Question 1

Which of the following is a characteristic of the silo-based approach to cybersecurity?&#10;A) Compliance is discretionary.&#10;B) Security is the responsibility of the IT department.&#10;C) Little or no organizational accountability exists.&#10;D) All of the above

Accepted Answer

The silo-based approach to cybersecurity is characterized by a mindset where security is seen as solely the IT department's responsibility, often leading to a lack of organizational accountability and a perception that compliance is discretionary rather than mandatory. This approach can result in fragmented and less effective cybersecurity practices.

Question 2

At which of the following states of the CMM scale are there no documented policies and processes?&#10;A) Ad hoc&#10;B) Defined process&#10;C) Optimized&#10;D) Nonexistent

Accepted Answer

Ad hoc&#10;

Question 3

Which of the following best describes residual risk?&#10;A) The likelihood of occurrence of a threat&#10;B) The level of risk before security measures are applied&#10;C) The level of risk after security measures are applied&#10;D) The impact of risk if a threat is realized

Accepted Answer

Residual risk refers to the level of risk that remains after security measures have been applied. It is the risk that is not eliminated by existing controls.

Question 4

Which of the following statements best describes risk transfer?&#10;A) It shifts a portion of the risk responsibility or liability to other organizations.&#10;B) It shifts the entire risk responsibility to other organizations.&#10;C) It takes steps to eliminate or modify the risk.&#10;D) None of the above

Accepted Answer

Risk transfer involves shifting a portion of the risk responsibility or liability to other organizations, typically through contracts, insurance, or other means, rather than eliminating or fully transferring the risk.

Question 5

Which of the following is the objective of risk assessment?&#10;A) Identify the inherent risk&#10;B) Determine the impact of a threat&#10;C) Calculate the likelihood of a threat occurrence&#10;D) All of the above

Accepted Answer

Risk assessment aims to identify inherent risks, determine the impact of threats, and calculate the likelihood of threat occurrences, making all the options part of its objectives.

Question 6

Which of the following risk assessment methodologies was originally developed by CERT?&#10;A) FAIR&#10;B) OCTAVE&#10;C) RMF&#10;D) CMM

Accepted Answer

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) was developed by CERT, which is part of the Software Engineering Institute (SEI) at Carnegie Mellon University. It is designed to help organizations assess their information security risks.

Question 7

Which of the following risks relates to negative public opinion?&#10;A) Operational risk&#10;B) Strategic risk&#10;C) Financial risk&#10;D) Reputational risk

Accepted Answer

Reputational risk directly relates to negative public opinion, as it involves the potential for loss that a company might experience if its reputation is damaged.

Question 8

Which of the following statements best describes strategic risk?&#10;A) Risk that relates to monetary loss&#10;B) Risk that relates to adverse business decisions&#10;C) Risk that relates to loss resulting from inadequate or failed processes or systems&#10;D) Risk that relates to violations of laws, rules, regulations, or policy

Accepted Answer

Strategic risk involves risks that arise from making adverse business decisions or failing to implement decisions properly. It is concerned with the potential for losses that a company might face if its business strategy is not effectively executed or if it fails to respond adequately to changes in the external business environment.

Question 9

Which of the following is the magnitude of harm?&#10;A) Risk&#10;B) Threat&#10;C) Impact&#10;D) Vulnerability

Accepted Answer

The magnitude of harm is best described as the impact, which refers to the potential consequences or damage that can occur as a result of a threat exploiting a vulnerability.

Question 10

The two approaches to cybersecurity are silo-based and __________.&#10;A) integrated&#10;B) operational&#10;C) environmental&#10;D) strategic

Accepted Answer

The two approaches to cybersecurity are silo-based and integrated. The integrated approach emphasizes the importance of combining cybersecurity efforts across different departments and areas of an organization, as opposed to the silo-based approach, which isolates security measures within specific departments or areas.

Question 11

Which of the following refers to directives that codify organizational requirements?&#10;A) Guidelines&#10;B) Standards&#10;C) Policies&#10;D) Baselines

Accepted Answer

The answer of Which of the following refers to directives...

Question 12

Which of the following is the leading membership organization for Boards and Directors in the U.S.?&#10;A) ISO&#10;B) NIST&#10;C) CERT&#10;D) NACD

Accepted Answer

The answer of Which of the following is the leading...

Question 13

Which of the following is a systematic, evidence-based evaluation of how well an organization conforms to such established criteria as Board-approved policies, regulatory requirements, and internationally recognized standards, such as the ISO 27000 series?

A) Audit report
B) Cybersecurity audit
C) CMM
D) CISA

Accepted Answer

The answer of Which of the following is a systematic,...

Question 14

In the NIST Cybersecurity Framework, which governance subcategory references legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations?&#10;A) ID.GV-1&#10;B) ID.GV-2&#10;C) ID.GV-3&#10;D) ID.GV-4

Accepted Answer

The answer of In the NIST Cybersecurity Framework, which governance...

Question 15

Which of the following refers to how much of the undesirable outcome a risk taker is willing to accept in exchange for the potential benefit?&#10;A) Risk tolerance&#10;B) Risk mitigation&#10;C) Risk management&#10;D) Risk acceptance

Accepted Answer

The answer of Which of the following refers to how...

Question 16

Which of the following refers to the level of risk before security measures are applied?&#10;A) Residual risk&#10;B) Vulnerability&#10;C) Inherent risk&#10;D) Impact

Accepted Answer

The answer of Which of the following refers to the...

Question 17

Which of the following is the final step in the NIST Risk Assessment methodology?&#10;A) Communicate the results.&#10;B) Prepare for the assessment.&#10;C) Conduct the assessment.&#10;D) Maintain the assessment.

Accepted Answer

The answer of Which of the following is the final...

Question 18

Which of the following refers to the process of managing, directing, controlling, and influencing organizational decisions, actions, and behaviors?&#10;A) Governance&#10;B) Risk sharing&#10;C) Risk management&#10;D) CMM

Accepted Answer

The answer of Which of the following refers to the...

Question 19

OCTAVE is short for which of the following?&#10;A) Operationally Critical Threat, Assessment, and Vulnerability Evaluation&#10;B) Operationally Critical Threat, Asset, and Vulnerability Evaluation&#10;C) Optimized Critical Threat, Assessment, and Vulnerability Evaluation&#10;D) Optimized Critical Threat, Asset, and Vulnerability Evaluation

Accepted Answer

The answer of OCTAVE is short for which of the...

Question 20

Which of the following provides a model for understanding, analyzing, and quantifying information risk in quantitative financial and business terms?&#10;A) RMF&#10;B) NIST&#10;C) FAIR&#10;D) OCTAVE

Accepted Answer

The answer of Which of the following provides a model...

Deck 4: Governance and Risk Management