Introducing Security: Aligning Asset and Risk Management Quiz Answers

Get All Weeks Introducing Security: Aligning Asset and Risk Management Quiz Answers

Week 01: Introducing Security: Aligning Asset and Risk Management Quiz Answers

Knowledge Check: Improving the Risk Assessment Process.

Q.1. ISO 27001 identifies how many steps in the risk assessment process? (D3, L1.4)

Q.2. The risk reporting phase consists of which elements? (D3, L1.4)

Documentation of the risk
Creation of a risk treatment plan (RTP)
Creating a Statement of Applicability (SoA)
All of these

Knowledge Check: Gathering Accurate Data.

Q.1. What is the difference between an interview and an oral history? (D3, L1.4)

There is no difference.
Interviews require a list or series of questions presented to a user or panel, and oral histories do not.
Oral histories require a list or series of questions presented to a user or panel, and interviews do not.
Interviews are based around record sets.

Q.2. Is there a potential risk when using observations as a means of gathering data? (D3, L1.4)

Yes
No

Q.3. Using the Grounded Theory technique moves data collection away from just assumptions and places it into something that is “real,” something that people can relate to. This technique can be applied to which of the following? (D3, L1.4)

Oral histories
Interviewing
Analyzing artifacts
It applies to none of these.

Risk Treatment Quiz answer

Q.1 All of the following are acceptable options used in the treatment of risk except which one? (D3, L1.4)

Remove
Ignore
Reduce
Transfer

Q.2. Risk mitigation is the process whereby the total risk (risk before treatment) is reduced to either a residual or acceptable level. What can be introduced to proactively help to reduce risk? (D3, L1.4)

Countermeasures
Firewalls
IDS systems
Safeguards

Q.3. Is it actually possible to avoid risk?  (D3, L1.4)

Yes
No
Sometimes

Q.4. You have decided to outsource your file storage to a third party (perhaps a cloud service provider). However, an incident has occurred and all of your company’s confidential data has been disseminated, including customer details. Who is ultimately responsible?  (D3, L1.4)

The third party
You (the organization)
It depends on the SLA or contract
It depends on jurisdictional control

Knowledge Check: Risk Treatment Process

Q.1. Which statement best shows the comparison of residual risk and acceptable risk? (D3, L1.4)

Acceptable risk is the result of transferring the risk to an insurer, while residual risk is the result of sharing the risk with a third-party service provider. 
Residual risk is the risk not mitigated by applying a control, while acceptable risk is a risk for which no treatment actions are taken.
Acceptable risk is the risk not mitigated by applying a control, while residual risk is a risk for which no treatment actions are taken.
They are two names for the same concept, which is the risk that management chooses to do nothing about.

Identify common risks and vulnerabilities.

Q.1. Which of the following is an example of organizational risk?  (D3, L1.3)

Earthquakes
Floods
Political change
All of these

Q.2. When considering the sources of known and emerging risks, which of the following sources can a security professional draw from that is not entirely internal? (D3, L1.3)

IDS/IPS systems
The risk registers
Vulnerability scans
Interviews

Q.3. When updating or maintaining vulnerability databases, one repository available to a security professionals the Common Vulnerabilities and Exposures (CVE). What does this repository provide? (D3, L1.3)

The results of private ethical penetration tests
Reference information about known general vulnerabilities and the potential exposures
Reference information on vendor-specific vulnerabilities and the potential exposures
The results of public ethical penetration tests

Q.4. What is the purpose of framing risk? (D3, L1.3)  

Assign responsibility or blame for high-risk systems, elements, or business processes.
Summarize the legal and regulatory context for risk management decisions.
Incorporate the latest threat intelligence into risk mitigation planning.
Make the risk easier to understand so decisions can be made.

Chapter 1 Quiz: Introducing Security and Aligning Asset Management to Risk Management

Q.1 What is the core objective of an information security program? (D1, L1.1)

To support the mission of the business
To dictate what the business does and how to do it securely.
To identify employees who fail to take proper security precautions for retraining or admonishment.
To demonstrate that the organization is compliant with security requirements in law, regulation or contracts.
What is meant by non-repudiation? (D1, L1.1)

Q.2. If a user does something (e.g., sends an email), they can’t later claim that they were not the sender.

Controls to protect the organization’s reputation from harm due to inappropriate social media postings by employees, even if on their private accounts and personal time.
It is part of the rules used in RuBAC to prevent unauthorized write-up.
It is a security feature that prevent session repay attack.
hat prevents session replay attacks

Q.3. Which of the following is not one of the four usual responses to risk, referred to in ISO/IEC 27005. (D3, L1.3)

Avoid
Accept
Mitigate
Remediate

Q.4. Regarding the IT asset management lifecycle, which resource is represented by the business’s people, processes, facilities, equipment, and corporate knowledge? (D1, L1.2)

Materials
Supplies
Assets
Outcomes

Q.5 What is a vulnerability? (D3, L1.3)

A systems component that fails under stress or wears out over time, which could lead to damage or loss.
A hazardous condition that could lead to a system outage.
A weakness in a system, service, process, or software.
Management decisions that underfund a security program.

Q.6. Why would we use CVSS? (D3, L1.3)

As part of systems security testing
To assess communications systems vulnerabilities
To share information with the security community regarding systems safety and security incidents
As part of risk assessment on identified or suspected vulnerabilities

Q.7. Scenario: Your organization’s chief risk officer is concerned about unintentional threat agents, or so-called self-inflicted attacks or disruptions. What advice would you offer? (D3, L1.4)

These are insidious examples of insider threats and are often people who do not respond to our security education, training, and awareness efforts. We need to be more aggressive in identifying them, retraining them, or letting them go.
These are primarily caused by poorly designed security systems or “do-it-yourself” controls we have had to try to make do with. We need significantly more resources to get better-quality security systems to face an ever-increasing threat.
Whether these agents are truly unintentional or not does not matter; we need to be more aggressive at scanning our systems for vulnerabilities and get those fixed or compensated for.
It may be that our security procedures, education, and training just aren’t clear and complete enough; our security appliance installation and configuration documentation may also be too complicated for our people to use correctly. Let’s do a thorough review and update accordingly.

Q.7. Which of the following statements is true regarding classification and categorization? (D1, L1.2)

They are two names for the same security process.
Classification is about handling and protection of assets, while categorization is about loss, impact, or compliance mandates.
Categorization is a process that groups assets having similar classifications.
They are two names for the same process of assessing impact.

Q.8.Which of the following is a common threat modeling approach? (D3, L1.4)

Attacker-centric
Asset-centric
System(software)-centric
All of these

Q.9. You are tasked with conducting a quantitative risk assessment and are calculating the annual lost expectancy. Which of the following variables do you need to complete this calculation? (D3, L1.4)