Question 1

The intent of the ________ is to provide a clear overview of how an organization's IT infrastructure supports its overall business objectives.
A)risk register
B)corporate security policy
C)vulnerability source
D)threat assessment

Accepted Answer

The corporate security policy is a comprehensive document that outlines an organization's approach to information security. It should provide guidance on how IT infrastructure supports overall business objectives while aligning with the security objectives of the organization. A risk register provides an overview of identified risks and associated controls, a vulnerability source is a potential weakness in a system or process, and a threat assessment evaluates potential threats and their likelihood of occurrence. While these are all important components of information security, they do not specifically address the relationship between IT infrastructure and business objectives.

Question 2

Establishing security policy,objectives,processes and procedures is part of the ______ step.
A)plan
B)check
C)act
D)none of the above

Accepted Answer

Establishing security policy, objectives, processes, and procedures is part of the planning step in the Plan-Do-Check-Act (PDCA) cycle of continuous improvement.

Question 3

ISO details a model process for managing information security that comprises the following steps: plan,do,________,and act.

Accepted Answer

The answer of ISO details a model process for managing...

Question 4

_________ is a process used to achieve and maintain appropriate levels of confidentiality,integrity,availability,accountability,authenticity,and reliability.

Accepted Answer

The answer of _________ is a process used to achieve...

Question 5

The advantages of the _________ approach are that it doesn't require the expenditure of additional resources in conducting a more formal risk assessment and that the same measures can be replicated over a range of systems.
A)combined
B)informal
C)baseline
D)detailed

Accepted Answer

The advantages described in the sentence match the characteristics of a baseline approach, which uses a standard set of measures to establish a minimum level of security for systems. This approach is less resource-intensive than a detailed risk assessment and can be applied consistently to various systems. The other options - combined and informal - do not fit the advantages mentioned in the sentence.

Question 6

The advantages of the _________ risk assessment approach are that it provides the most detailed examination of the security risks of an organization's IT system and produces strong justification for expenditure on the controls proposed.

Accepted Answer

The answer of The advantages of the _________ risk assessment...

Question 7

A(n)_________ is anything that has value to the organization.

Accepted Answer

The answer of A(n)_________ is anything that has value to...

Question 8

A ________ is anything that might hinder or present an asset from providing appropriate levels of the key security services.
A)vulnerability
B)threat
C)risk
D)control

Accepted Answer

A threat is any potential danger to information or systems that might exploit a vulnerability to breach security and cause harm.

Question 9

The four approaches to identifying and mitigating risks to an organization's IT infrastructure are: baseline approach,detailed risk analysis,combined approach,and __________ approach.

Accepted Answer

The answer of The four approaches to identifying and mitigating...

Question 10

________ specification indicates the impact on the organization should the particular threat in question actually eventuate.
A)Risk
B)Consequence
C)Threat
D)Likelihood

Accepted Answer

Consequence specification refers to the potential impact that the occurrence of a particular threat may have on the organization. It describes the extent to which the threat could affect the organization's operations, reputation, finances, or other critical areas.

Question 11

The term ________ refers to a document that details not only the overall security objectives and strategies,but also procedural policies that define acceptable behavior,expected practices,and responsibilities.

Accepted Answer

The answer of The term ________ refers to a document...

Question 12

The aim of the _________ process is to provide management with the information necessary for them to make reasonable decisions on where available resources will be deployed.

Accepted Answer

The answer of The aim of the _________ process is...

Question 13

The results of the risk analysis should be documented in a _________.
A)journal
B)consequence
C)risk register
D)none of the above

Accepted Answer

The risk analysis results should be documented in a risk register, which is a tool used to track and manage identified risks throughout the project. This document includes information such as the risk description, likelihood and consequence of occurrence, risk owner, and any risk response plans. A journal is not a formal document for documenting risk analysis results, and consequence refers to the severity of a risk event rather than the documentation of the risk analysis process itself.

Question 14

The _________ approach involves conducting a risk analysis for the organization's IT systems that exploits the knowledge and expertise of the individuals performing the analysis.
A)baseline
B)combined
C)detailed
D)informal

Accepted Answer

The informal approach relies on the knowledge and expertise of the individuals conducting the risk analysis, rather than on strictly formalized procedures or methodologies.

Question 15

The __________ approach to risk assessment aims to implement a basic general level of security controls on systems using baseline documents,codes of practice,and industry best practice.

Accepted Answer

The answer of The __________ approach to risk assessment aims...

Question 16

The purpose of ________ is to determine the basic parameters within which the risk assessment will be conducted and then to identify the assets to be examined.
A)establishing the context
B)control
C)risk avoidance
D)combining

Accepted Answer

Establishing the context involves defining the scope and boundaries of the risk assessment, as well as identifying the assets to be examined in order to provide the necessary framework for the assessment process. Control, risk avoidance, and combining are not relevant to this step of the risk assessment process.

Question 17

A(n)_________ is a weakness in an asset or group of assets that can be exploited by one or more threats.

Accepted Answer

The answer of A(n)_________ is a weakness in an asset...

Question 18

_________ include management,operational,and technical processes and procedures that act to reduce the exposure of the organization to some risks by reducing the ability of a threat source to exploit some vulnerabilities.
A)Security controls
B)Risk appetite
C)Risk controls
D)None of the above

Accepted Answer

Security controls are processes and procedures implemented within an organization to mitigate risks by reducing the ability of a threat source to exploit vulnerabilities. Examples of security controls include access control mechanisms, firewalls, intrusion detection and prevention systems, and encryption. Risk appetite refers to an organization's willingness to accept risk, and risk controls are actions taken to mitigate a risk once it has been identified.

Question 19

The use of the _________ approach would generally be recommended for small to medium-sized organizations where the IT systems are not necessarily essential to meeting the organization's business objectives and additional expenditure on risk analysis cannot be justified.

Accepted Answer

The answer of The use of the _________ approach would...

Question 20

_________ is choosing to accept a risk level greater than normal for business reasons.
A)Risk avoidance
B)Reducing likelihood
C)Risk transfer
D)Risk acceptance

Accepted Answer

Risk acceptance is the process of recognizing a risk and choosing to take on that risk rather than attempt to avoid or mitigate it. This may be done for business reasons, such as the potential rewards outweighing the potential negative consequences.

Quiz 14: It Security Management and Risk Assessment

The intent of the ________ is to provide a clear overview of how an organization's IT infrastructure supports its overall business objectives.

Establishing security policy,objectives,processes and procedures is part of the ______ step.

ISO details a model process for managing information security that comprises the following steps: plan,do,________,and act.

_________ is a process used to achieve and maintain appropriate levels of confidentiality,integrity,availability,accountability,authenticity,and reliability.

The advantages of the _________ approach are that it doesn't require the expenditure of additional resources in conducting a more formal risk assessment and that the same measures can be replicated over a range of systems.

The advantages of the _________ risk assessment approach are that it provides the most detailed examination of the security risks of an organization's IT system and produces strong justification for expenditure on the controls proposed.

A(n)_________ is anything that has value to the organization.

A ________ is anything that might hinder or present an asset from providing appropriate levels of the key security services.

The four approaches to identifying and mitigating risks to an organization's IT infrastructure are: baseline approach,detailed risk analysis,combined approach,and __________ approach.

________ specification indicates the impact on the organization should the particular threat in question actually eventuate.

The term ________ refers to a document that details not only the overall security objectives and strategies,but also procedural policies that define acceptable behavior,expected practices,and responsibilities.

The aim of the _________ process is to provide management with the information necessary for them to make reasonable decisions on where available resources will be deployed.

The results of the risk analysis should be documented in a _________.

The _________ approach involves conducting a risk analysis for the organization's IT systems that exploits the knowledge and expertise of the individuals performing the analysis.

The __________ approach to risk assessment aims to implement a basic general level of security controls on systems using baseline documents,codes of practice,and industry best practice.

The purpose of ________ is to determine the basic parameters within which the risk assessment will be conducted and then to identify the assets to be examined.

A(n)_________ is a weakness in an asset or group of assets that can be exploited by one or more threats.

_________ include management,operational,and technical processes and procedures that act to reduce the exposure of the organization to some risks by reducing the ability of a threat source to exploit some vulnerabilities.

The use of the _________ approach would generally be recommended for small to medium-sized organizations where the IT systems are not necessarily essential to meeting the organization's business objectives and additional expenditure on risk analysis cannot be justified.

_________ is choosing to accept a risk level greater than normal for business reasons.