Risk Analysis Flashcards

1
Q

You are conducting a risk analysis for a stock brokerage firm in Miami, Florida. What factors should you consider? (Choose two.)

Server downtime because of earthquakes

Destruction of government regulation documentation because of fire

Server downtime because of power outages

Customer invoicing data destroyed because of fire

A

Server downtime because of power outages

Customer invoicing data destroyed because of fire

Risk analysis includes calculating plausible risks, such as server downtime because of power outages and loss of equipment and data because of fire. Earthquakes are not a plausible risk for Miami, Florida.

2
Q

You are responsible for completing an IT asset report for your company. All IT-related equipment and data must be identified and given a value. What term best describes what you must next do?

Asset identification

Risk mitigation

Threat analysis

A

Asset identification

Asset identification involves identifying assets (including data) and associating a value with them. This can then be used to justify expenditures to protect these assets

3
Q

You are identifying security threats to determine the likelihood of virus infection. Identify potential sources of infection. (Choose two.)

USB flash drives

USB keyboard

Smartcard

Downloaded documentation from a business partner web site

A

USB flash drives

Downloaded documentation from a business partner web site

USB flash drives could carry files downloaded from the Internet or copied from less secure machines that could infect your network. Business partner documentation downloaded from the Internet could also be infected. With proper management approval, a thorough vulnerability assessment of the existing network and its devices, or a more aggressive penetration test, can reveal these potential security holes.

4
Q

During a risk analysis meeting, you are asked to specify internal threats being considered. Choose which item is not considered an internal threat from the list that follows.

Embezzlement

Hackers breaking in through the firewall

Employees using corporate assets for personal gain

A

Hackers breaking in through the firewall

Hackers breaking in through a firewall would be considered an external threat

5
Q

A client conveys her concern to you regarding malicious Internet users gaining access to corporate resources. What type of assessment would you perform to determine this likelihood?

Threat assessment

Risk analysis

Asset identification

A

Threat assessment

Determining how an entity could gain access to corporate resources requires a threat assessment. Environmental threat assessments consider natural factors such as floods and earthquakes as well as facility factors such as HVAC and physical security. Threat assessment must also consider man-made threats such as war or terrorism. For a completely objective view of threats, the assessment should be conducted by an external entity.

6
Q

You are an IT consultant performing a risk analysis for a seafood company. The client is concerned with specific cooking and packaging techniques the company uses being disclosed to competitors. What type of security concern is this?

Integrity

Confidentiality

Availability

A

Confidentiality

Confidentiality means keeping data hidden from those who should not see it, such as competitors

7
Q

After identifying internal and external threats, you must determine how these potential risks will affect business operations. What is this called?

Risk analysis

Fault tolerance

Impact analysis

A

Impact analysis

Determining the effect that materialized risks have on the operation of a business is called impact analysis. It is often used to determine whether expenditures against these risks are justified

8
Q

When determining how best to mitigate risk, which items should you consider? (Choose two.)

Insurance coverage

Number of server hard disks

How fast CPUs in new computers will be

Network bandwidth

A

Insurance coverage

Number of server hard disks

Assessing risk includes determining what is and is not covered by the various types of insurance and whether the cost of the premiums is justified. The number of server hard disks is also risk related: the likelihood of losing hard disk data is minimized when multiple disks are configured properly, such as in RAID 1 (disk mirroring).

9
Q

You are listing preventative measures for potential risks. Which of the following would you document? (Choose three.)

Larger flat-screen monitors

Data backup

Employee training

Comparing reliability of network load balancing appliances

A

Data backup

Employee training

Comparing reliability of network load balancing appliances

Backing up data minimizes the risk of losing data. Employee training reduces the likelihood of errors or disclosure of confidential information. Choosing the most reliable network load balancing appliance can reduce the risk of network traffic congestion

10
Q

An insurance company charges an additional $200 monthly premium for natural disaster coverage for your business site. What figure must you compare this against to determine whether to accept this additional coverage?

ALE

ROI

Total cost of ownership

A

ALE

The annual loss expectancy (ALE) value is used in quantitative risk analysis to prioritize and justify expenditures that protect against potential risks. For example, an ALE of $1000 might justify a $200 annual expense to protect against that risk.

11
Q

Which of the following is true regarding qualitative risk analysis?

Only numerical data is considered.

ALE must be calculated.

Threats must be identified.

A

Threats must be identified.

Qualitative risk analysis categorizes risks (threats) in general, non-monetary terms and relative numerical ranges—for example, a risk falling between 1 (small risk) and 10 (big risk). For this to happen, threats must first be identified.

12
Q

Which values must be calculated to derive annual loss expectancy? (Choose two.)

Single loss expectancy

Annual rate of occurrence

Monthly loss expectancy

Quarterly loss expectancy

A

Single loss expectancy

Annual rate of occurrence

Annual loss expectancy (ALE) is derived by multiplying the annual rate of occurrence (ARO) by the single loss expectancy (SLE): ALE = ARO × SLE.

13
Q

You are the server expert for a cloud computing firm named Cloud Nine Computing. Management would like to set aside funds to respond to server downtime risks. Using historical data, you determine that the probability of server downtime is 17 percent. Past data suggests the server would be down for an average of one hour and that $3000 of revenue can be earned in one hour. You must calculate the annual loss expectancy (ALE). Choose the correct ALE.

$300

$510

$3000

A

$510

Annual loss expectancy (ALE) is calculated by multiplying the annual rate of occurrence (ARO = 0.17) by the single loss expectancy (SLE = $3000, one hour of lost revenue). So, 0.17 × 3000 = 510.

14
Q

Your boss asks you to calculate how much money the company loses when critical servers required by employees are down for two hours. You have determined that the probability of this happening is 70 percent. The company has 25 employees, each earning $18.50 per hour. Choose the correct value.

$12.95

$18.50

$647.50

A

$647.50

This question is asking you to calculate the annual loss expectancy (ALE). Multiply the probability (annual rate of occurrence) by the dollar amount associated with a single failure (single loss expectancy), which here is two hours of wages for 25 employees: 0.7 × (2 × (25 × 18.5)) = 647.50.

15
Q

Your company is considering having the e-mail server hosted by Hosted Solutions, Inc., to reduce hardware and mail server technician costs at the local site. What type of document formally states the reliability and recourse if the reliability is not met?

BPA

MOU

SLA

A

SLA

A service level agreement (SLA) formally defines the level of service a customer can expect and the recourse available should that level of service not be provided.

16
Q

Which term best describes monies spent to minimize the impact that threats and unfavorable conditions have on a business?

Risk management

Security audit

Budgetary constraints

A

Risk management

Risk assessment means determining the impact that threats and less-than-optimal conditions can have on a business or agency. Risk management involves setting aside the funds to account for these eventualities. Determining the amount of money to set aside may involve many detailed calculations.

17
Q

Which risk analysis approach makes use of ALE?

Best possible outcome

Quantitative

ROI

A

Quantitative

The annual loss expectancy (ALE) is a specific figure derived from the probability of a loss and the cost of one occurrence of this loss. Because specific dollar values (quantities) are used to prioritize risks, this falls into the category of quantitative risk analysis

18
Q

You are presenting data at a risk analysis meeting. During your presentation you display a list of ALE values ranked by dollar amount. Bob, a meeting participant, asks how reliable the numbers used to calculate the ALEs are. What can you tell Bob?

The numbers are 50 percent reliable.

ALEs are calculated using probability values that vary.

ALEs are calculated using percentages and are accurate.

A

ALEs are calculated using probability values that vary.

Annual loss expectancy (ALE) values combine the probability of a loss with the cost of a single incident. Probability values are rarely accurate, but because the future cannot be predicted, they are acceptable. Probability values can be arrived at by referring to historical data.

19
Q

Which of the following should be performed when conducting a qualitative risk assessment? (Choose two.)

Asset valuation

ARO

SLE

Ranking of potential threats

A

Asset valuation

Ranking of potential threats

Qualitative risk analysis assesses the likelihood of risks that would impede normal business operations and prioritizes (ranks) them relative to one another. Assets that must be protected from identified risks must be assigned a value so that it can be determined whether the cost of risk mitigation is justified.

20
Q

You are the IT security analyst for Big John’s Gourmet Foods. Big John’s plans to open a plant in Oranjestad, Aruba, next year. You are meeting with a planning committee in the next week and must come up with questions to ask the committee about the new location so you can prepare a risk analysis report. Which of the following would be the most relevant questions to ask? (Choose two.)

How hot does it get in the summer?

How reliable is the local power?

What kind of physical premise security is in place?

How close is the nearest highway?

A

How reliable is the local power?

What kind of physical premise security is in place?

A reliable power source is critical for IT systems. Unreliable power would mean a different plant location or the use of an uninterruptible power supply (UPS) and power generators. Physical security should always be considered during risk analysis

21
Q

Your corporate web site is being hosted by an Internet service provider. How does this apply to the concept of risk?

Risk avoidance

Risk transfer

Risk analysis

A

Risk transfer

Risk transfer shifts some or all of the burden of risk to a third party

22
Q

Which of the following regarding risk management is true?

Funds invested in risk management could have earned much more profit if spent elsewhere.

ALEs are only estimates and are subject to being inaccurate.

IT security risks are all handled by the corporate firewall.

A

ALEs are only estimates and are subject to being inaccurate.

Annual loss expectancy (ALE) figures are considered inaccurate because part of their calculation is based on probabilities

23
Q

Your competitors are offering a new product that is predicted to sell well. After much careful study, your company has decided against launching a competing product because of the uncertainty of the market and the enormous investment required. Which term best describes your company’s decision?

Risk analysis

Risk transfer

Risk avoidance

A

Risk avoidance

Deciding to invest heavily in a new product for an uncertain market is a gamble. Deciding against it would be classified as risk avoidance

24
Q

How can management determine which risks should be given the most attention?

Threat vector

Rank risks by likelihood

Rank risks by probable date of occurrence

A

Rank risks by likelihood

Whether qualitative or quantitative risk analysis is done, once data has been properly considered, risks should be ranked by likelihood

25
Q

Recently your data center was housed in Albuquerque, New Mexico. Because of corporate downsizing, the data center equipment was moved to an existing office in Santa Fe. The server room in Santa Fe was not designed to accommodate all the new servers arriving from Albuquerque, and the server room temperature is very warm. Because this is a temporary solution until a new data center facility is built, management has decided not to pay for an updated air conditioning system. Which term best describes this scenario?

Risk transfer

Risk avoidance

Risk acceptance

A

Risk acceptance

Accepting the potential consequences of a threat is referred to as risk acceptance. The money needed to minimize the risk is judged not to be warranted, as in the case of the temporary data center in Santa Fe.

26
Q

Which of the following factors could influence your risk management strategy?

Government regulations

Moving operations to a new building

The purchase of a newer firewall solution

None of the above

All of the above

A

All of the above

Government regulations might involve the privacy of client information, which could introduce a new or more prominent security risk. It is always important to review agreement requirements to ensure compliance and that performance standards are being met. A new building might have better security than an old one, which may reduce physical security risks. Newer firewall solutions generally provide better protection than older ones (if configured and maintained properly), which again could reduce risk.

27
Q

You are a member of an IT project team. The team is performing an IT risk analysis and has identified assets and their values as well as threats and threat mitigation solutions. What must be done next?

Perform a cost–benefit analysis of proposed risk solutions.

Calculate the ALE values.

Decide which vulnerabilities exist.

A

Calculate the ALE values.

The annual loss expectancy (ALE) values must be calculated now that threats have been identified and assets have been valued

28
Q

To reduce the likelihood of internal fraud, an organization implements policies to ensure that more than one person is responsible for a financial transaction from beginning to end. Which of the following best describes this scenario?

Probability

Mitigation solution

Impact analysis

A

Mitigation solution

Implementing policies for the internal control of transactions (separation of duties) is a mitigation solution: the threat is identified, and a control is put in place to reduce it.

29
Q

What is the difference between risk assessment and risk management?

They are the same thing.

Risk assessment identifies and prioritizes risks; risk management is the governing of risks to minimize their impact.

Risk management identifies and prioritizes risks; risk assessment is the governing of risks to minimize their impact.

A

Risk assessment identifies and prioritizes risks; risk management is the governing of risks to minimize their impact.

Risk assessment requires identification and prioritization of risks using either a relative ranking scale or objective numeric data. Managing those risks involves minimizing their impact on the business

30
Q

Identify the two drawbacks to quantitative risk analysis compared to qualitative risk analysis. (Choose two.)

Quantitative risk analysis entails complex calculations.

Risks are not prioritized by monetary value.

Quantitative analysis is more time-consuming than qualitative analysis.

It is difficult to determine how much money to allocate to reduce a risk.

A

Quantitative risk analysis entails complex calculations.

Quantitative analysis is more time-consuming than qualitative analysis.

Quantitative risk analysis involves complex, time-consuming calculations. Results are expressed as specific percentages or monetary values, even though estimated probability figures are used to arrive at them.

31
Q

Which of the following represent methods by which sensitive organizational information could be unintentionally leaked? (Choose two.)

Encrypted cloud backup

Social network apps on mobile phones

E-mail

NTFS file permissions

A

Social network apps on mobile phones

E-mail

Users could inadvertently post work-related messages, images, or documents through a social networking app. Sensitive organizational data could be contained in an e-mail message body or attached as a file. Data loss prevention (DLP) software on premises, in the cloud, or a hybrid of both can be configured to monitor these activities to prevent data leakage

32
Q

As an IT administrator, you are responsible for creating user accounts for newly hired employees. New hires must have a picture ID to obtain a network/e-mail account, and they must be given a PKI card to which they assign a PIN. Which term applies to the described process?

Onboarding

Offboarding

Data ownership

A

Onboarding

Adding new users to an identity management system is referred to as onboarding