Question 1 : Historically, a web server attached to the public Internet has a probability of being successfully attacked .90 in each year. To which of the following quantitative elements would this most likely relate?
a. EF
b. ARO
c. ALE
d. SLE
Question 2 : An organization that accepts credit card payments, would be expected to be compliant with which of the following laws or standards?
a. PCI-DSS
b. HIPAA
c. GLBA
d. FISMA
Question 3 : The act of taking advantage of a weakness within a system to gain unauthorized access is best described as a/an:
a. vulnerability
b. exploit
c. risk
d. threat
Question 4 : A risk handling technique in which the company chooses to do nothing about the risk, as the cost of implementing a contro would be more expensive than the impact if the risk were actualized is known as
a. Share or Transfer
b. Mitigation
c. Avoidance
d. Acceptance
Question 5 : Which of the following is not a U.S. Government risk management initiative or program?
a. ITIL
b. US-CERT
c. DHS' NCCIC
d. MITRE's CVE List
Question 6 : Under FISMA, how often are federal agencies expected to have an independent compliance audit to ensure that security controls are effectively managing risk?
a. Every three years
b. Never
c. Quarterly
d. Annually
Question 7 : Students at the University of the Cumberlands have some expectation of privacy afforded to them under which Federal Act?
a. SOX
b. CIPA
c. FERPA
d. FISMA
Question 8 : Which of the following NIST documents addresses how to effectively manage risk?
a. SP 800-55
b. SP 800-41
c. SP 800-53
d. SP 800-30
Question 9 : What are valid contents of a risk management plan?
a. Recommendations
b. Scope
c. Objectives
d. All of the above
e. POA&M
Question 10 : The amount of money that a negative event will cost us, each time that it occurs.
a. Annualized Rate of Occurrence (ARO)
b. Annual Loss Expectancy (ALE)
c. Single Loss Expectancy (SLE)
d. Exposure Factor (EF)
Question 11 : You are a very small company that sells healthcare insurance plans. You estimate that the breach of your customer database will cost you $100,000, and that this might happen once in 5 years. A vendor wants to sell you a Data Loss Prevention (DLP) solution that would cost $30,000 per year. Which of the following is the best course of action?
a. Spend $25,000 on cyber insurance to transfer the risk
b. Spend the $30,000 to mitigate the risk
c. Spend whatever it takes to ensure that this data is safe. Its sensitive data, after all!
d. Accept the risk
Question 12 : A type of redundant site that has all of the hardware, software, telecommunication lines, an data already configured and ready to go in the event of a disaster is known as a/an
a. warm site
b. alternate site
c. cold site
d. hot site
Question 13 : Implementing an Intrustion Detection System that allows you to watch for hackers in real-time is an example of
a. Risk monitoring
b. Vulnerabiity assessment
c. Risk assessment
d. Risk response
Question 14 : A tool used to find open ports on a system is
a. Nessus
b. Wireshark
c. John the Ripper
d. Nmap
Question 15 : A risk assessment that uses numerical values to assess the likelihood and impact of a threat to a system is a ____________ risk assessment
a. Quantitative
b. Qualitative
c. Objective
d. Subjective
Question 16 : A method that shows a list of project tasks that must be completed on time so that the project is not delayed.
a. Risk Management Plan
b. Milestone Plan Chart
c. Critical Path Chart
d. Gannt Chart
Question 17 : A document used to track the progress of remediating identified risk.
a. POA&M, or risk register
b. Risk Profile
c. Vulnerability Assessment
d. Risk Assessment
Question 18 : This Act applies to financial oganizations
a. Sabanes-Oxley (SOX)
b. FERPA
c. GLBA
d. FISMA
Question 19 : Which of the following is not considered a method by which we would harden a server againsts attacks?
a. Enable a firewall
b. Change default passwords
c. Reverse engineer a patch to look for vulnerabilities
d. Remove unused services
Question 20 : This Act applies to security and privacy expectations of healthcare organizations.
a. HIPAA
b. GLBA
c. FERPA
d. FISMA
Question 21 : A policy that has been implemented that requires two different individuals perform different functions. An example is with a Certificate Authority that issues digital certificates where one role can only identify-proof the person the requesting the certificate and issue a request, and a different person can actually issue the digital certificate.
a. Job Rotation
b. Need to Know
c. Separation of Duties
d. Acceptable Use
Question 22 : If a hacker hacks in to a bank and transfers money out of one account into his account, which of the following security services was the one that was principally violated?
a. Integrity
b. Confidentiality
c. Availability
d. Access Control
Question 23 : The area inside the firewall is considered to be the
a. Secured Domain
b. Workstation Domain
c. User Domain
d. LAN Domain
Question 24 : Which of the following is an example of an intangible asset?
a. Sales database
b. "Good will" or the branding that is associated with a well-liked product
c. Server hardware
d. Server software
Question 25 : The possibility that a negative event will occur is known as a/an:
a. threat
b. risk
c. vulnerablity
d. exploit
Question 26 : A weak password, or a firewall that has been improperly configured, is considered a/an:
a. vulnerability
b. threat
c. risk
d. exploit
Question 27 : Which of the following is not a source that would be used to assess an organziation's vulnerabilities?
a. System Logs
b. Prior events
c. Audits
d. Acutuary tables
Question 28 : Which of the following is the formula used to calculate the risk that remains after you apply controls?
a. Risk=Threat X Vulnerability
b. Residual Risk = Total Risk - Controls
c. ALE=SLExARO
d. Total Risk=Thrat X Vulnerability X Assest Value
Question 29 : Which of the following is not a fundamental component of an IT risk management plan?
a. Risk assessment
b. Risk reporting
c. Risk identification
d. Risk planning
Question 30 : You have a healthcare organization and would like medical personnel to be able to remotely log in to the network (the Remote Access Domain). Which of the following would be the best technique or tool that you would implement to help mitigate risk to this domain?
a. Implement automated server scanning
b. Implement Web content filters
c. Implement a VPN encrypted tunnel
d. Implement automatic account lockout after 3 failed attempts
Question 31 : Discuss one role that would participate in risk management and describe that one role's resposnibilities with respect to risk management.
Question 32 : In your own words, explain why it can be difficult to perform a quantitative risk assessment for a system. Do NOT copy in information or discuss what a quantitative risk assessment is. One, or two, short sentences is all that is required, or expected, for this answer.