aware of what software or components are installed within its network.

Answer 33

Software Compliance/Licensing