MIS 416 Exam 2/Final questions with complete solutions!!, Exams of Nursing


Typology: Exams

2024/2025

Available from 06/09/2025

edna-obita-1

MIS 416 Exam 2/Final questions with complete solutions!!

Place the following in the correct order for risk management.
A) rank risks
B) analyze risks
C) identify risk
D) treat risks
E) monitor and review risks
CORRECT ANSWER -C B A D E
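The five steps in that order (identify, analyze, rank, treat, monitor and review) as a small executable risk register. This is an added example, not part of the exam material or any course text: the 1-5 likelihood and impact scales, the tolerance of 6, the avoid threshold of 20 and the four sample risks are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Qualitative 1-5 scales; labels and numbers are assumptions for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: str
    impact: str
    score: int = 0
    treatment: str = "untreated"


def identify(raw_entries):
    """Step 1, identify: build register entries from (id, description, likelihood, impact)."""
    return [Risk(rid, desc, lik, imp) for rid, desc, lik, imp in raw_entries]


def analyze(risks):
    """Step 2, analyze: score each risk as likelihood x impact on the 1-5 scales."""
    for r in risks:
        r.score = LIKELIHOOD[r.likelihood] * IMPACT[r.impact]
    return risks


def rank(risks):
    """Step 3, rank: highest score first; ties broken by id so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score, r.rid))


def treat(risks, tolerance, avoid_at=20):
    """Step 4, treat: accept within tolerance, avoid (remove from service) in the top
    band, mitigate everything in between.  Transfer/share is a business decision this
    example does not model.  Both thresholds are assumptions."""
    for r in risks:
        if r.score <= tolerance:
            r.treatment = "accept"
        elif r.score >= avoid_at:
            r.treatment = "avoid"
        else:
            r.treatment = "mitigate"
    return risks


def monitor(risks, tolerance, updates):
    """Step 5, monitor and review: re-score risks whose likelihood/impact changed
    (e.g. after a supply-chain or personnel change) and return the ids whose
    treatment decision is no longer valid."""
    changed = []
    for r in risks:
        if r.rid in updates:
            old = r.treatment
            r.likelihood, r.impact = updates[r.rid]
            analyze([r])
            treat([r], tolerance)
            if r.treatment != old:
                changed.append(r.rid)
    return changed


# Constructed sample register (not real findings).
SAMPLE = [
    ("R1", "Unsupported OS on payroll server", "likely", "major"),
    ("R2", "Legacy FTP service exposing customer data", "almost certain", "severe"),
    ("R3", "Laptops without full-disk encryption", "possible", "moderate"),
    ("R4", "Printer firmware out of date", "unlikely", "minor"),
]
TOLERANCE = 6  # assumed organisational risk tolerance on the 1-25 scale


def run_register(raw=SAMPLE, tolerance=TOLERANCE):
    """Runs identify -> analyze -> rank -> treat and returns (id, score, treatment) rows."""
    risks = treat(rank(analyze(identify(raw))), tolerance)
    return [(r.rid, r.score, r.treatment) for r in risks]


if __name__ == "__main__":
    for row in run_register():
        print(row)
```

The order matters: ranking before treating lets the register drive the action plan, and the monitor step is what re-opens a decision when supply-chain, personnel or merger changes move a score across the tolerance line.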

Clear and effective security risk assessment reporting requires that the contents of the report be perceived as (check all that apply)
A) unambiguous
B) nonthreatening
C) accurate
D) relevant
E) actionable
CORRECT ANSWER -A B C D

Which of the following can affect the state of risks?
A) Risk levels of competitors
B) Supply Chain changes
C) Personnel changes
D) Mergers
CORRECT ANSWER -B C D

In addition to the data captured in your risk assessment template, exceptions and mitigation plans need to include the following information EXCEPT:
A) Budget Process
B) Business justification for the risk
C) Mitigation action items, long- and short-term
D) Policy exceptions/risk acceptance approval and time frame
CORRECT ANSWER -A

Action plans are a necessary output of the risk assessment process so that recommendations can be acted upon quickly once the assessment is approved. T/F? - CORRECT ANSWER -T

A gap analysis report documents differences between what is mitigated and what is NOT mitigated, resulting in a gap in security. T/F? - CORRECT ANSWER -T

What information should you include in your report for management when you present your recommendations?
A) affinity diagram, POAM, and CBA
B) stakeholders, key stakeholders, and C-level stakeholders
C) recommendation, justification, and procedure
D) findings, recommendation cost and time frame, and cost-benefit analysis
CORRECT ANSWER -D

Which of the following is NOT part of a risk report structure?
A) Risk Report Memorandum
B) Base Report
C) Executive-Level Report
D) Appendices
E) Exhibits
CORRECT ANSWER -A

The final summary of risks, impacts, rationales, and treatments is called what?
A) A Threat-Control-Vulnerability-Impact Catalog
B) A Risk Catalog
C) A Risk Index
D) A Risk Register
CORRECT ANSWER -D

Which of the following is NOT a risk evaluation step?
A) Determine severity of threat/vulnerability
B) Determine risk exposure (including risk sensitivity)
C) Determine likelihood of threat/vulnerability
D) Determine residual risk level
E) Identify the key components
CORRECT ANSWER -E

The final phase of the security risk assessment is to create a(n) ________ that addresses all security risks identified in the ___________.
A) Final report, risk assessment
B) Final report, Action plan
C) Action plan, final report
D) Action plan, data gathering phase
E) Risk report, risk assessment
CORRECT ANSWER -C

A risk assessment ends with a report. T/F? - CORRECT ANSWER -T

The objective in risk assessment reporting is to assign blame to those who pose risks. T/F? - CORRECT ANSWER -F

There is only one way to format and organize a risk assessment report. T/F? - CORRECT ANSWER -F

Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. T/F? - CORRECT ANSWER -F

The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication. T/F? - CORRECT ANSWER -T

The COSO framework is built on eight interrelated components. Which of the following is NOT one of them?
A) Risk assessment
B) InfoSec Governance
C) Monitoring
D) Risk response
CORRECT ANSWER -B

It is important to understand that not all frameworks are created as equivalents. Let's look at the differences between FAIR and OCTAVE. Which statement is NOT true?
A) OCTAVE is more flexible and customizable
B) FAIR is more quantitative and prescriptive
C) FAIR addresses a wider range of security and risk assessment issues than OCTAVE
D) OCTAVE is lower level, more methodological
CORRECT ANSWER -C

What are the seven COBIT enablers?
A) covering the enterprise end-to-end; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and applying a single integrated framework
B) meeting stakeholder needs; processes; enabling a holistic approach; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies
C) meeting stakeholder needs; covering the enterprise end-to-end; applying a single integrated framework; enabling a holistic approach; information; separating governance from management; and people, skills, and competencies
D) principles, policies, and frameworks; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies
CORRECT ANSWER -D

COBIT worked with ISACA to develop ITGI. T/F? - CORRECT ANSWER -F

All of the following are risk treatments in different frameworks except?
A) Accept
B) Defer
C) Ignore
D) Transfer
E) Mitigate
F) Avoid
CORRECT ANSWER -C

The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
A) risk treatment
B) risk determination
C) risk communication
D) risk assessment
CORRECT ANSWER -B

What does FAIR's BRAG rely on to build the risk management framework that is unlike many other risk management frameworks?
A) subjective prioritization of controls
B) quantitative valuation of safeguards
C) risk analysis estimates
D) qualitative assessment of many risk components
CORRECT ANSWER -B

The Information Technology Infrastructure Library (ITIL) defines the organizational structure and skill requirements of an IT organization and a set of standard operational procedures and practices that allow the organization to manage an IT operation and associated infrastructure. T/F? - CORRECT ANSWER -T

Security risk decision variables include all the following aspects EXCEPT
A) Severity of the impact
B) Likelihood that a vulnerability will be exploited
C) Value of the asset
D) Weakness of the security
CORRECT ANSWER -D

In information security, a framework or security model customized to an organization, including implementation details, is known as a floor plan. T/F? - CORRECT ANSWER -F

What is the first step in applying the RMF?
A) Select an initial set of baseline security controls
B) Categorize the information system and the information processed
C) Authorize information system operation based on risk determination
D) Assess the security controls using appropriate assessment procedures
CORRECT ANSWER -B

Which of the following is NOT a purpose of ISO/IEC 27001:2005?
A) Implementation of business-enabling information security
B) Use to form information technology governance
C) Use within an organization to ensure compliance with laws and regulations
CORRECT ANSWER -B

KRIs measure how risky an activity is. T/F? - CORRECT ANSWER -T

Analyzing monitoring results gives organizations the capability to maintain awareness of the risk being incurred, highlight the need to revisit other steps in the risk management process, and initiate process improvement activities as needed. T/F? - CORRECT ANSWER -T

Change management ensures that similar systems have the same, or at least similar, configurations. T/F? - CORRECT ANSWER -F

Organizations employ risk monitoring tools, techniques, and procedures to increase risk awareness. T/F? - CORRECT ANSWER -T

In addition to deciding on appropriate monitoring activities across the risk management tiers, organizations also decide how monitoring is to be conducted (e.g., automated or manual approaches) and the frequency of monitoring activities. T/F? - CORRECT ANSWER -T

Which of the following orders is consistent with the KPI, KPx and KRI formation?
A) metrics, KPR, KPI, KPx, Dashboard
B) metrics, KPx, KPR, KPI, Dashboard
C) metrics, KPI, KPR, KPx, Dashboard
D) metrics, KPI, KPx, KRI, Dashboard
CORRECT ANSWER -D

All of the following are KPI types except:
A) Threshold
B) Milestone
C) Esoteric
D) Qualitative
CORRECT ANSWER -C

Configuration management is the same as change management. T/F? - CORRECT ANSWER -F

Order the following for measuring and incorporating metrics.
A) Mature measurements
B) Design and select metric system
C) Manage measurements
D) Business case
E) Test metrics
F) Launch metrics
G) Determine requirement
H) Develop metrics
CORRECT ANSWER -G D B H E F C A

Organizations can only implement risk monitoring at risk management tiers 1 and 2. T/F? - CORRECT ANSWER -F

Which of the following is a Tier 1 risk monitoring activity?
A) Penetration Testing
B) Ongoing threat assessments
C) Analysis of new or current technologies
D) Automated monitoring of standard configuration settings for IT products
E) Vulnerability scanning
CORRECT ANSWER -B

In Information Security, KPIs measure the performance or health of Information Security. T/F? - CORRECT ANSWER -T

A threshold KPI is significant when an index falls into a set range. T/F? - CORRECT ANSWER -T
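The metrics, KPI, KRI, dashboard chain from the ordering question above, the threshold KPI type, and the distinction between a KPI (health of the security function) and a KRI (how risky an activity is) in one runnable example. This is added illustration, not course material: the patch-latency metrics, the 14-day SLA, the band boundaries and the risk appetite are constructed values.

```python
# Constructed metrics: days each host took to apply its last critical patch.
PATCH_DAYS = {"web-01": 3, "web-02": 9, "db-01": 21, "app-01": 12, "app-02": 35, "vpn-01": 2}
SLA_DAYS = 14          # assumed patching SLA
RISK_APPETITE = 10     # assumed tolerated host-days of exposure beyond the SLA

# Threshold-KPI bands as (name, lower bound inclusive, upper bound exclusive); assumed.
BANDS = [("red", 0.0, 80.0), ("amber", 80.0, 95.0), ("green", 95.0, 100.1)]


def patch_within_sla_kpi(days_by_host, sla=SLA_DAYS):
    """KPI: percentage of hosts patched within the SLA, derived from the raw metrics."""
    if not days_by_host:
        return 0.0
    on_time = sum(1 for d in days_by_host.values() if d <= sla)
    return round(100.0 * on_time / len(days_by_host), 1)


def threshold_band(value, bands=BANDS):
    """Threshold KPI: the indicator is significant when the index falls into a set range."""
    for name, lo, hi in bands:
        if lo <= value < hi:
            return name
    raise ValueError(f"value {value} lies outside every band")


def overdue_exposure_kri(days_by_host, sla=SLA_DAYS):
    """KRI: host-days of exposure beyond the SLA.  Unlike the KPI, which reports health,
    this number grows with how risky the activity is and is compared to risk appetite."""
    return sum(d - sla for d in days_by_host.values() if d > sla)


def dashboard(days_by_host=PATCH_DAYS, sla=SLA_DAYS, appetite=RISK_APPETITE):
    """metrics -> KPI -> KRI -> dashboard row."""
    kpi = patch_within_sla_kpi(days_by_host, sla)
    band = threshold_band(kpi)
    kri = overdue_exposure_kri(days_by_host, sla)
    return {
        "kpi_pct_within_sla": kpi,
        "kpi_band": band,
        "kpi_significant": band != "green",      # threshold crossed, worth escalating
        "kri_overdue_host_days": kri,
        "kri_breaches_appetite": kri > appetite,  # KRI judged against risk appetite
        "hosts_over_sla": sorted(h for h, d in days_by_host.items() if d > sla),
    }


if __name__ == "__main__":
    for key, value in dashboard().items():
        print(f"{key}: {value}")
```

Note that the KPI and the KRI move independently: one badly overdue host barely dents the percentage but dominates the exposure figure, which is why a KRI, not a KPI, is the thing tied to risk appetite.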

Select all of the following that risk monitoring allows organizations to do:
A) Avoid performing risk assessments
B) Verify compliance
C) Determine the ongoing effectiveness of risk response measures
D) Evaluate the costs and benefits of different security controls
E) Identify risk-impacting changes to organization information systems
CORRECT ANSWER -B C E

PRAGMATIC is a
A) Cyber Security Framework
B) Risk Assessment Approach
C) Threat Catalog
D) Security Measurement System
E) Government Regulation
CORRECT ANSWER -D

A CBA helps determine if you should use a safeguard. T/F? - CORRECT ANSWER -T

What is NOT one of the three primary objectives of controls? A) eliminate B) correct

What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
A) exposure factor
B) cost-benefit analysis
C) single loss expectancy
D) annualized rate of occurrence
CORRECT ANSWER -B

Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance. T/F? - CORRECT ANSWER -T

What type of control ensures that account management is secure?
A) access management controls
B) access controls
C) account management controls
D) account controls
CORRECT ANSWER -C

____________ mitigate(s) risk.
A) Assessments
B) Management
C) Controls
D) Databases
CORRECT ANSWER -C

How your organization starts its risk mitigation process depends entirely on the type of organization you are working in. T/F? - CORRECT ANSWER -F

The risk control strategy where the organization is willing to accept the current level of risk and makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy. T/F? - CORRECT ANSWER -F

What is Risk Acceptance?
A) The appropriate risk response when the identified risk is within the organizational risk tolerance.
B) The acceptance of what the actual risk is
C) How appropriate the risk can be to the situation
D) None of the above
CORRECT ANSWER -A

You will never need to replace in-place controls. T/F? - CORRECT ANSWER -F

What does the Assign Security Risk help with?
A) Based on business mission and other factors, accept the identified security risk
B) All the above
C) Purchase insurance to assign or transfer the security risk to another party
D) Reduce specific security risk
CORRECT ANSWER -C

What is the purpose of a risk mitigation plan?
A) to reduce threats
B) to implement approved countermeasures
C) to bolster a risk assessment
D) to ensure compliance
CORRECT ANSWER -B

The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy. T/F? - CORRECT ANSWER -T

SLE is
A) AV - EF
B) AV + ALE
C) AV x EF
D) AV / EF
CORRECT ANSWER -C

The criterion most commonly used when evaluating a strategy to implement InfoSec controls is economic feasibility. T/F? - CORRECT ANSWER -T

Asset valuation is a listing or grouping of assets under an assessment. T/F? - CORRECT ANSWER -F

The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. T/F? - CORRECT ANSWER -F

Which of the following is a type of safeguard cost?
A) Orientation Cost
B) Selling Cost
C) Training Cost
D) Employment Cost
CORRECT ANSWER -C

Organizations can implement risk monitoring at any of the risk management tiers with different objectives and utility of information produced. T/F? - CORRECT ANSWER -T

OCTAVE is one of the many frameworks available. Although heavy and labor intensive, it includes innovative approaches. One of the unique aspects of OCTAVE is the pools of mitigation approaches. The pools used include everything but?
A) Mitigate or Defer
C) maintenance
D) CBA report
CORRECT ANSWER -C

Logs need to be reviewed. T/F? - CORRECT ANSWER -T

What is NOT a best practice for enabling a risk mitigation plan from your risk assessment?
A) Stay within the scope.
B) Control the schedule.
C) Create a new POAM.
D) Control the costs.
CORRECT ANSWER -C

ALE is:
A) SLE x ARO
B) SLE - ARO
C) SLE / ARO
D) ARO * EF
CORRECT ANSWER -A

Loss Before Countermeasure - Loss After Countermeasure = Countermeasure Value. T/F? - CORRECT ANSWER -F

What is a significant part of the step of evaluating controls and determining which controls to implement?
A) BCPs
B) DRPs
C) CBAs
D) DMZs
CORRECT ANSWER -C

A best practice for enabling a risk mitigation plan from your risk assessment is prioritizing countermeasures. T/F? - CORRECT ANSWER -T

When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being exploited. T/F? - CORRECT ANSWER -T

Risk mitigation plans help determine the numerical values for the risk formula, which is Risk = Threat x Vulnerability. T/F? - CORRECT ANSWER -F

When converting a risk assessment to a risk mitigation plan, you may need to verify the risk elements. T/F? - CORRECT ANSWER -T

Which of the following is NOT a valid rule of thumb on risk control strategy selection?
A) When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
B) When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
C) When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.
D) When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
CORRECT ANSWER -A

The security risk for each vulnerability found during the gathering phase can be addressed through all of the following EXCEPT:
A) Reduce Security Risk
B) Avoid Security Risk
C) Accept Security Risk
D) Ignore Security Risk
CORRECT ANSWER -D

Which phase of the information security measurement system lifecycle involves gaining a solid appreciation of the organization's information security-related information needs?
A) Phase 4
B) Phase 3
C) Phase 8
D) Phase 1
CORRECT ANSWER -D

KPIs do not necessarily need to be tied to organizational strategy. T/F? - CORRECT ANSWER -F

Risk monitoring provides organizations the means to (click all that apply):
A) determine the ongoing effectiveness of risk response measures
B) identify risk-impacting changes to organizational information systems and environments of operation
C) assess risk
D) verify compliance
CORRECT ANSWER -A B D

Key Performance Indicators monitor risk appetite. T/F? - CORRECT ANSWER -F

Change management is a process that ensures that changes are made only after a review process. T/F? - CORRECT ANSWER -T

Risk monitoring provides organization with the means to verify compliance, determine the effectiveness of risk measures, and identify risk-impacting changes to organizational

Ensuring that controls are effective is a best practice for risk mitigating security controls. T/F? - CORRECT ANSWER -T

The second step of becoming ISO 27002 certified involves implementing best practices. T/F? - CORRECT ANSWER -F

ISO 27005's Risk Assessment steps include everything but?
A) Consequence Identification
B) Existing Control Identification
C) Threat Identification
D) Risk elimination
E) Vulnerability Identification
F) Asset Identification
CORRECT ANSWER -D

Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. T/F? - CORRECT ANSWER -T

Another term for data range and reasonableness checks is ______________.
A) reasonableness range
B) input validation
C) input checks
D) data validation
CORRECT ANSWER -B
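What "range and reasonableness checks" look like as actual input validation code, as an added example that is not part of the exam or any course material. It assumes a purchase-order record shape that the question does not specify; the schema, the limits and the sample records are constructed.

```python
from datetime import date

# Assumed purchase-order schema: field -> (min, max) for the range checks.
RANGES = {
    "quantity": (1, 10_000),
    "unit_price": (0.01, 1_000_000.0),
}
SINGLE_ORDER_LIMIT = 250_000.0   # assumed reasonableness ceiling on the line total
MAX_ORDER_AGE_DAYS = 365         # assumed: orders older than a year are not plausible
TODAY = date(2025, 6, 9)         # fixed "today" so the example is deterministic


def _is_number(v):
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def validate_order(rec, today=TODAY):
    """Returns a list of violations; an empty list means the record passed.

    Range checks bound each field on its own.  Reasonableness checks ask whether the
    values make sense in context and in combination: the date is not in the future or
    implausibly old, and quantity x price is a total the business would ever place."""
    errors = []
    passed = {}
    for field, (lo, hi) in RANGES.items():
        v = rec.get(field)
        if not _is_number(v):
            errors.append(f"{field}: missing or not numeric")
        elif not lo <= v <= hi:
            errors.append(f"{field}: {v} outside [{lo}, {hi}]")
        else:
            passed[field] = v

    try:
        order_date = date.fromisoformat(rec.get("order_date"))
    except (TypeError, ValueError):
        errors.append("order_date: missing or not an ISO date")
    else:
        if order_date > today:
            errors.append("order_date: in the future")
        elif (today - order_date).days > MAX_ORDER_AGE_DAYS:
            errors.append(f"order_date: older than {MAX_ORDER_AGE_DAYS} days")

    # Cross-field reasonableness check, only on values that already passed their ranges.
    if "quantity" in passed and "unit_price" in passed:
        total = passed["quantity"] * passed["unit_price"]
        if total > SINGLE_ORDER_LIMIT:
            errors.append(f"total: {total:.2f} exceeds single-order limit {SINGLE_ORDER_LIMIT:.2f}")
    return errors


# Constructed sample records.
GOOD_ORDER = {"quantity": 40, "unit_price": 19.99, "order_date": "2025-06-01"}
BAD_ORDER = {"quantity": 0, "unit_price": "19.99", "order_date": "2026-01-01"}
BIG_ORDER = {"quantity": 9_000, "unit_price": 500.0, "order_date": "2025-06-01"}

if __name__ == "__main__":
    for name, rec in (("good", GOOD_ORDER), ("bad", BAD_ORDER), ("big", BIG_ORDER)):
        print(name, validate_order(rec) or "ok")
```

The point of collecting every violation rather than failing on the first is that the same control doubles as a detective measure: the list is what you log, and a burst of out-of-range records from one source is itself a signal.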

As a top-level executive at your own company, you are worried that your employees may steal confidential data too easily by downloading and taking home data onto thumb drives. What is the best way to prevent this from happening?
A) Hold a seminar that explains to employees why the use of thumb drives in the workplace is a security hazard.
B) Install a technical control to prevent the use of thumb drives.
C) Instruct higher level employees to inform their employees that the use of a thumb drive is a fireable offense.
D) Create and enforce a written company policy against the use of thumb drives, and install technical controls on the computers that will prevent the use of thumb drives.
CORRECT ANSWER -D

A best practice for enabling a risk mitigation plan from your risk assessment is staying within scope. T/F? - CORRECT ANSWER -T

What is NOT an example of an intangible value?
A) Future loss
B) Customer influence
C) Cost of gaining a consumer
D) Data
CORRECT ANSWER -D

Key Risk Indicators should be tied to one or more Key Performance Indexes. T/F? - CORRECT ANSWER -T

ROSI = reduction in risk exposure / investment in countermeasures. T/F? - CORRECT ANSWER -T
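The quantitative formulas the questions above ask about (SLE = AV x EF, ALE = SLE x ARO, CBA = ALE(prior) - ALE(post) - ACS, why "loss before minus loss after" alone is not the countermeasure value, and ROSI) carried through one scenario in code. This is an added example, not from the exam or any textbook; the asset value, exposure factors, ARO and the two safeguards with their costs are constructed.

```python
def sle(asset_value, exposure_factor):
    """Single loss expectancy: SLE = AV x EF, with EF the fraction (0..1) of the asset lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss_expectancy, annualized_rate_of_occurrence):
    """Annualized loss expectancy: ALE = SLE x ARO (ARO may be fractional; 0.5 = once every two years)."""
    return single_loss_expectancy * annualized_rate_of_occurrence


def cba(ale_before, ale_after, annual_cost_of_safeguard):
    """Cost-benefit analysis: CBA = ALE(prior) - ALE(post) - ACS.
    Positive means the safeguard saves more per year than it costs; this, not the bare
    ALE reduction, is the countermeasure's value."""
    return ale_before - ale_after - annual_cost_of_safeguard


def rosi(ale_before, ale_after, annual_cost_of_safeguard):
    """ROSI as the question states it: reduction in risk exposure / investment.
    Many texts subtract the investment first, (reduction - cost) / cost; that form is this value minus 1."""
    if annual_cost_of_safeguard <= 0:
        raise ValueError("investment must be positive")
    return (ale_before - ale_after) / annual_cost_of_safeguard


def evaluate_safeguard(av, ef_before, aro_before, ef_after, aro_after, acs):
    """Runs the full chain for one safeguard and returns the figures a CBA report would carry."""
    ale_before = ale(sle(av, ef_before), aro_before)
    ale_after = ale(sle(av, ef_after), aro_after)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "ale_reduction": ale_before - ale_after,   # "loss before - loss after" on its own
        "cba": cba(ale_before, ale_after, acs),
        "rosi": rosi(ale_before, ale_after, acs),
        "recommend": cba(ale_before, ale_after, acs) > 0,
    }


# Constructed scenario: a customer database valued at $500,000; a breach is expected
# every two years (ARO 0.5) and today would expose 60% of its value (EF 0.6).
# Safeguard A (encryption at rest plus key management) cuts EF to 0.1 for $40,000/year.
# Safeguard B (a managed DLP service) cuts EF to 0.05 but costs $140,000/year.
AV, EF0, ARO0 = 500_000.0, 0.6, 0.5
SAFEGUARD_A = dict(ef_after=0.1, aro_after=0.5, acs=40_000.0)
SAFEGUARD_B = dict(ef_after=0.05, aro_after=0.5, acs=140_000.0)

if __name__ == "__main__":
    for name, sg in (("A", SAFEGUARD_A), ("B", SAFEGUARD_B)):
        print(name, evaluate_safeguard(AV, EF0, ARO0, **sg))
```

Safeguard B reduces loss by more than A yet fails the CBA, which is exactly the case the "Loss Before - Loss After = Countermeasure Value" question is probing: the reduction is the benefit, but the value only appears once the annual cost of the safeguard is subtracted.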

What is NOT one of the implementation methods of controls?
A) procedural
B) technical
C) physical
D) manual
CORRECT ANSWER -D