Question 1

A countermeasure reduces the potential risk.

Accepted Answer

A countermeasure is an action, device, procedure, or technique that reduces a threat, vulnerability, or attack by eliminating or preventing it, minimizing the harm it can cause, or discovering and reporting it so that corrective action can be taken.

Question 2

The Zachman Framework is an enterprise architecture framework.

Accepted Answer

The Zachman Framework is indeed an enterprise architecture framework that provides a structured way of viewing and defining an enterprise.

Question 3

The first step of a risk assessment is to identify threats and vulnerabilities.

Accepted Answer

The first step in a risk assessment is to identify assets and their value, not threats and vulnerabilities.

Question 4

Tangible assets include intellectual property, data, and organizational reputation.

Accepted Answer

Tangible assets include computers, facilities, supplies, and personnel. Intangible assets include intellectual property, data, and organizational reputation.

Question 5

A quantitative risk analysis does not assign monetary and numeric values to all facets of the risk analysis process.

Accepted Answer

A quantitative risk analysis does assign monetary and numeric values to all facets of the risk analysis process. A qualitative risk analysis does not assign monetary and numeric values to all facets of the risk analysis process.

Question 6

One of the disadvantages of qualitative risk analysis is that all results are subjective.

Accepted Answer

Qualitative risk analysis often relies on subjective judgments and perceptions, making its results potentially influenced by personal biases and interpretations.

Question 7

After an organization understands its total and residual risk, it must determine how to get rid of the risk.

Accepted Answer

After an organization understands its total and residual risk, it must determine how to handle, not get rid of, the risk.

Question 8

Policies are broad and provide the foundation for development of standards, baselines, guidelines, and procedures.

Accepted Answer

Policies are high-level statements that provide the guiding principles and framework for an organization's approach to security, compliance, and operations, serving as the foundation for the more specific and detailed development of standards, baselines, guidelines, and procedures.

Question 9

Commercial organizations usually classify data using five main classification levels: Top Secret, Secret, Confidential, Sensitive but Unclassified, and Unclassified.

Accepted Answer

Government or military organizations usually classify data using five main classification levels: Top Secret, Secret, Confidential, Sensitive but Unclassified, and Unclassified.

Question 10

The data custodian implements the information classification and controls after they are determined.

Accepted Answer

The data custodian is responsible for implementing the information classification and controls that are determined by the data owner or other authoritative entity, ensuring that the data is handled and protected according to its classification.

Question 11

What is the probability that a threat agent will exploit vulnerability and the impact if the threat is carried out?&#10;A) Exposure&#10;B) Countermeasure&#10;C) Risk&#10;D) Due diligence

Accepted Answer

The answer of What is the probability that a threat...

Question 12

Which of the following is an enterprise security architecture framework?&#10;A) MODAF&#10;B) TOGAF&#10;C) ITIL&#10;D) SABSA

Accepted Answer

The answer of Which of the following is an enterprise...

Question 13

According to the NIST SP 800-30, what is the last step of a risk assessment?&#10;A) Determine risk as a combination of likelihood and impact.&#10;B) Identify impact.&#10;C) Determine likelihood.&#10;D) Identify threats.

Accepted Answer

The answer of According to the NIST SP 800-30, what...

Question 14

Which threat agent group includes malicious users?&#10;A) Natural&#10;B) Human&#10;C) Technical&#10;D) Operational

Accepted Answer

The answer of Which threat agent group includes malicious users?&#10;A)...

Question 15

Which calculation uses the formula AV &#215; EF?&#10;A) SLE&#10;B) ARO&#10;C) ALE&#10;D) Cost-benefit analysis

Accepted Answer

The answer of Which calculation uses the formula AV &#215;...

Question 16

What is the calculation you should use for safeguard value?&#10;A) (ALE before safeguard) + (ALE after safeguard) - (annual cost of safeguard)&#10;B) (ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard)&#10;C) (ALE before safeguard) - (ALE after safeguard) + (annual cost of safeguard)&#10;D) (ALE before safeguard) + (ALE after safeguard) + (annual cost of safeguard)

Accepted Answer

The answer of What is the calculation you should use...

Question 17

Which risk handling method defines the acceptable risk level the organization can tolerate and reduces the risk to that level?&#10;A) Risk avoidance&#10;B) Risk transfer&#10;C) Risk mitigation&#10;D) Risk acceptance

Accepted Answer

The answer of Which risk handling method defines the acceptable...

Question 18

What is a baseline?&#10;A) Recommended actions that are more flexible than standards&#10;B) All the detailed actions that personnel are required to follow&#10;C) Mandatory actions that describe how policies will be implemented within an organization&#10;D) A reference point defined and captured to be used as a future reference

Accepted Answer

The answer of What is a baseline?&#10;A) Recommended actions that...

Question 19

Which type of data includes patents, trade secrets, and other information that could seriously affect the government if unauthorized disclosure occurred?&#10;A) Confidential&#10;B) Top secret&#10;C) Secret&#10;D) Sensitive

Accepted Answer

The answer of Which type of data includes patents, trade...

Question 20

Which role evaluates the security needs of the organization and develops the internal information security governance documents?&#10;A) Security administrator&#10;B) Security analyst&#10;C) Data custodian&#10;D) Data owner

Accepted Answer

The answer of Which role evaluates the security needs of...

Deck 4: Information Security Governance and Risk Management