

Risk Management in Information Systems Practice Exam
Course Introduction
This course provides a comprehensive overview of risk management principles and practices specific to information systems. Students will explore frameworks for identifying, assessing, and mitigating risks that threaten the confidentiality, integrity, and availability of information assets. The curriculum covers methodologies such as risk assessment, risk analysis, and risk treatment, with emphasis on aligning IT risk management strategies with organizational objectives and regulatory requirements. Key topics include threat modeling, vulnerability assessment, security controls selection, risk monitoring, and incident response planning, preparing students to develop, implement, and maintain robust risk management programs within modern information systems environments.
Recommended Textbook
Principles of Information Security 5th Edition by Michael E. Whitman
Available Study Resources on Quizplus 12 Chapters
696 Verified Questions
696 Flashcards
Source URL: https://quizplus.com/study-set/2374

Chapter 1: Introduction to the Management of Information Security
Available Study Resources on Quizplus for this Chapter
63 Verified Questions
63 Flashcards
Source URL: https://quizplus.com/quiz/47110
Sample Questions
Q1) Which of the following is the first step in the problem-solving process?
A) Analyze and compare the possible solutions
B) Develop possible solutions
C) Recognize and define the problem
D) Select, implement and evaluate a solution
Answer: C
Q2) When voltage levels <U>lag</U> (experience a momentary increase), the extra voltage can severely damage or destroy equipment. _________________________
A) True
B) False
Answer: False
Q3) A short-term interruption in electrical power availability is known as a ____.
A) fault
B) brownout
C) blackout
D) lag
Answer: A
Q4) A(n) ____________________ is a potential weakness in an asset or its defensive control(s).
Answer: vulnerability
To view all questions and flashcards with answers, click on the resource link above.

Chapter 2: Compliance: Law and Ethics
Available Study Resources on Quizplus for this Chapter
50 Verified Questions
50 Flashcards
Source URL: https://quizplus.com/quiz/47111
Sample Questions
Q1) <U>Deterrence</U> is the best method for preventing an illegal or unethical activity. ____________
A) True
B) False
Answer: True
Q2) Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
A) The Electronic Communications Privacy Act of 1986
B) The Telecommunications Deregulation and Competition Act of 1996
C) National Information Infrastructure Protection Act of 1996
D) Federal Privacy Act of 1974
Answer: A
Q3) ___________________ is a subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury.
Answer: tort law
Q4) Ethics carry the sanction of a governing authority.
A) True
B) False
Answer: False
To view all questions and flashcards with answers, click on the resource link above.

Chapter 3: Governance and Strategic Planning for Security
Available Study Resources on Quizplus for this Chapter
52 Verified Questions
52 Flashcards
Source URL: https://quizplus.com/quiz/47112
Sample Questions
Q1) In which model of the SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?
A) modular continuous
B) elementary cyclical
C) time-boxed circular
D) traditional waterfall
Answer: D
Q2) Which of the following is a key advantage of the bottom-up approach to security implementation?
A) strong upper-management support
B) a clear planning and implementation process
C) utilizes the technical expertise of the individual administrators
D) coordinated planning from upper management
Answer: C
Q3) _________ resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states.
Answer: Physical
To view all questions and flashcards with answers, click on the resource link above.

Chapter 4: Information Security Policy
Available Study Resources on Quizplus for this Chapter
56 Verified Questions
56 Flashcards
Source URL: https://quizplus.com/quiz/47113
Sample Questions
Q1) List the major components of the ISSP.
Q2) What are configuration rules? Provide examples.
Q3) A risk assessment is performed during which phase of the SecSDLC?
A) implementation
B) analysis
C) design
D) investigation
Q4) What is the final component of the design and implementation of effective policies? Describe this component.
Q5) The three types of information security policies include the enterprise information security policy, the issue-specific security policy, and the ____________________ security policy.
Q6) Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
A) Enterprise information security policy
B) User-specific security policies
C) Issue-specific security policies
D) System-specific security policies
Q7) How should a policy administrator facilitate policy reviews?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 5: Developing the Security Program
Available Study Resources on Quizplus for this Chapter
55 Verified Questions
55 Flashcards
Source URL: https://quizplus.com/quiz/47114
Sample Questions
Q1) Threats from insiders are more likely in a small organization than in a large one.
A) True
B) False
Q2) An organization's information security program refers to the entire set of activities, resources, personnel, and technologies used by an organization to manage the risks to the information _______ of the organization.
Q3) Which of the following is an advantage of the user support group form of training?
A) Usually conducted in an informal social setting
B) Formal training plan
C) Can be live, or can be archived and viewed at the trainee's convenience
D) Can be customized to the needs of the trainee
Q4) What are some of the variables that determine how a given organization chooses to construct its InfoSec program?
Q5) Most information security projects require a trained project <U>developer</U>. _________________________
A) True
B) False
To view all questions and flashcards with answers, click on the resource link above.

Chapter 6: Risk Management: Identifying and Assessing Risk
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/47115
Sample Questions
Q1) The <U>secretarial</U> community often takes on the leadership role in addressing risk. ____________
A) True
B) False
Q2) As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.
Q3) Describe the use of an IP address when deciding which attributes to track for each information asset.
Q4) Which of the following is an attribute of a network device that is physically tied to the network interface?
A) Serial number
B) MAC address
C) IP address
D) Model number
Q5) An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as <U>exploit</U> assessment. ____________
A) True
B) False
To view all questions and flashcards with answers, click on the resource link above.

Chapter 7: Risk Management: Controlling Risk
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/47116
Sample Questions
Q1) Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as cost-benefit <U>analysis</U> (CBA). ____________
A) True
B) False
Q2) Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.
A) True
B) False
Q3) The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
A) risk assessment
B) risk treatment
C) risk communication
D) risk determination
Q4) What are the four phases of the Microsoft risk management strategy?
Q5) Discuss three alternatives to feasibility analysis.
Q6) Describe operational feasibility.
To view all questions and flashcards with answers, click on the resource link above.

Chapter 8: Security Management Models
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/47117
Sample Questions
Q1) Which piece of the Trusted Computing Base's security system manages access controls?
A) trusted computing base
B) reference monitor
C) covert channel
D) verification module
Q2) A TCSEC-defined covert channel, which transmits information by managing the relative timing of events.
A) blueprint
B) DAC
C) content-dependent access controls
D) rule-based access controls
E) separation of duties
F) sensitivity levels
G) storage channels
H) task-based controls
I) timing channels
J) TCB
Q3) Under what circumstances should access controls be centralized vs. decentralized?
Q4) Access controls are built on three key principles. List and briefly define them.
To view all questions and flashcards with answers, click on the resource link above.

Chapter 9: Security Management Practices
Available Study Resources on Quizplus for this Chapter
59 Verified Questions
59 Flashcards
Source URL: https://quizplus.com/quiz/47118
Sample Questions
Q1) A goal of 100 percent employee InfoSec training as an objective for the training program is an example of a performance __________.
Q2) An assessment of the performance of some action or process against which future performance is assessed.
A) accreditation
B) baseline
C) benchmarking
D) certification
E) due diligence
F) best security practices
G) recommended business practices
H) standard of due care
I) performance measurements
J) NIST SP 800-37
Q3) Data or the trends in data that may indicate the effectiveness of security countermeasures or controls (technical and managerial) implemented in the organization are known as <U>program</U> measurements. ____________
A) True
B) False
To view all questions and flashcards with answers, click on the resource link above.

Chapter 10: Planning for Contingencies
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/47119
Sample Questions
Q1) A(n) <U>wrap-up</U> review is a detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery. ____________
A) True
B) False
Q2) Using standard digital forensics methodology, the first step is to analyze the EM data without risking modification or unauthorized access.
A) True
B) False
Q3) The ____________________ plan is a detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets.
Q4) The four components of contingency planning are the ____________________, the incident response plan, the disaster recovery plan, and the business continuity plan.
Q5) When dealing with an incident, the incident response team must conduct a(n) ____________________, which entails a detailed examination of the events that occurred from first detection to final recovery.
Q6) What are the major components of contingency planning?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 11: Personnel and Security
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/47120
Sample Questions
Q1) A security ____________________ is the typical information security entry-level position.
Q2) Accountable for the day-to-day operation of all or part of the InfoSec program and assigned objectives identified by the CISO
A) definers
B) builders
C) security manager
D) security technician
E) systems programmer
F) ethics officer
G) CISSP
H) SSCP
I) SANS
J) CCE
Q3) Which of the following is NOT a task that must be performed if an employee is terminated?
A) Former employee must return all media
B) Former employee's home computer must be audited
C) Former employee's office computer must be secured
D) Former employee should be escorted from the premises
To view all questions and flashcards with answers, click on the resource link above.

Chapter 12: Protection Mechanisms
Available Study Resources on Quizplus for this Chapter
61 Verified Questions
61 Flashcards
Source URL: https://quizplus.com/quiz/47121
Sample Questions
Q1) Describe and provide an example for each of the types of authentication mechanisms.
Q2) What is most commonly used for the goal of nonrepudiation in cryptography?
A) Block cipher
B) Secret key
C) PKI
D) Digital signature
Q3) An integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely through the use of digital certificates.
A) VPN
B) transport mode
C) SSL
D) PKI
E) digital certificate
F) asymmetric encryption
G) Vernam cipher
H) transposition cipher
I) content filter
J) footprinting
To view all questions and flashcards with answers, click on the resource link above.