
QUESTION 9

Discuss the difference between a qualitative risk assessment and a quantitative risk assessment. When would you recommend using a quantitative risk assessment over a qualitative risk assessment?

QUESTION 10 (1 point)

A document used to track the progress of remediating identified risk.

a. Risk Assessment
b. POA&M
c. Risk Profile
d. Vulnerability Assessment

QUESTION 11 (1 point)

If a hacker hacks into a hospital and changes a patient's blood type on his patient healthcare record, which of the following security services was the one that was principally violated?

a. Integrity
b. Authentication
c. Availability
d. Confidentiality

QUESTION 12 (1 point)

What are valid contents of a risk management plan?

a. Scope
b. POA&M
c. Objectives
d. Recommendations
e. All of the above

QUESTION 13 (1 point)

Which of the following is not a U.S. Government risk management initiative or program?

a. ITIL
b. DHS NCCIC
c. MITRE's CVE List
d. US-CERT

QUESTION 14 (1 point)

The possibility that a negative event will occur is known as a/an:

a. exploit
b. risk
c. threat
d. vulnerability

QUESTION 15 (1 point)

A weak password, or a firewall that has been improperly configured, is considered a/an:

a. threat
b. vulnerability
c. exploit
d. risk

QUESTION 16 (1 point)

You are a very small company that sells healthcare insurance plans. You estimate that a breach of your customer database will cost you $200,000, and that this might happen once in 5 years. A vendor wants to sell you a Data Loss Prevention (DLP) solution that would cost $50,000 per year. Which of the following is the best course of action?

a. Spend whatever it takes to ensure that this data is safe.
b. Accept the risk.
c. Spend the $50,000 to mitigate the risk.
d. Spend $25,000 on cyber insurance to transfer the risk.

QUESTION 17 (1 point)

NIST's Special Publication 800-30 describes what?

a. How to perform a risk assessment
b. A framework of good practices
c. Certification and accreditation practices
d. Maturity levels associated with CMMI

QUESTION 18 (1 point)

A risk handling technique in which the organization chooses to simply do nothing, as the cost of the risk being actualized is lower than the cost of the security control, is known as:

a. Acceptance
b. Avoidance
c. Mitigation
d. Transfer

QUESTION 19 (1 point)

Which of the following is an example of an intangible asset?

a. Server software
b. Sales database
c. Goodwill or the branding that is associated with a well-liked product
d. Server hardware

QUESTION 20 (1 point)

Which of the following is the formula used to calculate the risk that remains after you apply controls?

a. ALE = SLE x ARO
b. Risk = Threat x Vulnerability
c. Residual Risk = Total Risk - Controls
d. Total Risk = Threat x Vulnerability x Asset Value

QUESTION 21

A policy that has been implemented that requires that two different individuals perform different functions. An example is a Certificate Authority that issues digital certificates, where one role can only identity-proof the person requesting the certificate and issue a request, and a different person can actually issue the digital certificate.

a. Job Rotation
b. Need to Know
c. Acceptable Use
d. Separation of Duties
