CP3302 – Chap4 – Flashcards
question
What is risk management? Why is the identification of risks, by listing assets and their vulnerabilities, so important to the risk management process?
answer
- Risk management is the process of identifying vulnerabilities in an organisation's information assets and infrastructure, and taking steps to ensure the confidentiality, integrity and availability of all components in the organisation's information system.
question
According to Sun Tzu, what two key understandings must you achieve to be successful in battle?
answer
1) If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
question
Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?
answer
- In an organisation, it is the responsibility of each community of interest to manage the risks that the organisation encounters. Each community of interest has a role to play.
- Since the members of the information security community best understand the threats and attacks that introduce risk into the organisation, they often take a leadership role in addressing risk.
question
In risk management strategies, why must periodic review be a part of the process?
answer
Frequently, organizations implement control mechanisms, but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective.
question
What is residual risk?
answer
Even when vulnerabilities have been controlled as much as possible, there is often still some risk that has not been completely removed, shifted, or planned for. This remainder is called residual risk.
question
Risk identification is performed within a larger process of identifying and justifying risk controls, which is called ________
answer
risk management
question
The second major undertaking involved in risk management, after risk identification, is _______.
answer
risk assessment
question
For information security purposes, ______ are the systems that use, store, and transmit information.
answer
assets
question
The ______ community of interest should have the best understanding of threats and attacks and often takes a leadership role in addressing risks.
answer
information security
question
The ______ community of interest must assist in risk management by configuring and operating information systems in a secure fashion.
answer
information technology
question
The _____ community of interest must ensure sufficient resources are allocated to the risk management process.
answer
general management
question
A risk management strategy calls on information security professionals to know their organization's _______.
answer
information assets
question
True or False: The traditional system component of software can be broken into two components when viewed from an information security perspective: operating systems and security components.
answer
False
question
True or False: Hardware networking components can be broken down into two subgroups when viewed from an information security perspective: Intranet components and Internet or DMZ (Demilitarized Zone) components.
answer
True
question
All network devices are assigned a unique number by the hardware at the network interface layer called the ______. (a) IP address (b) media access control (MAC) address (c) link address (d) network address
answer
b
question
_______ is the process of assigning scores for critical factors, each of which is weighted in importance by the organization.
answer
Weighted factor analysis
question
True or False: The purpose of a weighted factor analysis is to list assets in order of their importance to the organization.
answer
True
question
In order to ensure effort is spent protecting information that needs protecting, organizations implement ________.
answer
data classification schemes
question
When individuals are assigned security labels for access to categories of information, they have acquired a(n) ______.
answer
security clearance
question
The process of examining how each threat will affect an organization is called a(n) _______.
answer
threat assessment
question
True or False: Specific avenues that threat agents can exploit in attacks on information assets are called exploits or vulnerabilities.
answer
True
question
The process an organization uses to assign a risk rating or score to each information asset is a(n) _______.
answer
risk assessment
question
The overall rating of the probability that a specific vulnerability will be successfully exploited is its _______.
answer
likelihood
question
The amount of risk that remains after all controls are put in place as designed is called _______.
answer
residual risk
question
True or False: The process an organization uses to assign a risk rating or score to each information asset is a risk evaluation.
answer
False
question
The overall rating of the probability that a specific vulnerability will be successfully exploited is its ______. (a) probability (b) manageability (c) likelihood (d) practability
answer
c
question
______ is the risk control strategy that attempts to prevent the exploitation of the vulnerability.
answer
Avoidance
question
_______ is the control approach that attempts to shift risk to other assets, other processes, or other organizations.
answer
Transference
question
The actions an organization can and perhaps should take while the incident is in progress should be defined in a document referred to as the _______.
answer
incident response plan (IRP)
question
The most common of the mitigation procedures is the _______.
answer
disaster recovery plan (DRP)
question
The _____ risk control strategy is the choice to do nothing to protect a vulnerability.
answer
acceptance
question
The calculation of the value associated with the most likely loss from an attack is called the _______.
answer
single loss expectancy (SLE)
question
How often a specific type of attack is likely to occur is called the _______.
answer
annualized rate of occurrence (ARO)
question
A value calculated to show the estimated overall loss potential per risk per year is the _______.
answer
annualized loss expectancy (ALE)
question
_______ is the process of seeking out and studying the practices used in other organizations that produce the results you desire in your organization.
answer
Benchmarking
question
_______ addresses user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders.
answer
Operational feasibility
question
_______ examines whether or not the organization has the technology necessary to implement and support the control alternatives.
answer
Technical feasibility
question
______ is the process of avoiding the financial impact of an incident by implementing a control.
answer
Cost avoidance
question
_______ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
answer
Risk appetite