Risk Management Process (Format:
1. answer
2. answer
etc.) - ANSWERS-1. Risk Assessment
2. Risk Treatment
3. Controls implementation
4. Supervision and Evaluation
Risk Assessment is done based on (Format:
1. answer
2. answer
etc) - ANSWERS-1. Asset value
2. Vulnerability
3. Threat
4. Probability
5. Impact
The steps involved in Risk Assessment are (Format:
1. R
2. V
3. P) - ANSWERS-1. Resource Identification
2. Vulnerability and threat identification
3. Probability and impact analysis
Define resource - ANSWERS-Anything of value to a company
A vulnerability is a security hole or weakness in a system. Vulnerabilities include: (Format:
1. answer
2. answer
etc) - ANSWERS-1. Errors in code
2. Misconfiguration
3. Inadequate access control
4. Inadequate natural disaster protection
5. Social engineering
A threat is a circumstance or activity that may exploit a vulnerability in a resource. Threats
include: (Format: 1, 2 and 3)
Order: E, D and H - ANSWERS-External, Deliberate actions and Human error
Name the 4 methods of dealing with Risk (Format: 1, 2, 3 and 4)
Order: M, A, T and Ac - ANSWERS-Mitigation, Avoidance, Transference and Acceptance
Why would a company choose Acceptance when dealing with risk? - ANSWERS-Budget (the cost of treating the risk would exceed the expected loss, so the residual risk is carried knowingly)
What does transference mean when dealing with risk? - ANSWERS-Outsource or insure
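The cards above list the five inputs to a risk assessment and the four ways of treating a risk but never show them combined. The following is an added example, not part of the original study notes: a small risk register that scores each resource/vulnerability/threat triple from asset value, probability and impact, ranks the register, and then picks mitigation, avoidance, transference or acceptance from the score, the cost of a control and whether the risk can be insured or outsourced. The 1-5 scales, the score formula, the risk appetite of 5.0, the control budget of 3 and the four sample entries are all assumptions made for illustration, not a standard method.

```python
"""Added example (not from the original notes): a toy quantitative risk register.

Score = asset value x impact x probability, then choose one of the four
treatments. Scales, thresholds and sample data are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class RiskItem:
    asset: str            # the resource: anything of value to the company
    asset_value: int      # assumed 1-5 relative value
    vulnerability: str    # the weakness (code error, misconfiguration, ...)
    threat: str           # what may exploit it (external, deliberate, human error)
    probability: float    # assumed annualised likelihood, 0.0-1.0
    impact: int           # assumed 1-5 severity if the threat is realised
    mitigation_cost: int  # assumed 1-5 relative cost of a control
    insurable: bool       # can the loss be insured or the function outsourced?


def risk_score(item: RiskItem) -> float:
    """Assumed formula: asset value x impact x probability (range 0..25)."""
    return item.asset_value * item.impact * item.probability


def choose_treatment(item: RiskItem, appetite: float = 5.0, budget: int = 3) -> str:
    """Map a scored risk to one of the four treatments (thresholds are assumptions).

    acceptance   - score below the risk appetite; spending budget here is not worth it
    mitigation   - a control is affordable, so reduce probability and/or impact
    transference - too costly to fix but the loss can be insured or outsourced
    avoidance    - neither affordable nor transferable: stop the risky activity
    """
    if risk_score(item) < appetite:
        return "acceptance"
    if item.mitigation_cost <= budget:
        return "mitigation"
    if item.insurable:
        return "transference"
    return "avoidance"


def rank_register(items: list[RiskItem]) -> list[tuple[str, float, str]]:
    """Return (asset, score, treatment) tuples, highest score first."""
    scored = [(i.asset, risk_score(i), choose_treatment(i)) for i in items]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample register: one entry per treatment outcome.
SAMPLE_REGISTER = [
    RiskItem("Customer database", 5, "SQL injection in search endpoint",
             "External deliberate attack", 0.6, 5, mitigation_cost=2, insurable=False),
    RiskItem("Data centre", 4, "Inadequate flood protection",
             "Natural disaster", 0.3, 5, mitigation_cost=5, insurable=True),
    RiskItem("Legacy FTP server", 2, "Unpatched software",
             "External opportunistic attack", 0.8, 4, mitigation_cost=5, insurable=False),
    RiskItem("Guest Wi-Fi", 1, "Misconfiguration",
             "Human error", 0.5, 2, mitigation_cost=1, insurable=False),
]


if __name__ == "__main__":
    for asset, score, treatment in rank_register(SAMPLE_REGISTER):
        print(f"{asset:<20} score={score:5.1f}  treatment={treatment}")
```

The register is re-scored every time a factor changes, which is the practical meaning of the "repetitive process" cards: a new control lowers `probability` or `impact`, a cheaper control changes `mitigation_cost`, and the same entry may move from avoidance to mitigation on the next pass.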
Security controls can be (Format: 1, 2, 3)
Order: P, D, R - ANSWERS-Preventative, Detective, Reactive
Types of Security controls (Format: 1, 2, 3)
Order: P, T, A - ANSWERS-Physical, Technical, Administrative
Risk Management Reports should be: (Format 1, 2) - ANSWERS-Clear and easy to understand,
Management friendly
Why is Risk management a repetitive process? 4 reasons(Format:
1. answer
2. answer
etc)
Order: B, I, (S or H), H - ANSWERS-1. Business systems will change over time
2. Information systems will change over time
3. Software and Hardware update/replacement is inevitable
4. Human resources will fluctuate
Name the 6 concepts in Threat Modelling STRIDE (Format:
1. answer
2. answer
etc) - ANSWERS-1. Spoofing
2. Tampering
3. Repudiation
4. Information Disclosure
5. Denial of Service
6. Elevation of Privilege