Jefferson ESL 63 – Which of the following is the formula

Question 1
Which of the following is the formula used to calculate the risk that remains after you apply controls?
a. Total Risk = Threat X Vulnerability X Asset Value
b. Residual Risk = Total Risk – Controls
c. ALE = SLE x ARO
d. Risk = Threat X Vulnerability

Question 2
A risk handling technique in which the organization chooses to simply do nothing, because the cost of the risk being actualized is lower than the cost of the security control, is known as
a. Mitigation
b. Acceptance
c. Avoidance
d. Transfer

Question 3
Which of the following is not a source that would be used to assess an organization's vulnerabilities?
a. Prior events
b. Actuary tables
c. System logs
d. Audits

Question 4
Historically, a web server attached to the public Internet has a probability of being successfully attacked of .90 in each year. To which of the following quantitative elements would this most likely relate?
a. EF
b. ARO
c. SLE
d. ALE

Question 5
A weak password, or a firewall that has been improperly configured, is considered a/an:
a. threat
b. risk
c. exploit
d. vulnerability

Question 6
Which of the following is not a U.S. Government risk management initiative or program?
a. DHS' NCCIC
b. MITRE's CVE List
c. ITIL
d. US-CERT

Question 7
What are valid contents of a risk management plan?
a. All of the above
b. Recommendations
c. Objectives
d. POA&M
e. Scope

Question 8
You are a very small company that sells healthcare insurance plans. You estimate that a breach of your customer database will cost you $200,000, and that this might happen once in 5 years. A vendor wants to sell you a Data Loss Prevention (DLP) solution that would cost $50,000 per year. Which of the following is the best course of action?
a. Spend whatever it takes to ensure that this data is safe.
b. Spend $25,000 on cyber insurance to transfer the risk
c. Spend the $50,000 to mitigate the risk
d. Accept the risk

Question 9
The possibility that a negative event will occur is known as a/an:
a. risk
b. vulnerability
c. exploit
d. threat

Question 10
Which of the following is an example of an intangible asset?
a. Sales database
b. Server software
c. "Good will" or the branding that is associated with a well-liked product
d. Server hardware

Question 11
The area inside the firewall is considered to be the
a. User Domain
b. Workstation Domain
c. Secured Domain
d. LAN Domain

Question 12
If a hacker breaks in to a hospital and changes a patient's blood type on his patient healthcare record, which of the following security services was the one that was principally violated?
a. Confidentiality
b. Authentication
c. Availability
d. Integrity

Question 13
A policy that has been implemented that requires two different individuals to perform different functions. An example is a Certificate Authority that issues digital certificates, where one role can only identity-proof the person requesting the certificate and issue a request, and a different person can actually issue the digital certificate.
a. Job Rotation
b. Separation of Duties
c. Acceptable Use
d. Need to Know

Question 14
NIST's Special Publication 800-30 describes what?
a. How to perform a risk assessment
b. Certification and accreditation practices
c. A framework of good practices
d. Maturity levels associated with CMMI

Question 15
This regulation applies to how institutions handle the privacy of your student records at the University.
a. FERPA
b. HIPAA
c. GLBA
d. CIPA

Question 16
This Act applies to security and privacy expectations of healthcare organizations.
a. HIPAA
b. FISMA
c. FERPA
d. GLBA

Question 17
Which of the following is not considered a method by which we would harden a server against attacks?
a. Change default passwords
b. Remove unused services
c. Reverse engineer a patch to look for vulnerabilities
d. Enable a firewall

Question 18
This Act applies to financial organizations.
a. GLBA
b. FISMA
c. Sarbanes-Oxley (SOX)
d. FERPA

Question 19
A document used to track the progress of remediating identified risk.
a. Risk Profile
b. Vulnerability Assessment
c. Risk Assessment
d. POA&M

Question 20
A method that shows a list of project tasks that must be completed on time so that the project is not delayed.
a. Critical Path Chart
b. Risk Management Plan
c. Gantt Chart
d. Milestone Plan Chart

Question 21
Discuss the difference between a qualitative risk assessment and a quantitative risk assessment. When would you recommend using a quantitative risk assessment over a qualitative risk assessment?