ITSY1300 - Review - Chapter 5

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

true

To determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited.

standards of due care

When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as ____________

annualized cost of a safeguard (ACS)

in a cost-benefit analysis, the total cost of a control or safeguard, including all purchase, maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use.

transference

the ____________ control strategy attempts to shift risk to other assets, other processes, or other organizations

competitive advantage

the adoption and implementation of an innovative business model, method, technique, resource, or technology in order to outperform the competition

performance gaps

the difference between an organization's observed and desired performance

cost-benefit analysis

the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization

risk management

the process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level

risk assessment

A determination of the extent to which an organization's information assets are exposed to risk

security clearance

A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access.

false

According to Sun Tzu, if you know your self and know your enemy you have an average chance to be successful in an engagement.

Quantitative Assessment

An asset valuation approach that attempts to assign absolute numerical measures.

qualitative assessment

An asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures

Benchmarking

An attempt to improve information security practices by comparing an organization's efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate

threat assessment

An evaluation of the threats to information assets, including a determination of their potential to endanger the organization.

political feasibility

An examination of how well a particular solution fits within the organization's political environment—for example, the working relationship within the organization's communities of interest or between the organization and its external environment.

organizational feasibility

An examination of how well a particular solution fits within the organization's strategic planning objectives and goals.

dumpster diving

An information attack that involves searching through a target organization's trash and recycling bins for sensitive information.

unclassified

Federal agencies such as the NSA, FBI, and CIA use specialty classification schemes. For materials that are not considered 'National Security Information', __________ data is the lowest level classification.

data classification scheme

Formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it

Single Loss Expectancy (SLE)

In a cost benefit analysis, the calculated value associated with the most likely loss from an attack. The SLE is the product of the asset's value and the exposure factor

Annualized Rate of Occurrence (ARO)

In a cost benefit analysis, the expected frequency of an attack, expressed on a per year basis

Exposure Factor (EF)

In a cost benefit analysis, the expected percentage of loss that would occur from a particular attack

Annualized Loss Expectancy (ALE)

In a cost benefit analysis, the product of the annualized rate of occurrence and single loss expectancy

Avoidance of competitive disadvantage

The adoption and implementation of a business model, method, technique, resource, or technology to prevent being outperformed by a competing organization; working to keep pace with the competition through innovation, rather than falling behind.

risk control

The application of controls that reduce the risks to an organization's information assets to an acceptable level

Loss Frequency

The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range.

loss magnitude

The combination of an asset's value and the percentage of it that might be lost in an attack.

cost avoidance

The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident.

attack success probability

The number of successful attacks that are expected to occur within a specified time period.

likelihood

The probability that a specific vulnerability within an organization will be the target of an attack

asset valuation

The process of assigning financial value or worth to each information asset.

risk appetite

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

Risk Identification

The recognition, enumeration, and documentation of risks to an organization's information assets.

Defense risk control strategy

The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. Also known as the avoidance strategy.

Mitigation Risk Control Strategy

The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.

transference risk control strategy

The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations.

Termination Risk Control Strategy

The risk control strategy that eliminates all risk associated with an information asset by removing it from service

Acceptance Risk Control Strategy

The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.

residual risk

The risk to information assets that remains even after current controls have been applied.

Operational Feasibility

an examination of how well a particular solution fits within the organization's culture and the extent to which users are expected to accept the solution

Technical Feasibility

an examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel


Kaugnay na mga set ng pag-aaral

PSY 230 Chapter 14, 15, 16, & 17 Study Guide

View Set

Reproductive system concerns (Chapter 6): Clinical Scenario

View Set

Decision Mathematics 1 definitions

View Set

Nutrition & Drugs - Ch. 7 Proteins

View Set

World History Final Exam Multiple Choice Rev

View Set