Chapter 8
An organization knows that a risk exists and has decided that the cost of reducing it is higher than the loss would be. This can include self-insuring or using a deductible. This is categorized as ________. 259
risk acceptance
A company can discontinue or decide not to enter a line of business if the risk level is too high. This is categorized as ________. 259
risk avoidance
What term is used to describe something built in or used in a system to address gaps or weaknesses in the controls that could otherwise lead to an exploit?
safeguard
It is necessary to create and/or maintain a plan that makes sure your company continues to operate in the face of disaster. This is known as a ________. 250
business continuity plan
The ________ is a simple review of a plan by managers and the business continuity team to make sure that contact numbers are current and that the plan reflects the company's priorities and structure. 268
checklist test
Forensics and incident response are examples of ___________ controls. 263
corrective
A measure installed to counter or address a specific threat is the definition of ________. (vocab)
countermeasure
An intrusion detection system (IDS) is an example of ___________ controls. 263
detective
A(n) ________ is a measurable occurrence that has an impact on the business. 251
event
Among common recovery location options, this is one that can take over operations quickly. It has all the equipment and data already staged at the location, though you may need to refresh or update the data. 276
hot site
Notification, response, recovery and follow-up, and documentation are all components of what process? 271
incident handling
What term is used to describe the probability that a potential vulnerability might be exercised within the construct of an associated threat environment? 251
likelihood
You must consider many factors when evaluating countermeasures. Countermeasures might generate more calls to the help desk, slower response times for users, and so on. This is referred to as ________. 262
productivity impact
A countermeasure, without a corresponding __________, is a solution seeking a problem; you can never justify the cost. 250
risk
The ________ identifies staff reaction and response times as well as inefficiencies or previously unidentified vulnerabilities. All members of the staff involved in operations or procedures participate in the test. 268
simulation test
A control that is carried out or managed by a computer system is the definition of ________. 263
technical control
An attacker or event that might exploit a vulnerability is a(n) ____________. 251
threat source (1)
A(n) ________ is an intent and method to exploit a vulnerability. 251
threat source (2)
A _____________ is a flaw or weakness in a system's security procedures, design, implementation, or internal controls.
vulnerability
A threat source can be a situation or method that might accidentally trigger a(n) ____________. 251
vulnerability
A _________ determines the extent of the impact that a particular incident would have on business operations over time. 266
BIA
____________ is exercised by frequently evaluating whether countermeasures are performing as expected. 262
Due diligence
________ represents the percentage of the asset value that will be lost if an incident were to occur. 256
Exposure factor (EF)
_________ refers to the amount of harm a threat can cause by exploiting a vulnerability. 251
Impact
________ attempts to describe risk in financial terms and put a dollar value on all the elements of a risk. 255
Quantitative risk analysis
___________ is the likelihood that a particular threat exposes a vulnerability that could damage your organization. 250
Risk
________ is a risk management phase that includes assessment of various types of controls to mitigate the identified risks, selection of a control strategy, and justification of the choice of controls. 253
Risk assessment
________ allows an organization to transfer risk to another entity. Insurance is a common way to reduce risk. 259
Risk assignment
________ uses various controls to reduce identified risks. These controls might be administrative, technical, or physical. 258
Risk mitigation
A control involved in the process of developing and ensuring compliance with policy and procedures is the definition of ________. (vocab)
administrative control
How your organization responds to risk reflects the value it puts on its ___________. 248
assets