ISOL 533 Midterm 2 (2019)

IMPORTANT: AFTER PURCHASE, OPEN THIS PAGE AGAIN AND SCROLL DOWN BELOW TO DOWNLOAD FILES WITH ANSWERS.

1. What are the elements of the security triad?

2. Risk __________ is the practice of identifying, assessing, controlling, and mitigating risks.

3. Another term for risk mitigation is _______.

4. What is NOT a step in risk management?

5. Companies use risk management techniques to differentiate ___________ from _________?

6. Total risk = _______________

7. What is a major type of vulnerability for the user domain?

8. What are often the weakest links in IT security?

9. What is the area that is inside the firewall?

10. What is the primary reason to avoid risk?

11. What is one source of risk reduction?

12. What is NOT an example of unintentional threat?

13. __________ damage for the sake of doing damage, and they often choose targets of opportunity.

14. _________ are acts that are hostile to an organization.

15. A(n) __________ is a computer joined to a botnet.

16. What is the most commonly seen attack?

17. What can you control about threat/vulnerability pairs?

18. A _____________ policy governs how patches are understood, tested, and rolled out to systems and clients.

19. What is a security policy?

20. A teenager learning about computers and programming for the first time writes a simple program meant to disrupt the function of his sister’s computer. While she’s hanging out with friends at the mall, he enters his sister’s IP address, launches the program, and waits to see what will happen. The teenager is an example of a ___________.

21. What is a publicly traded company?

22. What are the seven COBIT enablers?

23. FERPA applies to all of the following, EXCEPT ______________.

24. What ensures that federal agencies protect their data and assigns specific responsibilities for federal agencies?

25. CIPA is ________________.

26. When a fiduciary does not exercise due diligence, it can be considered __________.

27. HIPAA requires that your insurance company sets standards for the protection of your data and the systems that handle that data’s ________________.

28. When your bank or credit card company sends you a notification of changes in how it collects or shares data, it is sending that notification in compliance with ________________.

29. What is NOT one of the three primary bureaus of the FTC?

30. When companies are expected to adhere to the laws that they are affected by, this is commonly known as _______________.

31. Choose the most accurate statement with respect to creating a risk management plan.

32. You are creating objectives for your risk management plan. What do you NOT include at this stage?

33. In a CBA, if the benefits of a control outweigh the costs of implementing that control, then the control can be implemented to reduce risk. However, if the cost outweighs the benefit, then ______________.

34. POAM stands for _________.

35. When a stakeholder’s involvement in a project helps that stakeholder have ownership of the project, the ownership is also known as a(n) ___________.

36. What are the four major categories of reporting requirements?

37. All of the following are steps involved in creating an affinity diagram, EXCEPT:

38. You use ________________ to communicate a risk and the resulting impact.

39. A(n) _____________ is a process used to determine how to manage risk.

40. After you collect data on risks and recommendations, you include that information in a report, and you give that report to management. Why do you do this?

41. _____________ is the likelihood that a threat will exploit a vulnerability.

42. What is the Delphi Method?

43. Qualitative RAs determine the level of risk based on the __________ and _________ of risk.

44. If you know an SLE is $100 and the associated ARO is 5 months, then what is the ALE?

45. What is NOT a benefit of a quantitative RA?

46. All of the following are major components of RAs, EXCEPT:

47. What does RAID stand for?

48. You run a bank and wish to update your physical security at each branch of your bank and to update the technological security of the bank’s private financial data. What is the best way to determine whether physical security or technological security has a higher priority of protection?

49. When should you perform a risk assessment?

50. ___________ is the negative result if the risk occurs.

51. The _____________ define(s) what the system does.

52. An exploit assessment is also known as a(n) ___________.

53. What is NOT something to consider when determining the value of an asset?

54. _____________ value is the cost to purchase a new asset.

55. What is NOT a way that you can determine the value of an asset?

56. What may occur if you do NOT include the scope of the RA when defining it?

57. How do you start a risk assessment?

58. A cold site is _________________.

59. All of the following are reasons why configuration management is an important risk management process, EXCEPT:

60. Threat ___________ is a process used to identify possible threats on a system.

61. A(n) _________ provides access to a private network over a public network such as the internet.

62. The two categories of IP are _______________ and _______________.

63. __________ refer(s) to when users or customers need a system or service.

64. How can you determine the importance of a system?

65. A failover cluster requires at least __________ node(s).

66. What is NOT a way that you can measure the value of a system when determining if the system requires five nines?

67. What is NOT one of the three primary types of business liability insurance?

68. What is NOT one of the words in the ETL acronym?

69. A ___________ plan can help ensure that mission-critical systems continue to function after a disaster.

70. Most organizations use __________ to track hardware assets.

71. Penetration testing is also known as ____________ testing.

72. A __________ grants the authority to perform an action on a system. A __________ grants access to a resource.

73. In a SQL injection attack, an attacker can _________________.

74. Primary considerations for assessing threats based on historical data in your local area are _______ and ________.

75. What are the seven domains of a typical IT infrastructure?

76. What are some of the best practices you can use when evaluating potential threats for each of the domains?

77. Why is system testing performed?

78. What is NOT a benefit of the tools commonly used to perform vulnerability scans?

79. Functionality testing is primarily used with ____________.

80. Ideally, when should you perform threat modeling?