IS3340 CHAPTER 14 Flashcards Preview

IS3340 SEC. STRAT. IN WINDOWS PLATFORM & APPS. > IS3340 CHAPTER 14 > Flashcards

Flashcards in IS3340 CHAPTER 14 Deck (41):
1

The number of times a threat might affect an organization during a one-year time frame is called ___?

ANNUAL RATE OF OCCURRENCE (ARO)

2

The amount of loss that an organization can expect to have each year due to a particular risk. (The equation
ALE=SLE x ARO is used) This is called ___?

ANNUALIZED LOSS EXPECTANCY (ALE)

3

Plans that address the recovery of an organization's business processes and functions in the event of a disaster. They tend to be comprehensive for returning an organization to normal operating conditions. This is called ___?

BUSINESS CONTINUITY (BC) PLANS

4

A process that identifies key business operations and the resources used to support those processes. It also identifies maximum tolerable down-time for critical business functions and is called ___?

BUSINESS IMPACT ANALYSIS (BIA)

5

A basic type of disaster recovery and business continuity test that checks to make sure that supplies and inventory items needed for an organization's business recovery are on hand is called ___?

CHECKLIST TEXT

6

A backup site for disaster recovery and business continuity planning purposes that is little more than reserved space. It does not have any hardware or equipment ready for business operations. It will have electrical service, but most likely won't have network connectivity. It can take weeks to months for an organization ready this site for business operations and is called a ___?

COLD SITE

7

Any situation where a person's private interests and professional obligations collide. Independent observers might question whether a person's private interests improperly influence his or her professional decision. This is called ___?

CONFLICTS OF INTEREST

8

A sudden, unplanned event that negatively affects the organization's critical business functions for an unknown period is called a ___?

DISASTER

9

Plans that address the recovery of an organization's information technology systems in the event of a disaster is called ___?

DISASTER RECOVERY (DR) PLANS

10

The percentage of asset loss that is likely to be caused by an identified threat or vulnerability is called ___?

EXPOSURE FACTOR

11

A disaster recovery and business continuity test where an organization stops all of its normal business operations and transfers those operations to its backup site. This is the most comprehensive form of disaster recovery and business continuity plan test. This is called ____?

FULL INTERRUPTION TEST

12

An operational backup site for disaster recovery and business continuity planning purposes. It has equipment and infrastructure that is fully compatible with an organization's main facility. It is not staffed with people. It can become operational within minutes to hours after a disaster and is called ___?

HOT SITE

13

A contingency plan that helps an organizations respond to attacks against an organization's information technology infrastructure is called___?

INCIDENT RESPONSE (IR)

14

The amount of time that critical business processes and resources can be offline before an organization begins to experience irreparable business harm is called ___?

MAXIMUM TOLERABLE DOWNTIME (MTD)

15

A fully operational backup site for disaster recovery and business continuity planning purposes. This site actively runs an organization's information technology function in parallel with the organization's mail processing facility. It is fully staffed and has all necessary data and equipment to continue business operations. This is called ___?

MIRRORED SITE

16

A disaster recovery and business continuity test where an organization tests its ability to recover its information technology systems and its business data. In this type of test, the organization brings its backup recovery sites online. It will then use historical business data to test the operations of those systems. This is called ___?

PARALLEL TEST

17

A marketing field that manages an organization's public image is called ___?

PUBLIC RELATIONS (PR)

18

A risk analysis method that uses scenarios and ratings systems to calculate risk and potential harm. This analysis does not attempt to assign money value to assets and risk. This is called ___?

QUALITATIVE RISK ANALYSIS

19

A risk analysis method that uses real money costs and values to determine the potential monetary impact of threats and vulnerabilities is called ___?

QUANTITATIVE RISK ANALYSIS

20

The loss that an organization has when a potential threat actually occurs is called ___?

REALIZED RISK

21

A process of identifying threats and vulnerabilities that an organization faces. It can be quantitative, qualitative, or a combination of both and is called ___?

RISK ASSESSMENT (RA)

22

The process that an organization uses to identify risks, assess them, and reduce them to an acceptable level is called ___?

RISK MANAGEMENT (RM)

23

A disaster recovery and business continuity test where an organization real-plays a specific disaster scenario. This type of test does not interrupt normal business operations and activities and is called ___?

SIMULTATION TEST

24

The amount of money that an organization stands to lose every time a specified risk is realized is called ___?

SINGLE LOSS EXPECTANCY (SLE)

25

A basic type of disaster recovery and business continuity test that reviews a disaster recovery/business continuity plan to make sure that all of the assumptions and tasks stated in the plan are correct. This type of test is sometimes called a tabletop walk-through test or tabletop test but often is called a ___?

WALK-THROUGH TEST

26

A partially equipped backup site for disaster recovery and business continuity planning purposes. It is a space that contains some, but not all, of the equipment and infrastructure that an organization needs to continue operations in the event of a disaster. It is partially prepared for operations and has electricity and network connectivity. This is called a ___?

WARM SITE

27

1. A parallel test uses current processing data to test IT system operation.
TRUE OR FALSE

FALSE

28

2. Which item is NOT part of the risk management process?

1. Risk analysis
2. Risk response
3. Continuous monitoring
4. Training employees
5. All the above are parts of the risk management process

All the above are parts of the risk management process

Risk analysis
Risk response
Continuous monitoring
Training employees

29

3. What does a risk assessment do?

A risk assessment identifies the threats and vulnerabilities to IT resources.

30

4. Which type of contingency plan test is the least expensive?

1. Full interruption test
2. Parallel test
3. Simulation test
4. Checklist test
5. None of the above

Checklist test

31

5. which type of risk analysis uses real numbers to calculate risk?

1. Quantitative
2. Qualitative
3. Quasi-quantitative
4. Quasi-qualitative
5. None of the above

Quantitative

32

6. The ___ is the percentage of asset loss that is likely to be caused by an identified threat.

Exposure factor

33

7. How is annualized loss expectancy calculated?

The annualized loss expectancy (ALE) is the amount of loss that an organization can expect to have each year due to a particular risk.
ALE is often expressed in the equation:
ALE=SLE x ARO.
SLE is single loss expectancy
ARO is annual rate of occurrence

34

8. What is the main benefit of a qualitative risk assessment?

1. Measures the money cost of a risk
2. Scope of the assessment can be easily changed
3. Easy to administer
4. All the above
5. None of the above

Easy to administer

35

9. Which of the following is a qualitative risk assessment methodology?

1. CRAMM
2. ISO
3. MTD
4. BIA
5. None of the above

CRAMM
(UK's Central Computer and Telecommunications Agency (CCTA) CCTA created CRAMM (CCTA Risk Analysis and Management Method

FYI: CRAMM has been commercialized and is sold as a software program. It is a Qualitative Risk Analysis method and relies on international standards for its RA methodology.

36

10. Which risk response eliminates all risk of harm posted by a threat or vulnerability?

1. Risk transfer
2. Risk mitigation
3. Risk acceptance
4. Risk avoidance
5. None of the above

Risk avoidance

37

11. Which type of contingency plan reacts to attacks against an organization's IT infrastructure?

1. BC plan
2. DR plan
3. IR plan
4. 1 & 2 only
5. None of the above

IR plan

38

12. A(n) ___ is an event that adversely affects the confidentiality, integrity, and/or availability of an organization's data and IT systems.

Incident

39

13. A(n) ___ is a sudden, unplanned event that negatively affects the organization's critical business functions for an unknown period.

Disaster

40

14. Which backup site is fully operational backup site?

1. Mirrored site
2. Hot site
3. Warm site
4. Cold site
5. None of the above

Mirrored site

41

15. A business impact analysis identifies key business operations and resources.
TRUE OR FALSE

TRUE