
1. In which of the 7 IT domains is a database considered a major component of risk?

System/Application Domain

2. What are the risk management techniques? avoid, transfer, mitigate, or accept

3. What is a CBA? A cost-benefit analysis (CBA) is used to help determine which controls or countermeasures to implement. A CBA compares the business impact with the cost to implement a control.

4. What are the techniques for mitigating vulnerabilities?
- Alter the physical environment
- Change procedures
- Add fault tolerance
- Modify the technical environment
- Train employees

5. A DoS attack is a threat action affecting which IT domain? WAN Domain

6. To which type of organization do FERPA, Sarbanes-Oxley, HIPAA, and PCI apply?
- FERPA applies to all schools that receive any funding from the U.S. Department of Education.
- The Sarbanes-Oxley Act (SOX) applies to any company that is publicly traded.
- HIPAA applies to any organization that handles health information.
- The Payment Card Industry Data Security Standard (PCI DSS) is an international security standard. Its purpose is to enhance the security of credit card data.

7. To which of the following does FERPA apply?
- Any state or local educational agency
- Any institution of higher education
- Any community college
- Any school or agency offering a preschool program
- Any other education institution

8. Which of the standards contains eight principles specific to security? Control Objectives for Information and related Technology (COBIT)

9. Which of the standards gives detailed descriptions of IT practices and comprehensive checklists, tasks, and procedures that can be tailored by IT organizations to fit their needs? The International Organization for Standardization (ISO)

10. Which agency enforces the SOX? What is SOX? The SEC or Securities Exchange Commission

11. What are the steps in the risk control process?
- Identify threats and vulnerabilities
- Identify the likelihood that a risk will occur
- Identify asset values
- Determine the impact of a risk
- Determine the usefulness of a safeguard or control

12. What/who is responsible for planning, budgeting, and performance of information system security? A small organization may have a single IT section that is responsible for all IT systems and processes. A larger organization may have multiple IT sections or divisions, so various managers or management teams oversee different IT systems. User and computer management - This section performs the day-to-day management of the network and accounts. It may also include basic security measures.

13. Who must make trade-off decisions regarding system security? Management may determine that the CBA for a recommendation doesn't justify the cost. For another recommendation, they may decide they want to accept the risk.

14. Who develops appropriate training materials for risk management? Administrative Security Controls
- Awareness and training - Many organizations regularly take steps to raise the security awareness of personnel. This can be done through formal training, posters, and e-mails, for example.

15. What are the goals of an organization's risk management group? The practice of identifying, assessing, controlling, and mitigating risks.
- Risk assessment
- Identify risks to manage
- Selection of controls
- Implementation and testing of controls
- Evaluation of controls

16. What are the steps in a Risk Assessment (RA)?
- Identify threats and vulnerabilities
- Identify the likelihood that a risk will occur
- Identify asset values
- Determine the impact of a risk
- Determine the usefulness of a safeguard or control

17. Why is RA a good idea? The RA will help identify the most important systems to protect.

18. What are the types of RA?
- Quantitative - This is an objective method. It uses numbers such as actual dollar values.
- Qualitative - This is a subjective method. It uses relative values based on opinions from experts.

19. What are threats? A threat is any potential danger. The danger can be to the data, the hardware, or the systems.

20. What is scope? The scope identifies the boundaries of the plan. The boundaries could include the entire organization or a single system. Without defined boundaries, the plan can get out of control.

21. What are the techniques for identifying threats? There are two primary techniques you can use to identify threats. You can review historical data. You can also perform threat modeling.

22. What is administrative control? Administrative controls refer to the written documents an organization uses for security.

23. Audits are part of what type of assessment? Vulnerability Assessments

24. What are technical controls? Technical controls are software tools that automate protection.
- Logon identifier
- Session timeout
- System logs and audit trails
- Data range and reasonableness checks
- Firewalls and router tables
- Encryption
- Public key infrastructure

25. What are the types of risk mitigation security controls?

NIST SP 800-53, "Recommended Security Controls for Federal Information Systems and Organizations"

Implementation method COBIT - Control Objectives for Information and related Technology

26. Risk mitigation planning starts with? Start by identifying assets

27. Identifying the criticality of business operations is a step in what?
- Critical business operations
- Customer service delivery
- Mission-critical business systems, applications, and data access
- Seven domains of a typical IT infrastructure
- Information systems security gap

28. What document identifies an expected level of performance between organizations? A service level agreement (SLA) is a document that identifies an expected level of performance.

29. When reviewing R = T × V for any given scenario, and examining a previous employee (T) with a (V) of interactive accounts that are not deleted, what is an effective countermeasure?
- Account management policy
- Script to deactivate accounts
- Restrict access to employees only

30. Costs incurred in the reduction of risk often also include _____ costs.
- Initial purchase cost
- Facility costs
- Installation costs
- Training costs

31. In risk management, MAO stands for?
- Maximum acceptable outage (MAO) - The MAO identifies the maximum acceptable downtime for a system.
- Critical business functions (CBFs) - Any functions considered vital to an organization.
- Critical success factors (CSFs) - Any element necessary to perform the mission of an organization.

32. In a BIA, the loss of immediate sales and cash flow is an example of what? Direct Costs

33. What is the most important item when identifying recovery requirements? Recovery time objective (RTO) and recovery point objective (RPO).

34. Preliminary system information, system points of contact (POC), system resources, critical roles, and tables linking and identifying resources can all be found in a ________. Business Impact Analysis

35. How does a company meet its business continuity objectives?
- Identify critical business functions (CBFs)
- Identify critical processes supporting the CBFs
- Identify critical IT services supporting the CBFs, including any dependencies
- Determine acceptable downtimes for CBFs, processes, and IT services

36. What focuses on restoring and recovering IT functions? Disaster Recovery Plan (DRP)

37. What has a key objective to identify the CBFs as well as the critical processes supporting the CBFs? Business Impact Analysis (BIA)

38. What determines the acceptable downtimes for CBFs, processes, and IT service in BIA? Maximum Acceptable Outage (MAO).

39. Who is the person who usually manages multiple BCP projects within a large organization? BCP Program Manager (PM)

40. EMT, DAT, TRT team members work as what? BCP Team

41. Critical success factors for DRP plans are:
- Management support
- Knowledge and authority for DRP developers
- Identification of primary concerns, such as recovery time objectives and alternate location needs
- A disaster recovery budget

42. What is the primary purpose of DRP?
- Saving lives
- Ensuring business continuity
- Recovering after a disaster

43. Which of the following is required by DRP developers when creating the DRP?
- Knowledge of Disaster Recovery
- Knowledge of How the Organization Functions
- Authority

44. Which of the following is the best choice for site selection? A hot site

45. Which of the following is a drawback of a hot site? Hot sites are expensive to maintain.

46. Which of the following is referred to as an imminent threat of violation? A computer incident is a violation, or imminent threat of a violation, of a security policy or security practice.

47. The CIRT document mostly used by incident professionals to develop incident response is NIST SP 800-61. It uses the following models for teams: CIRT, Distributed Incident Response Teams (DIRT). What else of the following should be included in this list?
- Central incident response team
- Distributed incident response teams
- Coordinating team

48. In CIRT a forensics investigation has how many phases?
- Acquire the evidence
- Authenticate the evidence
- Analyze the evidence

49. How many phases are used in incident handling processes for CIRT that uses the NIST SP 800-61 standard?
- Preparation
- Detection and analysis
- Containment, eradication, and recovery
- Post-incident recovery

50. Which of the following features helps a CIRT plan to reduce risk? Eradicate the incident
