CHAPTER SUMMARY

Performing a risk assessment involves several specific steps. The first is a clear definition of the system to be assessed. Whenever possible, the organization's management structure should be taken into account so that the resulting recommendations are easy to implement.

Next, threats and vulnerabilities are identified; the relevant threat/vulnerability pairs identify the actual risks. Controls to mitigate these risks are then evaluated, and the resulting recommendations, together with a cost-benefit analysis (CBA), are presented to management for a decision. Finally, a plan of action and milestones (POAM) is used to track the approved recommendations.
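As an added illustration of the quantitative side of these steps (example code, not from the textbook), the following Python sketch matches constructed threat/vulnerability pairs with candidate controls, computes ALE from SLE and ARO, applies the cost-benefit check (safeguard value), and produces POAM entries marking which controls are justified. All asset names, control names and dollar figures are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One relevant threat/vulnerability pair against an asset."""
    asset: str
    threat: str
    vulnerability: str
    sle: float  # single loss expectancy: dollars lost per incident
    aro: float  # annualized rate of occurrence: incidents per year

    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro

@dataclass
class Control:
    """Candidate control: yearly cost and the ARO expected once it is in place."""
    name: str
    annual_cost: float
    residual_aro: float

def safeguard_value(risk: Risk, control: Control) -> float:
    """CBA for one risk/control match: ALE reduction minus yearly control cost."""
    residual_ale = risk.sle * control.residual_aro
    return (risk.ale() - residual_ale) - control.annual_cost

def build_poam(pairs):
    """POAM entries: a control is approved only when its CBA is positive."""
    poam = []
    for risk, control in pairs:
        value = safeguard_value(risk, control)
        poam.append({
            "risk": f"{risk.threat} / {risk.vulnerability} ({risk.asset})",
            "control": control.name,
            "net_annual_benefit": round(value, 2),
            "status": "approved" if value > 0 else "rejected",
        })
    return poam

# Constructed sample input: hypothetical figures, not from any real assessment.
PAIRS = [
    (Risk("customer database", "ransomware", "unpatched file server", 200_000, 0.5),
     Control("offline backups and patch cycle", 30_000, 0.125)),
    (Risk("web portal", "SQL injection", "unvalidated input", 50_000, 2.0),
     Control("managed WAF subscription", 120_000, 0.25)),
]
```

Running `build_poam(PAIRS)` approves the first control (ALE drops from $100,000 to $25,000 for a $30,000 yearly cost) and rejects the second, whose yearly cost exceeds the ALE it removes.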

KEY CONCEPTS AND TERMS

CHAPTER 6 ASSESSMENT

  1. A company is beginning a risk assessment for a system. Both the ____________ characteristics and the mission of the system should be defined in the early stages of the risk assessment.
    1. Tactical
    2. Strategic
    3. Operational
    4. Visionary
  2. Which of the following should be identified during a risk assessment?
    1. Assets
    2. Threats
    3. Vulnerabilities
    4. Controls
    5. All of the above
  3. Of the following choices, which would be considered an asset?
    1. Hardware
    2. Software
    3. Personnel
    4. Data and information
    5. All of the above
  4. When defining the system for the risk assessment, what should be included?
    1. Only the title of the system
    2. The current configuration of the system
    3. A list of possible attacks
    4. A list of previous risk assessments
  5. Which of the following is not included in a risk assessment?
    1. Organizational mission
    2. People
    3. Nations
    4. Risk management
    5. None of the above
  6. Which type of assessment can be performed to identify weaknesses in a system without exploiting the weaknesses?
    1. Vulnerability assessment
    2. Risk assessment
    3. Exploit assessment
    4. Penetration test
  7. An acceptable use policy is an example of a(n) ________ control.
  8. An organization requires users to log on with tokens. This is an example of a(n) ________ control.
  9. Video cameras are used to monitor the entrance of secure areas of a building. This is an example of a(n) ________ control.
  10. Which of the following should be matched with a control to mitigate a relevant risk?
    1. Threats
    2. Vulnerabilities
    3. Threat/vulnerability pair
    4. Residual risk
  11. What does a qualitative risk assessment use to prioritize a risk?
    1. Probability and impact
    2. SLE, ARO, and ALE
    3. Safeguard value
    4. Cost-benefit analysis
  12. What does a quantitative risk assessment use to prioritize a risk?
    1. Probability and impact
    2. SLE, ARO, and ALE
    3. Safeguard value
    4. Cost-benefit analysis
  13. An organization purchased a control and installed it on several servers. This control is consuming too many server resources, and the servers can no longer function. What was not evaluated before the control was purchased?
    1. The cost and time to implement the control
    2. The operational impact of the control
    3. The in-place and planned controls
    4. The impact of the risk
  14. What is included in a risk assessment that helps justify the cost of a control?
    1. Probability and impact
    2. ALE
    3. CBA
    4. POAM
  15. What is created with a risk assessment to track the implementation of the controls?
    1. CBA
    2. POAM
    3. ALE
    4. SLE