Risk Management

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

All possible threats, assessment of potential impact loss of confidentiality, evaluation of critical organizational needs, & establish recovery priorities

What must be considered when a Risk Assessment is performed as part of the contingency response?

Threats, vulnerabilities, assets, and countermeasures

What must be identified for Risk-based Auditing?

Risk consequences

What places people at risk, system continuity and info at risk, organizational ops at risk as well as an organizational reputation at risk?

Mandatory access control policies

What policies support security labels as a means to restrict a subjects access to a particular object?

Retention policy

What policy is used when determining the disposition of information that is no longer required to support the main purpose of the business from an information security perspective?

Intentional insider

What presents the greatest area of concern for Security Management?

Risk monitoring

What process systematically tracks and evaluates the performance of Risk Mitigation actions?

Implementation of selected controls

What provides a measure of "Residual Risk" that is within management Risk Threshold?

Program Risk Management

What provides the ability to assess security need and capabilities, select appropriate safeguards, implement required controls, select adequate test controls, implement and manage changes and accept residual risk?

Cost-Benefit Analysis

What provides the cost of implementing the control and the associated measure of Risk reduction?

A balance between impact of risks and the cost of protective measures

What should the focus of operational risk centric Risk Analysis be based on?

Fault-Tree Analysis

What technique can be used to support reliability and safety analysis as well as provide a systematic description of hardware and human risk factors?

Users, disgruntled employees

What threat source is considered to be the most significant?

System Categorization, costs of testing, and overall benefit to organization.

What three aspects should be considered in Training & Education protocol?

Defined threat & a recognized vulnerability

What two things must exist for a security risk to be present?

Value analysis & sound business case

What two things should investments in risk management technologies be based on?

Identify the requirement, determination, data collection, analytical methodology, and Return of Investment.

What is required in identifying the appropriate Risk Analysis tool?

Building INFOSEC capabilities into commercial and federal ISs, & provide essential info to facilitate acceptance of Risk

What is the emphasis of Risk Management Framework?

Reduce the risk level to the IT system to an acceptable or reasonable level.

What is the goal of countermeasures?

Risk Analysis

What is the impact on system reliability, Security and speed and consequence of failure to mitigate identified risks?

Surveillance and reconstruction of events

What is the intent of Threat Monitoring?

Rules of Engagement

What is the most important piece of documentation in the whole penetration test process?

Compliance testing

What is used to determine whether unauthorized modifications were made to production programs?

Network vulnerability assessment

What type of assessment intends to identify known vulnerabilities that are based on common mis-configurations and missing updates?

Quantitative Risk Assessment

A process used to analyze numerically the probability of each risk and its consequence on operational or business objectives to include interviews, sensitivity analysis, decision tree analysis, and simulation.

Delphi

A security risk assessment and information gathering technique that uses the consensus of subject matter experts to determine operational and business risk.

Fault-Tree Analysis

A top-down, deductive failure analysis process in which an unwanted or undesired state of a system is analyzed using a Boolean logic to combine a series of lower-level events.

Focus of Risk Management

Ability to assess security needs and capabilities, select appropriate safeguards, develop an effective security design, implement required controls, select adequate test controls, implement and manage changes, accept residual risk

Encryption

An effective mechanism to facilitate protection and administration of individual user I&A but may require significant additional administration (key management, key control, key distribution)

Single Loss Expectancy x Annual Rate of Occurrence

Calculation for Annual Loss Expectancy (ALE)

Asset Value x Exposure Factor

Calculation for Single Loss Expectancy (SLE)

Risk Management Control

Focuses on stipulating info protection security policy, standards and guidelines and helps ensure System Security Policies are up-to-date and that all significant risks are addressed.

Federal law, national statutes, agency directives, component regulations, and organizational processes, procedures and protocols.

How are risk policies established?

Eliminate or reduce impact of system threat/vulnerability pair, add targeted controls to reduce capacity and motivation of threat force, reduce magnitude of adverse impact.

How can residual risk be mitigated?

Regularly

How often should risks be reviewed to ensure the initial risk acceptance rationale is still valid?

Organization objectives and risk tolerance levels

In an organization, what two things should be analyzed when defining risk management strategies?

Design Phase

In what system life-cycle phase does Risk Analysis begin?

Internal LAN, trust-relationship, physical access, and insider

List four attack avenues

Keystroke Monitoring

Provides protection from intruders, but must be restricted to specifically authorized individuals with probable cause.

Assessment of threats to the organization, prioritization of applications, development of recovery scenarios

Risk Assessment is a balancing act based on:

(1) determining the assessment's scope and methodology, collecting and synthesizing data, and interpreting the risk

Risk assessment, the process of analyzing and interpreting risk, is comprised of three basic activities:

Known, unknown, known unknown (identifiable uncertainty), unknown unknown (existence yet to be encountered)

Risk impact can be determined by what four types of risks?

False

T/F An enterprise that is subject to regulation by multiple governments or organizations doesn't need to establish baseline standards for all locations or add supplemental standards.

True

T/F An objective of a Risk Management program is to maintain residual risk at an acceptable level.

True

T/F Modifying, relocating, connecting, or reconfiguring the hardware of any component with a Trusting Computing Base must be approved by the Configuration Control Review Board or Configuration Management Board to control risks.

True

T/F Risk Assessment methods and processes should be simple, structured, and organizational centric

Qualitative Risk Assessment

The process of assessing the impact and likelihood of identified risks. (Probability, likelihood, consequence)

Communications accessible by the general public- SA's monitoring in normal course of their duties (originator gives consent)

Whar are the exemptions of the Electronics Communications Privacy Act?

Capability Maturity Monitoring

What allows an enterprise to understand its level of maturity in its risk capabilities as an indicator of operational readiness and effectiveness?

Classifying information assets

What allows for identification of controls proportional to risk?

Unauthorized hosts connected to network, vulnerable services, and deviations from allowed services defined in the network security policy.

What are network scanning processes designed to identify?

Acceptance, Avoidance, Assignment, Planning, Acknowledgement, & Transfer

What are the 6 Risk Mitigation options?

Planning, assessment, handling, monitoring and mitigation

What are the five components of the risk management structure?

Preparation, assessment, mitigation, reporting, and follow-up

What are the five steps of Risk-based Auditing?

Containment, eradication, recovery, and reporting

What are the four requirenents of incident response protocol?

Avoidance, transference, mitigation/control, acceptance

What are the four risk response strategies?

Develop assessment policy, prioritize and schedule assessments, select test techniques, determine logistics requirements, develop assessment plan, and assess legal considerations

What are the requirements of Training & Education planning?

Identification, analysis, assessment, response, recovery, and reporting

What are the six components of Incident Evaluation?

Categorization, Selection of controls, Implementation, Assessment, Authorization, Monitoring

What are the six strategic components of Risk Management Framework?

Identification and analysis

What are two specific requirements of a Risk Assessment?

Risk Assessment

What can be the most difficult process to accomplish in the Risk Management continuum?

Firewall

What can help facilitate access control, network protection, Auditing, minimize potential for "incident encroachment" and act as a central point of control for an organization?

Preventative and recovery controls

What does contingency planning provide?

Interception or access to wire communications, oral communications, or electronic communications

What does the Electronics Communications Privacy Act prohibit?

Monitoring techniques

What implementation can help detect organizational, operational, and environmental trends?

Stakeholder requirements

What is an important factor when designing information system controls in a complex environment?


Ensembles d'études connexes

IMC 353 Chapter 8: narrative persuasion

View Set

Ch 16 Postpartum Nursing Management

View Set

Physical Science Final (from exam 3)

View Set

Lesson 3 Perfusion Adaptive Quizzing

View Set

NHA: Medical Assistant(CCMA) Certification Practice Test 2.0 A numba 333

View Set

Vergil & Caesar General Word List

View Set

Unit 4 study guide(Business Essentials)

View Set

Study HESI EAQ Final for Nursing 101

View Set