3 - Risk mitigation, strategies, and controls Flashcards

1
Q

What is the FISMA definition for confidentiality?

A

preserving authorized restriction on access and disclosure, including means for protecting personal privacy and proprietary information

2
Q

What is the FISMA definition for integrity?

A

guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity

3
Q

What is the FISMA definition for availability?

A

ensuring timely and reliable access to and use of information

4
Q

What is the first step of establishing the aggregate score of CIA?

A

determine the potential impact of each type of risk

5
Q

Impacts are typically categorized using what list of values?

A

High, moderate, and low

6
Q

Security policies are developed in response to what?

A

a perceived need for guidance due to some driving force, typically from upper management

7
Q

When senior management provides guidance on a specific topic in the form of a policy, the policy is said to be drafted in what fashion?

A

top-down

8
Q

A policy is a better candidate for senior executive buy-in when it meets these criteria:

A
  • includes wording presented in a form that makes sense in business terms
  • is clearly aligned with the organization’s overall goals and objectives
  • can be seen to specifically support these goals and objectives
9
Q

What is the primary objective of policies?

A

to communicate the goals and objectives with respect to some particular aspect of the business

10
Q

The set of required security controls is dependent upon what?

A

the aggregate score of security requirements defined by the security category

11
Q

What is the primary toolset for security practitioners to apply in an effort to meet security requirements?

A

security controls

12
Q

What is the challenge for security professionals with regard to security controls?

A

to employ the correct set of security controls to provide the level of protection required

13
Q

In what ways can a security control reduce the risk associated with a threat to the enterprise?

A
  • avoid the impact
  • transfer the impact to another party
  • mitigate the effect of the threat
  • accept the risk
14
Q

What are threat actors?

A

individuals or groups that are responsible for actions, intentional or accidental, that lead to losses for other individuals or organizations

16
Q

What are the two manners of risk analysis?

A

qualitative or quantitative

in most cases, risk management and analysis activities include elements from both qualitative and quantitative models

17
Q

What manner of risk analysis uses expert judgment and experience to assess the elements of occurrence and impact?

A

qualitative

18
Q

To assess risk qualitatively, you must do what?

A

compare the impact of the threat with the probability of occurrence and then assign an impact level and probability level to the risk

19
Q

What manner of risk assessment uses calculation based on historical data associated with risk?

A

quantitative

21
Q

What is the primary purpose behind making a risk determination?

A

to provide management with the information needed to make decisions on which threats to address and with what level of resources

22
Q

With regard to a threat, what is the magnitude of impact?

A

a measure of how much damage a particular threat would cause if it manifested itself

23
Q

The challenge of risk management analysis is:

A

the determination of the magnitude of impact

24
Q

What is the likelihood of a threat?

A

a measure of the chance that a threat will actually impact a system

25
Q

An organization's exposure to natural disasters is affected by the organization's:

A
  • region
  • proximity to threat source
  • emergency procedures
  • awareness training
  • facility structure
  • time of the year

27
Q

What does trend analysis involve?

A

performing ongoing research on emerging industry trends to determine the potential and impact of threats that organizations may face

28
Q

What does TCO stand for?

A

total cost of ownership

29
Q

Calculating the TCO of a security product involves what?

A

factoring in all the expected costs over the life cycle of the product