CYBER SECURITY AND INFORMATION ASSURANCE
EXAM QUESTIONS AND ANSWERS 100% CORRECT!!
, Risk - ANSWER is the likelihood that a threat agent will exploit a vulnerability and the
associated impact
Managing Risk - ANSWER means identifying, assessing, prioritizing, and treating
(responding to) risk; monitoring the evolving situation, and continuing the process
Risk Assessment - ANSWER means "the process of identifying, estimating, and
prioritizing information security risks."
What does risk assessment include? - ANSWER *Identify threats
*Estimate the likelihood of being targeted
*Identify vulnerabilities
*Estimate the impact/harm should a threat successfully exploit a vulnerability
*Estimate the likelihood that the harm will occur
*Estimate risk as a function of the degree of harm and the likelihood that it will occur
Responding/Treating Risk - ANSWER Avoid
Mitigate
Transfer
Accept
Avoid (Risk) - ANSWER Discontinue risky practice
(decommission insecure system or prohibit insecure conduct)
Mitigate(Risk) - ANSWER Apply measures to reduce the level of risk (encryption, AV,
access control)
Transfer(Risk) - ANSWER Shift the impact to some other entity(cyber-insurance,
contractual means such as indemnification clauses)
Accept(Risk) - ANSWER Process by which managers agree to accept the risk (e.g.,
managers understand risk and the possible options for treating it, but decide to accept
it)
Controls - ANSWER Measures that we put in place to mitigate risk
Administrative Control - ANSWER management of policy oriented
Technical Control - ANSWER Software or hardware oriented
EXAM QUESTIONS AND ANSWERS 100% CORRECT!!
, Risk - ANSWER is the likelihood that a threat agent will exploit a vulnerability and the
associated impact
Managing Risk - ANSWER means identifying, assessing, prioritizing, and treating
(responding to) risk; monitoring the evolving situation, and continuing the process
Risk Assessment - ANSWER means "the process of identifying, estimating, and
prioritizing information security risks."
What does risk assessment include? - ANSWER *Identify threats
*Estimate the likelihood of being targeted
*Identify vulnerabilities
*Estimate the impact/harm should a threat successfully exploit a vulnerability
*Estimate the likelihood that the harm will occur
*Estimate risk as a function of the degree of harm and the likelihood that it will occur
Responding/Treating Risk - ANSWER Avoid
Mitigate
Transfer
Accept
Avoid (Risk) - ANSWER Discontinue risky practice
(decommission insecure system or prohibit insecure conduct)
Mitigate(Risk) - ANSWER Apply measures to reduce the level of risk (encryption, AV,
access control)
Transfer(Risk) - ANSWER Shift the impact to some other entity(cyber-insurance,
contractual means such as indemnification clauses)
Accept(Risk) - ANSWER Process by which managers agree to accept the risk (e.g.,
managers understand risk and the possible options for treating it, but decide to accept
it)
Controls - ANSWER Measures that we put in place to mitigate risk
Administrative Control - ANSWER management of policy oriented
Technical Control - ANSWER Software or hardware oriented
