Module 7: Asset and Risk Management Quiz Answers

Cybersecurity Essentials Module 7 Quiz Answers

Module 7: Asset and Risk Management Quiz Question Answers

1. An @Apollo employee has completed a six-month project to identify all data stores and catalog their location. The next step is to classify the data and produce some criteria for data sensitivity. What steps can be taken to classify the data? (Select two correct answers)

Identify data sensitivity
Treat all the data the same
Determine how often data is backed up
Establish the owner of the data
Determine permissions for the data
Determine the user of the data

Explanation: Categorizing data is a process of determining first who owns the data then determining the sensitivity of the data.

2. @Apollo hires a new security officer. One of the officer’s first projects is to take an inventory of the company assets and create a comprehensive database. What information should be captured in the asset database? (Select three correct answers)

Users
Operating systems
Workstations
Groups
Passwords
Hardware network devices

Explanation: Assets include all hardware devices and their operating systems.

3. An employee is asked to evaluate the security posture of @Apollo. They look at past attempts to break into the company and evaluates the threats and exposures to create a report, which also takes into consideration what is most important for @Apollo. What type of risk analysis are they performing?

Qualitative
Quantitative
Opinion
Exposure factor

4. You are asked to perform a risk analysis of an organization. You request the organization’s asset database that contains a list of all equipment along with its value to the organization. Which type of risk analysis could you perform based on this information?

Qualitative
Quantitative
Hardware
Exposure factor

Explanation: A qualitative or quantitative risk analysis is used to identify and prioritize threats to the organization.

5. What will an organization evaluate when performing a qualitative risk analysis? (Select two correct answers)

The annual rate of occurrence
The impact of a threat
The exposure factor
The likelihood of a threat
The replacement cost of the asset

Explanation: Qualitative risk analysis uses opinions and scenarios plotting the likelihood of a threat against its impact. For example, a server failure may be likely, but its impact may only be marginal.

6. Which of the following is used to calculate the threshold for evaluating the cost/benefit ratio of a given countermeasure?

7. @Apollo performs a risk analysis for its storage area network. The total asset value is $250,000. The team has identified drive failure as one threat event. The manufacturer’s data and company records provide the following data: EF = 5% and ARO = 2. What is the SLE?

$12,500
$25,000
$50,000
$100,000

8. You have implemented policies and procedures in your organization that deal with how sensitive information needs to be handled. What control type did you implement?

Administrative controls
Physical controls
Technical controls
Logical controls

Explanation: Administrative controls consist of procedures and policies that an organization puts into place when dealing with sensitive information. These controls determine how people act.

9. Matching. Select from lists and then submit.
Part of asset management is the understanding of an asset’s lifecycle. Put the five states of the asset lifecycle in the correct order.

1 – Procurement
2 – Deployment
3 – Utilization
4 – Maintenance
5 – Disposal

10. An organization takes responsible steps to eliminate risk. Some risks still exist, but the team implements multiple controls to prevent potential loss. What term best describes this practice?

Due care
Negligence avoidance
Due diligence
Risk mitigation

Explanation: Exercising due diligence involves taking reasonable steps to eliminate risk. Some risks still exist, but multiple controls are implemented to prevent potential loss.