122. b. Risk mitigation involves the selection and implementation of security controls to reduce risks to an acceptable level. Risk analysis is the same as risk assessment. Risk management includes both risk analysis and risk mitigation.

123. Which of the following is closely linked to risk acceptance?

a. Risk detection

b. Risk prevention

c. Risk tolerance

d. Risk correction

123. c. Risk tolerance is the level of risk an entity or a manager is willing to assume or accept to achieve a potential desired result. Some managers accept more risk than others do because of their personal affinity toward risk.

124. The amount of risk an organization can handle should be based on which of the following:

a. Technological level

b. Acceptable level

c. Affordable level

d. Measurable level

124. b. Often, losses cannot be measured in monetary terms alone, such as loss of customer confidence and loyalty. Risk should be handled at an acceptable level for an organization. Both affordable and technological levels vary with the type of organization (e.g., small, medium, or large size and technology dependent or not).

125. In terms of information systems security, a risk is defined as which of the following combinations?

a. Attack plus vulnerability

b. Threat plus attack

c. Threat plus vulnerability

d. Threat plus breach

125. c. Vulnerability is a weakness in security policy, procedure, personnel, management, administration, hardware, software, or facilities affecting security that may allow harm to an information system. The presence of a vulnerability does not in itself cause harm. It is a condition that may allow the information system to be harmed by an attack. A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction or modification of data or denial of service. An attack is an attempt to violate data security. A risk is the probability that a particular threat can exploit a particular vulnerability of a system. An exposure is an instance of vulnerability in which losses may result from the occurrence of one or more attacks. A countermeasure is any action, control, device, procedure, technique, or other measure that reduces the vulnerability of a system to a threat. A breach is the successful circumvention or disablement of a security control, with or without detection, which, if carried to completion, could result in a penetration of the system.

126. Risk management is made up of primary and secondary activities. Which of the following is an example of a secondary activity?

a. Risk analysis data

b. Risk assessment

c. Risk mitigation

d. Risk methodology

126. a. Risk management must often rely on speculation, best guesses, incomplete data, and many unproven assumptions. The risk-analysis data are another source of uncertainty and are an example of a secondary activity. Data for risk analysis normally come from two sources: statistical data and expert analysis. Both have shortcomings; for example, the statistical sample may be too small, or the expert analysis may be subjective because of the assumptions it rests on.

Risk assessment, the process of analyzing and interpreting risk, is composed of three basic activities: (i) determining the assessment’s scope and methodology, (ii) collecting and synthesizing data, and (iii) interpreting the risk. A risk assessment methodology should be a relatively simple process that could be adapted to various organizational units and involves a mix of individuals with knowledge of the business operations and technical aspects of the organization’s systems and security controls.

Risk mitigation involves the selection and implementation of cost-effective security controls to reduce risk to a level acceptable to management, within applicable constraints. Risk methodology is a part of risk assessment. It can be formal or informal, detailed or simplified, high or low level, quantitative (computationally based) or qualitative (based on descriptions or rankings), or a combination of these. No single method is best for all users and all environments. The other three choices are examples of primary activities.

127. From a risk management viewpoint, which of the following options is not acceptable?

a. Accept the risk

b. Assign the risk

c. Avoid the risk

d. Defer the risk

127. d. “Deferring risk” means either ignoring the risk at hand or postponing the issue until further consideration. If the decision to defer the risk is a calculated one, it is hoped that management had the necessary data.

“Accept the risk” is satisfactory when the exposure is small and the protection cost is high. “Assign the risk” is used when it costs less to assign the risk to someone else than to directly protect against it. “Avoid the risk” means placing necessary measures so that a security incident will not occur at all or so that a security event becomes less likely or costly.

128. What is an attacker's repeated use of multiple different attack vectors to generate opportunities called?

a. Adverse action

b. Advanced threat

c. Threat agent

d. Threat source

128. b. An advanced (persistent) threat is conducted by an adversary with sophisticated levels of expertise and significant resources, allowing it, through the use of multiple different attack vectors (e.g., cyber, physical, and deception), to generate opportunities to achieve its objectives. The advanced threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.

Adverse actions are actions performed by a threat agent on an asset. These actions influence one or more properties of an asset from which that asset derives its value. A threat consists of a threat agent, a targeted asset, and an adverse action of that threat agent on that asset. Threat agents are entities that can adversely act on assets. Examples of threat agents include hackers, users, computer processes, software development staff, and accidental/intentional errors. Threat agents and threat sources are the same concept: either an intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability.

129. What does a “deviation from an organization-wide approved security policy” mean?

a. Risk acceptance

b. Risk assignment

c. Risk reduction

d. Risk containment

129. a. To deviate from an organization-wide approved security policy, the business unit management needs to prepare a letter explaining the reason for the deviation and recognizing and accepting the related risk. Risk assignment is transferring risk to a third party. Risk reduction and risk containment deal with limiting risk by implementing controls.

130. When performing risk analysis, annual loss exposure is calculated as which of the following?

a. Impact multiplied by frequency of occurrence

b. Impact minus frequency of occurrence