CIS4361 Chapter 4 Q&A
A(n) disaster recovery plan dictates the actions an organization can and perhaps should take while an incident is in progress. - =False
Internal benchmarking can provide the foundation for baselining. - =False
Each of the threats faced by an organization must be examined to assess its potential to endanger the organization, and this examination is known as a threat profile. - =False
Some argue that it is virtually impossible to determine the true value of information and information-bearing assets. - =True
Protocols are activities performed within the organization to improve security. - =False
Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices. - =True
Best business practices are often called recommended practices. - =True
Risk evaluation assigns a risk rating or score to each information asset. - =False
Major risk is a combined function of (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards. - =False
Qualitative-based measures are comparisons based on numerical standards, such as numbers of successful attacks. - =False
Eliminating a threat is an impossible proposition. - =False
A(n) exposure factor is the expected percentage of loss that would occur from a particular attack. - =True
One problem with benchmarking is that there are many organizations that are identical. - =False
When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts. - =True
CBAs cannot be calculated after controls have been functioning for a time. - =False
Once the organizational threats have been identified, an assets identification process is undertaken. - =False
Benefit is the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability. - =True
The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment. - =True
When the organization is pursuing an overall risk management program, it requires a(n) systematic report that enumerates the opportunities for controlling risk. - =True
The general management of an organization must structure the IT and information security functions to defend the organization's information assets. - =True
A(n) qualitative assessment is based on characteristics that do not use numerical measures. - =True
You should adopt naming standards that do not convey information to potential system attackers. - =True