When would someone ask, “would a reasonable person be expected to manage this risk?”

IMPORTANT: AFTER PURCHASE, OPEN THIS PAGE AGAIN AND SCROLL DOWN BELOW TO DOWNLOAD FILES WITH ANSWERS.

QUESTIONS SET 1:

1. What is the area that is inside the firewall?

2. What are often the weakest links in IT security?

3. Risk __________ is the practice of identifying, assessing, controlling, and mitigating risks.

4. Companies use risk management techniques to differentiate ___________ from _________?

5. What are the elements of the security triad?

6. What is the primary reason to avoid risk?

7. What is NOT a step in risk management?

8. What is NOT an example of an intangible value?

9. Total risk = _______________

10. What is the best example of warez?

11. IDS stands for ______________.

12. __________ damage for the sake of doing damage, and they often choose targets of opportunity.

13. A(n) __________ is a computer joined to a botnet.

14. What is NOT an example of unintentional threat?

15. What is the most commonly seen attack?

16. Identify the acronym that does NOT refer to an initiative taken by the government to help companies manage IT risks.

17. What is a security policy?

18. When does a threat/vulnerability pair occur?

19. When risk is reduced to an acceptable level, the remaining risk is referred to as _________.

20. What can you control about threat/vulnerability pairs?

21. When your bank or credit card company sends you a notification of changes in how it collects or shares data, it is sending that notification in compliance with ________________.

22. When companies are expected to adhere to the laws that they are affected by, this is commonly known as _______________.

23. What is NOT one of the three primary bureaus of the FTC?

24. What is the relevance of state AGs to IT issues?

25. What is the function of job rotation?

26. When the FTC was created in 1914, its primary goal was to ______________.

27. HIPAA requires that your insurance company sets standards for the protection of your data and the systems that handle that data’s ________________.

28. What is the relationship between Enron and SOX?

29. What are the six principles of PCI DSS?

30. CIPA is ________________.

31. At what point should you describe the procedures and schedules for accomplishment?

32. Costs for solutions are often ____________.

33. Choose the most accurate statement with respect to creating a risk management plan.

34. What information should you include in your report for management when you present your recommendations?

35. POAM stands for _________.

36. After you collect data on risks and recommendations, you include that information in a report, and you give that report to management. Why do you do this?

37. All of the following terms have the same meaning EXCEPT:

38. A risk management PM is also sometimes called a(n) ________________.

39. What is the purpose of a POAM?

40. What are the four major categories of reporting requirements?

41. What is the Delphi Method?

42. What is NOT a benefit of a qualitative RA?

43. What are the two primary methods used to create a risk assessment?

44. All of the following are major components of RAs, EXCEPT:

45. What is NOT a benefit of a quantitative RA?

46. A (n) __________ is a common type of attack on Internet-facing servers.

47. It is common to focus the scope of an RA on system ownership, because doing so ____________.

48. If you know an SLE is $100 and the associated ARO is 5 months, then what is the ALE?

49. When should you perform a risk assessment?

50. ____________ assessments are objective, while ___________ assessments are subjective.

51. An exploit assessment is also known as a(n) ___________.

52. __________ define(s) how the system operates in your environment.

53. Addresses ______________ are automatically marked as spam.

54. ____________ is the process of determining fair market value of an asset.

55. _____________ value is the cost to purchase a new asset.

56. How do you start a risk assessment?

57. The _____________ define(s) what the system does.

58. Threat ___________ is a process used to identify possible threats on a system.

59. What is NOT something to consider when determining the value of an asset?

60. What is an example of a Group Policy?

61. A ___________ plan can help ensure that mission-critical systems continue to function after a disaster.

62. The two categories of IP are _______________ and _______________.

63. An operating system is an example of a(n) ___________.

64. A failover cluster requires at least __________ node(s).

65. BIA is an important part of a(n) _____________, and it can also be part of a(n) __________.

66. What is NOT a category of data and information assets?

67. A ___________ plan can help you identify steps needed to restore a failed system.

68. ________ help(s) prevent a hard drive from being a single point of failure. __________ help(s) prevent a server from being a single point of failure. _________ help(s) prevent a person from being a single point of failure.

69. How can you determine the importance of a system?

70. Most organizations use __________ to track hardware assets.

71. Penetration testing is also known as ____________ testing.

72. Functionality testing is primarily used with ____________.

73. Risk = which of the following?

74. What is NOT a benefit of the tools commonly used to perform vulnerability scans?

75. In a SQL injection attack, an attacker can _________________.

76. What is a transaction in a database?

77. Why are audits performed?

78. Ideally, when should you perform threat modeling?

79. What are some of the best practices you can use when evaluating potential threats for each of the domains?

80. How do attackers deface websites?

QUESTIONS SET 2:

1. When would someone ask, “Would a reasonable person be expected to manage this risk?”

2. When a threat exploits a vulnerability, it results in a(n) __________.

3. As a top-level executive at your own company, you are worried that your employees may steal confidential data too easily by downloading and taking home data onto thumb drives. What is the best way to prevent this from happening?

4. Risk __________ is the practice of identifying, assessing, controlling, and mitigating risks.

5. What is NOT an example of an intangible value?

6. What is the primary reason to avoid risk?

7. Identify the true statement.

8. A _________ is the likelihood that a loss will occur.

9. Another term for risk mitigation is _______.

10. What are often the weakest links in IT security?

11. When risk is reduced to an acceptable level, the remaining risk is referred to as _________.

12. What is NOT an example of unintentional threat?

13. Identify the acronym that does NOT refer to an initiative taken by the government to help companies manage IT risks.

14. A(n) __________ is a computer joined to a botnet.

15. __________ damage for the sake of doing damage, and they often choose targets of opportunity.

16. Hardening the server refers to ____________.

17. A _____________ policy governs how patches are understood, tested, and rolled out to systems and clients.

18. What is a security policy?

19. What is the most commonly seen attack?

20. You are a disgruntled employee with a master’s degree in computer sciences who was recently laid off from a major technology company, and you want to launch an attack on the company. Where might you go to learn about vulnerabilities that you can exploit for your plan?

21. What is the function of job rotation?

22. CIPA is ________________.

23. What is NOT one of the three primary bureaus of the FTC?

24. FERPA applies to all of the following, EXCEPT ______________.

25. What are the six principles of PCI DSS?

26. When a fiduciary does not exercise due diligence, it can be considered __________.

27. What are the seven COBIT enablers?

28. What is NOT a standard or guideline for compliance that exists to assess and improve security?

29. In relation to risk management, IP stands for _________.

30. What ensures that federal agencies protect their data and assigns specific responsibilities for federal agencies?

31. POAM stands for _________.

32. After you present your recommendations, the managers can ___________, ___________, or _____________ your recommendations.

33. What are the four major categories of reporting requirements?

34. When should you establish objectives for your risk management plan?

35. Costs for solutions are often ____________.

36. Choose the most accurate statement with respect to creating a risk management plan.

37. What is the purpose of a POAM?

38. All of the following are steps involved in creating an affinity diagram, EXCEPT:

39. A risk management PM is also sometimes called a(n) ________________.

40. In a risk management plan, how should you complete the step of describing the procedures and schedules for accomplishment?

41. Formulas for quantitative risk assessments usually look at a period of _____________.

42. What are the two primary methods used to create a risk assessment?

43. When should you perform a risk assessment?

44. All of the following are major components of RAs, EXCEPT:

45. ____________ assessments are objective, while ___________ assessments are subjective.

46. What is NOT a benefit of a qualitative RA?

47. You run a bank and wish to update your physical security at each branch of your bank and to update the technological security of the bank’s private financial data. What is the best way to determine whether physical security or technological security has a higher priority of protection?

48. What is the Delphi Method?

49. ___________ is the negative result if the risk occurs.

50. Why should the people on the RA team be different from the people responsible for correcting deficiencies?

51. ____________ is the process of determining fair market value of an asset.

52. What is NOT something to consider when determining the value of an asset?

53. _____________ value is the cost to purchase a new asset.

54. What is an example of a Group Policy?

55. ______________ refers to how responsibilities are assigned.

56. Threat ___________ is a process used to identify possible threats on a system.

57. What may occur if you do NOT include the scope of the RA when defining it?

58. Addresses ______________ are automatically marked as spam.

59. The _____________ define(s) what the system does.

60. An exploit assessment is also known as a(n) ___________.

61. What is NOT one of the words in the ETL acronym?

62. A ___________ plan can help you identify steps needed to restore a failed system.

63. __________ refer(s) to when users or customers need a system or service.

64. What is NOT a way that you can measure the value of a system when determining if the system requires five nines?

65. An operating system is an example of a(n) ___________.

66. Most organizations use __________ to track hardware assets.

67. BIA is an important part of a(n) _____________, and it can also be part of a(n) __________.

68. What are the steps of a BCP?

69. A ___________ plan can help ensure that mission-critical systems continue to function after a disaster.

70. The two categories of IP are _______________ and _______________.

71. What does the principle of least privilege have in common with the principle of need to know?

72. A (n) ____________ assessment attempts to identify vulnerabilities that can actually be exploited.

73. What is NOT a benefit of the tools commonly used to perform vulnerability scans?

74. When performing threat assessments, it’s important to ensure you understand the system or application you are evaluating. In order to understand a given system or application, you need to understand all of the following EXCEPT:

75. Piggybacking is also known as _____________.

76. How do attackers deface websites?

77. Risk = which of the following?

78. Penetration testing is also known as ____________ testing.

79. What is a transaction in a database?

80. You run a successful casual dining restaurant in Virginia and are reviewing historical data in an attempt to identify potential threats to your business. What would NOT be helpful to you in this process?