Performing a risk assessment takes several specific steps. The first is a clear definition of the system to be assessed. Whenever possible, the management structure should be considered so that the resulting recommendations can be implemented easily.
Next, threats and vulnerabilities are identified; relevant threat/vulnerability pairs identify the actual risks. Then controls to mitigate these risks are evaluated. The recommended controls, along with a cost-benefit analysis (CBA), are presented to management for a decision. Finally, a plan of action and milestones (POAM) is used to track the approved recommendations.
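As an added worked example (not code from the textbook or its publisher), the steps in the summary above can be modelled end to end in Python: a defined system, threat/vulnerability pairs prioritised either quantitatively (ALE = SLE x ARO) or qualitatively (probability x impact), a cost-benefit analysis of candidate controls that also checks the control's operational impact, and a POAM listing the approved controls. Every asset, threat, vulnerability, cost and frequency figure is constructed for illustration, and the function and field names are this example's own.

```python
"""Added example (not from the textbook): a small model of the risk
assessment workflow.  Steps: define the system, pair threats with
vulnerabilities, prioritise the resulting risks, run a cost-benefit
analysis (CBA) of candidate controls, and record approved controls in a
plan of action and milestones (POAM).  All values are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A relevant threat/vulnerability pair against a defined asset."""
    asset: str
    threat: str
    vulnerability: str
    sle: float   # single loss expectancy: cost of one occurrence
    aro: float   # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard for one risk (hypothetical fields)."""
    name: str
    annual_cost: float
    aro_after: float          # estimated ARO once the control is in place
    operational_impact: str   # "low", "medium" or "high"


RANK = {"low": 1, "medium": 2, "high": 3}


def qualitative_score(probability: str, impact: str) -> int:
    """Qualitative prioritisation: rank probability and impact 1..3, multiply."""
    return RANK[probability] * RANK[impact]


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Quantitative prioritisation: highest ALE first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def cost_benefit(risk: Risk, control: Control) -> float:
    """CBA: annual loss avoided by the control minus its annual cost."""
    ale_after = risk.sle * control.aro_after
    return risk.ale - ale_after - control.annual_cost


def evaluate(risk: Risk, control: Control, max_impact: str = "medium") -> tuple[bool, str]:
    """Recommend a control only if it is cost-justified AND its operational
    impact is acceptable (a control that cripples the servers fails here
    even when the CBA looks good)."""
    if RANK[control.operational_impact] > RANK[max_impact]:
        return False, "operational impact too high"
    benefit = cost_benefit(risk, control)
    if benefit <= 0:
        return False, f"not cost-justified (net {benefit:,.0f}/yr)"
    return True, f"approved (net {benefit:,.0f}/yr)"


def build_poam(candidates: list[tuple[Risk, Control]], max_impact: str = "medium") -> list[dict]:
    """POAM entries for approved controls: what, for which risk, milestone, status."""
    poam = []
    for risk, control in candidates:
        approved, _reason = evaluate(risk, control, max_impact)
        if approved:
            poam.append({
                "control": control.name,
                "risk": f"{risk.threat} via {risk.vulnerability} on {risk.asset}",
                "milestone": "implement within 90 days",   # placeholder milestone
                "status": "open",
            })
    return poam


# Constructed system definition and threat/vulnerability pairs.
SYSTEM = "Customer order database: one DB server plus one web front end"
RISKS = [
    Risk("DB server", "ransomware", "unpatched OS", sle=50_000, aro=0.5),      # ALE 25,000
    Risk("DB server", "data theft", "weak passwords", sle=200_000, aro=0.1),   # ALE 20,000
    Risk("web front end", "denial of service", "no rate limiting", sle=5_000, aro=2.0),  # ALE 10,000
]
PATCHING = Control("patch management", annual_cost=8_000, aro_after=0.1, operational_impact="low")
TOKENS = Control("MFA hardware tokens", annual_cost=6_000, aro_after=0.02, operational_impact="low")
SCRUBBING = Control("DDoS scrubbing service", annual_cost=15_000, aro_after=0.2, operational_impact="low")
HEAVY_AGENT = Control("inline inspection agent", annual_cost=3_000, aro_after=0.05, operational_impact="high")
CANDIDATES = [(RISKS[0], PATCHING), (RISKS[0], HEAVY_AGENT), (RISKS[1], TOKENS), (RISKS[2], SCRUBBING)]

if __name__ == "__main__":
    print("System:", SYSTEM)
    for r in prioritize(RISKS):
        print(f"  ALE {r.ale:>9,.0f}  {r.threat} via {r.vulnerability} on {r.asset}")
    for risk, control in CANDIDATES:
        print(f"  {control.name:<24} -> {evaluate(risk, control)[1]}")
    print("POAM:", build_poam(CANDIDATES))
```

Running the script shows why the DDoS service is not recommended (its annual cost exceeds the loss it avoids) and why the inline agent is rejected despite a positive CBA: its operational impact was evaluated before purchase rather than after.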
A company is beginning a risk assessment for a system. Both the ____________ characteristics and the mission of the system should be defined in the early stages of the risk assessment.
Tactical
Strategic
Operational
Visionary
Which of the following should be identified during a risk assessment?
Assets
Threats
Vulnerabilities
Controls
All of the above
Of the following choices, which would be considered an asset?
Hardware
Software
Personnel
Data and information
All of the above
When defining the system for the risk assessment, what should be included?
Only the title of the system
The current configuration of the system
A list of possible attacks
A list of previous risk assessments
Which of the following is not included in a risk assessment?
Organizational mission
People
Nations
Risk management
None of the above
Which type of assessment can be performed to identify weaknesses in a system without exploiting the weaknesses?
Vulnerability assessment
Risk assessment
Exploit assessment
Penetration test
An acceptable use policy is an example of a(n) ________ control.
An organization requires users to log on with tokens. This is an example of a(n) ________ control.
Video cameras are used to monitor the entrance of secure areas of a building. This is an example of a(n) ________ control.
Which of the following should be matched with a control to mitigate a relevant risk?
Threats
Vulnerabilities
Threat/vulnerability pair
Residual risk
What does a qualitative risk assessment use to prioritize a risk?
Probability and impact
SLE, ARO, and ALE
Safeguard value
Cost-benefit analysis
What does a quantitative risk assessment use to prioritize a risk?
Probability and impact
SLE, ARO, and ALE
Safeguard value
Cost-benefit analysis
An organization purchased a control and installed it on several servers. This control is consuming too many server resources, and the servers can no longer function. What was not evaluated before the control was purchased?
The cost and time to implement the control
The operational impact of the control
The in-place and planned controls
The impact of the risk
What is included in a risk assessment that helps justify the cost of a control?
Probability and impact
ALE
CBA
POAM
What is created with a risk assessment to track the implementation of the controls?