CHAPTER SUMMARY
This chapter covered important elements of risk mitigation throughout an organization. Controls are implemented to mitigate risk by reducing the impact of threats or reducing vulnerabilities, and the effectiveness of the controls can be measured against those two requirements. They should be most effective at preventing risk for any critical business operations in an organization.
Legal compliance issues for IT have grown important in recent years. More laws and regulations apply, and the cost for noncompliance can be expensive. Therefore, taking the time to identify relevant laws and guidelines is important because regulations can have varying impacts on an organization and they should be considered when implementing supporting controls.
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
- A ________ is used to identify the impact on an organization if a risk occurs.
- MAO is the minimal acceptable outage that a system or service can experience before its mission is affected.
- True
- False
- An organization wants to have an agreement with a vendor for an expected level of performance for a service that includes ensuring that monetary penalties are assessed if the minimum uptime requirements are not met. What should you use?
- MAO
- BIA
- SLA
- IDS
- What would be used to identify mission-critical systems?
- Critical outage times
- Critical business functions
- PCI DSS review
- Disaster recovery plan
- What can an organization use to remind users of an AUP’s contents?
- Logon banners
- Posters
- Emails
- All of the above
- Organizations that violate GDPR rules may be fined ____________ or _______________ of their annual global turnover, whichever is greater.
- Which of the following strategies helps reduce security gaps even if a security control fails?
- Access control implementation
- Critical business factor analysis
- Defense in depth
- Business impact analysis
- How much can an organization be fined in a year for HIPAA-related mistakes?
- $100
- $1,000
- $25,000
- $250,000
- What determines whether an organization is governed by FISMA?
- Whether it is registered with the Securities and Exchange Commission
- Whether its employees handle health-related information
- Whether it receives E-Rate funding
- Whether it is a federal agency
- What determines whether an organization is governed by HIPAA?
- Whether it is registered with the Securities and Exchange Commission
- Whether its employees handle health-related information
- Whether it receives E-Rate funding
- Whether it is a federal agency
- What determines whether an organization is governed by SOX?
- Whether it is registered with the Securities and Exchange Commission
- Whether its employees handle health-related information
- Whether it receives E-Rate funding
- Whether it is a federal agency
- What determines whether an organization is governed by CIPA?
- Whether it is registered with the Securities and Exchange Commission
- Whether its employees handle health-related information
- Whether it receives E-Rate funding
- Whether it is a federal agency
- A CBA has been performed on a prospective control. The CBA indicates the cost of the control is about the same as the control’s projected benefits. What should be done?
- Identify the ROI
- Purchase the control
- Cancel the purchase of the control
- Redo the CBA
- Which of the following is a valid formula used to identify the projected benefits of a control?
- Loss after control − Loss before control
- Loss before control − Loss after control
- Cost of control + Losses
- Cost of control/12
- A CBA can be used to justify the purchase of a control.
- True
- False
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.