CS307 - Chapter 9
Terms in this set (25)
The _________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges. (T/F)
Which of the following is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk, and how much risk exists for the asset?
By multiplying the asset factor by the exposure factor, you can calculate which of the following?
single loss expectancy
In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
The __________ level and an asset's value should be a major factor in the risk control strategy.
The ISO 27005 Standard for Information Security Risk Management includes a five-stage management methodology; among the stages are risk treatment and risk communication. (T/F)
The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being _______.
Which of the following is a step in Stage 2 - Evaluate Loss Event Frequency of the FAIR risk management framework?
estimate control strength
Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
Strategies to limit losses before and during a disaster are covered by which of the following plans in the mitigation control approach?
disaster recovery plan
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
qualitative assessment of many risk components
The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ____________.
Which of the following affects the cost of a control?
Which of the following is NOT a valid rule of thumb on risk control strategy?
When the attacker's potential gain is less than the costs of an attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
InfoSec community analysis
Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset. (T/F)
Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate trade-offs between perfect security and unlimited accessibility?
The NIST risk management approach includes all but which of the following elements?
Application of training and education is a common method of which risk control strategy?
The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR, and BC plans is _____________.
What should each information asset-threat pair have, at a minimum, that clearly identifies any residual risk remaining after the proposed strategy has been executed?
documented control strategy
The criterion most commonly used when evaluating a strategy to implement the InfoSec controls and safeguards is economic feasibility. (T/F)