Question 1

The advantages of the _________ approach are that it doesn't require the expenditure of additional resources in conducting a more formal risk assessment and that the same measures can be replicated over a range of systems.

Accepted Answer

The advantages described in the sentence match the characteristics of a baseline approach, which uses a standard set of measures to establish a minimum level of security for systems. This approach is less resource-intensive than a detailed risk assessment and can be applied consistently to various systems. The other options - combined and informal - do not fit the advantages mentioned in the sentence.

Question 2

The intent of the ________ is to provide a clear overview of how an organization's IT infrastructure supports its overall business objectives.

Accepted Answer

The corporate security policy outlines how an organization's IT infrastructure supports its overall business objectives by providing standards and guidelines for the security of the company's technology assets. A risk register, vulnerability source, and threat assessment are all related to identifying, analyzing, and mitigating specific security risks, rather than providing an overview of the overarching IT infrastructure's support of business objectives.

Question 3

The aim of the _________ process is to provide management with the information necessary for them to make reasonable decisions on where available resources will be deployed.

Accepted Answer

The answer of The aim of the _________ process is...

Question 4

________ specification indicates the impact on the organization should the particular threat in question actually eventuate.

Accepted Answer

Consequence specification refers to the potential impact on the organization if the identified threat becomes a reality. Risk assessment involves analyzing different factors like likelihood of the risk, the severity of the threat and the resulting consequences that organization may face. Consequence specification helps in prioritizing risks as it indicates the degree of damage an organization may encounter if the threat materializes.

Question 5

The term ________ refers to a document that details not only the overall security objectives and strategies, but also procedural policies that define acceptable behavior, expected practices, and responsibilities.

Accepted Answer

The answer of The term ________ refers to a document...

Question 6

_________ include management, operational, and technical processes and procedures that act to reduce the exposure of the organization to some risks by reducing the ability of a threat source to exploit some vulnerabilities.

Accepted Answer

Security controls are measures taken to reduce risk and mitigate vulnerabilities. These can include management, operational, and technical processes and procedures that help minimize the impact of potential threats. Risk appetite refers to the amount of risk an organization is willing to tolerate, while risk controls refers to specific measures taken to manage or mitigate identified risks.

Question 7

ISO details a model process for managing information security that comprises the following steps: plan, do, ________, and act.

Accepted Answer

The answer of ISO details a model process for managing...

Question 8

The purpose of ________ is to determine the basic parameters within which the risk assessment will be conducted and then to identify the assets to be examined.

Accepted Answer

This question is asking about a step in the risk management process known as "establishing the context." This step involves identifying the scope of the risk assessment, including the assets or systems that will be analyzed, as well as defining the criteria for evaluating risk. Choices B, C, and D are not relevant to this step specifically.

Question 9

The __________ approach to risk assessment aims to implement a basic general level of security controls on systems using baseline documents, codes of practice, and industry best practice.

Accepted Answer

The answer of The __________ approach to risk assessment aims...

Question 10

A ________ is anything that might hinder or present an asset from providing appropriate levels of the key security services.

Accepted Answer

A threat is any potential danger to information or systems that might exploit a vulnerability to breach security and cause harm.

Question 11

The results of the risk analysis should be documented in a _________.

Accepted Answer

The risk analysis should be documented in a risk register, which is a document that identifies potential risks, assesses their likelihood and potential impact, and outlines strategies for mitigating or responding to them. Keeping a comprehensive and up-to-date risk register is an essential part of effective risk management. Journals and consequences may be relevant to the risk analysis process, but they do not provide a centralized and organized way to track and manage risks over time.

Question 12

The _________ approach involves conducting a risk analysis for the organization's IT systems that exploits the knowledge and expertise of the individuals performing the analysis.

Accepted Answer

The informal approach relies on the knowledge and expertise of the individuals conducting the risk analysis, rather than on strictly formalized procedures or methodologies.

Question 13

The use of the _________ approach would generally be recommended for small to medium-sized organizations where the IT systems are not necessarily essential to meeting the organization's business objectives and additional expenditure on risk analysis cannot be justified.

Accepted Answer

The answer of The use of the _________ approach would...

Question 14

Establishing security policy, objectives, processes and procedures is part of the ______ step.

Accepted Answer

Establishing security policy, objectives, processes and procedures is a key part of the planning stage of any security management program. This is because it involves setting goals and defining strategies for achieving them. The plan stage also involves assessing risk and identifying potential threats, which are necessary steps in determining the appropriate security measures to implement.

Question 15

_________ is a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability.

Accepted Answer

The answer of _________ is a process used to achieve...

Question 16

The advantages of the _________ risk assessment approach are that it provides the most detailed examination of the security risks of an organization's IT system and produces strong justification for expenditure on the controls proposed.

Accepted Answer

The answer of The advantages of the _________ risk assessment...

Question 17

The four approaches to identifying and mitigating risks to an organization's IT infrastructure are: baseline approach, detailed risk analysis, combined approach, and __________ approach.

Accepted Answer

The answer of The four approaches to identifying and mitigating...

Question 18

A(n) _________ is anything that has value to the organization.

Accepted Answer

The answer of A(n) _________ is anything that has value...

Question 19

A(n) _________ is a weakness in an asset or group of assets that can be exploited by one or more threats.

Accepted Answer

The answer of A(n) _________ is a weakness in an...

Question 20

_________ is choosing to accept a risk level greater than normal for business reasons.

Accepted Answer

Risk acceptance is choosing to accept a risk level greater than normal for business reasons. This can be a strategic decision made by a company when the potential benefits outweigh the potential losses or negative consequences of the risk.

Quiz 14: IT Security Management and Risk Assessment