Information Systems

1. When would someone ask, “Would a reasonable person be expected to manage this risk?”

2. When a threat exploits a vulnerability, it results in a(n) __________.

3. As a top-level executive at your own company, you are worried that your employees may steal confidential data too easily by downloading and taking home data onto thumb drives. What is the best way to prevent this from happening?

4. Risk __________ is the practice of identifying, assessing, controlling, and mitigating risks.

5. What is NOT an example of an intangible value?

6. What is the primary reason to avoid risk?

7. Identify the true statement.

8. A _________ is the likelihood that a loss will occur.

9. Another term for risk mitigation is _______.

10. What are often the weakest links in IT security?

11. When risk is reduced to an acceptable level, the remaining risk is referred to as _________.

12. What is NOT an example of unintentional threat?

13. Identify the acronym that does NOT refer to an initiative taken by the government to help companies manage IT risks.

14. A(n) __________ is a computer joined to a botnet.

15. __________ damage for the sake of doing damage, and they often choose targets of opportunity.

16. Hardening the server refers to ____________.

17. A _____________ policy governs how patches are understood, tested, and rolled out to systems and clients.

18. What is a security policy?

19. What is the most commonly seen attack?

20. You are a disgruntled employee with a master’s degree in computer sciences who was recently laid off from a major technology company, and you want to launch an attack on the company. Where might you go to learn about vulnerabilities that you can exploit for your plan?

21. What is the function of job rotation?

22. CIPA is ________________.

23. What is NOT one of the three primary bureaus of the FTC?

24. FERPA applies to all of the following, EXCEPT ______________.

25. What are the six principles of PCI DSS?

26. When a fiduciary does not exercise due diligence, it can be considered __________.

27. What are the seven COBIT enablers?

28. What is NOT a standard or guideline for compliance that exists to assess and improve security?

29. In relation to risk management, IP stands for _________.

30. What ensures that federal agencies protect their data and assigns specific responsibilities for federal agencies?

31. POAM stands for _________.

32. After you present your recommendations, the managers can ___________, ___________, or _____________ your recommendations.

33. What are the four major categories of reporting requirements?

34. When should you establish objectives for your risk management plan?

35. Costs for solutions are often ____________.

36. Choose the most accurate statement with respect to creating a risk management plan.

37. What is the purpose of a POAM?

38. All of the following are steps involved in creating an affinity diagram, EXCEPT:

39. A risk management PM is also sometimes called a(n) ________________.

40. In a risk management plan, how should you complete the step of describing the procedures and schedules for accomplishment?

41. Formulas for quantitative risk assessments usually look at a period of _____________.

42. What are the two primary methods used to create a risk assessment?

43. When should you perform a risk assessment?

44. All of the following are major components of RAs, EXCEPT:

45. ____________ assessments are objective, while ___________ assessments are subjective.

46. What is NOT a benefit of a qualitative RA?

47. You run a bank and wish to update your physical security at each branch of your bank and to update the technological security of the bank’s private financial data. What is the best way to determine whether physical security or technological security has a higher priority of protection?

48. What is the Delphi Method?

49. ___________ is the negative result if the risk occurs.

50. Why should the people on the RA team be different from the people responsible for correcting deficiencies?

51. ____________ is the process of determining fair market value of an asset.

52. What is NOT something to consider when determining the value of an asset?

53. _____________ value is the cost to purchase a new asset.

54. What is an example of a Group Policy?

55. ______________ refers to how responsibilities are assigned.

56. Threat ___________ is a process used to identify possible threats on a system.

57. What may occur if you do NOT include the scope of the RA when defining it?

58. Addresses ______________ are automatically marked as spam.

59. The _____________ define(s) what the system does.

60. An exploit assessment is also known as a(n) ___________.

61. What is NOT one of the words in the ETL acronym?

62. A ___________ plan can help you identify steps needed to restore a failed system.

63. __________ refer(s) to when users or customers need a system or service.

64. What is NOT a way that you can measure the value of a system when determining if the system requires five nines?

65. An operating system is an example of a(n) ___________.

66. Most organizations use __________ to track hardware assets.

67. BIA is an important part of a(n) _____________, and it can also be part of a(n) __________.

68. What are the steps of a BCP?

69. A ___________ plan can help ensure that mission-critical systems continue to function after a disaster.

70. The two categories of IP are _______________ and _______________.

71. What does the principle of least privilege have in common with the principle of need to know?

72. A(n) ____________ assessment attempts to identify vulnerabilities that can actually be exploited.

73. What is NOT a benefit of the tools commonly used to perform vulnerability scans?

74. When performing threat assessments, it’s important to ensure you understand the system or application you are evaluating. In order to understand a given system or application, you need to understand all of the following EXCEPT:

75. Piggybacking is also known as _____________.

76. How do attackers deface websites?

77. Risk = which of the following?

78. Penetration testing is also known as ____________ testing.

79. What is a transaction in a database?

80. You run a successful casual dining restaurant in Virginia and are reviewing historical data in an attempt to identify potential threats to your business. What would NOT be helpful to you in this process?

