Is the process of identifying and controlling the risks to an organization's information assets?


test bank MANAGEMENT of INFORMATION SECURITY, Fifth Edition


Name: Class: Date:
Chapter 06 - Risk Management: Identifying and Assessing Risk
Copyright Cengage Learning. Powered by Cognero.

1. Having an established risk management program means that an organization's assets are completely protected.
   a. True
   b. False
   ANSWER: False

2. The InfoSec community often takes on the leadership role in addressing risk.
   a. True
   b. False
   ANSWER: True

3. MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.
   a. True
   b. False
   ANSWER: False

4. The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.
   a. True
   b. False
   ANSWER: True

5. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.
   a. True
   b. False
   ANSWER: True

6. The secretarial community often takes on the leadership role in addressing risk. ____________
   ANSWER: False - InfoSec, infosec, Information Security, information security

7. An approach to combining risk identification, risk assessment, and risk appetite into a single strategy is known as risk protection. ___________
   ANSWER: False - analysis

8. Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. ____________
   ANSWER: False - vulnerabilities

9. The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk control. ____________
   ANSWER: False - identification

10. An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as exploit assessment. ____________
   ANSWER: False - threat

11. A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. ____________
   ANSWER: False - classification

12. The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ____________
   ANSWER: False - likelihood

13. The information technology management community of interest often takes on the leadership role in addressing risk. ____________
   ANSWER: False - infosec, information security

14. A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. ____________
   ANSWER: False - vulnerabilities

15. An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________
   ANSWER: False - qualitative

16. Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?
   a. General management must structure the IT and InfoSec functions
   b. IT management must serve the IT needs of the broader organization
   c. Legal management must develop corporate-wide standards
   d. InfoSec management must lead the way with skill, professionalism, and flexibility
   ANSWER: c

17. The identification and assessment of levels of risk in an organization describes which of the following?
   a. Risk analysis
   b. Risk identification
   c. Risk management
   d. Risk reduction
   ANSWER: a

18. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
   a. Creating an inventory of information assets
   b. Classifying and organizing information assets into meaningful groups
   c. Assigning a value to each information asset
   d. Calculating the severity of risks to which assets are exposed in their current setting
   ANSWER: d

19. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?
   a. Determining the likelihood that vulnerable systems will be attacked by specific threats
   b. Calculating the severity of risks to which assets are exposed in their current setting
   c. Assigning a value to each information asset
   d. Documenting and reporting the findings of risk identification and assessment
   ANSWER: c

20. Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
   a. Part number
   b. Serial number
   c. MAC address
   d. IP address
   ANSWER: d

21. Which of the following attributes of a network device is physically tied to the network interface?
   a. Serial number
   b. MAC address
   c. IP address
   d. Model number
   ANSWER: b

22. Which of the following attributes does NOT apply to software information assets?
   a. Serial number
   b. Controlling entity
   c. Manufacturer name
   d. Product dimensions
   ANSWER: d

23. Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
   a. Name
   b. MAC address
   c. Serial number
   d. Manufacturer's model or part number
   ANSWER: d

24. Data classification schemes should categorize information assets based on which of the following?
   a. Value and uniqueness
   b. Sensitivity and security needs
   c. Cost and replacement value
   d. Ease of reproduction and fragility
   ANSWER: b

25. Classification categories must be mutually exclusive and which of the following?
   a. Repeatable
   b. Unique
   c. Comprehensive
   d. Selective
   ANSWER: c

26. What is the final step in the risk identification process?
   a. Assessing values for information assets
   b. Classifying and categorizing assets
   c. Identifying and inventorying assets
   d. Listing assets in order of importance
   ANSWER: d

27. Once an information asset is identified, categorized, and classified, what must also be assigned to it?
   a. Asset tag
   b. Relative value
   c. Location ID
   d. Threat risk
   ANSWER: b

28. What should you be armed with to adequately assess potential weaknesses in each information asset?
   a. Properly classified inventory
   b. Audited accounting spreadsheet
   c. Intellectual property assessment
   d. List of known threats
   ANSWER: a

29. Which of the following is an example of a technological obsolescence threat?
   a. Hardware equipment failure
   b. Unauthorized access
   c. Outdated servers
   d. Malware
   ANSWER: c

30. Determining the cost of recovery from an attack is one calculation that must be made to identify risk; what is another?
   a. Cost of prevention
   b. Cost of litigation
   c. Cost of detection
   d. Cost of identification
   ANSWER: a

31. What is defined as specific avenues that threat agents can exploit to attack an information asset?
   a. Liabilities
   b. Defenses
   c. Vulnerabilities
   d. Weaknesses
   ANSWER: c

32. What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
   a. Risk exposure report
   b. Threats-vulnerabilities-assets worksheet
   c. Costs-risks-prevention database
   d. Threat assessment catalog
   ANSWER: b

33. The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset, minus the percentage of risk mitigated by current controls, plus the uncertainty of current knowledge of the vulnerability are each examples of _____.
   a. Vulnerability mitigation controls
   b. Risk assessment estimate factors
   c. Exploit likelihood equation
   d. Attack analysis calculation
   ANSWER: b

34. An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
   a. Risk determination
   b. Assessing potential loss
   c. Likelihood and consequences
   d. Uncertainty
   ANSWER: d

35. Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?
   a. Uncertainty percentage
   b. Asset impact
   c. Risk-rating factor
   d. Vulnerability likelihood
   ANSWER: a

36. Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.
   ANSWER: management

37. Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.
   ANSWER: likelihood probability

38. Classification categories must be ____________________ and mutually exclusive.
   ANSWER: comprehensive

39. As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.
   ANSWER: relative

40. As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.
   ANSWER: factor analysis factor table analysis table

41. Briefly describe any three standard categories of information asset and their respective risk management components.
   ANSWER:
   - The people asset is divided into internal personnel (employees) and external personnel (nonemployees). Insiders are further divided into those employees who hold trusted roles and therefore have correspondingly greater authority and accountability, and those regular staff members who do not have any special privileges. Outsiders consist of other users who have access to the organization's information assets, some trusted and some untrusted.
   - Procedures are assets because they are used to create value for the organization. They are divided into (1) IT and business standard procedures and (2) IT and business sensitive procedures.
   - The data asset includes information in all states: transmission, processing, and storage. This is an expanded use of the term "data," which is usually associated with databases, not the full range of information used by modern organizations.
   - Software is divided into applications, operating systems, and security components. Software that provides security controls may fall into the operating systems or applications category but is differentiated by the fact that it is part of the InfoSec control environment and must therefore be protected more thoroughly than other systems components.
   - Hardware is divided into (1) the usual systems devices and their peripherals and (2) the devices that are part of InfoSec control systems. The latter must be protected more thoroughly than the former.
   - Networking components include networking devices (such as firewalls, routers, and switches) and the systems software within them, which is often the focal point of attacks, with successful attacks continuing against systems connected to the networks.

42. For the purposes of relative risk assessment, how is risk calculated?
   ANSWER: Risk equals likelihood of vulnerability occurrence times value (or impact), minus percentage risk already controlled, plus an element of uncertainty.

43. List the stages in the risk identification process in order of occurrence.
   ANSWER:
   1. Plan and Organize Process
   2. Create System Component Categories
   3. Develop Inventory of Assets
   4. Identify Threats
   5. Specify Vulnerable Assets
   6. Assign Value or Impact Rating to Assets
   7. Assess Likelihood for Vulnerabilities
   8. Calculate Relative Risk Factor for Assets
   9. Preliminary Review of Possible Controls
   10. Document Findings

44. What does it mean to 'know the enemy' with respect to risk management?
   ANSWER: Once an organization becomes aware of its weaknesses, managers can take up Sun Tzu's second dictum: Know the enemy. This means identifying, examining, and understanding the threats facing the organization's information assets. Managers must be fully prepared to identify those threats that pose risks to the organization and the security of its information assets.

45. What strategic role do the InfoSec and IT communities play in risk management? Explain.
   ANSWER:
   - InfoSec - Because members of the InfoSec community best understand the threats and attacks that introduce risk, they often take a leadership role in addressing risk.
   - IT - This group must help to build secure systems and ensure their safe operation. For example, IT builds and operates information systems that are mindful of operational risks and have proper controls implemented to reduce risk.

46. What are the included tasks in the identification of risks?
   ANSWER:
   - Creating an inventory of information assets
   - Classifying and organizing those assets meaningfully
   - Assigning a value to each information asset
   - Identifying threats to the cataloged assets
   - Pinpointing vulnerable assets by tying specific threats to specific assets

47. Describe the use of an IP address when deciding which attributes to track for each information asset.
   ANSWER: This attribute is useful for network devices and servers but rarely applies to software. You can, however, use a relational database and track software instances on specific servers or networking devices. Many larger organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset-identification process very difficult.

48. How should the initial inventory be used when classifying and categorizing assets?
   ANSWER: The inventory should reflect the sensitivity and security priority assigned to each information asset. A classification scheme should be developed (or reviewed, if already in place) that categorizes these information assets based on their sensitivity and security needs.

49. Why is threat identification so important in the process of risk management?
   ANSWER: Any organization typically faces a wide variety of threats. If you assume that every threat can and will attack every information asset, then the project scope becomes too complex. To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end. At every step, the manager is called on to exercise good judgment and draw on experience to make the process function smoothly.

50. Discuss the trends in frequency of attacks and how that plays into a risk management strategy.
   ANSWER: The number of detected attacks is steadily decreasing; after a peak in 2000, fewer organizations have reported unauthorized use of their computer systems (i.e., hacking) every year. Meanwhile, the number of organizations reporting malware attacks has dramatically increased. Unfortunately, the number of organizations willing to report the number or costs of successful attacks is also decreasing. The fact is, almost every company has experienced an attack. Whether that attack was successful depends on the company's security efforts; whether the perpetrators were caught or the organization was willing to report the attack is another matter entirely.

Terms for questions 51 through 60:
   a. risk management
   b. risk analysis
   c. classification categories
   d. risk identification
   e. field change order
   f. threat assessment
   g. risk appetite
   h. qualitative assessment
   i. residual risk
   j. ranked vulnerability risk worksheet

51. Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.
   ANSWER: e

52. The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
   ANSWER: a

53. The quantity and nature of risk that organizations are willing to accept.
   ANSWER: g

54. Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.
   ANSWER: j

55. An approach to combining risk identification, risk assessment, and risk appetite into a single strategy.
   ANSWER: b

56. Remains even after current control has been applied.
   ANSWER: i

57. The recognition, enumeration, and documentation of risks to an organization's information assets.
   ANSWER: d

58. An evaluation of the dangers to information assets, including a determination of their potential to endanger the organization.
   ANSWER: f

59. An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.
   ANSWER: h

60. Labels that must be comprehensive and mutually exclusive.
   ANSWER: c

Is the process of identifying and controlling the risks to an organization's information assets?

Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings. These risks stem from a variety of sources including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents and natural disasters.

What is the process of identifying potential threats to an information asset?

What is a risk assessment? A cyber security risk assessment is the process of identifying and analyzing information assets, threats, vulnerabilities and incident impact in order to guide security strategy.

What is risk of an asset in information security?

After all, an information security risk must have something that's in jeopardy (an asset), an actor that can exploit it (a threat) and a way that they can happen (a vulnerability). If you've identified a vulnerability, but there is no threat to exploit it, you have little to no risk.

What is an asset in risk management?

What is a risk asset? A risk asset is any asset that carries a degree of risk. The term generally refers to assets that have a significant degree of price volatility, such as equities, commodities, high-yield bonds, real estate, and currencies.