Which of the following is not a common type of contingency plan?
A. Business impact
B. Incident response
C. Disaster recovery
D. Business continuity
A. Business impact
Which of the following is not a risk management technique?
A. Avoidance
B. Mitigation
C. Elimination
D. Acceptance
C. Elimination
Which of the following is a type of risk assessment that uses scenarios and ratings systems to calculate risk and potential harm?
A. Continuous
B. Quantitative
C. Probability-based
D. Qualitative
D. Qualitative
You are analyzing a risk to an asset valued at $500,000. You have determined that the exposure factor is 25 percent. What is the single loss expectancy (SLE)?
$125,000
You are analyzing a risk. You have determined that the single loss expectancy (SLE) is $1,800 and the annual rate of occurrence (ARO) is 6. What is the annualized loss expectancy (ALE)?
$10,800 (ALE = SLE × ARO = $1,800 × 6)
What do you compare in a risk level matrix when evaluating the elements of a risk?
Threat likelihood and impact
What type of risk assessment uses monetary values to assess a risk?
Quantitative
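The two calculations above (SLE = AV × EF, ALE = SLE × ARO) and the likelihood-versus-impact risk level matrix, carried through in code as an added example that is not part of the original quiz page. The `Risk` class, the `control_value` cost-benefit helper, the 3×3 matrix ratings and all asset values, exposure factors, occurrence rates and control costs are constructed for illustration and are not figures from the page.

```python
"""Worked risk-analysis calculations: quantitative SLE/ALE with a control
cost-benefit check, plus a qualitative likelihood x impact risk level matrix.

Added example, not part of the original quiz page. Every numeric input below
(asset values, exposure factors, AROs, control costs) and the matrix ratings
are constructed illustrative values.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV: monetary value of the asset
    exposure_factor: float   # EF: fraction of AV lost per realized event (0..1)
    aro: float               # ARO: expected number of occurrences per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, the loss from one realized event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the expected loss per year from this risk."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def risk_ale(risk: Risk) -> float:
    return annualized_loss_expectancy(
        single_loss_expectancy(risk.asset_value, risk.exposure_factor), risk.aro)


def control_value(risk: Risk, annual_control_cost: float,
                  aro_after: float, ef_after: Optional[float] = None) -> float:
    """Annual net value of a control = ALE_before - ALE_after - control cost.

    A positive result means the control saves more than it costs each year.
    A control may cut how often the risk is realized (aro_after), how much is
    lost when it is (ef_after), or both. Constructed helper, not from the page.
    """
    ef = risk.exposure_factor if ef_after is None else ef_after
    ale_before = risk_ale(risk)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(risk.asset_value, ef), aro_after)
    return ale_before - ale_after - annual_control_cost


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Quantitative review: highest ALE first, the risks the team examines to recommend controls."""
    return sorted(risks, key=risk_ale, reverse=True)


# Qualitative side: a 3x3 risk level matrix comparing threat likelihood and impact.
LEVELS = ("low", "medium", "high")
RISK_MATRIX = {
    # (likelihood, impact) -> risk level; constructed ratings for illustration
    ("low", "low"): "low",      ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",   ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",  ("high", "medium"): "high",     ("high", "high"): "high",
}


def qualitative_risk_level(likelihood: str, impact: str) -> str:
    """Look up the risk level for a (likelihood, impact) pair of ratings."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[(likelihood, impact)]


# Constructed sample register, not data from the page.
SAMPLE_RISKS = [
    Risk("laptop theft", asset_value=5_000, exposure_factor=1.0, aro=3),
    Risk("shared admin account on trade-secret database",
         asset_value=2_000_000, exposure_factor=0.4, aro=0.5),
    Risk("web server defacement", asset_value=100_000, exposure_factor=0.1, aro=2),
]

if __name__ == "__main__":
    # The quiz's own numbers: SLE on a $500,000 asset at EF 25%, then ALE at SLE $1,800 and ARO 6.
    print("SLE:", single_loss_expectancy(500_000, 0.25))
    print("ALE:", annualized_loss_expectancy(1_800, 6))
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name}: ALE ${risk_ale(r):,.0f}")
    # Per-admin accounts with MFA for the database: assumed $30,000/year, assumed ARO drops to 0.05.
    print("MFA control net value:", control_value(SAMPLE_RISKS[1], 30_000, aro_after=0.05))
    print("Qualitative (high likelihood, medium impact):", qualitative_risk_level("high", "medium"))
```

Ranking by ALE is what makes the quantitative method useful for spending decisions: a control is justified when its annual cost is below the ALE it removes, which the qualitative matrix cannot tell you, only that one risk rates "high" and another "medium".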
Which of the following is not true of risk management?
A. When risk is realized, it negatively affects an organization's profits.
B. Risk management helps an organization prioritize its information security practices according to the profitability of those practices.
C. Risk management makes sure that an organization spends its limited resources wisely and in ways that enhance business goals.
D. An organization uses risk management to plan and prioritize its information security activities.
B. Risk management helps an organization prioritize its information security practices according to the profitability of those practices.
A basic risk management plan includes which of the following?
A. Risk assessment, risk response, employee training, and continuous monitoring
B. Risk assessment, Sarbanes-Oxley Act (SOX) compliance review, tactical planning, and continuous monitoring
C. Risk assessment, risk response, personnel reviews, Federal Information Security Modernization Act (FISMA) compliance review
D. Risk assessment, risk response, tactical planning, regulatory compliance review
A. Risk assessment, risk response, employee training, and continuous monitoring
____________ includes identification of the threats and vulnerabilities to the organization's IT resources and determining the impact of those threats and vulnerabilities.
Risk assessment
An organization responds to risk according to which of the following?
A. Monitoring plan
B. Operations plan
C. Business strategy
D. Tactical plan
C. Business strategy
Why is continuous monitoring an important activity in risk management?
It helps staff determine whether controls can respond to technology changes.
Which of the following is true of a risk assessment team?
A. Team members must approach every risk assessment subjectively.
B. Although the team collects information about assets and risks, it should not be responsible for reporting results to executive management.
C. Team members should represent all areas involved in a business process workflow.
D. Team members should not work in the same area that is being reviewed as part of the assessment.
C. Team members should represent all areas involved in a business process workflow.
A risk assessment scope:
should be narrow
An organization has a database that holds information on its trade secrets. The database is critical to the organization's business. An internal review shows that system administrators share a single administrator account with a weak password to access the database. After discussing possible scenarios with IT security staff and gathering their opinions, the organization determines that a weak, shared password leaves the database vulnerable to attack. The organization decides to require its system administrators to use different accounts with multifactor authentication to access this critical resource. Which of the following best describes the activity that took place?
A. A qualitative risk analysis
B. A quantitative risk analysis
C. A disaster recovery plan analysis
D. An incident response plan analysis
A. A qualitative risk analysis
Which of the following is not typically included in an incident response plan?
A. Asset valuation
B. Investigation
C. Containment or mitigation
D. Recovery
A. Asset valuation
Which of the following is designed to help an organization continue to operate during and after a disruption?
A. Incident response plan
B. Business continuity plan
C. Disaster recovery plan
D. Risk mitigation plan
B. Business continuity plan
Which of the following is a backup site that contains some, but not all, of the equipment that an organization will need to continue operations in the event of a disaster?
A. Hot
B. Cold
C. Warm
D. Mirrored
C. Warm
When testing a disaster recovery plan, which test involves bringing backup sites online and using historical business data to test how those systems operate?
Parallel
There are several types of people involved in an incident. Which of the following is in charge of coordinating the response to a particular incident?
A. Victim
B. Incident reporter
C. Primary handler
D. Secondary handler
C. Primary handler
True or False? In risk analysis, annualized loss expectancy (ALE) is the amount of money that an organization will lose if a risk is realized.
False
True or False? In risk analysis, the annual rate of occurrence (ARO) is how many times a specific risk might occur during a one-year time frame.
True
True or False? Qualitative risk analysis does not require risk assessment team members to deduce the costs of assets, controls, and potential harm.
True
True or False? The problem with qualitative risk assessments is that the organization has no way to determine the amount of money to spend on controls.
True
True or False? Risk response is the set of actions taken by executive management to reduce risk to an acceptable level.
True
True or False? An organization must remove members from a risk assessment team if they are unable to be objective.
True
True or False? After a quantitative risk analysis, the risk team should review risks with high annualized loss expectancies (ALEs) and high annual rate of occurrences (AROs) to recommend controls.
True
True or False? A risk management project manager is not necessarily on the risk management team but helps the team meet its project goals and final deliverable.
True
True or False? Risk acceptance occurs when an organization takes no action against a potential risk.
True
True or False? There are currently no U.S. laws that require federal agencies and other organizations to engage in regular risk assessment and management activities.
False
True or False? Curious employees can pose a threat to security when there are no access controls for sensitive files stored on IT resources.
True
True or False? Depending on the methodology a risk assessment team uses, likelihood and potential loss can be stated as either a qualitative measure or a quantitative measure.
True
True or False? One negative aspect of qualitative risk assessments is that they are subjective and therefore cannot be used to make cost-benefit decisions.
True
True or False? Strategic plans help to limit the financial loss an organization might experience due to an adverse event and minimize the length of time that services and processes are interrupted.
False
True or False? An incident is any event that adversely impacts an organization's equipment, data, or other resources.
True
True or False? Incident triage, investigation, and containment are basic parts of a business continuity plan.
False
True or False? The first phase in incident response is containment, in which the potential incident is initially assessed.
False
True or False? "Incident response" is a reactive term that describes how an organization responds to an incident, whereas "incident handling" is a proactive term that describes how an organization manages an incident.
False
True or False? During a disaster, the amount of time an organization's critical processes and resources can be offline before the organization experiences irreparable harm is called the maximum tolerable downtime (MTD).
True
True or False? Under common law, a person has a duty to report any crime that he or she witnesses.
False