What is risk management? Why is the identification of risks, by listing assets and their vulnerabilities, so important to the risk management process?
– Risk management is the process of identifying vulnerabilities to an organisation’s information assets and infrastructure, and taking steps to ensure the confidentiality, integrity and availability of all components of the organisation’s information system.
According to Sun Tzu, what two key understandings must you achieve to be successful in battle?
1) If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?
– In an organisation, it is the responsibility of each community of interest to manage the risks that the organisation encounters. Each community of interest has a role to play.
– Since the members of the information security community best understand the threats and attacks that introduce risk into the organisation, they often take a leadership role in addressing risk.
In risk management strategies, why must periodic review be a part of the process?
Frequently, organizations implement control mechanisms, but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective.
Why do networking components need more examination from an information security perspective than from a systems development perspective?
What value does an automated asset inventory system have for the risk identification process?
What information attribute is often of great value for local networks that use static addressing?
Which is more important to the systems components classification scheme: that the asset identification list be comprehensive or mutually exclusive?
What’s the difference between an asset’s ability to generate revenue and its ability to generate profit?
What are vulnerabilities? How do you identify them?
What is competitive disadvantage? Why has it emerged as a factor?
What are the strategies for controlling risk as described in this chapter?
Describe the “defend” strategy. List and describe the three common methods.
Describe the “transfer” strategy. Describe how outsourcing can be used for this purpose.
Describe the “mitigate” strategy. What three planning approaches are discussed in the text as opportunities to mitigate risk?
How is an incident response plan different from a disaster recovery plan?
What is risk appetite? Explain why risk appetite varies from organization to organization.
What is a cost benefit analysis?
What is the definition of single loss expectancy? What is annual loss expectancy?
What is residual risk?
Even when vulnerabilities have been controlled as much as possible, there is often still some
risk that has not been completely removed, shifted, or planned for. This remainder is called
Risk identification is performed within a larger process of identifying and justifying risk controls, which is called ________
The second major undertaking involved in risk management, after risk identification, is _______.
For information security purposes, ______ are the systems that use, store, and transmit information.
The ______ community of interest should have the best
understanding of threats and attacks and often takes a
leadership role in addressing risks.
The ______ community of interest must assist in risk
management by configuring and operating information
systems in a secure fashion.
The _____ community of interest must ensure sufficient resources are allocated to the risk management process.
A risk management strategy calls on information security
professionals to know their organization’s _______.
True or False: The traditional system component of software can be broken into two components when viewed from an information security perspective: operating systems and security components.
True or False: Hardware networking components can be broken down into two subgroups when viewed from an information security perspective: Intranet components and Internet or DMZ (Demilitarized Zone) components.
All network devices are assigned a unique number by the
hardware at the network interface layer called the ______.
(a) IP address
(b) media access control (MAC) address
(c) link address
(d) network address
_______ is the process of assigning scores for critical factors, each of which is weighted in importance by the organization.
Weighted factor analysis
True or False: The purpose of a weighted factor analysis is to list assets in order of their importance to the organization.
In order to ensure effort is spent protecting information that needs protecting, organizations implement ________.
data classification schemes
When individuals are assigned security labels for access to
categories of information, they have acquired a(n) ______.
The process of examining how each threat will affect an
organization is called a(n) _______.
True or False: Specific avenues that threat agents can exploit in attacks on information assets are called exploits or vulnerabilities.
The process an organization uses to assign a risk rating or
score to each information asset is a(n) _______.
The overall rating of the probability that a specific
vulnerability will be successfully exploited is its _______.
The amount of risk that remains after all controls are put in place as designed is called _______.
True or False: The process an organization uses to assign a
risk rating or score to each information asset is a risk
______ is the risk control strategy that attempts to prevent the exploitation of the vulnerability.
_______ is the control approach that attempts to shift risk to other assets, other processes, or other organizations.
The actions an organization can and perhaps should take
while the incident is in progress should be defined in a
document referred to as the _______.
incident response plan (IRP)
The most common of the mitigation procedures is the _______.
disaster recovery plan (DRP)
The _____ risk control strategy is the choice to do nothing to protect a vulnerability.
The calculation of the value associated with the most likely
loss from an attack is called the _______.
single loss expectancy (SLE)
How often a specific type of attack is likely to occur is called the _______.
annualized rate of occurrence (ARO)
A value calculated to show the estimated overall loss potential per risk per year is the _______.
annualized loss expectancy (ALE)
_______ is the process of seeking out and studying the
practices used in other organizations that produce the results you desire in your organization.
_______ addresses user acceptance and support, management acceptance and support, and the overall requirements of the organization’s stakeholders.
_______ examines whether or not the organization has the technology necessary to implement and support the control alternatives.
______ is the process of avoiding the financial impact of an incident by implementing a control.
_______ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.