16.
A portion of the ______________ is the logical and practical investigation of business processes
and organizational policies. This process/policy review ensures that the stated and
implemented business tasks, systems, and methodologies are practical, efficient, cost-effective,
but most of all (at least in relation to security governance) that they support security
through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk.
- A. Hybrid assessment
- B. Risk aversion process
- C. Countermeasure selection
- D. Documentation review
Answer : [D]
Explanation :
A portion of the documentation review is the logical and practical investigation of business processes and organizational policies.
17.
Which of the following statements is not true?
- A. IT security can provide protection only against logical or technical attacks.
- B. The process by which the goals of risk management are achieved is known as risk analysis.
- C. Risks to an IT infrastructure are all computer based.
- D. An asset is anything used in a business process or task.
Answer : [C]
Explanation :
Risks to an IT infrastructure are not all computer based. In fact, many risks come from noncomputer sources (for example, natural disasters, physical theft, or human error). It is important to consider all possible risks when performing risk evaluation for an organization. A company that fails to properly evaluate and respond to all forms of risk remains vulnerable.
18.
Which of the following is not an element of the risk analysis process?
- A. Analyzing an environment for risks
- B. Creating a cost/benefit report for safeguards to present to upper management
- C. Selecting appropriate safeguards and implementing them
- D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage
Answer : [C]
Explanation :
Risk analysis includes analyzing an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management. Selecting safeguards is a task of upper management based on the results of risk analysis. It is a task that falls under risk management, but it is not part of the risk analysis process.
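The elements named in this explanation (likelihood of each threat event, cost of the resulting damage, cost of each countermeasure, and a cost/benefit report for management) are exactly what a quantitative risk analysis computes. The following is an added example, not taken from the quiz page, that carries one such analysis through for three threat events and three candidate safeguards. It assumes the standard quantitative formulas, which the page does not state: SLE = asset value x exposure factor, ALE = SLE x annualized rate of occurrence (ARO), and safeguard value = ALE before the safeguard - ALE after the safeguard - annual cost of the safeguard. All asset values, exposure factors, rates and costs are constructed sample figures, and the threat and safeguard names are hypothetical.

```python
"""Quantitative risk analysis worked example (added example, not from the page).

Assumed formulas (standard, but not stated on the quiz page):
    SLE = asset value * exposure factor
    ALE = SLE * ARO
    safeguard value = ALE_before - ALE_after - annual cost of safeguard
All figures below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatEvent:
    name: str
    asset_value: float      # value of the asset the threat event affects
    exposure_factor: float  # fraction of asset value lost per occurrence (0..1)
    aro: float              # expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    threat: str               # ThreatEvent.name this safeguard addresses
    annual_cost: float        # amortized purchase + yearly operating cost
    new_exposure_factor: float  # exposure factor once the safeguard is in place
    new_aro: float              # occurrence rate once the safeguard is in place


def sle(t: ThreatEvent) -> float:
    """Single loss expectancy: damage cost of one occurrence."""
    return t.asset_value * t.exposure_factor


def ale(t: ThreatEvent) -> float:
    """Annualized loss expectancy: likelihood times cost, per year."""
    return sle(t) * t.aro


def residual_ale(t: ThreatEvent, s: Safeguard) -> float:
    """ALE that remains if the safeguard is applied to the threat."""
    return t.asset_value * s.new_exposure_factor * s.new_aro


def safeguard_value(t: ThreatEvent, s: Safeguard) -> float:
    """Net annual value of the safeguard; negative means it costs more than it saves."""
    return ale(t) - residual_ale(t, s) - s.annual_cost


def cost_benefit_report(threats, safeguards):
    """Build the report rows for management, best net value first."""
    by_name = {t.name: t for t in threats}
    rows = []
    for s in safeguards:
        t = by_name[s.threat]  # KeyError here means a safeguard names an unanalyzed threat
        rows.append({
            "safeguard": s.name,
            "threat": t.name,
            "ale_before": ale(t),
            "ale_after": residual_ale(t, s),
            "annual_cost": s.annual_cost,
            "net_value": safeguard_value(t, s),
        })
    rows.sort(key=lambda r: r["net_value"], reverse=True)
    return rows


def cost_justified(rows):
    """Safeguards the analysis flags as paying for themselves.
    The analysis only flags them; choosing which to implement is management's decision."""
    return [r["safeguard"] for r in rows if r["net_value"] > 0]


# Constructed sample data (hypothetical threats, safeguards and figures).
THREATS = [
    ThreatEvent("ransomware on file server", asset_value=500_000, exposure_factor=0.4, aro=0.5),
    ThreatEvent("flood in server room", asset_value=2_000_000, exposure_factor=0.25, aro=0.02),
    ThreatEvent("laptop theft", asset_value=5_000, exposure_factor=1.0, aro=4),
]

SAFEGUARDS = [
    Safeguard("offline backups + EDR", "ransomware on file server", 30_000, 0.1, 0.25),
    Safeguard("flood barriers", "flood in server room", 15_000, 0.05, 0.02),
    Safeguard("full-disk encryption", "laptop theft", 4_000, 0.2, 4),
]


def main():
    for t in THREATS:
        print(f"{t.name:28s} SLE={sle(t):>12,.0f} ALE={ale(t):>12,.0f}")
    print()
    for r in cost_benefit_report(THREATS, SAFEGUARDS):
        print(f"{r['safeguard']:24s} before={r['ale_before']:>10,.0f} "
              f"after={r['ale_after']:>9,.0f} cost={r['annual_cost']:>8,.0f} "
              f"net={r['net_value']:>9,.0f}")
    print("\nCost-justified:", cost_justified(cost_benefit_report(THREATS, SAFEGUARDS)))


if __name__ == "__main__":
    main()
```

Note that the flood barrier row comes out with a negative net value: the safeguard would cut the residual loss sharply, but the threat's ALE is already small because of its low ARO, so the report shows management that the spend is not justified on these figures. That ordering, not the choice itself, is the analysis's output.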
19.
Which of the following would generally not be considered an asset in a risk analysis?
- A. A development process
- B. An IT infrastructure
- C. A proprietary system resource
- D. Users’ personal files
Answer : [D]
Explanation :
The personal files of users are not usually considered assets of the organization and thus are not considered in a risk analysis.
20.
Which of the following represents accidental or intentional exploitations of vulnerabilities?
- A. Threat events
- B. Risks
- C. Threat agents
- D. Breaches
Answer : [A]
Explanation :
Threat events are accidental or intentional exploitations of vulnerabilities.