Module 6 Quiz Assessing Cybersecurity in the Subcategories

Module 6 Quiz Assessing Cybersecurity in the Subcategories

Module 6 Quiz 1) Which of the following statements about Cybersecurity Assessments is not correct? A. Assessments show where are we now (Current Profile) and often where we need to be (Target Profile) B. Assessments include reviews of cybersecurity related activities and processes C. Assessments are generally compared to external standard(s), compliance obligations, and/or cybersecurity requirements D. Assessments always follow audits to take steps to reduce risk and be compliant D: is the correct answer. Assessments often precede audits to take steps to reduce risk and be compliant.

Module 6 Quiz 2) Which of the following is the best definition of an Assessment Project Standard? A. It consists of electronic method(s) of conducting the assessment, tracking the results, recommendations, and possibly the timeline and budget. B. It is the measure against which the organization assesses its cybersecurity activities and processes. It is pre-selected and allows the organization to compare to existing best practices and guidance in an objective manner C. It is the expectations for completion of various phases of the project D. It is the staff who will be part of the assessment process B: is the correct answer. A, C, and D are Tools, Timeline, and Team, respectively.

Module 6 Quiz 3) Which of the following is optional but recommended for at least the first Cybersecurity Assessment Project? A. B. C. D. Project Champion Standard Outside assessor Plan C: is the correct answer. The outside assessor provides an external unbiased view, expertise related to the standard, and other benefits.

Module 6 Quiz 4) Who is required to approve the Project Plan? A. B. C. D. Outside assessor Project Champion Project Team Executive leadership D: is the correct answer. The Project Plan must be approved and supported by executive leadership (or the equivalent).

Module 6 Quiz 5) Which of the following is defined as: a weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability? A. Likelihood B. Risk C. Impact D. Exploit A: is the correct answer. Likelihood is the determined probability of a threat exploiting a vulnerability. It, along with Impact, is one of the

Module 6 Quiz 6) Which of the following is not a component of a Cybersecurity Assessment? A. B. C. D. Timeline Tool(s) Audit Plan C: is the correct answer. A Cybersecurity Assessment may precede an Audit, but an Audit is generally not part of the Assessment. The components are: Standard, Team, Plan, Timeline, and Tool(s).

Module 6 Quiz 7) Which of the following is true of the Project Team? A. Based on the Standard for entering, analyzing, reviewing data, and assessing risk B. Includes technical and non-technical roles C. Includes a maximum of 10 individuals D. Made up exclusively of security personnel B: is the correct answer. A is the definition of a Project Tool. In relation to C: and D: , the Project Team size is dependent on organizational needs and can include personnel from various areas.

Module 6 Quiz 8) A Cybersecurity Assessment should be conducted: A. B. C. D. One time Monthly When required for audit purposes Regularly based on organizational policy and compliance obligations D: is the correct answer. Assessments should be done regularly because technologies and threats change. The frequency must be documented in policy and may be partially based on compliance obligations.

Module 6 Quiz 9) Which of the following is the best definition of a threat? A. The combination of likelihood and impact B. The schedule for project activities and deliverables C. Anything that could adversely affect the organization D. A countermeasure to secure an asset C: is the correct answer. A is Risk. B is the Project Timeline. D is a Control.

Module 6 Quiz 10) Which of the following is the best example of a Cybersecurity Assessment Project Standard? A. B. C. D. NIST CSF ISO 27001: 2013 Compliance obligations PII A: is the correct answer. B: is an Informative Reference. Although compliance obligations (C: ) must be part an assessment project, they aren’t the main Standard. PII (D: ) stands for Personally Identifiable Information and is data that must be protected, but is not a Standard.

End of Module 6 Quiz End of quiz for Module 6: Assessing Cybersecurity in the Subcategories