Management of Information Security Notes Chapter 8 -- Risk Assessment
Likelihood is the overall rating of the probability that a specific vulnerability will be exploited.
True
Risk is the likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability.
True
The amount of danger posed by a threat is sometimes difficult to assess. It may be simply the impact of a threat attacking the organization, or it may reflect the amount of damage that the threat could create or the frequency with which an attack can occur.
True
Which of the following activities is part of the risk identification process?
Assigning a value to each information asset
A ranked vulnerability risk worksheet assigns a ranked value or impact weight to each information asset.
False
Assessing risks includes assigning a value to each information asset.
False
The data classification scheme for an information asset could include confidential, internal, and private. Each of these classification categories designates the level of protection needed for a particular information asset.
False
The first stage in the Risk Identification process is to develop an inventory of information assets.
False
The ultimate goal of risk identification is to assess the circumstances and setting of each information asset to reveal any threats.
False
To make the process of analyzing threats less daunting, steps in the threat and vulnerability identification processes should be handled jointly.
False
Which of the following is the final step in the risk identification process of information assets?
Listing by order of importance
The ____ is also referred to as an electronic serial number.
MAC address
____ elements are divided into three categories: applications, operating systems, or security components.
Software
A TVA spreadsheet combines prioritized lists of assets and threats to identify vulnerabilities and provide a prioritized list of efforts relating to the implementation of needed controls.
True
A well-developed risk management program consists of two formal processes: risk identification and assessment and risk control.
True
A(n) comprehensive classification of information assets means that all inventoried assets fit into a category.
True
Assigning a value to each information asset is part of the identification process.
True
During risk identification, managers identify the organization's information assets, classify and categorize them into useful groups, and prioritize them by their overall importance.
True
Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.
likelihood
The ____ is an attribute that can be helpful in analyzing threat outbreaks when certain manufacturers announce specific vulnerabilities.
manufacturer name
The relative value of an information asset depends on how much ____ it generates—or, in the case of a nonprofit organization, how critical it is to service delivery.
revenue
The process of assigning relative values to information assets helps to ensure that assets with higher values are protected first.
True
In a TVA worksheet, along one axis lies the prioritized set of ____, along the other the prioritized set of ____.
assets, threats
The inventory should also reflect the ____________________ and security priority assigned to each information asset.
sensitivity
A(n) ____________________ number uniquely identifies a specific device.
serial
Knowing the enemy means that the threats facing an organization's information assets should be identified, examined, and ____________________.
understood
Deliberate software attacks include worms, denial of service, macros, and ____.
viruses
Risk is the likelihood of the occurrence of a(n) ____ multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability.
vulnerability
The final step in the risk identification process is to list the assets in order of importance. This goal can be achieved by using a(n) ____ worksheet.
weighted factor analysis
Almost every organization is aware of its image in the local, national, and international spheres. Loss or ____ of some assets would prove especially embarrassing.
...
The process of evaluating potential weaknesses in each information asset is known as ____________________ identification.
...
Which of the following activities is part of the risk assessment process?
Calculating the risks to which assets are exposed in their current setting
Determining the likelihood that vulnerable systems will be attacked by specific threats is part of the risk identification process.
False
People are divided into insiders (employees) and outsiders (nonemployees). Outsiders come in two categories: either they hold trusted roles and have correspondingly greater authority and accountability, or they are regular staff without any special privileges.
False
Risk Analysis is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be controlled or mitigated.
False
The ____ is an effective attribute for tracking network devices and servers, but rarely applies to software.
IP address
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
Manufacturer's part number
Weighting criteria can be used to assess the value of information assets or impact evaluation.
True
Examples of technical software failures or errors include code problems, unknown loopholes, and ____.
bugs
As each information asset is identified, ____________________, and classified, a relative value must also be assigned to it.
categorized
As each information asset is identified, categorized, and ____, a relative value must also be assigned to it.
classified
Classification categories must be ____________________ and mutually exclusive.
comprehensive
Classification categories must be ____ (all inventoried assets fit into a category) and ____ (each asset is found in only one category).
comprehensive, mutually exclusive
Risk management is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be
controlled
Piracy and copyright infringement are examples of the threat of compromise to ____________________ property.
intellectual
The sample classification scheme for an information asset of confidential, ____ and public, designates the level of protection needed for a particular information asset.
internal
A(n) ____________________ defense is the foundation of any information security program.
layered
The standard IT system components include: people, data, networks, hardware, software, and ____________________.
procedures
A press release is likely to fall under the ____ data classification scheme.
public
One of the calculations that guides corporate spending on controls is the cost of ____ operations if an attack occurs and is successful.
recovery