1. Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment.
   True
   False

2. Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organization’s missions.
   True
   False

3. The IT system’s system development life cycle (SDLC) has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal.
   True
   False

4. ______________________ describes the characteristics of each SDLC phase and indicates how risk management can be performed in support of each phase.
   Table 2-1
   Table 2-2

5. The ______________________ is responsible for the agency’s IT planning, budgeting, and performance, including its information security components. Decisions made in these areas should be based on an effective risk management program.
   System and Information Owners
   Chief Information Officer (CIO)

6. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for proper implementation of security requirements in their IT systems.
   True
   False

7. The Risk Assessment Methodology Flowchart is illustrated in _______________________.
   Figure 2-1
   Figure 3-1

8. Cryptographic keys must be securely managed when cryptographic functions are implemented in various other controls. Cryptographic key management includes key generation, distribution, storage, and maintenance.
   True
   False

9. ________________________, the second process of risk management, involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.
   Risk assessment
   Risk mitigation

10. A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy is called ____________________________.
   Vulnerability
   Threat