Management of Information Security Notes Chapter 9 — Controlling Risk
Once a control strategy has been selected and implemented, controls should be ____ on an ongoing basis to determine their effectiveness and to estimate the remaining risk.
monitored and measured
The four categories of controlling risk include avoidance, mitigation, transference and _____.
The ____________________ assessment tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated estimation used for quantitative measures.
Risk ____________________ defines the quantity and nature of risk that an organization is willing to accept.
Mitigation depends on the ability to detect and respond to an attack as quickly as possible.
____________________ is a risk management framework developed to help organizations understand, analyze, and measure information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.
Factor Analysis of Information Risk
A cost-benefit analysis is conducted by subtracting the post-control annualized loss expectancy and the ____ from the pre-control loss expectancy
annualized cost of the safeguard
Reducing the impact of a successful attack on an organization’s system falls under the ____ risk control strategy.
Before deciding on the risk control strategy for a specific vulnerability, an organization must explore all readily accessible information about the ____ consequences of the vulnerability.
economic and non-economic
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
Building executive consensus
The ____________________ Method is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls.
Cost Benefit Analysis is determined by calculating the single loss expectancy before new controls minus the annualized loss expectancy after controls are implemented minus the annualized cost of the safeguard.
Economic and non-economic effects of a weakness must be evaluated after a strategy for dealing with a particular vulnerability has been selected.
Common sense dictates that an organization should spend more to protect an asset than its value.
OCTAVE is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detective controls.
Residual risk is a combined function of all but which of the following?
Residual risk less a factor of error
____________________ is a combined function of (1) a threat less the effect of threat-reducing safeguards; (2) a vulnerability less the effect of vulnerability-reducing safeguards; and (3) an asset less the effect of asset value-reducing safeguards.
Avoidance of risk is accomplished through the application of procedures, training and education and the implementation of technical security controls and safeguards.
One of the most common methods of obtaining user acceptance and support is via user
Due care and due diligence occur when an organization adopts a certain minimum level of security as what any ____________________ organization would do in similar circumstances.
An alternate set of possible risk control strategies includes all but which of the following?
Obscurity: Hiding critical security assets in order to protect them from attack
Behavioral feasibility refers to user acceptance and support, management acceptance and support, and the system’s compatibility with the requirements of the organization’s stakeholders.
Due care and due diligence occur when an organization adopts a certain minimum level of security as what any ____ organization would do in similar circumstances.
According to the Microsoft Risk Management Approach, risk management is not a stand-alone subject and should be part of a general governance program to allow the organization’s management to evaluate the organization’s operations and make better, more informed decisions.
A system’s exploitable vulnerabilities are usually determined after the system is designed.
Asset valuation must account for value _____.
All of these
Economic feasibility is a standard that is commonly used when evaluating a project that implements information security safeguards.
The final choice of a risk control strategy may call for a balanced mixture of controls that provides the greatest value for as many asset-threat pairs as possible.
___ feasibility determines acceptable practices based on consensus and relationships among the communities of interest.
The goal of information security is to bring residual risk in line with an organization’s risk appetite.
The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge was designed for large organizations with 300 or more users, while OCTAVE-Allegro was designed for smaller organizations of about 100 users.
The effectiveness of controls should be ____________________ and measured regularly once a control strategy has been selected.
A single loss expectancy is calculated by multiplying the asset value by the ____.
A cost benefit analysis (CBA) result is obtained from the difference between the pre-control and the ____________________ annualized loss expectancy (ALE).
The ____ is the indication of how often you expect a specific type of attack to occur.
In the Cost-Benefit Analysis Formula presented in the text, ALE is calculated by ____.
SLE * ARO
The Single Loss Expectancy (SLE) is the result of the asset’s value (AV) multiplied by the ____________________ factor.
The risk control strategy of avoidance means understanding the consequences and avoiding risk by not placing a system in a situation that could result in a loss.
The element of remaining risk after vulnerabilities have been controlled is referred to as ____________________ risk.
Avoidance of risk is the choice to forgo the use of security measures and accept loss in the event of an attack.
In an economic feasibility study, the ____________________ is the value to the organization of using controls that prevent losses related to a particular vulnerability.
The Annualized Loss Expectancy in the CBA formula is determined as ____.
SLE * ARO
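Worked example of the chapter's cost-benefit formula for one asset-threat pair, tying together the SLE, ALE and CBA cards above. This is an added illustration, not code or figures from the textbook: the asset value, exposure factors, rates of occurrence, safeguard costs and risk-appetite threshold are all constructed, and the two candidate safeguards are hypothetical. It uses the ALE-based form of the formula (CBA = ALE prior − ALE post − ACS) and then checks the surviving residual ALE against a stated risk appetite, which is the test the chapter says a documented control strategy must pass.

```python
"""Worked cost-benefit analysis (CBA) for one asset-threat pair.

Added illustration, not code from the textbook; every dollar figure,
exposure factor and rate below is constructed for the example.
Formulas follow the chapter: SLE = AV * EF, ALE = SLE * ARO,
CBA = ALE(prior) - ALE(post) - ACS.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF; EF is the fraction of the asset's value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be in [0, 1]")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO; ARO is how many times per year the attack is expected."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the loss picture expected once it is in place (hypothetical)."""
    name: str
    annual_cost: float            # ACS: annualized cost of the safeguard
    post_exposure_factor: float   # EF after the control is deployed
    post_aro: float               # ARO after the control is deployed


def residual_ale(asset_value: float, safeguard: Safeguard) -> float:
    """Post-control ALE: the residual risk, expressed as expected annual loss."""
    return annualized_loss_expectancy(
        single_loss_expectancy(asset_value, safeguard.post_exposure_factor),
        safeguard.post_aro,
    )


def cost_benefit(asset_value: float, pre_ef: float, pre_aro: float, safeguard: Safeguard) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the control pays for itself."""
    ale_prior = annualized_loss_expectancy(single_loss_expectancy(asset_value, pre_ef), pre_aro)
    return ale_prior - residual_ale(asset_value, safeguard) - safeguard.annual_cost


def recommend(asset_value: float, pre_ef: float, pre_aro: float,
              candidates: Iterable[Safeguard], risk_appetite_ale: float) -> Optional[Safeguard]:
    """Pick the candidate with the highest positive CBA whose residual ALE is within appetite.

    Returns None when no control is both economically justified and brings residual
    risk within the stated appetite: a signal to revisit the strategy (transference,
    avoidance) rather than to spend more than the asset is worth.
    """
    best, best_cba = None, 0.0
    for sg in candidates:
        cba = cost_benefit(asset_value, pre_ef, pre_aro, sg)
        if cba > best_cba and residual_ale(asset_value, sg) <= risk_appetite_ale:
            best, best_cba = sg, cba
    return best


# Constructed scenario: a customer database valued at $500,000; an uncontrolled breach
# is expected to destroy 40% of its value and to occur about once every two years.
ASSET_VALUE = 500_000.0
PRE_EF = 0.4
PRE_ARO = 0.5
RISK_APPETITE_ALE = 30_000.0   # management tolerates up to $30k/year expected loss

CANDIDATES = [
    Safeguard("encryption at rest with managed keys", annual_cost=30_000.0,
              post_exposure_factor=0.1, post_aro=0.5),
    Safeguard("24x7 outsourced monitoring", annual_cost=120_000.0,
              post_exposure_factor=0.2, post_aro=0.25),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, PRE_EF)
    print(f"SLE = {sle:,.0f}  ALE(prior) = {annualized_loss_expectancy(sle, PRE_ARO):,.0f}")
    for sg in CANDIDATES:
        print(f"{sg.name}: CBA = {cost_benefit(ASSET_VALUE, PRE_EF, PRE_ARO, sg):,.0f}, "
              f"residual ALE = {residual_ale(ASSET_VALUE, sg):,.0f}")
    chosen = recommend(ASSET_VALUE, PRE_EF, PRE_ARO, CANDIDATES, RISK_APPETITE_ALE)
    print("recommended:", chosen.name if chosen else "none; revisit the control strategy")
```

In the constructed scenario the pre-control ALE is $100,000. Both safeguards leave the same residual ALE ($25,000), but the monitoring option costs more than it saves and yields a negative CBA, while the encryption option yields a CBA of $45,000 and keeps residual risk inside the $30,000 appetite, so it is the one recommended. Lowering the appetite to $10,000 makes `recommend` return `None`, which is the point at which the cards above say the organization should reconsider its strategy rather than keep adding controls.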
Some organizations document the outcome of the control strategy for each information asset-threat pair in a(n) _____, which includes concrete tasks with accountability for each task being assigned to an organizational unit or to an individual.
Risk appetite (also known as risk tolerance) is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
Mitigation of risk involves applying safeguards that eliminate or reduce the remaining uncontrolled risks.
An organization that chooses to outsource its risk management practice to independent consultants is taking the ____ control approach.
The goal of information security is to bring residual risk to zero.
At a minimum, each information asset-threat pair should have a(n) ____ that clearly identifies any residual risk that remains after the proposed strategy has been executed.
documented control strategy
Which of the following is not an example of a disaster recovery plan?
Information gathering procedures
____ is the process of assigning financial value or worth to each information component.