Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
30 Cards in this Set
- Front
- Back
|
Risk = ? |
Threat * Vulnerability |
|
|
What does threat assessment do? |
Help reduce the impact of threats |
|
|
What does vulnerability assessment do? |
Help reduce vulnerabilities |
|
|
What does exploit assessment do? |
Help validate actual threats and vulnerabilities |
|
|
What are the components of risk assessment? |
Risk identification, risk analysis, risk prioritization |
|
|
What are the components of risk control? |
Risk management, risk resolution, risk monitoring |
|
|
What is risk avoidance? |
Not engaging in certain activities that can incur risk |
|
|
What is risk acceptance? |
Accepting the risk involved in certain activities and addressing any consequences that result in risk |
|
|
What is risk transfer? |
Sharing the risk with an outside party |
|
|
What is risk mitigation? |
Reducing or eliminating the risk by applying controls |
|
|
What do you call a prioritized lists of assets and threats a company may make after identification process? |
TVA (Threat-Vulnerabilities-Assets) worksheet |
|
|
What is Quantitative assessment? |
-Supports cost-benefit analysis (CBA) |
|
|
What is Qualitative assessment? |
-Supports higher degree of communication with decision makers -Must clearly define values to prevent confusion |
|
|
What is semi-quantitative assessment? |
-Hybrid method -Best and worst of both worlds |
|
|
Compare Quantitative and Qualitative |
Quantitative Qualitative Monetary Value Word Value Historical Data Expert Opinions SLE ARO ALE Probability and impact |
|
|
How do you estimate risk? |
Risk is likelihood multiplied by consequences (impact) minus the percent of risk mitigated by current controls plus degree of uncertainty percent |
|
|
What are the steps of risk assessment? |
Identify hazards Decide who may be harmed Assess the risk and take action Record finding Review assessment |
|
|
Model of Risk Management |
Assess Assets |
|
|
What are some factors that go into planning when creating a security policy within an organization |
Physical environment |
|
|
What are the precursor documents used to support organizational planning for security policies? |
The mission statement, the vision statement, the value statement |
|
|
What is the mission statement? |
declares the business of the organization and its intended areas of operation as well as explains what the organization does and for whom |
|
|
What is the vision statement? |
expresses where the organization wants to go and should be ambitious |
|
|
What is the value statement? |
Allows an organization to make its conduct and performance standards clear to its employees and the public with a statement |
|
|
Describe tactical planning |
Has a short-term focus, usually one to three years, breaks applicable strategic goals into a series of incremental objecsts |
|
|
Describe operational planning |
Used by managers and employees to organize the ongoing day-to-day performance of task, includes clearly identified coordination activities across department boundaries |
|
|
What is EISP? |
Enterprise Information Security Policy, Sets strategic direction, scope, and tone fororganization’s security efforts. Assigns responsibilities for various areas ofinformation security. Guides development, implementation, andmanagement requirements of informationsecurity program |
|
|
What is ISSP? |
Issue-Specific Security Policy, Focuses on development for certain areas that a relevance, concern, and controversy. Provides targeted guidance |
|
|
What is SysSP? |
System-Specific Security Policy, it is an operational level policy. Created by management to guide the implementation of technology. Applies to technology that affects the critical security characteristics of information |
|
|
What are the layers in the bull's eye model starting with outer most layer |
Policies, Networks, Systems, Applications |
|
|
What are basic rules for shaping a policy? |
Should never conflict with law, must be able to stand up in court if challenged, must be properly supported and administered |
