Chapter 5 and 6 Questions and Answers
School: Indiana University, Purdue University, Indianapolis
Course: 45100
Subject: Information Systems
Date: Feb 20, 2024
Uploaded by AdmiralParrotPerson970
Chapter 5 & 6 Questions & Answers
Chapter 5:
1. What can be used to help quantify risks?
a. SLE
b. ARO
c. Risk assessment
d. Risk mitigation plan
e. All of the above
SLE, ARO, Risk assessment, and Risk mitigation plan can be used to help quantify risks.
2. ____ describes the loss that will happen to the asset as a result of the threat, which is expressed as a percentage value.
Exposure factor (EF) describes the loss that will happen to the asset as a result of the threat, which is expressed as a percentage value.
3. Risk assessments are a static process.
a. True
b. False
It is false that risk assessments are a static process.
4. A ___ risk assessment uses SLE.
A quantitative risk assessment uses SLE.
5. What elements are included in a quantitative analysis?
a. SLE, ALE, and ARO
b. ALE, ARO, and ARP
c. Probability and impact
d. Threats and vulnerabilities
Probability and impact are elements that are included in a quantitative analysis.
6. What elements are included in a qualitative analysis?
a. SLE, ALE, and ARO
b. ALE, ARO, and ARP
c. Probability and impact
d. Threats and vulnerabilities
SLE, ALE, and ARO are elements that are included in a quantitative analysis.
7. Qualitative analysis is less time consuming than quantitative analysis.
a. True
b. False
It is false that qualitative analysis is less time consuming than quantitative analysis.
8. A primary benefit of a ____ risk assessment is that it can be completed more quickly than other methods.
A primary benefit of a qualitative risk assessment is that it can be completed more quickly than other methods.
9. A primary benefit of a ____ risk assessment is that it includes details for a cost-benefit analysis.
A primary benefit of a quantitative risk assessment is that it includes details for a cost-benefit analysis.
10. What must be defined when performing a qualitative risk assessment?
a. Formulas used for ALE
b. Scales used to define probability and impact
c. Scales used to define SLE and ALE
d. Acceptable levels of risk
Scales used to define probability and impact must be defined when performing a qualitative risk assessment.
11. A ______ risk assessment is objective. It uses data that can be verified.
A quantitative risk assessment is objective. It uses data that can be verified.
12. A ______ risk assessment is subjective. It relies on the opinions of experts.
A qualitative risk assessment is subjective. It relies on the opinions of experts.
13. One of the challenges facing risk assessment is getting accurate data. What can be included in the risk assessment report to give an indication of the reliability of the data?
a. Probability statement
b. Accuracy scale
c. Validity level
d. Uncertainty level
One of the challenges facing risk assessment is getting accurate data. Uncertainty level can be included in the risk assessment report to give an indication of the reliability of the data.
14. An IT security team leader is working on a qualitative risk assessment for her company. She is thinking about the final report. What should the IT security team leader consider when providing the results and recommendations? (Select Two)
a. Resource allocation
b. Risk acceptance
c. SLE and ARO
d. SLE and ALE
An IT security team leader is working on a qualitative risk assessment for her company. She is thinking about the final report. The IT security team leader should consider resource allocation and risk acceptance when providing the results and recommendations.
15. Of the following, what would be considered a best practice when performing risk assessments?
a. Starting with clear goals and a defined scope
b. Enlisting support of senior management
c. Repeating the risk assessment regularly
d. Providing clear recommendations
e. All of the above
Starting with clear goals and a defined scope, enlisting support of senior management, repeating the risk assessment regularly, and providing clear recommendations would all be considered best practices when performing risk assessments.
Chapter 6:
1. A company is beginning a risk assessment for a system. Both the _____ characteristics and the mission of the system should be defined in the early stages of the risk assessment.
a. Tactical
b. Strategic
c. Operational
d. Visionary
A company is beginning a risk assessment for a system. Both the strategic characteristics and the mission of the system should be defined in the early stages of the risk assessment.
2. Which of the following should be identified during a risk assessment?
a. Assets
b. Threats
c. Vulnerabilities
d. Controls
e. All of the above
Assets, threats, vulnerabilities, and controls should be identified during a risk assessment.
3. Of the following choices, which would be considered an asset?
a. Hardware
b. Software
c. Personnel
d. Data and information
e. All of the above
Hardware, software, personnel, and data and information would all be considered assets.
4. When defining the system for risk assessment, what should be included?
a. Only the title of the system
b. The current configuration of the system
c. A list of possible attacks
d. A list of previous risk assessments
The current configuration of the system should be included when defining the system for risk assessment.
5. Which of the following is not included in a risk assessment?
a. Organizational mission
b. People
c. Nations
d. Risk Management
e. None of the above
Risk management is not included in a risk assessment.
6. Which type of assessment can be performed to identify weaknesses in a system without exploiting the weaknesses?
a. Vulnerability assessment
b. Risk assessment
c. Exploit assessment
d. Penetration test
Vulnerability assessment can be performed to identify weaknesses in a system without exploiting the weaknesses.
7. An acceptable use policy is an example of a(n) _____ control.
An acceptable use policy is an example of an administrative control.
8. An organization requires users to log on with tokens. This is an example of a(n) _____ control.
An organization requires users to log on with tokens. This is an example of a technical control.
9. Video cameras are used to monitor the entrance of secure areas of a building. This is an example of a(n) _____ control.
Video cameras are used to monitor the entrance of secure areas of a building. This is an example of a physical control.
10. Which of the following should be matched with a control to mitigate a relevant risk?
a. Threats
b. Vulnerabilities
c. Threat/vulnerability pair
d. Residual risk
Threat/vulnerability pair should be matched with a control to mitigate a relevant risk.
11. What does a qualitative risk assessment use to prioritize a risk?
a. Probability and impact
b. SLE, ARO, and ALE
c. Safeguard value
d. Cost-benefit analysis
To prioritize a risk, a qualitative risk assessment uses probability and impact.
12. What does a quantitative risk assessment use to prioritize a risk?
a. Probability and impact
b. SLE, ARO, and ALE
c. Safeguard value
d. Cost-benefit analysis
To prioritize a risk, a quantitative risk assessment uses SLE, ARO, and ALE.
13. An organization purchased a control and installed it on several servers. This control is consuming too many server resources, and the servers can no longer function. What was not evaluated before the control was purchased?
a. The cost and time to implement the control
b. The operational impact of the control
c. The in-place and planned controls
d. The impact of the risk
An organization purchased a control and installed it on several servers. This control is consuming too many server resources, and the servers can no longer function. This is because the operational impact of the control was not evaluated before purchase.
14. What is included in a risk assessment that helps justify the cost of a control?
a. Probability and impact
b. ALE
c. CBA
d. POAM
CBA is included in a risk assessment that helps justify the cost of a control.
15. What is created with a risk assessment to track the implementation of the controls?
a. CBA
b. POAM
c. ALE
d. SLE
POAM is created with a risk assessment to track the implementation of the controls.