
Why is it important to prioritize IT risks, threats, and vulnerabilities?

To have the right data points for a qualitative analysis

To plan on avoiding risk.

To establish the budget to develop the plan outline

Critical items can be addressed first


When developing an executive summary, the primary focus of your message to executive management should be
centered on the possibility of breaking compliance laws and increasing the company's potential liability.

True

False
What would you recommend as a mitigation plan for employees who bring their own CDs and flash drives to work
and plug them into company workstations?

Conduct a cost-benefit analysis, add more storage for users to save their personal photos and music files.

Develop an acceptable use policy, disable USB ports on company workstations, and train employees through
security awareness training

Only allow employees to insert CDs and flash drives on company workstations after business hours.

Call the police
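The technical part of the mitigation above (blocking flash drives on company workstations) can be enforced on Windows by disabling the USB mass-storage driver and then auditing that the setting took effect. The script below is an added example, not part of the original quiz; it assumes it runs in an elevated PowerShell session on a standard Windows install, where the USBSTOR service key exists and a Start value of 4 means Disabled (3 is the default, Manual).

```powershell
# Added example (not part of the quiz): disable the Windows USB mass-storage
# driver so flash drives cannot mount, then verify the setting.
# Assumptions: run as Administrator on Windows; the USBSTOR service key exists
# (it does on standard Windows installs). Start = 4 is Disabled, 3 is the
# default (Manual / load on demand).

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Disable-UsbMassStorage {
    # Setting Start to 4 prevents the USBSTOR driver from loading for newly
    # attached devices. Keyboards, mice and other non-storage USB devices
    # are unaffected because they use different driver classes.
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
}

function Test-UsbMassStorageDisabled {
    # Audit check: returns $true only when the driver is set to Disabled.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name 'Start').Start
    return ($start -eq 4)
}

Disable-UsbMassStorage
if (Test-UsbMassStorageDisabled) {
    Write-Output 'USB mass storage is disabled on this workstation.'
} else {
    Write-Warning 'USBSTOR is still enabled; check permissions and policy overrides.'
}
```

Two caveats a practitioner should keep in mind: a flash drive that was already mounted before the change may remain usable until it is unplugged or the host reboots, and this key does not touch optical drives, so the CD part of the question needs a separate control (on Windows, the Removable Storage Access policy covers CD/DVD as its own device class). For a fleet, deploy the setting through Group Policy rather than per-host registry edits, and keep the audit function as a compliance check.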


What would be a good question to ask executive management when finalizing your IT risk-mitigation plan?

Is emergency budget funding set aside to address the critical "1" risks, threats, and vulnerabilities right away?

Did you upgrade your Intrusion Detection System?

We will be conducting thorough penetration testing. Can we have the CEO's password to his office laptop?

Will you be terminating employees who won't sign the security awareness training documents?


Which domain usually contains privacy data in systems, servers, and databases?

LAN-to-WAN domain

User domain

Systems/Application domain

Remote Access domain


Which of the domains can access privacy data and store it on local hard drives and disks?

User domain

Workstation domain

LAN domain

Remote Access domain


Why is the Remote Access domain the most risk-prone of the seven domains?

Login credentials could be stolen

Data could be hijacked from unencrypted browser sessions

Web portal or VPN could be attacked

All of the above


Why must software updates and patches be tested in an isolated test environment before committing the changes to
live production?

To ensure that the IT department can maintain a QC engineer on the staff

To ensure that the changes function as designed without introducing new risks, threats, or vulnerabilities

To ensure that the changes make the system run faster, use less memory, and complete backups before the
users come back on the system the next day.

To ensure that the revision versions of the patches (version 1.0, version 2.0, etc.) are readable.


A long-term risk-mitigation plan should include risk-mitigation policies, standards, procedures, and guidelines

True

False

Companies that are out of compliance with laws should delay remediation of non-compliance as a low priority. Other
more pressing matters, such as employees inserting their own flash drives into company workstations or an operating
system with a known software vulnerability, should be addressed first. Then the company can worry about
non-compliant actions.

True

False