
Chapter 04: Risk Management

TRUE/FALSE

1. The general management of an organization must structure the IT and information security functions to defend the organization’s information assets.

ANS: T PTS: 1 REF: 118

2. “If you realize you do not know the enemy, you will gain an advantage in every battle.” (Sun Tzu)

ANS: F PTS: 1 REF: 119

3. Information security managers and technicians are the creators of information.

ANS: F PTS: 1 REF: 119

4. Risk control is the application of controls to reduce the risks to an organization’s data and information systems.

ANS: T PTS: 1 REF: 119

5. Know yourself means identifying, examining, and understanding the threats facing the organization.

ANS: F PTS: 1 REF: 120

6. Once the organizational threats have been identified, an assets identification process is undertaken.

ANS: F PTS: 1 REF: 121

7. Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets.

ANS: F PTS: 1 REF: 123

8. You should adopt naming standards that do not convey information to potential system attackers.

ANS: T PTS: 1 REF: 124

9. Examples of exceptionally grave damage include armed hostilities against the United States or its allies and disruption of foreign relations vitally affecting the national security.

ANS: T PTS: 1 REF: 127

10. Comprehensive means that an information asset should fit in only one
category.

ANS: F PTS: 1 REF: 130

11. A certificate authority should actually be categorized as a software security component.

ANS: T PTS: 1 REF: 130

12. When determining the relative importance of each asset, refer to the
organization’s mission statement or statement of objectives to determine which elements are
essential, which are supportive, and which are merely adjuncts.

ANS: T PTS: 1 REF: 130-131

13. The amount of money spent to protect an asset is based in part on the value of
the asset.

ANS: T PTS: 1 REF: 132

14. The value of intellectual property influences asset valuation.

ANS: T PTS: 1 REF: 133

15. You cannot use qualitative measures to rank values.

ANS: F PTS: 1 REF: 135

16. Protocols are activities performed within the organization to improve security.

ANS: F PTS: 1 REF: 145

17. Eliminating a threat is an impossible proposition.

ANS: F PTS: 1 REF: 147

18. To determine if the risk is acceptable or not, you estimate the expected loss
the organization will incur if the risk is exploited.

ANS: T PTS: 1 REF: 149

19. If every vulnerability identified in the organization is handled through mitigation, it may reflect an inability to conduct proactive security activities and an apathetic approach to security in general.

ANS: F PTS: 1 REF: 149

20. Leaving unattended computers on is one of the top information security mistakes made by individuals.

ANS: T PTS: 1 REF: 151

21. Some argue that it is virtually impossible to determine the true value of
information and information-bearing assets.

ANS: T PTS: 1 REF: 153

22. CBAs cannot be calculated after controls have been functioning for a time.

ANS: F PTS: 1 REF: 155

23. Metrics-based measures are generally less focused on numbers and more strategic than process-based measures.

ANS: F PTS: 1 REF: 157

24. Best business practices are often called recommended practices.

ANS: T PTS: 1 REF: 158

25. A best practice proposed for a small home office setting is appropriate to help
design control strategies for a multinational company.

ANS: F PTS: 1 REF: 159

26. One problem with benchmarking is that there are many organizations that are
identical.

ANS: F PTS: 1 REF: 160

27. Internal benchmarking can provide the foundation for baselining.

ANS: F PTS: 1 REF: 161

28. Organizations should communicate with system users throughout the development of the security program, letting them know that changes are coming.

ANS: T PTS: 1 REF: 162

29. Every organization should have the collective will and budget to manage
every threat by applying controls.

ANS: F PTS: 1 REF: 163

30. The results from risk assessment activities can be delivered in a number of
ways: a report on a systematic approach to risk control, a project-based risk assessment, or a
topic-specific risk assessment.

ANS: T PTS: 1 REF: 164

MODIFIED TRUE/FALSE

1. Establishing a competitive business model, method, or technique enabled an organization to provide a product or service that was superior and created a(n) competitive advantage. _________________________

ANS: T PTS: 1 REF: 118

2. Risk control is the examination and documenting of the security posture of an organization’s information technology and the risks it faces. _________________________

ANS: F, identification

PTS: 1 REF: 119

3. Mutually exclusive means that all information assets must fit in the list somewhere. _________________________

ANS: F, Comprehensive

PTS: 1 REF: 129

4. One way to determine which information assets are critical is by evaluating how much of the organization’s revenue depends on a particular asset. _________________________

ANS: T PTS: 1 REF: 131

5. Each of the threats faced by an organization must be examined to assess its potential to endanger the organization and this examination is known as a threat profile. _________________________

ANS: F, assessment

PTS: 1 REF: 134

6. Risk evaluation assigns a risk rating or score to each information asset. _________________________

ANS: F, assessment

PTS: 1 REF: 141

7. Policies are documents that specify an organization’s approach to security. _________________________

ANS: T PTS: 1 REF: 144

8. Program-specific policies address the specific implementations or applications of which users should be aware. _________________________

ANS: F, Issue

PTS: 1 REF: 144

9. The most common of the mitigation procedures is the disaster recovery plan.
_________________________

ANS: T PTS: 1 REF: 148

10. The mitigate control strategy attempts to reduce the impact caused by the
exploitation of vulnerability through planning and preparation.
_________________________

ANS: T PTS: 1 REF: 148

11. Likelihood risk is the risk to the information asset that remains even after the
application of controls. _________________________

ANS: F, Residual

PTS: 1 REF: 144

12. A(n) disaster recovery plan dictates the actions an organization can and perhaps should take while an incident is in progress. _________________________

ANS: F, incident response

PTS: 1 REF: 148

13. Benefit is the value that an organization realizes by using controls to prevent
losses associated with a specific vulnerability. _________________________

ANS: T PTS: 1 REF: 153

14. A(n) exposure factor is the expected percentage of loss that would occur from
a particular attack. _________________________

ANS: T PTS: 1 REF: 154

15. ALE determines whether or not a particular control alternative is worth its
cost. _________________________

ANS: F, CBA

PTS: 1 REF: 155

16. A(n) qualitative assessment is based on characteristics that do not use numerical measures. _________________________

ANS: T PTS: 1 REF: 155

17. Qualitative-based measures are comparisons based on numerical standards, such as numbers of successful attacks. _________________________

ANS: F
Metrics
Quantitative

PTS: 1 REF: 157

18. Within best practices, the optimum standard is a subcategory of practices that
are typically viewed as “the best of the best.” _________________________

ANS: F, gold

PTS: 1 REF: 158

19. Security efforts that seek to provide a superior level of performance in the
protection of information are referred to as best business practices.
_________________________

ANS: T PTS: 1 REF: 158

20. In information security, benchmarking is the comparison of security activities and events against the organization’s future performance. _________________________

ANS: F, baselining

PTS: 1 REF: 161

21. Operational feasibility is also known as behavioral feasibility. _________________________

ANS: T PTS: 1 REF: 162

22. Within organizations, technical feasibility defines what can and cannot occur
based on the consensus and relationships between the communities of interest.
_________________________

ANS: F, political

PTS: 1 REF: 163

23. Risk measure defines the quantity and nature of risk that organizations are
willing to accept as they evaluate the tradeoffs between perfect security and unlimited
accessibility. _________________________

ANS: F, appetite

PTS: 1 REF: 163

24. Major risk is a combined function of (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards. _________________________

ANS: F, Residual

PTS: 1 REF: 164

25. When the organization is pursuing an overall risk management program, it requires a(n) systematic report that enumerates the opportunities for controlling risk. _________________________

ANS: T PTS: 1 REF: 164

MULTIPLE CHOICE

1. Risk ____ is the application of controls to reduce the risks to an organization’s data and information systems.
a. management c. identification
b. control d. security
ANS: B PTS: 1 REF: 119

2. The concept of competitive ____ refers to falling behind the competition.
a. disadvantage c. failure
b. drawback d. shortcoming
ANS: A PTS: 1 REF: 119

3. The first phase of risk management is ____.
a. risk identification c. risk control
b. design d. risk evaluation
ANS: A PTS: 1 REF: 119

4. ____ addresses are sometimes called electronic serial numbers or hardware addresses.
a. HTTP c. DHCP
b. IP d. MAC
ANS: D PTS: 1 REF: 124

5. Many corporations use a ____ to help secure the confidentiality and integrity
of information.
a. system classification scheme c. data hierarchy
b. data restoration scheme d. data classification scheme
ANS: D PTS: 1 REF: 126

6. A(n) ____ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.
a. IP c. CTO
b. FCO d. HTTP
ANS: B PTS: 1 REF: 125

7. The military uses a ____-level classification scheme.
a. three c. five
b. four d. six
ANS: C PTS: 1 REF: 126

8. In the U.S. military classification scheme, ____ data is any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.
a. confidential c. top secret
b. secret d. sensitive
ANS: A PTS: 1 REF: 126

9. Management of classified data includes its storage and ____.
a. distribution c. destruction
b. portability d. All of the above
ANS: D PTS: 1 REF: 128

10. There are individuals who search trash and recycling — a practice known as
____ — to retrieve information that could embarrass a company or compromise information
security.
a. side view c. recycle diving
b. dumpster diving d. garbage collection
ANS: B PTS: 1 REF: 129

11. In a(n) ____, each information asset is assigned a score for each of a set of assigned critical factors.
a. OPSEC c. weighted factor analysis
b. COMSEC d. data classification scheme
ANS: C PTS: 1 REF: 133

12. ____ equals likelihood of vulnerability occurrence times value (or impact)
minus percentage risk already controlled plus an element of uncertainty.
a. Probability c. Possibility
b. Risk d. Chance
ANS: B PTS: 1 REF: 144

13. The ____ security policy is an executive-level document that outlines the
organization’s approach and attitude towards information security and relates the strategic
value of information security within the organization.
a. general c. issue-specific
b. agency d. system-specific
ANS: A PTS: 1 REF: 144

14. The ____ security policy is a planning document that outlines the process of
implementing security in the organization.
a. program c. issue-specific
b. agency d. system-specific
ANS: A PTS: 1 REF: 144

15. ____ policies address the particular use of certain systems.
a. Systems-specific c. Network-specific
b. General d. Platform-specific
ANS: A PTS: 1 REF: 144-145

16. The ____ strategy attempts to prevent the exploitation of the vulnerability.
a. suspend control c. transfer control
b. defend control d. defined control
ANS: B PTS: 1 REF: 146

17. The ____ strategy attempts to shift risk to other assets, other processes, or
other organizations.
a. transfer control c. accept control
b. defend control d. mitigate control
ANS: A PTS: 1 REF: 147

18. The actions an organization can and perhaps should take while an incident is
in progress should be specified in a document called the ____ plan.
a. BC c. IR
b. DR d. BR
ANS: C PTS: 1 REF: 148

19. ____ plans usually include all preparations for the recovery process,
strategies to limit losses during the disaster, and detailed steps to follow when the smoke
clears, the dust settles, or the floodwaters recede.
a. IR c. BC
b. DR d. BR
ANS: B PTS: 1 REF: 148

20. The ____ strategy is the choice to do nothing to protect a vulnerability and to
accept the outcome of its exploitation.
a. avoidance of risk c. mitigation
b. transference d. accept control
ANS: D PTS: 1 REF: 149

21. The formal decision-making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) ____.
a. ARO c. ALE
b. CBA d. SLE
ANS: B PTS: 1 REF: 152

22. ____ is simply how often you expect a specific type of attack to occur.
a. ARO c. ALE
b. CBA d. SLE
ANS: A PTS: 1 REF: 154

23. When organizations adopt levels of security for a legal defense, they may
need to show that they have done what any prudent organization would do in similar
circumstances. This is referred to as a(n) ____.
a. due diligence action c. golden standard action
b. best practice d. standard of due care
ANS: D PTS: 1 REF: 157

24. ____ feasibility analysis examines user acceptance and support, management
acceptance and support, and the overall requirements of the organization’s stakeholders.
a. Organizational c. Operational
b. Technical d. Political
ANS: C PTS: 1 REF: 162

25. Risk ____ defines the quantity and nature of risk that organizations are
willing to accept as they evaluate the tradeoffs between perfect security and unlimited
accessibility.
a. benefit c. acceptance
b. appetite d. avoidance
ANS: B PTS: 1 REF: 163

COMPLETION

1. ____________________ involves three major undertakings: risk identification, risk assessment, and risk control.

ANS: Risk management

PTS: 1 REF: 119

2. ____________________ is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level.

ANS: Risk management

PTS: 1 REF: 119

3. ____________________ are defined as information and the systems that use, store, and transmit information.

ANS: Assets

PTS: 1 REF: 120

4. ____________________ components account for the management of information in all its states: transmission, processing, and storage.

ANS: Data

PTS: 1 REF: 123

5. For hardware devices, the ____________________ number is used by the network operating system to identify a specific network device.

ANS:
electronic serial
MAC address
hardware address

PTS: 1 REF: 124

6. All information that has been approved by management for public release has
a(n) ____________________ classification.

ANS: external

PTS: 1 REF: 126

7. Overriding an employee’s security ____________________ requires that the need-to-know standard be met.

ANS: clearance

PTS: 1 REF: 127

8. A(n) ____________________ desk policy requires that employees secure all information in appropriate storage containers at the end of each day.

ANS: clean

PTS: 1 REF: 129

9. Once the inventory and value assessment are complete, you can prioritize
each asset using a straightforward process known as ____________________ analysis.

ANS: weighted factor

PTS: 1 REF: 133

10. After identifying and performing the preliminary classification of an organization’s information assets, the analysis phase moves on to an examination of the ____________________ facing the organization.

ANS: threats

PTS: 1 REF: 134

11. You can assess the relative risk for each of the vulnerabilities by a process called risk ____________________.

ANS: assessment

PTS: 1 REF: 140-141

12. ____________________ is the probability that a specific vulnerability within an organization will be successfully attacked.

ANS: Likelihood

PTS: 1 REF: 142

13. Security ____________________ are the technical implementations of the policies defined by the organization.

ANS: technologies

PTS: 1 REF: 145

14. The ____________________ strategy is the risk control strategy that attempts to prevent the exploitation of the vulnerability.

ANS: defend control

PTS: 1 REF: 146

15. The ____________________ control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.

ANS: mitigation

PTS: 1 REF: 148

16. Of the three types of mitigation plans, the _________________________ plan is the most strategic and long term.

ANS:
BC
Business Continuity
BC (business continuity)
business continuity (BC)

PTS: 1 REF: 148

17. Cost ____________________ is the process of preventing the financial impact of an incident by implementing a control.

ANS: avoidance

PTS: 1 REF: 152

18. Asset ____________________ is the process of assigning financial value or worth to each information asset.

ANS: valuation

PTS: 1 REF: 153

19. A single loss ____________________ is the calculation of the value associated with the most likely loss from an attack.

ANS: expectancy

PTS: 1 REF: 154

20. ____________________ is the process of seeking out and studying the practices used in other organizations that produce results you would like to duplicate in your organization.

ANS: Benchmarking

PTS: 1 REF: 156

21. The difference between an organization’s measures and those of others is often referred to as a performance ____________________.

ANS: gap

PTS: 1 REF: 157

22. Due ____________________ is the demonstration that the organization is diligent in ensuring that the implemented standards continue to provide the required level of protection.

ANS: diligence

PTS: 1 REF: 157

23. A(n) ____________________ is a “value or profile of a performance metric against which changes in the performance metric can be usefully compared.”

ANS: baseline

PTS: 1 REF: 161

24. Operational ____________________ analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization’s stakeholders.

ANS: feasibility

PTS: 1 REF: 162

25. Behavioral feasibility is also known as _________________________.

ANS: operational feasibility

PTS: 1 REF: 162

ESSAY

1. Describe five new subdivisions of information system components of SecSDLC/risk management.

ANS:
People comprise employees and nonemployees.

Procedures fall into two categories: IT and business standard procedures, and IT and business
sensitive procedures.

Data components account for the management of information in all its states: transmission,
processing, and storage.

Software components are assigned to one of three categories: applications, operating systems,
or security components.

Hardware is assigned to one of two categories: the usual systems devices and their
peripherals, and the devices that are part of information security control systems.

Hardware components are separated into two categories: devices and peripherals, and
networks.

PTS: 1 REF: 122-123

2. List seven key areas identified by Microsoft as best security practices for
home users.

ANS:
1. Use antivirus software.
2. Use strong passwords.
3. Verify your software security settings.
4. Update product security.
5. Build personal firewalls.
6. Back up early and often.
7. Protect against power surges and loss.

PTS: 1 REF: 159

3. List Microsoft’s “Ten Immutable Laws of Security” in any order.

ANS:
Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your
computer anymore.

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer
anymore.

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your
computer anymore.

Law #4: If you allow a bad guy to upload programs to your Web site, it’s not your Web site
anymore.

Law #5: Weak passwords trump strong security.

Law #6: A machine is only as secure as the administrator is trustworthy.

Law #7: Encrypted data is only as secure as the decryption key.

Law #8: An out-of-date virus scanner is only marginally better than no virus scanner at all.

Law #9: Absolute anonymity isn’t practical, in real life or on the Web.

Law #10: Technology is not a panacea.

PTS: 1 REF: 160
