5.4.2 Risk Management and Security Controls Quiz Answers

5.4.2 Risk Management and Security Controls Quiz. Cyber Threat Management Module 5 Quiz Answers

1. The CEO of a company is concerned that if a data breach should occur and customer data is exposed, the company could be sued. The CEO makes the decision to buy insurance for the company. What type of risk mitigation is the CEO implementing?

  • avoidance
  • transference
  • reduction
  • mitigation

Explanation: Buying insurance transfers the risk to a third party.

2. Which type of security control includes backup and restore operations, as well as fault-tolerant data storage?

  • deterrent
  • recovery
  • detection
  • compensative

Explanation: Recovery security controls restore resources, functions and capabilities back to a normal state after a violation of a security policy.

3. Based on the risk management process, what should the cybersecurity team do as the next step when a cybersecurity risk is identified?

  • Frame the risk.
  • Assess the risk.
  • Monitor the risk.
  • Respond to the risk.

Explanation: Risk management is a formal process that reduces the impact of threats and vulnerabilities. The process involves four general steps:

  • Frame the risk – Identify the threats throughout the organization that increase risk.
  • Assess the risk – Once a risk has been identified, it is assessed and analyzed to determine the severity that the threat poses.
  • Respond to the risk – Develop an action plan to reduce overall organization risk exposure. Management should rank and prioritize threats and a team determines how to respond to each threat.
  • Monitor the risk – Continuously review risk reductions due to elimination, mitigation and transfer actions.

4. Which two types of controls are effective after a violation of a security policy occurs? (Choose two.)

  • corrective
  • recovery
  • preventive
  • deterrent
  • compensative

Explanation: Organizations will implement corrective access controls after a system experiences a threat. Recovery security controls restore resources, functions and capabilities back to a normal state after a violation of a security policy.

5. Which statement describes a cybersecurity risk?

  • It is a weakness in information systems.
  • It is a threat which causes loss of assets.
  • It is the probability of loss due to a threat.
  • It is the damage incurred by an event which causes disruption of network services.

Explanation: Risk is the probability of loss due to a threat that damages information systems or organizational assets. Vulnerability is a weakness in information systems.

6. A warning banner that lists the negative outcomes of breaking company policy is displayed each time a computer user logs in to the machine. What type of access control is implemented?

  • masking
  • preventive
  • deterrent
  • detective

Explanation: Deterrents are implemented to discourage or mitigate an action or the behavior of a malicious person.

7. What is the first step in the risk management process that helps to reduce the impact of threats and vulnerabilities?

  • Frame the risk.
  • Assess the risk.
  • Monitor the risk.
  • Respond to the risk.

Explanation: Risk management is a formal process that reduces the impact of threats and vulnerabilities. The process involves four general steps:

  • Frame the risk – Identify the threats throughout the organization that increase risk.
  • Assess the risk – Once a risk has been identified, it is assessed and analyzed to determine the severity that the threat poses.
  • Respond to the risk – Develop an action plan to reduce overall organization risk exposure. Management should rank and prioritize threats and a team determines how to respond to each threat.
  • Monitor the risk – Continuously review risk reductions due to elimination, mitigation and transfer actions.

8. A public cloud service company provides data storage services to multiple customers. The company decides to purchase an insurance policy to cover the data loss due to natural disasters. Which risk management action level has the service company taken to manage the potential risk?

  • accept
  • transfer
  • mitigation
  • avoidance

Explanation: Risk management is the identification, evaluation, and prioritization of risks. Organizations manage risk in one of four ways:

  • Avoidance (Elimination) – Risk avoidance is the complete removal or elimination of risk from a specific threat.
  • Mitigation (Reduction) – Risk mitigation involves implementing controls that allow the organization to continue to perform an activity while using mechanisms to reduce the risk from a particular threat.
  • Transfer – Organizations can transfer risk from specific threats to a third party person or another organization.
  • Accept – Accepting risk involves the identification of the threats but not implementing mitigation processes based on a conscious decision.

9. A user is asked to perform a risk analysis of a company. The user asks for the company asset database that contains a list of all equipment. The user uses this information as part of a risk analysis. Which type of risk analysis could be performed?

  • exposure factor
  • hardware
  • quantitative
  • qualitative

Explanation: Physical items can be assigned a value for quantitative analysis.

10. Which access control should the IT department use to restore a system back to its normal state?

  • corrective
  • detective
  • preventive
  • compensative

Explanation: Access control prevents an unauthorized user from gaining access to sensitive data and networked systems. There are several technologies used to implement effective access control strategies.

11. A user is asked to evaluate the security posture of a company. The user looks at past attempts to break into the company and evaluates the threats and exposures to create a report. Which type of risk analysis could the user perform?

  • qualitative
  • objective
  • subjective
  • opinion

Explanation: Two approaches to risk analysis are quantitative and qualitative. Qualitative analysis is based on opinions and scenarios.
