1. Which formula is typically used to describe the components of
information security risks?
A) Risk = Likelihood X Vulnerability
B) Risk = Threat X Vulnerability
C) Risk = Threat X Likelihood
D) Risk = Vulnerability X Cost
Earl is preparing a risk register for his organization’s risk
management program. Which data element is LEAST likely to be
included in a risk register?
A) Description of the risk
C) Risk survey results
Alan is developing a business impact assessment for his
organization. He is working with business units to determine the
maximum allowable time to recover a particular function. What value
is Alan determining?
A) Recovery time objective (RTO)
B) Recovery point objective (RPO)
C) Business recovery requirements
D) Technical recovery requirement
Which one of the following is an example of a direct cost that
might result from a business disruption?
B) Lost market share
Tom is the IT manager for an organization that experienced a
server failure that affected a single business function. What type
of plan should guide the organization’s recovery effort?
A) Disaster recovery plan (DRP)
B) Business impact analysis (BIA)
C) Business continuity plan (BCP)
D) Service level agreement (SLA)
Dawn is selecting an alternative processing facility for her
organization’s primary data center. She would like to have a
facility that balances cost and switchover time. What would be the
best option in this situation?
Holly would like to run an annual major disaster recovery test
that is as thorough and realistic as possible. She also wants to
ensure that there is no disruption of activity at the primary site.
What option is best in this scenario?
B) Full interruption test
George is the risk manager for a U.S. federal government agency.
He is conducting a risk assessment for that agency’s IT risk. What
methodology is best suited for George’s use?
A) Risk Management Guide for Information Technology Systems (NIST
B) CCTA Risk Analysis and Management Method (CRAMM)
C) Operationally Critical Threat, Asset, and Vulnerability
D) ISO/IEC 27005, “Information Security Risk Management”
A hospital is planning to introduce a new point-of-sale system
in the cafeteria that will handle credit card transactions. Which
one of the following governs the privacy of information handled by
those point-of-sale terminals?
A) Health Insurance Portability and Accountability Act (HIPAA)
B) Payment Card Industry Data Security Standard (PCI DSS)
C) Federal Information Security Management Act (FISMA)
D) Federal Financial Institutions Examination Council (FFIEC)
What is NOT one of the three tenets of information security?
Which one of the following is an example of a logical access
A) Key for a lock
During which phase of the access control process does the system
answer the question, “What can the requestor access?”
Ed wants to make sure that his system is designed in a manner
that allows tracing actions to an individual. Which phase of access
control is Ed concerned about?
Risk can be represented by threat and vulnerability.
Thus, the correct option is B)
For risk management, the definition of the risk, its impact, and the
mitigation steps are the most important elements, so these factors
will be included in a risk register.
Thus, the correct option is C) Risk survey
The recovery time objective is the time within which a business or
functional unit recovers after a disaster. The RPO does not describe
the recovery period; it states for how long data might remain lost
before recovery. The other options describe requirements.
Thus, the correct option is A) Recovery time objective
Direct losses are monetized. Of all the options, lost market share
is the monetary loss.
Thus, the correct option is D) Facility
To develop strategies, a company always evaluates the
consequences of any interruption to critical business operations.
This evaluation is known as business impact analysis.
Thus, the correct option is B) Business impact
A hot site is an exact copy of the primary site that can be switched
over within a few hours after a disaster at minimal cost.
Thus, the correct option is A) Hot site.
In a full interruption test, the complete business is stopped for a
period of time. In a simulation test, some activities are stopped.
In a parallel test, testing and business activities can be carried
out at the same time.
Thus, the correct option is C) Parallel
NIST SP800-30 has been developed for risk assessment of federal
Thus, the correct answer is A) Risk Management Guide for
Information Technology Systems (NIST SP800-30).
The Payment Card Industry Data Security Standard is the organization
that controls cardholder data to reduce fraud.
Thus, the correct option is B) Payment Card Industry
Data Security Standard (PCI DSS).
The three tenets of information security are confidentiality,
availability, and integrity.
Thus, the correct option is C) Safety.
Logical access control is the mechanism that enables authorized
users to access a specific system. A password is an example of a
logical access control.
Thus, the correct option is B) Password.
Determining what authority a person has, i.e., which controls he or
she can access, is known as authorization.
Thus, the correct option is C)
Accountability means responsibility. It identifies who is responsible
for the actions that were taken.
Thus, the correct option is D).