“Accept the risk” is satisfactory when the exposure is small and the protection cost is high. “Assign the risk” is used when it costs less to assign the risk to someone else than to directly protect against it. “Avoid the risk” means placing necessary measures so that a security incident will not occur at all or so that a security event becomes less likely or costly.

128. What is an attacker that repeatedly uses multiple different attack vectors to generate opportunities called?

a. Adverse action

b. Advanced threat

c. Threat agent

d. Threat source

128. b. An advanced (persistent) threat is conducted by an adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception), to generate opportunities to achieve its objectives. The advanced threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.

Adverse actions are actions performed by a threat agent on an asset. These actions affect one or more properties of an asset from which that asset derives its value. A threat consists of a threat agent, a targeted asset, and an adverse action of that threat agent on that asset. Threat agents are entities that can adversely act on assets. Examples of threat agents include hackers, users, computer processes, software development staff, and accidental/intentional errors. Threat agents and threat sources are equivalent terms: both refer either to an intent and method targeted at the intentional exploitation of a vulnerability, or to a situation and method that may accidentally trigger a vulnerability.

129. What does a “deviation from an organization-wide approved security policy” mean?

a. Risk acceptance

b. Risk assignment

c. Risk reduction

d. Risk containment

129. a. To deviate from an organization-wide approved security policy, the business unit management needs to prepare a letter explaining the reason for the deviation and recognizing and accepting the related risk. Risk assignment is transferring risk to a third party. Risk reduction and risk containment deal with limiting risk by implementing controls.

130. When performing risk analysis, annual loss exposure is calculated as which of the following?

a. Impact multiplied by frequency of occurrence

b. Impact minus frequency of occurrence

c. Impact plus frequency of occurrence

d. Impact divided by frequency of occurrence

130. a. Quantitative means of expressing both potential impact and estimated frequency of occurrence are necessary to perform a risk analysis. The essential elements of a risk analysis are an assessment of the damage that can be caused by an unfavorable event and an estimate of how often such an event may happen in a period of time. Because the exact impact and frequency cannot be specified accurately, it is only possible to approximate the loss with an annual loss exposure, which is the product of the estimated impact in dollars and the estimated frequency of occurrence per year. The product of the impact and the frequency of occurrence would be the statement of loss.

131. A risk analysis provides management with all of the following except:

a. Accepting the occurrence of a harmful event

b. Reducing the impact of occurrence of a harmful event

c. Ranking critical applications

d. Recognizing that a potential for loss exists

131. c. A risk analysis provides senior management with information to base decisions on, such as whether it is best to accept or prevent the occurrence of a harmful event, to reduce the impact of such occurrences, or to simply recognize that a potential for loss exists.

The risk analysis should help managers compare the cost of the probable consequences to the cost of effective safeguards. Ranking critical applications comes after the risk analysis is completed. Critical applications are those without which the organization could not function. Proper attention should be given to ensure that critical applications and software are sufficiently protected against loss.
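The comparison described above (annual loss exposure from question 130 set against the cost of candidate safeguards, with the accept, reduce, or transfer decision that follows) can be worked through in code. The following Python is an added example and is not part of the original text; every dollar figure, frequency, and safeguard name in it is a constructed sample estimate, and the names `Threat`, `Safeguard`, `net_value`, and `recommend` are this example's own.

```python
# Added example: annual loss exposure (ALE) and safeguard comparison.
# Not from the original text; all dollar figures and frequencies below are
# constructed sample estimates, not real data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float          # estimated loss per occurrence, in dollars
    frequency: float       # estimated occurrences per year (may be fractional)

    def annual_loss_exposure(self) -> float:
        # ALE is the product of estimated impact and estimated annual frequency.
        return self.impact * self.frequency


@dataclass(frozen=True)
class Safeguard:
    name: str
    action: str              # "reduce" (internal control) or "transfer" (third party)
    annual_cost: float       # yearly cost of the safeguard, in dollars
    impact_factor: float     # fraction of the impact that remains with the safeguard in place
    frequency_factor: float  # fraction of the frequency that remains


def residual_ale(threat: Threat, safeguard: Safeguard) -> float:
    """ALE that remains after the safeguard is applied."""
    return (threat.impact * safeguard.impact_factor
            * threat.frequency * safeguard.frequency_factor)


def net_value(threat: Threat, safeguard: Safeguard) -> float:
    """Annual loss avoided by the safeguard minus what the safeguard costs per year."""
    return threat.annual_loss_exposure() - residual_ale(threat, safeguard) - safeguard.annual_cost


def recommend(threat: Threat, candidates: list) -> tuple:
    """Return (action, safeguard name): the best-paying safeguard, or accept the risk."""
    if not candidates:
        return ("accept", None)
    best = max(candidates, key=lambda s: net_value(threat, s))
    if net_value(threat, best) <= 0:
        # Exposure is smaller than the cost of any effective protection: accept the risk.
        return ("accept", None)
    return (best.action, best.name)


# Constructed sample scenarios (hypothetical figures chosen for illustration).
THREATS = {
    "ransomware": Threat("ransomware", impact=500_000, frequency=0.2),
    "web defacement": Threat("web defacement", impact=5_000, frequency=1.0),
    "data center fire": Threat("data center fire", impact=2_000_000, frequency=0.01),
}

CANDIDATES = {
    "ransomware": [
        Safeguard("offline backups", "reduce", 30_000, impact_factor=0.2, frequency_factor=1.0),
        Safeguard("endpoint detection", "reduce", 60_000, impact_factor=0.5, frequency_factor=0.5),
        Safeguard("cyber insurance", "transfer", 45_000, impact_factor=0.3, frequency_factor=1.0),
    ],
    "web defacement": [
        Safeguard("managed WAF", "reduce", 20_000, impact_factor=0.0, frequency_factor=1.0),
    ],
    "data center fire": [
        Safeguard("suppression upgrade", "reduce", 25_000, impact_factor=1.0, frequency_factor=0.2),
        Safeguard("property insurance", "transfer", 8_000, impact_factor=0.1, frequency_factor=1.0),
    ],
}


def analyze() -> dict:
    """Map each threat name to the recommended (action, safeguard) pair."""
    return {name: recommend(threat, CANDIDATES[name]) for name, threat in THREATS.items()}


if __name__ == "__main__":
    results = analyze()
    for name, threat in THREATS.items():
        print(f"{name}: ALE ${threat.annual_loss_exposure():,.0f} -> {results[name]}")
```

With these constructed figures the ransomware scenario (ALE $100,000) is best handled by reducing it with offline backups, the small web defacement exposure ($5,000 a year) is accepted because the only control costs more than the loss it prevents, and the rare but severe fire is transferred to an insurer because the premium is far below the cost of the physical control. The `impact_factor` and `frequency_factor` inputs are the estimates an analyst must supply; as the text notes, they are approximations, so the decision should be re-checked when an estimate changes by more than the margin between the candidates.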

132. Which of the following methods for handling risk involves a third party?

a. Accepting risk

b. Eliminating risk

c. Reducing risk

d. Transferring risk

132. d. Transferring risk involves an insurance company or another third party. The other three choices do not involve a third party; they are handled within the organization.
