Chapter 9 assessment
1. A control/countermeasure will reduce or eliminate a threat or vulnerability.
2. Controls can be identified based on their function. The functions are preventive,
detective, and corrective.
5. The primary objectives of a control are to prevent, recover and detect.
6. An intrusion detection system is a detective type of control.
5. The three common methods of implementing controls are procedural, technical and
physical.
6. An access control is used to ensure that users have the rights and permissions they need
to perform their jobs and no more.
7. Logon identifiers help ensure that users cannot deny taking a specific action, such as
deleting a file; this is called nonrepudiation.
8. Audit trails should be used to ensure that users understand what they can and cannot do
on systems within the network.
9. Encryption can be used to ensure confidentiality of sensitive data.
10. Who, what, when and where details of an event should be logged in an audit log.
11. An organization wants to issue certificates for internal systems such as an internal web
server. A certificate authority will need to be installed to issue and manage certificates.
12. DRP is a procedural control.
13. PKI is a technical control.
14. CCTV is a physical control.
15. The web of trust does not have a centralized trust model.
Chapter 10 assessment
1. A business impact analysis is used to identify the impact on an organization if a risk
occurs.
2. MAO is not the minimal acceptable outage that a system or service can experience before
its mission is affected.
3. An organization wants to have an agreement with a vendor for an expected level of
performance for a service that includes ensuring that monetary penalties are assessed if
the minimum uptime requirements are not met. It should use an SLA.
4. Critical business functions would be used to identify mission-critical systems.
5. An organization can use logon banners, posters and emails to remind users of an AUP’s
content.
6. Organizations that violate GDPR rules may be fined $22 million or 41 percent of their
annual global turnover, whichever is greater.
7. Defense in depth helps reduce security gaps even if a security control fails.
8. An organization can be fined $25,000 for HIPAA-related mistakes.
9. If an organization is a federal agency, it is governed by FISMA.
10. If an organization's employees handle health-related information, it is governed by
HIPAA.
11. If an organization is registered with the Securities and Exchange Commission, it is
governed by SOX.
12. If an organization receives E-Rate funding, it is governed by CIPA.
13. A CBA has been performed on a prospective control. The CBA indicates the cost of the
control is about the same as the control’s projected benefits. It should identify ROI.
14. Loss before control – Loss after control is a valid formula used to identify the projected
benefits of a control.
15. A CBA can't be used to justify the purchase of a control.
Chapter 11
1. An in-place countermeasure is one that has been approved and has a date for
implementation.
2. A single risk can be mitigated by more than one countermeasure.
3. The formula for risk is Risk = Threat x Vulnerability.
4. An account management policy includes details on how to create accounts, details on
when accounts should be disabled, and the password policy.
5. A password policy includes the required password length.
6. The mitigation plan will include details on how and when to implement approved
countermeasures.
7. A countermeasure is being reviewed to be added to the mitigation plan. Initial purchase
cost, facility cost, installation cost and training cost should be considered.
8. Power and air conditioning are considered facility costs for the implementation of a
countermeasure.
9. One month is a reasonable amount of time for an account management policy to be
completed and approved.
10. A threat likelihood/impact matrix can be used to determine the priority of a
countermeasure.
11. Verifying risk elements should be done first when implementing a mitigation plan.
12. Two possible countermeasures are being evaluated to mitigate a risk, but management
wants to purchase only one. A CBA can be used to determine which countermeasure
provides the better cost benefit.
13. A cost-benefit analysis is being performed to determine whether a countermeasure should
be used. Projected benefit – cost of countermeasure should be applied.
14. Recommended countermeasures, the risk to be mitigated, costs and annual projected
benefits should be included in a cost-benefit analysis report.
15. NIST 800-63 does not provide guidance on risk management strategies and policies.
Chapter 12
1. The MAO (maximum acceptable outage) identifies maximum acceptable downtime
for a system.
2. Stakeholders can determine what functions are considered critical business functions.
3. The BIA is part of the business continuity plan (BCP).
4. Scope defines the boundaries of a business impact analysis.
5. Two objectives of BIA are identifying critical resources and identifying critical
business functions.
6. In developing a BIA, when calculating the cost to determine the impact of an outage
for a specific system, both the direct and indirect costs should be calculated.
7. In a BIA, the maximum amount of data loss an organization can accept is called the
recovery point objective.
8. Recovery time objective is the time required for a system to be recovered.
9. The RTO applies to any systems or functions whereas the RPO refers only to data
housed in databases.
10. In a BIA, loss of sales is a direct cost of the impact of an outage for a specific system.
11. A top-down approach, in which CBFs are examined first, is a type of approach that a BIA
uses.
12. Mission-critical business functions are considered vital to an organization. They are
derived from critical success factors.
13. In developing a BIA, the critical business functions should be mapped to IT systems.
14. Starting with clear objectives and using different data collection methods are
considered best practices related to a BIA.
15. A CBA is not an important part of a BIA.