Question

14. There are 4 risk response options, name them.

(3) 15. What is residual risk?

(2) 16. Define risk appetite.

(6) 17. Define PII.

(2) 18. Which is NOT a purpose of employee risk training?

They can develop a mitigation

They know how to recognize a risk

They know how to respond to a possible risk

All are purposes of a risk training program.

(2) 19. Which is NOT PII?

Driver's license number

Computer IP address

Social Security Number

Towson ID number

(2) 20. Which is not true about compliance?

A. Compliance means you must comply with applicable laws

B. You are expected to be aware of compliance regulations and their relevance

C. Ignorance of the laws is no excuse

D. A company can determine what they must comply with

(8) 21. We discussed multiple compliance regulations: FISMA, HIPAA, GLBA, SOX, FERPA.

Which is used to protect medical information? HIPAA

Which is used to protect student information?

T/F: GLBA is a subset of FISMA that TU must comply with.

Who is required to comply with FISMA?

(2) 22. Which is not true of the NIST Cyber security Risk Management Framework (CRMF)?

A. Cyber security is managed at multiple organizational levels

B. Security is integrated into the system development life cycle

C. Cyber security risks are identified on a quarterly basis

D. The first stage requires a system inventory to be developed

(4) 23. Risk mitigation starts with a strong asset inventory. Give 4 pieces of information that would be required in an asset inventory besides the system's name and acronym.

(2) 24. Which factor below is not considered when determining the mission criticality of a system?

A. Vital to an organization

B. If the system fails, the company cannot perform essential functions

C. Monetary loss

D. Legal and compliance requirements

(4) 25. Calculate the FIPS 199 system categorization for a Payroll system.

(2) 26. What is the acronym (or name) of the federal organization that writes all federal cyber security and Risk Management standards, guidelines, and special publications?

(2) 27. There are three types of information: Public, Proprietary and Private. Which one requires the most protection?

(3) 28. What is a security control? Why would you use one?

(2) 29. Where would you find the control for the policy and procedures for the Contingency Planning (CP) family?

(2) 30. What control family would you use if you wanted to make sure only the people that needed the information could see it?

(2) 31. What is the purpose of a system security plan?

(2) 32. Why is continuous monitoring important?
