CIS 502 Week 1 Chapter 6

Q: Which of the following methods are involved in performing process/policy review?
- Risk assessment and risk exchange
- Risk exchange and risk sharing
- Risk management and risk assessment
- Risk management and risk exchange

Q: Which of the following allocates subjective and intangible values to the loss of an asset?
- Business continuity planning
- Disaster recovery planning
- Qualitative risk analysis
- Quantitative risk analysis

Q: Which of the following are the main principles in all security programs?
- Disclosure, alteration, and distribution
- Disclosure, alteration, and availability
- Disclosure, integrity, and availability
- Confidentiality, integrity, and availability

Q: Which of the following is the qualitative method of risk analysis?
- Scenario analysis
- Internal loss method
- Business process modeling (BPM) and simulation
- Statistical process control (SPC)

Q: Which of the following security procedures is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat?
- Risk acceptance
- Risk management
- Risk assessment
- Risk identification

Q: Which of the following allocates subjective and intangible values to the loss of an asset?
- Business continuity planning
- Quantitative risk analysis
- Qualitative risk analysis
- Disaster recovery planning

Q: Which of the following is NOT a purpose of risk analysis?
- To assist the auditor to identify the risks and threats
- To ensure absolute safety during the audit
- To support risk-based audit decisions
- To assist the auditor to determine the audit objectives

Q: Which of the following statements is not true?
- Risks to an IT infrastructure are all computer based.
- The process by which the goals of risk management are achieved is known as risk analysis.
- IT security can provide protection only against logical or technical attacks.
- An asset is anything used in a business process or task.

Q: Which of the following statements most closely depicts the difference between qualitative risk analysis and quantitative risk analysis?
- A quantitative risk analysis doesn't use hard costs of losses; a qualitative risk analysis does.
- Less guesswork is used in a quantitative risk analysis.
- A quantitative risk analysis can't use a number of calculations.
- A qualitative risk analysis uses a number of complex calculations.

Q: Which of the following would generally not be considered an asset in a risk analysis?
- A development process
- Users' personal files
- A proprietary system resource
- An IT infrastructure

Q: Which of the following are NOT outlined in the employment agreement?
- Rules and restrictions of the organization
- Names of all employees in the organization
- Details of the job description, violations, and consequences
- Security policies

Q: Which of the following is a type of risk under separation of duties?
- Unauthorized transactions
- Incompatible responsibilities
- Maintaining unauthorized custody of assets
- Recording transactions

Q: Which of the following is the goal of risk mitigation?
- To define the acceptable level of risk the organization can tolerate and reduce risk to that level
- To analyze and remove all vulnerabilities and threats to security within the organization
- To analyze the effects of a business disruption and prepare the company's response
- To define the acceptable level of risk the organization can tolerate and assign any costs associated with loss or disruption to a third party

Q: Which of the following statements is true for qualitative risk assessment?
- Collecting data on each and every process for qualitative risk assessment is very easy
- SLE and ARO are needed for qualitative risk assessment
- Cost is generally significantly higher than the cost of quantitative analysis
- Cost is generally significantly lower than the cost of quantitative analysis

Q: Which of the following types of agreement creates a confidential relationship between the parties to protect any type of confidential and proprietary information or a trade secret?
- Non-price competition
- CNC
- NDA
- SLA

Q: Why is training required for new employees?
- To meet regulatory compliances
- To comply with all standards, guidelines, and procedures mandated by the security policy
- To improve the possibility for career advancement of the IT staff
- To improve awareness of the need to protect system resources

Q: Which of the following are used to ensure that organizations providing services to internal and/or external customers maintain an appropriate level of service agreed upon by both the service provider and the vendor?
- Underpinning Contract
- Configuration Management Database
- Operational Level Agreement
- Service Level Agreement

Q: Which of the following is the process of teaching employees to perform their work tasks and to agree with the security policy?
- Training
- Provisioning
- Awareness
- Logging

Q: Which of the following is a prerequisite to security training?
- Awareness
- Resolution
- Logging
- Provisioning

Q: Security awareness training, strong password policies, and robust pre-employment checks come under __________.
- Physical access controls
- Preventive administrative controls
- Technical controls
- Data access controls
Answers (1)
CIS 502 Week 1 Chapter 6 Quiz 100 Correct