What is the difference between cyber security risk and any


1. Risk is defined as ---

2. What is the difference between cyber security risk and any other risk?

3. What is risk management?

10. The goal of any risk response is to achieve a balance of ______________________ vs. ______________________

5. A loss occurs with __________________

6. Explain a 4 by 5 probability and impact matrix

7. There are three pillars (key components) in cyber security risk; identify each pillar and define it

8. Define what a threat is and give one example

9. Which is not a component of risk management:

A. Identifying risks

B. Assessing risks

C. Eliminating risks

D. Prioritizing risks

10. Which is not an accurate statement

A. You can reduce the impact of a threat

B. You can reduce the potential for a threat to occur

C. Threats can be eliminated

D. Threats are always present

11. Define what vulnerability is and give one source of a vulnerability

12. Identity theft is not:

A. Deliberate use of someone else’s identity

B. Fraud

C. Electronically altering data

D. Used for financial gain

13. Which is not an example of an exploit mitigation

A. Version control

B. Strong patch management

C. Policies and procedures

D. Incident response

14. There are 4 risk response options, name them

15. What is residual risk?

16. Define risk appetite

17. Define PII

18. Which is NOT a purpose of employee risk training?

A. They can develop a mitigation

B. They know how to recognize a risk

C. They know how to respond to a possible risk

D. All are purposes of a risk training program.

19. Which is NOT PII?

A. Driver’s license number

B. Computer IP address

C. Social Security Number

D. Towson ID number

20. Which is not true about compliance?

A. Compliance means you must comply with applicable laws

B. You are expected to be aware of compliance regulations and their relevance

C. Ignorance of the laws is no excuse

D. A company can determine what they must comply with

21. We discussed multiple compliance regulations: FISMA, HIPAA, GLBA, SOX, FERPA

Which is used to protect medical information? HIPAA

Which is used to protect Student Information?

T/F GLBA is a subset of FISMA that TU must comply with.

Who is required to comply with FISMA?

22. Which is not true of the NIST Cyber security Risk Management framework (CRMF)

A. Cyber security is managed at multiple organizational levels

B. Security is integrated into the system development life cycle

C. Cyber security risks are identified on a quarterly basis

D. The First stage requires a system inventory to be developed

23. Risk mitigation starts with a strong asset inventory. Give 4 pieces of information that would be required in an asset inventory besides the system’s name and acronym.

24. Which factor below is not considered when determining mission criticality of a system?

A. Vital to an organization

B. If system fails the company cannot perform essential functions

C. Monetary loss

D. Legal and compliance requirements

25. Calculate the FIPS 199 system categorization for a Payroll system

26. What is the acronym (or name) of the federal organization that writes all federal cyber security and Risk Management standards, guidelines, and special publications?

27. There are three types of information, Public, Proprietary and private, which one requires the most protection?

28. What is a security control? Why would you use one?

29. Where would you find the control for the policy and procedures for the Contingency Planning (CP) family?

30. What control family would you use if you wanted to make sure only the people that needed the information could see it?

31. What is the purpose of a system security plan?

32. Why is continuous monitoring important?
