15 Cards in this Set
One of the primary steps in a quantitative risk analysis is to determine the annualized loss expectancy (ALE). How is the ALE calculated?

A. Single loss expectancy / Frequency per year
B. Asset value x 2.8
C. Single loss expectancy X Frequency per year
D. Asset value + (Single loss expectancy / Frequency per year)
C - Single loss expectancy X Frequency per year

A quantitative risk analysis calculates the ALE, which is the expected annual loss on an asset if the anticipated threats are realized. This value lets the company evaluate the financial implications of potential threats. ALE is calculated as the product of the Single Loss Expectancy (SLE) and the frequency per year, also known as the Annualized Rate of Occurrence (ARO). [Information Security and Risk Management]
An electricity provider must maintain documentation of its electronic security perimeter in precisely the way set forth in the North American Energy Reliability Corporation (NERC) Critical Infrastructure Protection documents, particularly CIP-005-1, or face significant daily fines. What is this an example of?

A. Standards
B. Baselines
C. Practices
D. Policies
A - Standards

A Standard is non-negotiable. It must be followed to the fullest extent. A Baseline is a minimum configuration that is required across all of an organization's technology. [Information Security and Risk Management]
Which of the following terms refers to a security hole that could result in an attack on a system?

A. Risk
B. Exposure
C. Threat
D. Vulnerability
D - Vulnerability

A 'vulnerability' refers to a security hole that could potentially be used by an attacker, resulting in an attack. It does not mean an attack has been made, only that the possibility exists. If an attacker uses a vulnerability, it is said to have been "exploited." [Information Security and Risk Management]
Before Joan can begin work at her new job, she must undergo a Criminal Background Check and participate in Security Awareness Training. What type of control are these preventative measures?

A. Technical Controls
B. Administrative Controls
C. Physical Controls
D. Resident Controls
B - Administrative Controls

Administrative controls are preventative in nature and include background checks, drug testing, and security training on the Human Resources side; they also include policies, procedures, and data classification. [Information Security and Risk Management]
After risks are mitigated, what is the amount of risk remaining called?

A. Annualized Loss Expectancy
B. Single Loss Expectancy
C. Residual Risk
D. Exposure Factor
C - Residual Risk

After a Risk Analysis is performed, controls may be implemented. The risk that remains and is not mitigated by the controls is called Residual Risk. [Information Security and Risk Management]
Which of the following has the highest potential to be a security hazard to a company that has well-defined security procedures?

A. An employee who performs critical duties is fired.
B. The Information Security Officer falls ill.
C. Grid power is lost for 3 hours
D. A web server containing employee performance data crashes.
A - An employee who performs critical duties is fired.

Among these choices, the greatest risk is from an employee performing critical duties being fired. He may be in a position to compromise security if he is disgruntled and wants to 'get back'. The other situations will be handled well, since the company has well-defined security procedures in place. [Information Security and Risk Management]
Senior management plans to implement a security policy that outlines what can and cannot be done with employees' e-mail for monitoring purposes and to address privacy issues. What would such a security policy be called?

A. Advisory
B. Issue-specific
C. System-specific
D. Organizational
B - Issue-specific

Issue-specific policies are also called functional implementing policies. They address specific issues that management feels need more explanation and attention. [Information Security and Risk Management]
Which of the following denotes the magnitude of potential losses due to a threat?

A. Risk
B. Exposure
C. Vulnerability
D. Loss
B - Exposure

Exposure is the magnitude of loss a potential vulnerability may cost an entity if it is exploited by a threat agent. [Information Security and Risk Management]
Which of the following contains general approaches that also provide the necessary flexibility in the event of unforeseen circumstances?

A. Policies
B. Standards
C. Procedures
D. Guidelines
D - Guidelines

Guidelines are general approaches that provide the necessary flexibility to handle emergencies. Guidelines may also be recommended approaches or actions for handling certain scenarios. [Information Security and Risk Management]
Non-enforced password management on servers and workstations would be defined as a:

A. Risk
B. Threat Agent
C. Vulnerability
D. Threat
C - Vulnerability

A vulnerability is a software, hardware, or procedural weakness that could be easily exploited by an attacker. Non-enforced password management on servers and workstations is a vulnerability. [Information Security and Risk Management]
Information such as data that is critical to a company needs to be properly identified and classified. In general, what are the guidelines to classify data?

A. Classify all data irrespective of format (digital, audio, video) excluding paper.
B. Classify only data that is digital in nature and exists on the company servers.
C. Classify all data irrespective of the format it exists in (paper, digital, audio, video)
D. Classify only data that is digital in nature and exists on the company servers, desktops and all computers in the company.
C - Classify all data irrespective of the format it exists in (paper, digital, audio, video)

It might appear that one only needs to classify "digital data". However, all data needs to be classified, irrespective of the format in which it exists. [Information Security and Risk Management]
In a secure network, personnel play a key role in the maintenance and promotion of security procedures. Which of the following roles is responsible for ensuring that the company complies with software license agreements?

A. Product-line manager
B. Process owner
C. Solution provider
D. Data analyst
A - Product-line manager

Product-line managers are responsible for ensuring that license agreements are complied with. They are also responsible for translating business objectives and specifications for the developer of a product or solution. [Information Security and Risk Management]
Once a risk assessment of a company is performed, threats and vulnerabilities are identified and the total / residual risk is determined. Which of the following is not one of the ways in which risk is handled?

A. Risk Inference
B. Risk Mitigation
C. Risk Acceptance
D. Risk Avoidance
A - Risk Inference

Risk Inference is not a valid way to handle risk. Risks are usually dealt with in four ways: risk mitigation, risk avoidance, risk transference and risk acceptance. [Information Security and Risk Management]
Steve is doing risk analysis as part of his company's Information Risk Management. He ends up with a calculation that the annualized loss expectancy (ALE) due to a virus attack on the company's network is $25000. He also calculates that the single loss expectancy (SLE) due to this event would be $25000. What can you say about the annualized rate of occurrence (ARO)?

A. The ARO will be greater than 1.0
B. The ARO will be less than 1.0
C. The ARO cannot be calculated in this case.
D. The ARO equals 1.0
D - The ARO equals 1.0

The annualized loss expectancy is the product of the single loss expectancy and the annualized rate of occurrence. In this instance, the ALE equals the SLE, hence the ARO equals 1.0. [Information Security and Risk Management]
Which of the following statements is not true with respect to the relationships between threat, vulnerability, exposure, countermeasure and risk?

A. A threat agent takes advantage of a vulnerability.
B. The probability of a fire causing damage is a risk.
C. A countermeasure can mitigate a vulnerability.
D. A vulnerability can expose a system to possible damage.
C - A countermeasure can mitigate a vulnerability.

A countermeasure usually mitigates a risk, not a vulnerability. A vulnerability is just the possibility that a risk may occur. [Information Security and Risk Management]