BCS Level 4 Award in Risk Assessment QAN 603/0830/8

Transcription

1 S Level 4 ward in Risk ssessment QN 603/0830/8 Specimen Paper Record your surname / last / family name and initials on the answer sheet. Specimen paper only 20 multiple-choice questions 1 mark awarded to each question. Mark only one answer to each question. There are no trick questions. number of possible answers are given for each question, indicated by either... or. Your answers should be clearly indicated on the answer sheet. opying of this paper is expressly forbidden without the direct approval of S, The hartered Institute for IT. This qualification is regulated by Ofqual (in England). Page 1 of 6 opyright S 2017 S Level 4 ward in Risk ssessment Specimen Paper

2 1 Which role is defined as the 'person or entity with the accountability and authority to manage a risk'? Risk manager. Risk owner. Risk assessor. Risk analyst. 2 Which of the following is a 'threat actor'? Flood. SQL injection. isgruntled insider. Failure to encrypt. 3 What risk management term OUL be described as the overall amount of risk judged appropriate for an organisation to tolerate, agreed at board level? Risk appetite. Risk index. Residual risk. Risk acceptance. 4 Which might indicate the relative severity of a risk? Timeline. RG status. ependency model. Financial statement. Page 2 of 6 opyright S 2017 S Level 4 ward in Risk ssessment Specimen Paper

3 5 Which is NOT one of the five steps of risk management? sset identification. Threat and vulnerability identification. Impact identification. Risk mitigation. 6 What is a flood? Threat. Vulnerability. Exploit. Impact. 7 What is 'a weakness of an asset or group of assets that can be exploited by one or more threats'? ttack. Vulnerability. Impact. Exploit. 8 What is the PRIMRY benefit of using threat intelligence? It provides positive attribution against attackers. It permits a proactive approach to managing information risk. It provides access to government intelligence resources. It removes the need for risk analysis. 9 Which attack vector is MOST commonly used to deliver a spear phishing attack? SQL injection. US memory stick. Web browser. . Page 3 of 6 opyright S 2017 S Level 4 ward in Risk ssessment Specimen Paper

4 10 What is the difference between a vulnerability assessment and a penetration test? vulnerability assessment looks for known vulnerabilities - a penetration test exploits found vulnerabilities. There is no difference. vulnerability assessment is a desktop exercise - a penetration test operates on the live environment. vulnerability assessment is performed during working hours - a penetration test at night. 11 Which is the EST reason for using a single risk assessment method? Licensing costs are reduced. Skills requirement is limited. Results are comparable across the organisation. Results form a convenient shorthand. 12 What term EST describes the OTVE risk assessment method? Qualitative. Quantitative. Quotient assessment. Quality assurance. 13 From which organisation does the OIT risk management framework originate? Information Security Forum (ISF). IS. NIST. NIS. Page 4 of 6 opyright S 2017 S Level 4 ward in Risk ssessment Specimen Paper

5 14 What is the MIN disadvantage of using the ESG Information ssurance Standard 1 and 2 risk methodology? The tool will not run on MS Windows versions later than XP. ll practitioners must be security cleared to V. The methodology is only available to HMG departments. The method and supporting tool is no longer supported. 15 Which of the following are taken into account when choosing a risk assessment methodology? a) ost. b) ata protection. c) ommercial restrictions. d) Skill requirements. a, b and d only. a, c and d only. a, b and c only. b, c and d only. 16 What is a zero-day vulnerability? n undisclosed vulnerability that can exploited before mitigations are developed. vulnerability that is attacked 'zero-days' after MS 'patch Tuesday'. vulnerability that is exploited by rapidly developed malware - that takes 'zerodays' to implement. legacy vulnerability that has never been exploited - until now. 17 Which is an example of risk transference? Installing firewalls. uying insurance. Outsourcing infrastructure. nalysing control gaps. Page 5 of 6 opyright S 2017 S Level 4 ward in Risk ssessment Specimen Paper

6 18 Who is NORMLLY responsible for decisions relating to the management of a specific information security risk? The Senior Information Risk Owner (SIRO). The ata Protection Officer (PO). The Information sset Owner (IO). The hief Information Security Officer (ISO). 19 Which of the following is a MJOR disadvantage of a qualitative risk assessment method? omplexity. Lack of standards. Subjectivity. Requires special tools. 20 What is the MOST significant barrier to using vulnerability research methods? Expense. Ethics. Time. Quality. -End of Paper- Page 6 of 6 opyright S 2017 S Level 4 ward in Risk ssessment Specimen Paper