ITSY1300 - Review - Chapter 5
true
To determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited.
standards of due care
When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as ____________
annualized cost of a safeguard (ACS)
In a cost-benefit analysis, the total cost of a control or safeguard, including all purchase, maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use.
transference
The ____________ control strategy attempts to shift risk to other assets, other processes, or other organizations.
competitive advantage
The adoption and implementation of an innovative business model, method, technique, resource, or technology in order to outperform the competition.
performance gaps
The difference between an organization's observed and desired performance.
cost-benefit analysis
The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.
risk management
The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
risk assessment
A determination of the extent to which an organization's information assets are exposed to risk.
security clearance
A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access.
false
According to Sun Tzu, if you know yourself and know your enemy, you have an average chance to be successful in an engagement.
Quantitative Assessment
An asset valuation approach that attempts to assign absolute numerical measures.
qualitative assessment
An asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures.
Benchmarking
An attempt to improve information security practices by comparing an organization's efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate.
threat assessment
An evaluation of the threats to information assets, including a determination of their potential to endanger the organization.
political feasibility
An examination of how well a particular solution fits within the organization's political environment—for example, the working relationship within the organization's communities of interest or between the organization and its external environment.
organizational feasibility
An examination of how well a particular solution fits within the organization's strategic planning objectives and goals.
dumpster diving
An information attack that involves searching through a target organization's trash and recycling bins for sensitive information.
unclassified
Federal agencies such as the NSA, FBI, and CIA use specialty classification schemes. For materials that are not considered 'National Security Information', __________ data is the lowest level classification.
data classification scheme
Formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.
Single Loss Expectancy (SLE)
In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack. The SLE is the product of the asset's value and the exposure factor.
Annualized Rate of Occurrence (ARO)
In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis.
Exposure Factor (EF)
In a cost-benefit analysis, the expected percentage of loss that would occur from a particular attack.
Annualized Loss Expectancy (ALE)
In a cost-benefit analysis, the product of the annualized rate of occurrence and the single loss expectancy.
Avoidance of competitive disadvantage
The adoption and implementation of a business model, method, technique, resource, or technology to prevent being outperformed by a competing organization; working to keep pace with the competition through innovation, rather than falling behind.
risk control
The application of controls that reduce the risks to an organization's information assets to an acceptable level.
Loss Frequency
The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range.
loss magnitude
The combination of an asset's value and the percentage of it that might be lost in an attack.
cost avoidance
The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident.
attack success probability
The number of successful attacks that are expected to occur within a specified time period.
likelihood
The probability that a specific vulnerability within an organization will be the target of an attack.
asset valuation
The process of assigning financial value or worth to each information asset.
risk appetite
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
Risk Identification
The recognition, enumeration, and documentation of risks to an organization's information assets.
Defense risk control strategy
The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. Also known as the avoidance strategy.
Mitigation Risk Control Strategy
The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.
transference risk control strategy
The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations.
Termination Risk Control Strategy
The risk control strategy that eliminates all risk associated with an information asset by removing it from service.
Acceptance Risk Control Strategy
The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.
residual risk
The risk to information assets that remains even after current controls have been applied.
Operational Feasibility
An examination of how well a particular solution fits within the organization's culture and the extent to which users are expected to accept the solution.
Technical Feasibility
An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel.