INMT441 Exam 3 Test Questions Complete Solutions

INMT441 Exam 3 Test Questions Complete Solutions When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being __________. - Answer -exploited The ISO 27005 Standard for Information Security Risk Management includes all but which of the following stages? a. risk assessment b. risk treatment c. risk communication d. risk determination - Answer -d. risk determination The ISO 27005 Standard for InfoSec Risk Management has a five-stage management methodology that includes risk treatment and risk communication. - Answer -true The risk treatment strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk treatment strategy. __________ - Answer -true The risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk treatment strategy, also known as the avoidance strategy. __________ - Answer -false Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? a. residual risk b. risk appetite c. risk assurance d. risk termination - Answer -b. risk appetite The risk treatment strategy that seeks to reduce the impact of a successful attack through the use of IR, DR, and BC plans is __________. - Answer -mitigation Explain two practical guidelines to follow in risk treatment strategy selection. - Answer - The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility - Answer -true To keep up with the competition, organizations must design and create a __________ environment in which business processes and procedures can function and evolve effectively. - Answer -secure NIST's Risk Management Framework follows a three-tiered approach, with most organizations working from the top down, focusing first on aspects that affect the entire organization, such as __________. a. governance b. information and information flows c. policy d. environment of operation - Answer -a. governance Describe operational feasibility. - Answer -an examination of how well a particular solution fits within the organization's culture and the extent to which users are expected to accept the solution The defense risk treatment strategy may be accomplished by outsourcing to other organizations. - Answer -false Application of training and education among other approach elements is a common method of which risk treatment strategy? a. mitigation b. defense c. acceptance d. transferal - Answer -b. defense In a cost-benefit analysis, the expected frequency of an attack expressed on a per-year basis is known as the annualized risk of likelihood. __________ - Answer -false Which of the following is NOT one of the methods noted for selecting the best risk management model? a. use the methodology most similar to what is currently in use b. study known approaches and adapt one to the specifics of the organization c. hire a consulting firm to provide a proprietary model d. hire a consulting firm to develop a proprietary model - Answer -a. use the methodology most similar to what is currently in use