Chapter 10 Cloud Vendor Management Siedel Flashcards
Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch.
From a risk management perspective, what has she done?
A. Removed the threat
B. Reduced the threat
C. Removed the vulnerability
D. Reduced the vulnerability
C. Removed the vulnerability
Explanation:
By applying the patch, Jen has removed the vulnerability from her server. This also has the effect of eliminating this particular risk. Jen cannot control the external threat of an attacker attempting to gain access to her server.
You notice a high number of SQL injection attacks against a web application run by your organization, so you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk?
A. Reduced the magnitude
B. Eliminated the vulnerability
C. Reduced the probability
D. Eliminated the threat
C. Reduced the probability
Explanation:
Installing a web application firewall reduces the probability that an attack will reach the web server. Vulnerabilities may still exist in the web application, and the threat of an external attack is unchanged.
The impact of a successful SQL injection attack is also unchanged by a web application firewall.
Questions 3-7 refer to the following:
Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers.
Aziz is assessing the risk of a denial of service attack against the database where the attacker would destroy the data contained within the database. He expects that it would cost approximately $500,000 to reconstruct the database from existing records. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.
What is the asset value (AV)?
A. $5,000
B. $100,000
C. $500,000
D. $600,000
C. $500,000
Explanation:
The asset at risk in this case is the customer database. Reconstructing the database from existing records would cost $500,000, so the asset value is $500,000. The $100,000 per day in revenue is not part of this scenario, which concerns destruction of the data rather than downtime of the website.
What is the exposure factor?
A. 5 percent
B. 20 percent
C. 50 percent
D. 100 percent
D. 100 percent
Explanation:
The attack would result in the total loss of customer data stored in the database, making the exposure factor 100 percent.
What is the single loss expectancy (SLE)?
A. $5,000
B. $100,000
C. $500,000
D. $600,000
C. $500,000
Explanation:
We compute the single loss expectancy (SLE) by multiplying the asset value ($500,000) by the exposure factor (100 percent) to get an SLE of $500,000.
What is the annualized rate of occurrence (ARO)?
A. 0.05
B. 0.20
C. 2.00
D. 5.00
A. 0.05
Explanation:
Aziz's threat intelligence research determined that the threat has a 5 percent likelihood of occurrence each year. This is an ARO of 0.05.
What is the annualized loss expectancy?
A. $5,000
B. $25,000
C. $100,000
D. $500,000
B. $25,000
Explanation:
We compute the annualized loss expectancy (ALE) by multiplying the SLE ($500,000) by the ARO (0.05) to get an ALE of $25,000.
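As an added worked example (not part of the original flashcards), the following Python carries the Aziz computation through AV, EF, SLE, ARO and ALE, and then applies the same formulas to two hypothetical controls in order to compare the two ways a control can lower risk that question 2 distinguishes: reducing probability (a lower ARO) versus reducing magnitude (a lower EF). The two control scenarios and the $10,000 annual control cost are assumptions for illustration; only the $500,000 asset value, 100 percent exposure factor and 0.05 ARO come from the flashcards.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """Quantitative risk inputs for one asset/threat pair."""

    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost in a single incident (0.0 to 1.0)
    aro: float               # ARO, expected number of incidents per year

    def __post_init__(self) -> None:
        # Guard against the most common input mistakes (e.g. EF given as 100 instead of 1.0).
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def control_value(before: RiskScenario, after: RiskScenario, annual_control_cost: float) -> float:
    """Net annual value of a control: the ALE it removes minus what it costs per year.

    A positive result means the control pays for itself; a negative result means the
    control costs more than the risk it removes, which argues for accepting the risk
    (or finding a cheaper control). The ALE of `after` is the residual ALE.
    """
    return (before.ale() - after.ale()) - annual_control_cost


# Aziz's customer database, exactly as stated in questions 3-7.
database = RiskScenario(asset_value=500_000, exposure_factor=1.0, aro=0.05)

# Assumed control that reduces PROBABILITY (like the WAF in question 2): the attack
# still destroys everything when it succeeds, but succeeds only 1% of years.
probability_control = RiskScenario(asset_value=500_000, exposure_factor=1.0, aro=0.01)

# Assumed control that reduces MAGNITUDE: offline backups limit the loss to 10% of AV
# (the records that changed since the last backup), while the ARO is unchanged.
magnitude_control = RiskScenario(asset_value=500_000, exposure_factor=0.10, aro=0.05)

ASSUMED_ANNUAL_CONTROL_COST = 10_000  # assumption, not from the flashcards


def summarize(name: str, scenario: RiskScenario) -> str:
    """One-line report for a scenario."""
    return (f"{name:<22} AV=${scenario.asset_value:>10,.0f}  EF={scenario.exposure_factor:.0%}  "
            f"SLE=${scenario.sle():>10,.0f}  ARO={scenario.aro:.2f}  ALE=${scenario.ale():>9,.0f}")


if __name__ == "__main__":
    for label, sc in [("no control", database),
                      ("probability control", probability_control),
                      ("magnitude control", magnitude_control)]:
        print(summarize(label, sc))
    for label, sc in [("probability control", probability_control),
                      ("magnitude control", magnitude_control)]:
        net = control_value(database, sc, ASSUMED_ANNUAL_CONTROL_COST)
        print(f"{label}: residual ALE=${sc.ale():,.0f}, net annual value=${net:,.0f}")
```

The comparison is the practical point of the ALE arithmetic: a control is only worth buying when the ALE it eliminates exceeds its annual cost, and the ALE left over after the control is the residual risk that the organization must then accept, transfer, or mitigate further.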
Questions 8-11 refer to the following:
Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive information. She is considering a variety of approaches to managing this risk.
Grace's first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
C. Risk mitigation
Explanation:
Installing new controls or upgrading existing controls is an effort to reduce the probability or magnitude of a risk. This is an example of a risk mitigation activity.
Grace is considering dropping the customer activities that collect and store sensitive personal information. What risk management strategy would Grace's approach use?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
B. Risk avoidance
Explanation:
Changing business processes or activities to eliminate a risk is an example of risk avoidance.
Grace's company decided to install the web application firewall and continue doing business. They are still worried about other risks to the information that were not addressed by the firewall and are considering purchasing an insurance policy to cover those risks. What strategy does this use?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
D. Risk transference
Explanation:
Insurance policies use a risk transference strategy by shifting some or all of the financial risk from the organization to an insurance company.
In the end, Grace found that the insurance policy was too expensive and opted not to purchase it. She is taking no additional action. What risk management strategy is Grace using in this situation?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
A. Risk acceptance
Explanation:
Grace evaluated the remaining risk and the available options and deliberately decided to take no further action, living with the risk as it stands. This is risk acceptance.
Brian recently conducted a risk mitigation exercise and has determined the level of risk that remains after implementing a series of controls. What term best describes this risk?
A. Inherent risk
B. Control risk
C. Risk appetite
D. Residual risk
D. Residual risk
Explanation:
Residual risk is the risk that remains after controls have been applied. Inherent risk is the level of risk before any controls are in place, and risk appetite is the amount of risk an organization is willing to accept.
Joe is authoring a document that explains to system administrators one way in which they might comply with the organization's requirement to encrypt all laptops. What type of document is Joe writing?
A. Policy
B. Guideline
C. Procedure
D. Standard
B. Guideline
Explanation:
A guideline offers advice or one possible way to meet a requirement and is not mandatory. A policy states the high-level requirement itself, a standard sets a mandatory configuration or approach, and a procedure gives mandatory step-by-step instructions.
Which one of the following documents must normally be approved by the CEO or a similarly high-level executive?
A. Standard
B. Procedure
C. Guideline
D. Policy
D. Policy
Explanation:
Policies are high-level statements of management intent and normally require approval from senior executive leadership. Standards, procedures, and guidelines are typically approved at lower levels of the organization.
Greg would like to create an umbrella agreement that provides the security terms and conditions for all future work that his organization does with a vendor. What type of agreement should Greg use?
A. BPA
B. MOU
C. MSA
D. SLA
C. MSA
Explanation:
A master service agreement (MSA) is an umbrella contract that establishes the terms, including security requirements, governing all future work with a vendor; individual engagements are then covered by statements of work issued under the MSA. A business partnership agreement (BPA) governs a partnership between organizations, a memorandum of understanding (MOU) documents an informal understanding, and a service level agreement (SLA) specifies the performance levels a vendor must meet.