Module 4: Risk Management
Indicate whether the statement is true or false.
____ 1. NIST developed the Cybersecurity Framework as a mandatory set of standards to manage risks to critical infrastructure.
____ 2. Risk tolerance is the acceptable level of risk a company is willing to take.
Identify the choice that best completes the statement or answers the question.
____ 3. Which of the following is not considered a basic security service?
|a. Confidentiality||c. Integrity|
|b. Authentication||d. Network Security|
____ 4. All of the following are standards defined in the NERC CIP standards, except:
|a. Personnel and Training||c. Authentication and Access Controls|
|b. Sabotage Reporting||d. Recovery Plans for Critical Cyber Assets|
____ 5. Continuous Monitoring activities occur under which Framework Core activity?
|a. Identify||c. Respond|
|b. Detect||d. Protect|
____ 6. An impact analysis is a part of which step in the risk management process?
|a. Risk control||c. Risk identification|
|b. Risk assessment||d. Risk mitigation|
____ 7. Which risk handling method reduces the likelihood of the risk occurring to as low as zero?
|a. Mitigation||c. Transference|
|b. Avoidance||d. Acceptance|
Select all the choices that apply.
____ 8. Which of the following are a part of the Framework Processes?
|a. Framework Profile||c. Framework Implementation Tiers|
|b. Framework Drivers||d. Framework Core Functions|
Complete each sentence.
9. The Framework ________________ provide background on how an organization views cybersecurity risk and the processes that are in place to manage that risk.
10. ____________________ is defined as the process of identifying vulnerabilities and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of the information system.
For the answers to these questions, email your name, the name of your college or other institution, and your position there to email@example.com. CyberWatch West will email you a copy of the answer key.