1. What is the overall objective of an IT risk assessment?

a) To assist IT management in establishing a budget for countermeasures

b) To assist an organization in identifying risks and impacts

c) To convince the executive management on the importance of an Intrusion Detection System (IDF)

d) To determine which brand of firewall software to install on the CEO's laptop when traveling

2. Why is it difficult to conduct a quantitative risk assessment for an IT infrastructure ?

a) It is difficult to setup the rules in a firewall based on quantitative statistics and numbers

b) A quantitative analysis is subjective and is based on the opinions of experts which is time consuming to collect

c) A quantitative analysis requires IBM's SPSS statistical software which is $2500 per copy and is too expensive

d) Obtaining the correct information on liabilities and collecting accurate data cost elements is difficult and time consuming

3. What would be a valid reason to assign a "1 - CRITICAL" risk factor to a found vulnerability?

a) It was determined that the vulnerability could cause employees to open emails with a possible virus.

b) It was determined that the vulnerability could impact the time it would take to stock incoming parts in the warehouse.

c) It was determined that the vulnerability could be the greatest risk to the organization

d) It was determined that the vulnerability could close the factory for a couple of hours.

4. Three vulnerabilities were determined for an organization:

Employee Productivity

Compliance shortcomings

Vulnerability in protecting Intellectual Property

You are about to assign Risk factors "1" , "2" , and "3" to these vulnerabilities to present to management. How would you prioritize these risks ?

a) 1- Keeping Employee Productivity up is the most serious risk, then 2-Compliance, then 3- Intellectual Property

b) 1- Protecting Intellectual Property is the most serious risk, then 2-Employee Productivity, then 3- Compliance

c) 1-Compliance is the most serious risk, then 2-Intellectual Property, then 3-Employee Productivity

d) All three are equally important and should have equal rating factors.

5) A married man gets a new job in a company. After three months, he meets a younger woman in the finance department and they begin having an affair. The affair carries on openly in the workplace over the course of 6 months, then begins to sour when she discovers that he is already married. The relationship quickly changes to bickering and name-calling while at work. The woman eventually breaks off the relationship, quits her job, and sues the company for fostering a hostile work environment. True or False: Of the seven IT infrastructure domains, the USER domain was most at risk.

a) True

b) False

6) A young woman waits in a local deli to hear the coffee order come in by phone from the law firm close by. The law firm places the same order every morning. A delivery boy sets out to deliver the coffee but is met outside by the woman near the front of the firm's building. The woman smiles and claims she is one of the lawyers; she offers to bring the coffee upstairs for him and gives him a generous $10 tip. The boy shrugs, takes the money, gives her the coffee order, and heads back to the deli.

The woman enters the firm's lobby and tells the two security guards that she is the delivery girl from the deli and has the coffee order. She chats casually with one guard while she covertly peers over the shoulder of the 2nd guard and watches him enter the security codes to access the elevators on the lobby computer. The first guard takes the coffee and gives her a $2 tip. She gives them a big, friendly smile, says thank you, waves goodbye, and leaves the building.

10 days later she returns to the law firm at night, breaks into the building, accesses the elevators using the lobby computer, and breaks into the offices upstairs to steal vital case information.

Which domain was exploited by the woman perpetrator ?

a) The LAN domain

b) The User domain and the Remote Access domain

c) The Workstation domain

d) The System/Application domain

7) A pharmaceutical sales person has a route of doctor's offices that he visits to see if they need to replenish any of the drug supplies in the offices. He carries with him a tablet with a cellular data plan from which he can place orders. The transactions are processed in real-time via secure browser over the Internet to access the sales-order entry system. Which of the seven domains would have the primary focus of secure communications?

a) The User domain and Systems/Application domain

b) The WAN domain and the Systems/Application domain

c) The LAN-to-WAN doman

d) The Remote Access domain

8) Which of the threats below is primarily a risk to the Systems/Application domain ?

a) A fire destroys the primary data center

b) There is a major network outage

c) A hacker accesses the internal network from a public Internet cafe.

d) None of the above

9) Which of the following is NOT a LAN-to-WAN domain risk ?

a) VPN tunnel hardware is obsolete and needs upgrading to modern security levels

b) Weak ingress & egress traffic filtering between the internal network and the Internet

c) DDoS attack on DMZ and email server

d) Unauthorized access to business-owned workstations

10) Loss of production data is a Workstation domain risk.

a) True

b) False

11) Network performance that is slowed down by excessive Internet traffic is a top-level (1-rating) critical business risk ?

a) True

b) False