FiltersDone

Question type

Essay

Multiple Choice

Short Answer

True False

Matching

Exam 9: Risk Management: Controlling Risk

Show Answer

Share

---

All types

Filters

Study FlashcardsPractice ExamLearn

Question 21

True/False

Review LaterAdd Note

Review Later

Communicating new or revised policy to employees is adequate to assure compliance.

A) True
B) False

Correct Answer

verified

Show Answer

Question 22

True/False

Review LaterAdd Note

Review Later

When a vulnerability (flaw or weakness)exists,you should implement security policies to reduce the likelihood of a vulnerability being exercised._________________________

A) True
B) False

Correct Answer

verified

Show Answer

Question 23

Multiple Choice

Review LaterAdd Note

A cost-benefit analysis is calculated by subtracting the post-control annualized loss expectancy and the ____ from the pre-control loss expectancy

____________________ is a risk management framework developed to help organizations to understand,analyze,and measure information risk.The outcomes are more cost-effective information risk management,greater credibility for the information security profession,and a foundation from which to develop a scientific approach to information risk management.

Common sense dictates that an organization should spend more to protect an asset than its value.

Step-by-step rules to regain normalcy is covered by which of the following plans in the mitigation control approach?

The Microsoft Risk Management Approach includes four phases.Which of the following is NOT one of them?

Cost Benefit Analysis is determined by calculating the single loss expectancy before new controls minus the annualized loss expectancy after controls are implemented minus the annualized cost of the safeguard._________________________

Which of the following is NOT a valid rule of thumb on risk control strategy selection?

Due care and due diligence occur when an organization adopts a certain minimum level of security as what any ____________________ organization would do in similar circumstances.

A system's exploitable vulnerabilities are usually determined after the system is designed.

____ feasibility is also referred to as behavioral feasibility.

Avoidance of risk is the choice to forgo the use of security measures and accept loss in the event of an attack._________________________

Asset evaluation is the process of assigning financial worth to each information asset._________________________

Mitigation depends on the ability to detect and respond to an attack as quickly as possible ._________________________

The only use of the acceptance strategy that industry practices recognize as valid occurs when the organization has done all but which of the following?

The ____ is the calculation of the value associated with the most likely loss from an attack.

The Microsoft Risk Management Approach includes four phases: assessing risk,conducting decision support,implementing controls and measuring program effectiveness._________________________

____ is the choice to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.

The final choice of a risk control strategy may call for a balanced mixture of controls that provides the greatest value for as many asset-threat pairs as possible.