Deck 4: Risk Management

Examples of exceptionally grave damage include armed hostilities against the United States or its allies and disruption of foreign relations vitally affecting the national security.

Comprehensive means that an information asset should fit in only one category.

You cannot use qualitative measures to rank values.

The general management of an organization must structure the IT and information security functions to defend the organization's information assets.

The amount of money spent to protect an asset is based in part on the value of the asset.

A certificate authority should actually be categorized as a software security component.

Eliminating a threat is an impossible proposition.

When determining the relative importance of each asset,refer to the organization's mission statement or statement of objectives to determine which elements are essential,which are supportive,and which are merely adjuncts.

Leaving unattended computers on is one of the top information security mistakes made by individuals.

Risk control is the application of controls to reduce the risks to an organization's data and information systems.

Information security managers and technicians are the creators of information.

"If you realize you do not know the enemy,you will gain an advantage in every battle." (Sun Tzu)

You should adopt naming standards that do not convey information to potential system attackers.

The value of intellectual property influences asset valuation.

Know yourself means identifying,examining,and understanding the threats facing the organization.

If every vulnerability identified in the organization is handled through mitigation,it may reflect an inability to conduct proactive security activities and an apathetic approach to security in general.

To determine if the risk is acceptable or not,you estimate the expected loss the organization will incur if the risk is exploited.

Protocols are activities performed within the organization to improve security.

Identifying human resources,documentation,and data information assets of an organization is less difficult than identifying hardware and software assets.

Some argue that it is virtually impossible to determine the true value of information and information-bearing assets.

Program-specific policies address the specific implementations or applications of which users should be aware._________________________

Every organization should have the collective will and budget to manage every threat by applying controls.

One way to determine which information assets are critical is by evaluating how much of the organization's revenue depends on a particular asset._________________________

Risk control is the examination and documenting of the security posture of an organization's information technology and the risks it faces._________________________

Metrics-based measures are generally less focused on numbers and more strategic than process-based measures.

One problem with benchmarking is that there are many organizations that are identical.

The mitigate control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation._________________________

Policies are documents that specify an organization's approach to security._________________________

Best business practices are often called recommended practices.

Each of the threats faced by an organization must be examined to assess its potential to endanger the organization and this examination is known as a threat profile._________________________

Internal benchmarking can provide the foundation for baselining.

The most common of the mitigation procedures is the disaster recovery plan._________________________

CBAs cannot be calculated after controls have been functioning for a time.

Risk evaluation assigns a risk rating or score to each information asset._________________________

A best practice proposed for a small home office setting is appropriate to help design control strategies for a multinational company.

Organizations should communicate with system users throughout the development of the security program,letting them know that change are coming.

Mutually exclusive means that all information assets must fit in the list somewhere._________________________

The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control,a project-based risk assessment,or a topic-specific risk assessment.

Establishing a competitive business model,method,or technique enabled an organization to provide a product or service that was superior and created a(n)competitive advantage._________________________

ALE determines whether or not a particular control alternative is worth its cost._________________________

Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices._________________________

A(n)exposure factor is the expected percentage of loss that would occur from a particular attack._________________________

Operational feasibility is also known as behavioral feasibility._________________________

Risk measure defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility._________________________

A(n)disaster recovery plan dictates the actions an organization can and perhaps should take while an incident is in progress._________________________

When the organization is pursuing an overall risk management program,it requires a(n)systematic report that enumerates the opportunities for controlling risk._________________________

Likelihood risk is the risk to the information asset that remains even after the application of controls._________________________

Major risk is a combined function of (1)a threat less the effect of threat-reducing safeguards,(2)a vulnerability less the effect of vulnerability reducing safeguards,and (3)an asset less the effect of asset value-reducing safeguards._________________________

Within organizations,technical feasibility defines what can and cannot occur based on the consensus and relationships between the communities of interest._________________________

Qualitative-based measures are comparisons based on numerical standards,such as numbers of successful attacks._________________________

Benefit is the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability._________________________

Within best practices,the optimum standard is a subcategory of practices that are typically viewed as "the best of the best." _________________________

A(n)qualitative assessment is based on characteristics that do not use numerical measures._________________________

In information security,benchmarking is the comparison of security activities and events against the organization's future performance._________________________