Ch. 5 – Risk Management – Flashcards

question
The determination of the extent to which an organization's info assets are exposed to risk and the assignment of a risk rating or score to each information asset. Pg 231
answer
Risk assessment
question
The application of controls that reduce the risks to an organization's info assets to an acceptable level. Pg 231
answer
Risk control
question
The recognition, enumeration, and documentation of risks to an organization's info assets. Pg 231
answer
Risk identification
question
The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level. Pg 231
answer
Risk management
question
What are the 5 risk control strategies?
answer
Defense, transfer, mitigation, acceptance, and termination
question
The computed value of the ALE compares the costs and benefits of a particular control alternative, to determine whether the control is worth it's cost.
answer
False. The cost-benefit analysis (CBA) makes that comparison; the ALE is one of its inputs, not the comparison itself.
question
The __________ plan specifies the actions an organization can and should take while an adverse event (that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization) is in progress.
answer
Incident response (IR)
question
A(n) _________ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.
answer
Field change order (FCO)
question
To determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited.
answer
True
question
__________ is the process of comparing other organizations' activities against the practices used in one's own organization to produce results it would like to duplicate.
answer
Benchmarking
question
__________-based measures are comparisons based on observed numerical data, such as numbers of successful attacks.
answer
Metrics
question
__________-based measures are performance measures or metrics based on intangible activities.
answer
Process
question
__________ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders.
answer
Operational
question
The expected percentage of loss that would occur from a particular attack in a cost-benefit analysis.
answer
Exposure factor (EF)
question
__________, often called recommended practices, are security efforts that seek to provide a superior level of performance in the protection of information.
answer
Best business practices
question
Within data classification schemes, it is important that all categories used be __________ and mutually exclusive.
answer
Comprehensive
question
Cost Benefit Analyses (CBAs) cannot be calculated after controls have been functioning for a time, as observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended. Pg 273
answer
False
question
__________ is an assessment of user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders. Pg 283
answer
Operational/behavioral feasibility
question
__________ is an assessment of how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization. Pg 283
answer
Organizational feasibility
question
An assessment of whether the organization can acquire the technology necessary to implement and support the proposed control. Pg 283
answer
Technical feasibility
question
An assessment of which controls can and cannot occur based on the consensus and relationships among communities of interest. Pg 283
answer
Political feasibility
question
__________ addresses are sometimes called electronic serial numbers or hardware addresses. Every network interface has one; it is defined by the IEEE 802 link-layer standards rather than by TCP/IP, and although it is meant to be unique it can be changed in software, so it is not a trustworthy identifier for an asset on its own.
answer
MAC (media access control)
question
Risk _________ is the application of security mechanisms to reduce the risks to an organization's data and information systems.
answer
Control (not management: risk management is the whole process of identifying, assessing, and controlling risk; risk control is the application of the controls)
question
The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.
answer
True
question
__________ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede.
answer
DR (disaster recovery)
question
Management of classified data includes its storage and __________.
answer
Distribution, portability, destruction
question
Residual risk is the risk that that has not been removed, shifted, or planned for after vulnerabilities have been completely resolved.
answer
False. Residual risk is the risk that remains after controls have been applied; it does not assume that vulnerabilities have been completely resolved.
question
Comprehensive means that all information assets must fit in the list somewhere, and mutually exclusive means that an information asset should fit in only one category.
answer
True
question
If the acceptance strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and portray an apathetic approach to security in general
answer
True
question
Baselining is the comparison of past security activities and events against the organization's current performance. Pg 282
answer
True
question
In the early IT days, establishing a competitive business model, method, or technique enabled an organization to provide a product or service that was superior and created a(n) competitive advantage.
answer
True
question
Cost __________ is the process of preventing the financial impact of an incident by implementing a control.
answer
Avoidance
question
A __________ is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.
answer
Data classification scheme (a security clearance scheme assigns levels to people, not to assets)
question
The most common mitigation plans are __________ plans.
answer
Contingency
question
A document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.
answer
TVA (threats-vulnerabilities-assets) worksheet
question
A pairing of an asset with a threat and an identification of vulnerabilities that may exist between the two. This pairing is often expressed in the format TxVyAz, where there may be one or more vulnerabilities between Threat X and Asset Z.
answer
TVA (threats-vulnerabilities-assets) triplets
question
__________ is the expected percentage of loss that would occur from a particular attack.
answer
Exposure factor
question
Risk Control Strategies (begins pg. 268)
answer
- Defense control strategy: attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
- Transfer control strategy: attempts to shift residual risk to other assets, other processes, or other organizations.
- Mitigation control strategy: attempts to reduce the impact of a successful attack through planning and preparation.
- Acceptance control strategy: indicates an organization is willing to accept the current level of risk.
- Termination control strategy: eliminates all risk associated with an information asset by removing it from service.
question
Contingency Plans
answer
- Incident response plan: the actions an organization can and should take while an incident is in progress.
- Disaster recovery plan: the most common; includes all preparations for the recovery process, strategies to limit loss during a disaster, and detailed steps to follow in the aftermath.
- Business continuity plan: includes the steps necessary to ensure the continuation of the organization when the disaster's scope or scale exceeds the ability of the DR plan to restore operations, usually through relocation of critical business functions.
question
The formal decision making process used when considering the economic feasibility of implementing information security controls and safeguards is called a __________.
answer
Cost-Benefit analysis (CBA)
question
The calculation of the likelihood of an attack multiplied by the attack frequency to determine the expected number of losses within a specified time range is called the __________.
answer
Loss frequency
question
When determining the relative importance of each asset, refer to the organization's mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts.
answer
True
question
Some information security experts argue that it is virtually impossible to determine the true value of information and information-bearing assets.
answer
True
question
__________ is the probability that a specific vulnerability within an organization will be the target of an attack.
answer
Likelihood
question
A best practice proposed for a small to medium business will be similar to one used to help design control strategies for a large multinational company.
answer
False
question
When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as __________.
answer
Standards of due care
question
_________ assigns a status level to employees to designate the maximum level of classified data they may access.
answer
Security clearance scheme
question
__________ is simply how often you expect a specific type of attack to occur.
answer
Annualized rate of occurrence (ARO)
question
The __________ is the difference between an organization's observed and desired performance.
answer
Performance gap
question
In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with the most likely loss from an attack, with the SLE being the product of the asset's value and the __________.
answer
Exposure factor
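The quantitative chain these cards define (exposure factor, SLE, ARO, ALE, and the cost-benefit analysis that decides whether a control is worth its cost) carried through in code. This is an added example, not code from the flashcards or the textbook; the asset value, exposure factors, attack rates and control costs are constructed sample figures, and the CBA formula used is ALE(prior) minus ALE(post) minus the annualized cost of the safeguard.

```python
# Added example (not from the flashcards or the textbook): the quantitative risk
# calculations the cards define, chained into a cost-benefit analysis.
# All figures below are constructed sample data, not values from the page.
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF. EF is the expected fraction of the asset lost (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (ARO = how often the attack is expected per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # ACS: annualized cost of the safeguard (constructed figure)
    ef_after: float      # exposure factor once the control is in place
    aro_after: float     # annualized rate of occurrence once the control is in place


def cost_benefit(asset_value: float, ef_prior: float, aro_prior: float, control: Control) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the control is worth its cost."""
    ale_prior = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_prior), aro_prior)
    ale_post = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.ef_after), control.aro_after)
    return ale_prior - ale_post - control.annual_cost


def choose_control(asset_value, ef_prior, aro_prior, controls):
    """Return (control, cba) for the largest positive CBA, or (None, 0.0) when no
    candidate pays for itself, which is the point at which acceptance or another
    strategy has to be considered instead of defense."""
    best, best_cba = None, 0.0
    for control in controls:
        cba = cost_benefit(asset_value, ef_prior, aro_prior, control)
        if cba > best_cba:
            best, best_cba = control, cba
    return best, best_cba


# Constructed sample figures for one asset/threat pairing (assumed, not from the page).
ASSET_VALUE = 500_000.0   # customer order database, assumed valuation
EF_PRIOR = 0.4            # 40% of the asset's value lost per successful attack
ARO_PRIOR = 0.5           # one successful attack every two years
CANDIDATES = (
    Control("web application firewall", annual_cost=30_000.0, ef_after=0.1, aro_after=0.5),
    Control("rewrite and re-platform the application", annual_cost=120_000.0, ef_after=0.05, aro_after=0.2),
)

if __name__ == "__main__":
    for control in CANDIDATES:
        print(f"{control.name}: CBA = {cost_benefit(ASSET_VALUE, EF_PRIOR, ARO_PRIOR, control):,.0f}")
    best, cba = choose_control(ASSET_VALUE, EF_PRIOR, ARO_PRIOR, CANDIDATES)
    print("recommended:", best.name if best else "no control is worth its cost", f"({cba:,.0f})")
```

With these figures the prior ALE is 100,000 per year; the firewall lowers it to 25,000 for 30,000 a year (CBA +45,000), while the rewrite lowers it to 5,000 but costs 120,000 (CBA -25,000), so only the first control is justified by the numbers. The EF and ARO range checks matter in practice: a percentage entered as 40 instead of 0.4 silently inflates every downstream figure.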
question
In a __________, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria and then summing and ranking those scores.
answer
Weighted factor analysis
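A worked version of this card and of the TVA worksheet and TVA triplet cards earlier in the set: weighted factor analysis ranks the assets and the threats, and the ranked lists then become the columns and rows of a TVA worksheet whose cells carry TxVyAz labels. This is an added example, not code from the flashcards or the textbook; the criteria, weights, scores, threats and vulnerabilities are constructed sample data.

```python
# Added example (not from the flashcards or the textbook): weighted factor analysis
# for ranking assets and threats, then the TVA worksheet built from those rankings.
# All criteria, weights, scores, threats and vulnerabilities are constructed sample data.


def weighted_scores(weights, scores_by_item):
    """Weighted factor analysis. weights: {criterion: weight}, summing to 1.0.
    scores_by_item: {item: {criterion: score in 0.0..1.0}}. Returns {item: weighted sum}."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"criterion weights must sum to 1.0, got {total}")
    result = {}
    for item, scores in scores_by_item.items():
        missing = set(weights) - set(scores)
        if missing:
            raise ValueError(f"{item!r} has no score for {sorted(missing)}")
        result[item] = sum(weights[c] * scores[c] for c in weights)
    return result


def rank(weighted):
    """Highest weighted score first; ties broken by name so the order is reproducible."""
    return sorted(weighted, key=lambda item: (-weighted[item], item))


def tva_worksheet(ranked_assets, ranked_threats, vulnerabilities):
    """TVA worksheet: rows are threats (most dangerous first), columns are assets
    (most valuable first). Each cell holds the TxVyAz labels of the vulnerabilities
    found for that threat/asset pair. vulnerabilities: {(threat, asset): [text, ...]}."""
    sheet = {}
    for t, threat in enumerate(ranked_threats, start=1):
        sheet[threat] = {}
        for a, asset in enumerate(ranked_assets, start=1):
            found = vulnerabilities.get((threat, asset), [])
            sheet[threat][asset] = [f"T{t}V{v}A{a}" for v in range(1, len(found) + 1)]
    return sheet


# Constructed sample data (assumed, not from the page).
ASSET_WEIGHTS = {"impact to revenue": 0.3, "impact to profitability": 0.4, "impact to public image": 0.3}
ASSET_SCORES = {
    "EDI document server": {"impact to revenue": 0.8, "impact to profitability": 0.9, "impact to public image": 0.5},
    "customer order web app": {"impact to revenue": 0.9, "impact to profitability": 0.8, "impact to public image": 0.9},
    "internal wiki": {"impact to revenue": 0.1, "impact to profitability": 0.2, "impact to public image": 0.3},
}
THREAT_WEIGHTS = {"likelihood": 0.6, "cost to recover": 0.4}
THREAT_SCORES = {
    "software attacks": {"likelihood": 0.9, "cost to recover": 0.7},
    "human error": {"likelihood": 0.8, "cost to recover": 0.4},
    "flood": {"likelihood": 0.1, "cost to recover": 0.9},
}
VULNERABILITIES = {
    ("software attacks", "customer order web app"): ["unpatched web framework", "shared admin password"],
    ("human error", "EDI document server"): ["documents can be mis-routed without a second check"],
    ("flood", "EDI document server"): ["server room is below grade"],
}


def build_worksheet():
    """Rank assets and threats, then lay them out as a TVA worksheet."""
    ranked_assets = rank(weighted_scores(ASSET_WEIGHTS, ASSET_SCORES))
    ranked_threats = rank(weighted_scores(THREAT_WEIGHTS, THREAT_SCORES))
    return ranked_assets, ranked_threats, tva_worksheet(ranked_assets, ranked_threats, VULNERABILITIES)


if __name__ == "__main__":
    assets, threats, sheet = build_worksheet()
    print("assets  :", assets)
    print("threats :", threats)
    for threat in threats:
        print(f"{threat:18}", {asset: sheet[threat][asset] for asset in assets})
```

With this data the web app outranks the EDI server (0.86 against 0.75) and software attacks outrank human error and flood, so the two web-framework findings become T1V1A1 and T1V2A1, and the flood exposure of the EDI server becomes T3V1A2. The weight-sum and missing-score checks catch the two mistakes that most often distort a ranking: criteria whose weights no longer add to 100% after an edit, and an asset that was never scored on one criterion.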
question
Identifying human resources, documentation, and data information assets of an organization is __________ difficult than identifying hardware and software assets.
answer
More
question
__________ risk is a combined function of (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards.
answer
Residual
question
_________ equals the probability of a successful attack times the expected loss from a successful attack plus an element of uncertainty.
answer
Risk (not loss frequency, which is the likelihood of an attack combined with its frequency)
question
__________ risk assessment is based on categorical or non-numeric values, rather than numbers.
answer
Qualitative
question
__________ risk assessment is based on numbers.
answer
Quantitative
question
__________ is the first phase of risk management.
answer
Risk identification