Chapter 1 and 2 Questions and Answers

School

Indiana University, Purdue University, Indianapolis

Course

45100

Subject

Information Systems

Date

Feb 20, 2024

Type

docx

Pages

2

Uploaded by AdmiralParrotPerson970

CIT 415 Chapter 1 & 2 Q/A

Chapter 1:
1. Threat x Vulnerability properly defines risk in formula form.
2. Threat x Vulnerability x Asset Value properly defines the total risk in formula form.
3. It is True that the best bet is to reduce risk to a level that can be accepted.
4. External and Internal, and Intentional and Accidental, are accurate pairings of threat categories.
5. Loss of Intangible Value is an example of loss of client confidence or public trust.
6. To reduce vulnerability, you need to use control.
7. It is False to consider that, so long as a company is profitable, it should not need to consider survivability.
8. To reduce losses related to loss of confidentiality, integrity, and availability is the primary goal of an information security program.
9. An industry-recognized standard list of common vulnerabilities is CVE.
10. To identify the correct cost balance between risk and controls is a goal of risk management.
11. Costs and benefits are identified by completing a CBA; where the benefits outweigh the cost, a control is then implemented.
12. A risk transfer is when a company decides to reduce losses of a threat by purchasing insurance.
13. To manage risk, you need to accept it, transfer it, and then avoid it.
14. Residual risk is the remaining risk after controls are applied to minimize risk in the environment.
15. Senior managers are responsible for losses resulting from residual risk.

Chapter 2:
1. A security policy is a document created by senior managers that identifies the role of security in the organization and is used as a defense mechanism to protect the assets of the organization.
2. The principle of least privilege should be used to ensure that users are granted only the rights to perform actions required for their jobs.
3. The principle of proportionality should be used to ensure that the amount spent on mitigating a risk is proportional to the risk.
4. Separation of duties divides job responsibilities to reduce fraud.
5. Configuration management can be used to ensure that unauthorized changes are not made to the systems.
6. Host-based and network-based are two types of intrusion detection systems.
7. It is False that a technical control prevents unauthorized personnel from having physical access to a secure area or secure system.
8. A buffer overflow allows an attacker to gain additional privileges on a system by sending unexpected code to the system.
9. Hardening a server requires securing it from the default configuration.
10. Removing unnecessary services and protocols, keeping the server up to date, changing defaults, and enabling local firewalls are the steps required to harden a server.
11. NIST is a government agency that includes the Information Technology Laboratory and publishes SP 800-30.
12. SP 800-37 is the Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach.
13. US-CERT is a U.S. government agency that regularly publishes alerts and bulletins related to security threats.
14. The CVE list is maintained by the MITRE Corporation.
15. CVE is the standard used to create information security vulnerability names.