Exam (elaborations)

ISOL 533 Midterm_2.

Pages: 30
Grade: A+
Uploaded on: 30-05-2022
Written in: 2020/2021

What are the elements of the security triad?
Risk is the practice of identifying, assessing, controlling, and mitigating risks.
Another term for risk mitigation is .
What is NOT a step in risk management?
Companies use risk management techniques to differentiate from ?
Total risk =
What is a major type of vulnerability for the user domain?
What are often the weakest links in IT security?
What is the area that is inside the firewall?
What is the primary reason to avoid risk?
What is one source of risk reduction?
What is NOT an example of unintentional threat?
damage for the sake of doing damage, and they often choose targets of opportunity.
are acts that are hostile to an organization.
A(n) is a computer joined to a botnet.
What is the most commonly seen attack?
What can you control about threat/vulnerability pairs?
A policy governs how patches are understood, tested, and rolled out to systems and clients.
What is a security policy?
A teenager learning about computers and programming for the first time writes a simple program meant to disrupt the function of his sister’s computer. While she’s hanging out with friends at the mall, he enters his sister’s IP address, launches the program, and waits to see what will happen. The teenager is an example of a .
What is a publicly traded company?
What are the seven COBIT enablers?
FERPA applies to all of the following, EXCEPT .
What ensures that federal agencies protect their data and assigns specific responsibilities for federal agencies?
CIPA is .
When a fiduciary does not exercise due diligence, it can be considered .
HIPAA requires that your insurance company sets standards for the protection of your data and the systems that handle that data’s .
When your bank or credit card company sends you a notification of changes in how it collects or shares data, it is sending that notification in compliance with .
What is NOT one of the three primary bureaus of the FTC?
When companies are expected to adhere to the laws that they are affected by, this is commonly known as .
Choose the most accurate statement with respect to creating a risk management plan.
You are creating objectives for your risk management plan. What do you NOT include at this stage?
In a CBA, if the benefits of a control outweigh the costs of implementing that control, then the control can be implemented to reduce risk. However, if the cost outweighs the benefit, then .
POAM stands for .
When a stakeholder’s involvement in a project helps that stakeholder have ownership of the project, the ownership is also known as a(n) .
What are the four major categories of reporting requirements?
All of the following are steps involved in creating an affinity diagram, EXCEPT:
You use to communicate a risk and the resulting impact.
A(n) is a process used to determine how to manage risk.
After you collect data on risks and recommendations, you include that information in a report, and you give that report to management. Why do you do this?
is the likelihood that a threat will exploit a vulnerability.
What is the Delphi Method?
Qualitative RAs determine the level of risk based on the and of risk.
If you know an SLE is $100 and the associated ARO is 5 months, then what is the ALE?
What is NOT a benefit of a quantitative RA?
All of the following are major components of RAs, EXCEPT:
What does RAID stand for?
You run a bank and wish to update your physical security at each branch of your bank and to update the technological security of the bank’s private financial data. What is the best way to determine whether physical security or technological security has a higher priority of protection?
When should you perform a risk assessment?
is the negative result if the risk occurs.
The define(s) what the system does.
An exploit assessment is also known as a(n) .
What is NOT something to consider when determining the value of an asset?
value is the cost to purchase a new asset.
What is NOT a way that you can determine the value of an asset?
What may occur if you do NOT include the scope of the RA when defining it?
How do you start a risk assessment?
A cold site is .
All of the following are reasons why configuration management is an important risk management process, EXCEPT:
Threat is a process used to identify possible threats on a system.
A(n) provides access to a private network over a public network such as the internet.
The two categories of IP are and .
refer(s) to when users or customers need a system or service.

Institution
ISOL 533 / ISOL533
Course
ISOL 533 / ISOL533










Contains: Questions & answers

Seller: Lima222 (American Intercontinental University)