1. Risk is defined as ---

2. What is the difference between cyber security risk and any other risk?

3. What is risk management?

4. The goal of any risk response is achieve a balance of ______________________vs___________________

5. A loss occurs with __________________

6. Explain a 4 by 5 probability and impact matrix

7. There are three pillars(key components) in Cyber security risk ; identify each pillar and define it

8. Define what a threat is and give one example

9. Which is not a component of risk management:

Identifying risks

Assessing risks

Eliminating risks

Prioritizing risks

10. Which is not an accurate statement

A. You can reduce the impact of a threat

B. You can reduce the potential for a threat to occur

C. Threats can be eliminated

D. Threats are always present

11. Define what vulnerability is and give one source of a vulnerability

12. Identify theft is not:

Deliberate use of someone else’s identity

Fraud

Electronically altering data

Used for financial gain

13. Which is not an example of an exploit mitigation

A. Version control

B. Strong patch management

C. Policies and procedures

D. Incident response

14. There are 4 risk response options, name them

15. What is residual risk?

6. Define risk appetite

17. Define PII

18. Which is NOT a purpose of employee risk training?

They can develop a mitigation

They know how to recognize a risk

They know how to respond to a possible risk

All are purposes of a risk training program.

19. Which is NOT PII?

Driver’s license number

Computer IP address

Social Security Number

Towson ID number

20. Which is not true about compliance?

A. Compliance means you must comply with applicable laws

B. You are expected to be aware of compliance regulations and their relevance

C. Ignorance of the laws is no excuse

D. A company can determine what they must comply with

21. We discussed multiple compliance regulations, FISMA, HIPPA, GLBA, SOX, FERPA

Which is used to protect medical information? HIPPA

Which is used to protect Student Information?

T/F GLBA is a subset of FISMA that TU must comply with.

Who is required to comply with FISMA?

22. Which is not true of the NIST Cyber security Risk Management framework (CRMF)

A. Cyber security is managed at multiple organizational levels

B. Security is integrated into the system development life cycle

C. Cyber security risks are identified on a quarterly basis

D. The First stage requires a system inventory to be developed

23. Risk mitigation starts with a strong asset inventory. Give 4 pieces of information would be required in an asset inventory besides the system’s name and acronym.

24. Which factor below is not considered when determining mission criticality of a system?

A. Vital or an organization

B. If system fails the company cannot perform essential functions

C. Monetary loss

D. Legal and compliance requirements

25. Calculate the FIPS 199 system categorization for a Payroll system

26. What is the acronym (or name) of the federal organization that writes all federal cyber security and Risk Management standards, guidelines, and special publications?

27. There are three types of information, Public, Proprietary and private, which one requires the most protection?

28. What is a security control? Why would you use one?

29. Where would you find the control for the policy and procedures for the Contingency Planning (CP)) family?

30. What control family would you use if you wanted to make sure only the people that needed the information could see it?

31. What is the purpose of a system security plan?

32. Why is continuous monitoring important?