01: According to your textbook which of the following is NOT part of risk analysis: Determine how likely each risk is to occur Identify any risks to assets Implement an acceptable use policy Determine the value of assets02: A risk is defined as: A weakness in a system A potential for exploit of a weakness in a system The existence of a weakness in a system and the potential for an exploit An attempted security attack03: If a manager obtains insurance for damage to an asset, this is called risk transference: True False04: Managers should declare financial statements about asset values: True False05: A principle that a single person should not have authority to execute a critical task is called: Access control Separation of duties (or privileges) Discretionary control Confidentiality06: Unauthorized alteration of information is a breach of: Confidentiality Integrity AvailabilityProtocol07: Of the two types of attackers, which has the potential to do the most damage? Malicious Outsiders Non-Malicious Insiders Non-Malicious Outsiders Malicious Insiders08: When controlling information such that only those who get the information are those who require it to do their job is called on a need to know basis: True False09: Planning to have a hot site to restart operations in the case of a fatal incident is part of having a: Risk Assessment Plan Disaster Recovery Plan Vulnerability Assessment Plan Business Continuity Plan10: Planning for a co-location to continue business as usual in the case of an incident that disrupts operations at one site is part of having a: Risk Assessment Plan Disaster Recovery Plan Vulnerability Assessment Plan Business Continuity Plan11: SLE represents: The proportion of assets that would be destroyed by a risk Damage to an asset each time a risk would incur in a year Number of times a risk may occur in a year Damage to an asset incurred cumulatively for each year of the assets lifetime12: Privilege creep means: An administrator gives him or herself the ability to examine private accounts An attacker uses a rootkit to escalate privileges to execute system functions When someone changes roles, they accrue both old and new privileges even if they are not needed When a user logs in as a normal user, the executes an su to become a superuser13: The four choices that managers have when managing risks are, (1) risk avoidance, (2) risk prosecution, (3) risk acceptance, (4) risk transference. True False14: The encryption algorithm AES avoids security through obscurity: True False15: A security policy is a written document only: True False16: Even though very simplistic, security checklists such as the ISO 27000: 27001/27002 (17799) also known as the ISO 27000 (or ISO27K) family of standards is useful for security auditing in preparation for or as part of a security certification: True False17: Conducting background checks on employees is illegal in the United States: True False18: Least privilege means allocating only the minimum set of privileges required to perform a job function: True FalseShort Essay:19: Give a brief explanation of the differences between risk assessment and risk management. Give as an example the name of at least one standard or framework that is used for each one:20: Briefly describe what responsibilities managers have in terms of security. In this description, note that managers in this context are not security officers or officers of a company and do NOT have fiduciary responsibilities. In other words, what are minimum security standards managers must adhere to regardless of their position?