This chapter covered important elements of risk mitigation throughout an organization. Controls mitigate risk by reducing the impact of threats or by reducing vulnerabilities, and the effectiveness of a control can be measured against those two requirements. Controls should be prioritized where they protect an organization's critical business operations.
Legal compliance issues for IT have grown in importance in recent years. More laws and regulations apply, and noncompliance can be costly. Taking the time to identify the relevant laws and guidelines is therefore important: regulations affect different organizations in different ways, and they should be considered when implementing the controls that support compliance.
A ________ is used to identify the impact on an organization if a risk occurs.
MAO is the minimal acceptable outage that a system or service can experience before its mission is affected.
True
False
An organization wants a written agreement with a vendor that specifies an expected level of service and assesses monetary penalties if the minimum uptime requirements are not met. What should you use?
MAO
BIA
SLA
IDS
What would be used to identify mission-critical systems?
Critical outage times
Critical business functions
PCI DSS review
Disaster recovery plan
What can an organization use to remind users of an AUP’s contents?
Logon banners
Posters
Emails
All of the above
Organizations that violate GDPR rules may be fined ____________ or _______________ of their annual global turnover, whichever is greater.
Which of the following strategies helps reduce security gaps even if a security control fails?
Access control implementation
Critical business factor analysis
Defense in depth
Business impact analysis
How much can an organization be fined in a year for HIPAA-related mistakes?
$100
$1,000
$25,000
$250,000
What determines whether an organization is governed by FISMA?
Whether it is registered with the Securities and Exchange Commission
Whether its employees handle health-related information
Whether it receives E-Rate funding
Whether it is a federal agency
What determines whether an organization is governed by HIPAA?
Whether it is registered with the Securities and Exchange Commission
Whether its employees handle health-related information
Whether it receives E-Rate funding
Whether it is a federal agency
What determines whether an organization is governed by SOX?
Whether it is registered with the Securities and Exchange Commission
Whether its employees handle health-related information
Whether it receives E-Rate funding
Whether it is a federal agency
What determines whether an organization is governed by CIPA?
Whether it is registered with the Securities and Exchange Commission
Whether its employees handle health-related information
Whether it receives E-Rate funding
Whether it is a federal agency
A CBA has been performed on a prospective control. The CBA indicates the cost of the control is about the same as the control’s projected benefits. What should be done?
Identify the ROI
Purchase the control
Cancel the purchase of the control
Redo the CBA
Which of the following is a valid formula used to identify the projected benefits of a control?
Loss after control − Loss before control
Loss before control − Loss after control
Cost of control + Losses
Cost of control/12
A CBA can be used to justify the purchase of a control.