IS3110 CHAP 1 Flashcards
(37 cards)
Which of the following properly defines risk?
- Threat x Mitigation
- Vulnerability x Controls
- Controls - Residual Risk
- Threat x Vulnerability
Threat x Vulnerability
Which of the following properly defines total risk?
- Threat - Mitigation
- Threat x Vulnerability x Asset Value
- Vulnerability - Controls
- Vulnerability x Controls
Threat x Vulnerability x Asset Value
You can completely eliminate risk in an IT environment.
TRUE OR FALSE
FALSE
Which of the following are accurate pairings of threat categories? (Select Two)
- External and Internal
- Natural and supernatural
- Intentional and accidental
- Computer and user
External and Internal
AND
Intentional and accidental
A loss of client confidence or public trust is an example of loss of ___.
Intangible value
A ___ is used to reduce a vulnerability.
RISK MANAGEMENT PLAN
As long as a company is profitable, it does not need to consider survivability.
TRUE OR FALSE
FALSE
What is the primary goal of an information security program?
- Eliminate losses related to employee actions
- Eliminate losses related to risk
- Reduce losses related to residual risk
- Reduce losses related to loss of confidentiality, integrity, and availability
Reduce losses related to loss of confidentiality, integrity, and availability
The ___ is an industry-recognized standard list of common vulnerabilities.
CVE
Which of the following is a goal of risk management?
- Identify the correct cost balance between risk and controls
- Eliminate risk by implementing controls
- Eliminate the loss associated with risk
- Calculate value associated with residual risk
Identify the correct cost balance between risk and controls
If the benefits outweigh the cost, a control is implemented. Costs and benefits are identified by completing a ___.
COST BENEFIT ANALYSIS
A company decides to reduce losses of a threat by purchasing insurance. This is known as risk ___.
Transfer
What can you do to manage risk? (Select three)
- Accept
- Transfer
- Avoid
- Migrate
Accept
Transfer
Avoid
You have applied controls to minimize risk in the environment. What is the remaining risk called?
- Remaining Risk
- Mitigated risk
- Managed Risk
- Residual Risk
Residual Risk
Who is ultimately responsible for losses resulting from residual risk?
- End users
- Technical staff
- Senior Management
- Security personnel
Senior Management
A technique used to manage risk.
When the cost to reduce the risk is greater than the potential loss, the risk is accepted.
A risk is also accepted if management considers the risk necessary and tolerable for business.
ACCEPT
Ensuring that data or a service is available when needed. Data and services are protected using fault tolerance and redundancy techniques.
AVAILABILITY
A technique used to manage risk.
A risk can be avoided by eliminating the source of the risk or eliminating the exposure of assets to the risk.
A company can either stop the risk activity or move the asset.
AVOID
Database of vulnerabilities maintained by the MITRE Corporation
MITRE works in conjunction with the US Dept of Homeland Security.
CVE
Protecting data from unauthorized disclosure. Data is protected using access controls and encryption technologies.
CONFIDENTIALITY
An action or change put in place to reduce a weakness or potential loss. A control is also referred to as a countermeasure.
CONTROL
A process used to determine how to manage a risk.
If the benefits of a control outweigh the costs, the control can be implemented to reduce the risk. If the costs are greater than the benefits, the risk can be accepted.
COST-BENEFIT ANALYSIS (CBA)
The amount of the loss resulting from a threat exploiting a vulnerability. The loss can be expressed in monetary terms or a relative value. The impact identifies the severity of the loss. Impact is derived from the opinions of experts.
IMPACT
Value that isn’t directly related to the actual cost of a physical asset. Intangibles can include future lost revenue, client confidence, and customer influence.
INTANGIBLE VALUE