AND CORRECT ANSWERS NEW MODIFIED
GRADED A+ TESTED AND APPROVED
The formulas used in a quantitative risk assessment typically look at a single
year. The calculations can become quite complex if other costs are included.
Which of the following is not usually included in the calculations?
A. Annualized Rate of Occurrence (ARO)
B. Single Loss Expectancy (SLE)
C. Annualized Loss Expectancy (ALE)
D. Cost to maintain a control
--ANSWER--The cost to maintain a control
In a risk assessment, which of the following refers to how responsibilities are
assigned?
a. Operational characteristics
b. Management operations
c. Configuration management
d. Management structure
--ANSWER--Management structure
Page 1 of 84
Which of the following is not true of data and information assets?
a. Access controls protect data from unauthorized disclosure.
b. Backups protect data when it becomes corrupted or accidentally deleted.
c. Data classified at different levels, such as public and private, receives the
same levels of protection.
d. Many organizations don't recognize the value of their data until it is lost.
--ANSWER--Data classified at different levels, such as public and private,
receives the same levels of protection.
_________ are acts that are hostile to an organization.
A) Intentional threats
B) Unintentional threats
C) Human threats
D) All threats
--ANSWER--Intentional threats
Which of the following is often the weakest link in IT security?
A. physical security
B. people
C. use of pass-phrases
D. use of computer firewalls
--ANSWER--People
A new company does not have a lot of revenue for the first year. Installing
antivirus software for all the company's computers would be very costly, so the
owners decide to forgo purchasing antivirus software for the first year of the
business. In what domain of a typical IT infrastructure is a vulnerability
created?
A) workstation domain
B) malware domain
C) LAN domain
D) WAN domain
--ANSWER--Workstation Domain
Companies use risk assessment strategies to differentiate ___________ from
_________.
A) vulnerabilities, weaknesses
B) vulnerabilities, threats
C) risks, threats
D) severe risks, minor risks
--ANSWER--Severe risks, minor risks
What is the primary reason security professionals automate some processes?
A) To create security policies
B) To enforce the principle of least privilege
C) To enforce the principle of need to know
D) To reduce human error
--ANSWER--To reduce human error
Which of the following is not a risk management step?
A. eliminating all risks
B. identifying risks
C. taking steps to reduce risk to an accepted level
D. assessing risks
--ANSWER--Eliminating all risks
A _____________ policy governs how patches are understood, tested, and
rolled out to systems and clients.
a) patch mitigation
b) patch management