Test Bank for Management of Information Security, 6th Edition
Michael E. Whitman, Herbert J. Mattord
ISBN-10: 133740571X, ISBN-13: 9781337405713


Name: Class: Date:

Chapter 6

Indicate whether the statement is true or false.

1. Having an established risk management program means that an organization's assets are completely protected.
a. True
b. False

2. Likelihood is the overall rating of the probability that a specific vulnerability will be exploited or attacked.
a. True
b. False

3. The IT community often takes on the leadership role in addressing risk.
a. True
b. False

4. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.
a. True
b. False

5. MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially
foolproof.
a. True
b. False

Indicate whether the statement is true or false. If it is false, change the identified word(s) to make the statement
true.

6. The probability that a specific vulnerability within an organization will be the target of an attack is known as risk.
___________

7. The recognition, enumeration, and documentation of risks to an organization’s information assets is known as risk
control. __________

8. The information technology management community of interest often takes on the leadership role in addressing risk.
__________

9. When operating any kind of organization, a certain amount of debt is always involved. __________

10. A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict
the number of people who can access it is known as a data categorization scheme. __________

11. A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a
TVA worksheet. __________

12. Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. __________

13. The degree to which a current control can reduce risk is also subject to calculation error. __________

14. Risk identification, risk analysis, and risk evaluation are part of a single function known as risk
protection. __________

15. An evaluation of the threats to information assets, including a determination of their potential to endanger the
organization, is known as exploit assessment. __________

Indicate the answer choice that best completes the statement or answers the question.

16. Factors that affect the internal context and impact the RM process, its goals, and its objectives include the following
EXCEPT:
a. The organization’s governance structure
b. The organization’s culture
c. The maturity of the organization’s information security program
d. The threat environment—threats, known vulnerabilities, attack vectors

17. Which of the following attributes does NOT apply to software information assets?
a. serial number
b. controlling entity
c. manufacturer name
d. product dimensions

18. __________ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood,
impact, and possibly a measure of uncertainty.
a. information asset value weighted table analysis
b. risk ranking worksheet
c. threat severity weighted table analysis
d. TVA controls worksheet

19. Which of the following is NOT among the typical columns in the risk rating worksheet?
a. uncertainty percentage
b. impact
c. risk-rating factor
d. likelihood

20. Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset
identification using this attribute difficult?
a. part number
b. serial number
c. MAC address
d. IP address

21. The __________ converts the instructions and perspectives provided to the RM framework team into cohesive
guidance that structures and directs all subsequent risk management efforts.
a. risk management policy
b. enterprise information security policy
c. risk control implementation policy
d. risk management board directive

22. The Risk Management Framework includes all of the following EXCEPT:
a. executive governance and support
b. framework design
c. process contingency planning
d. continuous improvement

23. Which of these denotes the identification, analysis, evaluation, and treatment of risk to information assets?
a. RM framework
b. RM process
c. RM initiative
d. RM leadership

24. An estimate made by the manager using good judgment and experience can account for which factor of risk
assessment?
a. risk determination
b. assessing potential loss
c. likelihood and consequences
d. uncertainty

25. Which of the following is an attribute of a network device built into the network interface?
a. serial number
b. MAC address
c. IP address
d. model number

26. Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific
models of certain devices or software components?
a. name
b. MAC address
c. serial number
d. manufacturer’s model or part number

27. Which of the following activities is part of the risk identification process?
a. determining the likelihood that vulnerable systems will be attacked by specific threats
b. calculating the severity of risks to which assets are exposed in their current setting
c. assigning a value to each information asset
d. documenting and reporting the findings of risk analysis

28. Classification categories must be mutually exclusive and which of the following?
a. repeatable
b. documentable
c. comprehensive
d. selective

29. A well-defined risk appetite should have the following characteristics EXCEPT:
a. It is not limited by stakeholder expectations.
b. It acknowledges a willingness and capacity to take on risk.
c. It is documented as a formal risk appetite statement.
d. It is reflective of all key aspects of the business.

30. What is the final step in the risk identification process?
a. assessing values for information assets
b. classifying and categorizing assets
c. identifying and inventorying assets
d. ranking assets in order of importance

31. What is defined as specific avenues that threat agents can exploit to attack an information asset?
a. liabilities
b. defenses
c. vulnerabilities
d. obsolescence

32. Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating
the danger from possible threats, organizations often __________.
a. create a subjective ranking based on anticipated recovery costs
b. estimate cost from past experience
c. leave the value empty until later in the process
d. use a consultant to calculate an exact value

33. Factors that affect the external context and impact the RM process, its goals, and its objectives include the following
EXCEPT:
a. the organization's governance structure
b. the legal/regulatory/compliance environment—laws, regulations, industry standards
c. the business environment—customers, suppliers, competitors
d. the threat environment—threats, known vulnerabilities, attack vectors

34. The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can
successfully anticipate future events or outcomes, is known as __________.
a. impact
b. likelihood
c. uncertainty
d. tolerance

35. Once an information asset is identified, categorized, and classified, what must also be assigned to it?
a. asset tag
b. relative value
c. location ID
d. threat risk

36. Data classification schemes should categorize information assets based on which of the following?
a. value and uniqueness
b. sensitivity and security needs
c. cost and replacement value
d. ease of reproduction and fragility

37. What is the risk to information assets that remains even after current controls have been applied?
a. residual risk
b. risk appetite
c. risk tolerance
d. risk avoidance

38. Once the members of the RM framework team have been identified, the governance group should communicate all of
the following for the overall RM program EXCEPT:
a. its personnel structure
b. its desired outcomes
c. its priorities
d. its intent

39. The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect
security and unlimited accessibility is known as __________.
a. residual risk
b. risk appetite
c. risk acceptance
d. risk avoidance

40. The identification, analysis, and evaluation of risk in an organization describes which of the following?
a. risk assessment
b. risk determination
c. risk management
d. risk reduction

41. Which of the following is NOT a task performed by the governance group during the framework design phase, in
cooperation with the framework team?
a. ensuring compliance with all legal and regulatory statutes and mandates
b. guiding the development of, and formally approving, the RM policy
c. recommending performance measures for the RM effort and ensuring that they are compatible with other performance measures in the organization
d. specifying who will supervise and perform the RM process

42. Which of the following is not a role of managers within the communities of interest in controlling risk?
a. general management must structure the IT and InfoSec functions
b. IT management must serve the IT needs of the broader organization
c. legal management must develop corporate-wide standards
d. InfoSec management must lead the way with skill, professionalism, and flexibility

43. In the area of risk management, process communications is the necessary information flow within and between all of
the following EXCEPT:
a. the corporate change control officer
b. the governance group
c. the RM framework team
d. the RM process team during implementation

44. Which of these denotes the overall structure of the strategic planning and design for the entirety of the organization’s
RM efforts?
a. RM framework
b. RM process
c. RM initiative
d. RM leadership

45. What is the assessment of the amount of risk an organization is willing to accept for a particular information asset?
a. residual risk
b. risk appetite
c. risk tolerance
d. risk avoidance

46. What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the
organization be combined to create?
a. risk exposure report
b. threats-vulnerabilities-assets worksheet
c. costs-risks-prevention database
d. threat assessment catalog

47. Which of the following is an example of a technological obsolescence threat?
a. hardware equipment failure
b. unauthorized access
c. outdated servers
d. malware

48. The probability that a specific vulnerability within an organization will be attacked by a threat is known as
__________.
a. impact
b. likelihood
c. uncertainty
d. tolerance

49. What should you be armed with to adequately assess potential weaknesses in each information asset?
a. properly classified inventory
b. audited accounting spreadsheet
c. intellectual property assessment
d. list of known threats

50. Which of the following activities is part of the risk evaluation process?
a. creating an inventory of information assets
b. classifying and organizing information assets into meaningful groups
c. assigning a value to each information asset
d. calculating the severity of risks to which assets are exposed in their current setting

51. The organization can perform risk determination using certain risk elements, including all but which of the following?
a. legacy cost of recovery
b. impact (consequence)
c. likelihood of threat event (attack)
d. element of uncertainty

52. An understanding of the potential consequences of a successful attack on an information asset by a threat is known as __________.
a. impact
b. likelihood
c. uncertainty
d. tolerance

53. For an organization to manage its InfoSec risk properly, managers should understand how information is __________.
a. collected
b. processed
c. transmitted
d. all of these are needed

54. __________ is the risk assessment deliverable that places each information asset into a ranked list according to its
value based on criteria developed by the organization.
a. information asset value weighted table analysis
b. risk ranking worksheet
c. threat severity weighted table analysis
d. TVA controls worksheet

55. The risk assessment deliverable titled __________ serves to rank-order each threat to the organization’s information
assets according to criteria developed by the organization.
a. information asset value weighted table analysis
b. risk ranking worksheet
c. threat severity weighted table analysis
d. TVA controls worksheet

Enter the appropriate word(s) to complete the statement.

56. The assessment of the amount of risk an organization is willing to accept for a particular information asset is known as
risk __________.

57. The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect
security and unlimited availability is known as risk __________.

58. Classification categories must be __________ and mutually exclusive.

59. Risk __________ is an approach to combining risk identification, risk analysis, and risk evaluation into a single
strategy.

60. Risk __________ is the process of discovering and assessing the risks to an organization’s operations and determining
how those risks can be mitigated.

61. The recognition, enumeration, and documentation of risks to an organization’s information assets is known as risk
__________.

62. The evaluation and reaction to risk to the entire organization is known as __________.

63. As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted
__________ worksheet.

64. As each information asset is identified, categorized, and classified, a __________ value must also be assigned to it.

65. The document designed to regulate organizational efforts related to the identification, assessment, and treatment of
risk to information assets is known as the RM __________.

66. Assessing risks includes determining the __________ that vulnerable systems will be attacked by specific threats.

67. An evaluation of the threats to information assets, including a determination of their likelihood of occurrence and
potential impact of an attack, is known as threat __________.

a. risk management
b. risk assessment
c. classification categories
d. risk identification
e. field change order
f. threat assessment
g. risk appetite
h. qualitative assessment
i. residual risk
j. risk rating worksheet

68. Occurs when a manufacturer performs an upgrade to a hardware component at the customer’s premises.

69. The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.

70. The quantity and nature of risk that organizations are willing to accept.

71. Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.

72. An approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.

73. Remains even after the current control has been applied.

74. The recognition, enumeration, and documentation of risks to an organization’s information assets.

75. An evaluation of the dangers to information assets, including a determination of their potential to endanger the
organization.

76. An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.

77. Labels that must be comprehensive and mutually exclusive.

78. For the purposes of relative risk assessment, how is risk calculated?

79. What does it mean to "know the enemy" with respect to risk management?

80. Describe the use of an IP address when deciding which attributes to track for each information asset.

81. What strategic role do the InfoSec and IT communities play in risk management? Explain.

82. Why is threat identification so important in the process of risk management?

83. What are the included tasks in the identification of risks?

84. Briefly describe any three standard categories of information assets and their respective risk management components.

85. How should the initial inventory be used when classifying and categorizing assets?

Answer Key
1. False

2. True

3. False

4. True

5. False

6. False - likelihood

7. False - identification

8. False - InfoSec
False - information security

9. False - risk

10. False - classification

11. False - vulnerabilities

12. False - vulnerabilities

13. False - estimation

14. False - assessment

15. False - threat

16. d

17. d

18. b

19. a

20. d

21. a

22. c

23. b

24. d

25. b

26. d

27. c

28. c

29. a

30. d

31. c

32. a

33. a

34. c

35. b

36. b

37. a

38. a

39. b

40. a

41. d

42. c

43. a

44. a

45. c

46. b

47. c

48. b

49. a

50. d

51. a

52. a

53. d

54. a

55. c

56. tolerance

57. appetite

58. comprehensive

59. assessment

60. management

61. identification

62. enterprise risk management (ERM)
enterprise risk management
ERM

63. factor analysis
factor
table analysis
table

64. relative

65. policy

66. likelihood
probability

67. assessment

68. e

69. a

70. g

71. j

72. b

73. i

74. d

75. f

76. h

77. c

78. Risk equals likelihood of vulnerability occurrence multiplied by value (or impact), minus percentage risk already
controlled, plus an element of uncertainty.

79. Once an organization becomes aware of its weaknesses, managers can take up Sun Tzu’s second dictum: Know the
enemy. This means identifying, examining, and understanding the threats facing the organization’s information assets.
Managers must be fully prepared to identify those threats that pose risks to the organization and the security of its
information assets.

80. This attribute is useful for network devices and servers but rarely applies to software. You can, however, use a
relational database and track software instances on specific servers or networking devices. Many larger organizations use
the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed,
making the use of IP numbers as part of the asset-identification process very difficult.

81. InfoSec - Because members of the InfoSec community best understand the threats and attacks that introduce risk, they
often take a leadership role in addressing risk.
IT - This group must help to build secure systems and ensure their safe operation. For example, IT builds and operates
information systems that are mindful of operational risks and have proper controls implemented to reduce risk.

82. Any organization typically faces a wide variety of threats. If you assume that every threat can and will attack every
information asset, then the project scope becomes too complex. To make the process less unwieldy, each step in the threat
identification and vulnerability identification processes is managed separately and then coordinated at the end. At every
step, the manager is called on to exercise good judgment and draw on experience to make the process function smoothly.

83. Creating an inventory of information assets
Classifying and organizing those assets meaningfully
Assigning a value to each information asset
Identifying threats to the cataloged assets
Pinpointing vulnerable assets by tying specific threats to specific assets

84. - The people asset is divided into internal personnel (employees) and external personnel
(nonemployees). Insiders are further divided into those employees who hold trusted roles
and therefore have correspondingly greater authority and accountability and those regular
staff members who do not have any special privileges. Outsiders consist of other users who
have access to the organization’s information assets, some trusted and some untrusted.
- Procedures are assets because they are used to create value for the organization. They
are divided into (1) IT and business standard procedures and (2) IT and business-sensitive
procedures.
- The data asset includes information in all states: transmission, processing, and storage.
This is an expanded use of the term “data,” which is usually associated with databases,
not the full range of information used by modern organizations.
- Software is divided into applications, operating systems, and security components. Software
that provides security controls may fall into the operating systems or applications
category, but is differentiated by the fact that it is part of the InfoSec control environment
and must therefore be protected more thoroughly than other systems components.
- Hardware is divided into (1) the usual systems devices and their peripherals and (2) the
devices that are part of InfoSec control systems. The latter must be protected more
thoroughly than the former.
- Networking components include networking devices (such as firewalls, routers, and
switches) and the systems software within them, which is often the focal point of attacks. Successful attacks can continue
against systems connected to the networks.

85. The inventory should reflect the sensitivity and security priority assigned to each information
asset. A classification scheme should be developed (or reviewed, if already in place) that
categorizes these information assets based on their sensitivity and security needs.
