Topic 5 Flashcards

Risk management - identifying and assessing risk

1
Q

What is risk management?

A

Risk management is the process of discovering and assessing the risks to an organization’s operations and determining how those risks can be controlled or mitigated.

2
Q

List the key areas of concern for risk management.

A

Risk identification, risk assessment, risk appetite, and risk control.

3
Q

Who is responsible for risk management in an organization?

A

All stakeholders in the organization are responsible; management is accountable.

4
Q

Which community of interest usually provides the resources used when undertaking information asset risk management?

A

The resources used when undertaking information asset risk management are usually provided by all three communities: InfoSec, IT, and general management.

5
Q

In risk management strategies, why must periodic reviews be a part of the process?

A

Periodic reviews must be a part of risk management strategies because threats are constantly changing for a company. As a vulnerability of specific concern becomes completely managed by an existing control, it may no longer need to be considered for additional controls, just as new vulnerabilities may require the implementation of new controls.

6
Q

Why do networking components need more examination from an InfoSec perspective than from a systems development perspective?

A

Networking components need more examination from an InfoSec perspective than from a systems development perspective because networking subsystems are often the entry point for external threats and the focal point of many attacks against the system.

7
Q

What value would an automated asset inventory system have for the risk identification process?

A

An automated asset inventory system would be valuable to the risk identification process because all hardware components are already identified by model, make, and location. Thus, management can review the system for the most critical items and assess their values.

8
Q

Which is more important to the information asset classification scheme: that it be comprehensive or that it be mutually exclusive?

A

A comprehensive information asset classification scheme is more desirable because it implies that all assets will be included, even if they appear in more than one location.

9
Q

Which threat category is most frequently encountered, and why?

A

Twelve threat categories are commonly encountered. The most frequently encountered category is often “human error or failure” because it is often the hardest to control, as access must be given to trusted insiders as a requirement for them to perform their assigned duties.

10
Q

What is the TVA worksheet used for?

A

The TVA worksheet combines a prioritized list of assets and their vulnerabilities and a list that prioritizes threats facing the organization. The resulting grid provides a convenient method of examining the “exposure” of assets, allowing a simple vulnerability assessment.
