The information security risk assessment — Quiz
The information security risk assessment
1. What is the primary purpose of an information security risk assessment within a GRC program? (Choose one answer)
a) To achieve perfect, risk-free security across all systems
b) To provide an evidence-based foundation for prioritizing security resources and treatment actions
c) To eliminate the need for compliance audits by identifying all gaps beforehand
d) To serve as a one-time project that defines an organization's permanent security policy
2. According to frameworks like NIST SP 800-30, which of the following best defines a "vulnerability"? (Choose one answer)
a) A hurricane that could flood a data center
b) A state-sponsored hacker group attempting to steal intellectual property
c) An unpatched software flaw in an internet-facing server
d) The financial loss incurred from a ransomware attack
3. An organization is performing its first broad risk assessment with limited historical data. It convenes workshops with experts to rate risks as "Low," "Medium," or "High." Which methodology is it using? (Choose one answer)
a) Quantitative Risk Assessment
b) Compliance-based Assessment
c) Qualitative Risk Assessment
d) Business Impact Analysis
4. During a risk assessment, the team determines that the cost to protect an old, isolated system would exceed the value of the system itself. They formally document the risk and decide to take no action. Which risk treatment option have they chosen? (Choose one answer)
a) Mitigate
b) Transfer
c) Avoid
d) Accept
5. How do the technical activities described in NIST SP 800-115 primarily support the risk assessment process defined in NIST SP 800-30? (Choose one answer)
a) By providing the formal governance structure and policy mandates for the assessment
b) By supplying the financial formulas for calculating Annualized Loss Expectancy (ALE)
c) By generating empirical evidence on vulnerabilities and control effectiveness through testing, examination, and interviewing
d) By defining the four canonical risk treatment options of mitigate, accept, avoid, and transfer