Chapter 2

Question 1

Anything used in a business process or task.

Answer 1

Asset

Question 2

The value assigned to an asset based on importance to the organization, use in critical processes, actual cost, & nonmonetary costs (time, attention, productivity)

Answer 2

Asset Valuation

Question 3

Any potential occurence that may cause an undesirable or unwanted outcome for a specific asset

Answer 3

Threat

Question 4

People or Programs, hardware or systems that intentionally exploit vulnerabilities

Answer 4

Threat Agent/Actor

Question 5

The effort to increase the knowledge of risks within an organization

Answer 5

Risk Awareness

Question 6

Evaluating countermeasures, safeguards & security controls using a cost/benefit analysis; adjusting findings & providing a proposal of response options

Answer 6

Risk Response

Question 7

The examination of an environment for risks, evaluating each threate event as to its likelihood of occuring and the severity of the damage it would cause if it did occur, and assessing the cost of various countermeasures for each risk.

Answer 7

Risk Assessment or Risk Analysis

Question 8

What is the Primary Goal of Risk Management?

Answer 8

To reduce risk to an acceptable level.

Question 9

A detailed process identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.

Answer 9

Risk Management

Question 10

Keeps communications and contracts confidential, requires encrypted and authenticated transactions, and maintains a detailed activity log of events related to vendors and suppliers.

Answer 10

VMS (Vendor Management System)

Question 11

A Software solution that assists with managing and procuring staffing services, hardware and software and other needed products and services.

Answer 11

Vendor Management System (VMS)

Question 12

True or False? Vendors, consultants and contractors also represent an increase in the risk of trade secret, theft or espionage?

Answer 12

True

Question 13

Supports the tenets of your security policy and infrastructure rather than being in conflict with them. Which could introduce weak points, vulnerabilities, or exceptions.

Answer 13

SLA

Question 14

An important part of Risk Reduction & Risk Avoidance

Answer 14

SLA’s, Vendor, Consultant & Contractor Controls

Question 15

True or False? SLA’s are NOT an important factor when using any type of third-party service provider, including cloud services?

Answer 15

False,

SLAS are an important factor when using any type of third-party service provider, including cloud services.

Question 16

The Level of Risk an organization is able to shoulder.

Answer 16

Risk Capacity

Question 17

The “total amount” of risk that an organization is willing to shoulder in aggregate across all assets.

Answer 17

Risk Appetite

Question 18

Mitigation or Reduction
Assignment or transfer
Deterrence
Avoidance
Acceptance
Reject or Ignore

Are all part of what?

Answer 18

Possible Risk Responses

Question 19

Used to identify the risks and set criticality priorities

Answer 19

Risk Assesment

Question 20

Used to determine the best defense for each identified risk

Answer 20

Risk Response

Question 21

True or False - Qualitative analysis Employs Math Functions?

Answer 21

False

Question 22

True or False - Quantitative Analysis Uses Cost/Benefit analysis.

Answer 22

True

Question 23

An amalgamation of intangible and tangible value multiplied by a future prediction of loss multiplied by a future prediction of likelihood.

Answer 23

ALE

Question 24

How is ALE calculated? (2 Options)

Answer 24

ALE =SLEARO
or
ALE=AVEF*ARO

Question 25

Name (in order) the Six Major Elelements of Quantitative Risk Analysis.

Answer 25

Asset Value (AV) Calculate Exposure Factor (EF) Calculate Single Loss Expectancy (SLE) Assess the ARO Derive the ALE Perform cost/benefit analysis of countermeasures

Question 26

Represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

Answer 26

Exposure Factor

Question 27

Also known as Cyber Insurance or Cyber Risk Insurance, a type of insurance policy that provides coverage and financial protection to organizations or individuals in the even of cyber-related incidents.

Answer 27

Cybersecurity Insurance

Question 28

This type of Risk is introduced by the introduction of the countermeasure to an environment.

Answer 28

Control Risk

Question 29

total risk - controls gap = residual risk True or False?

Answer 29

True

Question 30

The amount of risk that is reduced by implementing safegaurds

Answer 30

Controls Gap

Question 31

The amount of risk an organization would face if no safeguards were implemented

Answer 31

Total Risk

Question 32

The type of risk that consists of threats to specific assets against which upper management chooses not to implement a response

Answer 32

Residual Risk

Question 33

This type of Risk is the level of natural risk in an envi. system or product before any risk management efforts are performed.

Answer 33

Inherent Risk

Question 34

An unacceptable possible response to Risk

Answer 34

Risk Rejection

Question 35

This type of Risk is the result after a cost/benefit analysis shows countermeasure costs that would outweigh the possible cost of loss due to a risk

Answer 35

Risk Acceptance

Question 36

The process of selecting alternate options or activities that have less associated risk that the default, common, expedient or cheap option

Answer 36

Risk Avoidance

Question 37

The process of implementing deterrents to violators of security & policy.

Answer 37

Risk Deterrence

Question 38

The placement of the responsibility of loss due to a risk onto another entity or organization

Answer 38

Risk Assignment

Question 39

The implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats. (Risk Response)

Answer 39

Risk Mitigation