Risk Management Flashcards
Refers to the protection of personal or organizational information or information resources from unauthorized access, attacks, theft, or data damage.
Cybersecurity
Anything of value that could be compromised, stolen, or harmed, including information, physical resources, and reputation.
Asset
Any event or action that could potentially cause damage to an asset or an interruption of services.
Threat
The intentional act of attempting to bypass one or more security services or controls of an information system.
Attack
A condition that leaves the system and its assets open to harm — including such things as software bugs, insecure passwords, inadequate physical security, and poorly designed networks.
Vulnerability
A technique that takes advantage of a vulnerability to perform an attack.
Exploit
A countermeasure that you put in place to avoid, mitigate, or counteract security risks due to threats or attacks.
Control
Is a measure of your exposure to the chance of damage or loss. Is often associated with the loss of a system, power, or network and other physical losses. Also affects people, practices, and processes.
Risk
Is something or someone that can take advantage of vulnerabilities.
Threat
Is a weakness or deficiency that enables an attacker to violate the integrity of the system.
Vulnerability
Is damage that occurs because the threat took advantage of the vulnerability.
Consequence
Is typically defined as the cyclical process of identifying, assessing, analyzing, and responding to risks.
Risk Management
The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.
Enterprise Risk Management (ERM)
Is the property that dictates how susceptible an organization is to loss.
Risk Exposure
Is the security process used for assessing risk damages that can affect an organization.
Risk Analysis
Analysis methods use descriptions and words to measure the likelihood and impact of risk. For example, impact ratings can be severe/high, moderate/medium, or low. In a similar manner, likelihood ratings can be likely, unlikely, or rare.
Qualitative
Analysis is based completely on numeric values. Data is analyzed using historical records, experiences, industry best practices and records, statistical theories, testing, and experiments. The goal of this analysis is to calculate the probable loss for every risk.
Quantitative
Analysis method exists because it’s impossible for a purely quantitative risk assessment to exist given that some issues defy numbers. This analysis attempts to find a middle ground between the previous two risk analysis types to create a hybrid method.
Semi-quantitative
Are high-level statements that identify the organization’s intentions. Are interpreted and made operational through standards, guidelines, and procedures.
Policy/Policies
Consist of specific low-level mandatory controls that help enforce and support policies.
Standards
Are recommended, non-mandatory controls that support standards or that provide a reference for decision making when no applicable standard exists.
Guidelines
Are step-by-step instructions on tasks required to implement various policies, standards, and guidelines.
Procedures
Specifies rules for responding to security incidents before, during, and after they occur.
Incident response policy
Defines a set of rules and restrictions for how various internal and external stakeholders may behave with respect to the organization’s assets.
Acceptable use policy
Outlines the responsibilities that administrators have in keeping various identity data secure and supportive of business objectives. Such policies define expected behavior in how an external or internal user’s identity is created, altered, and deleted with respect to organizational systems.
Account management policy
Often a subset of an account management policy that defines rules for how users generate and maintain account credentials.
Password policy
Outlines how information in the organization is assigned to “owners” — that is, to personnel ultimately responsible for keeping that information secure and accessible by authorized parties only.
Data ownership policy
Outlines how an organization chooses to categorize the different levels of data sensitivity. The organization can triage its security efforts based on what data will bring the most risk if it were leaked or tampered with.
Data classification policy