3 - Risk mitigation, strategies, and controls Flashcards
What is the FISMA definition for confidentiality?
preserving authorized restriction on access and disclosure, including means for protecting personal privacy and proprietary information
What is the FISMA definition for integrity?
guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity
What is the FISMA definition for availability?
ensuring timely and reliable access to and user of information
What is the first step of establishing the aggregate score of CIA?
determine the potential impact of each type of risk
Impacts are typically categorized from what list-of-values?
High, moderate, and low
Security policies are developed in response to what?
a perceived need of guidance due to some driving force, typically form upper management
When senior management provides guidance on a specific topic in the form of a policy, the policy is said to be drafted in what fashion?
top-down
A policy is a better candidate for senior executive buy-in when it meet these criteria:
- includes wording presented in a form that makes sense in business terms
- is clearly aligned with the organization’s overall goals and objectives
- can be seen to specifically support these goals and objectives
What is the primary objective of policies?
to communicate the goals and objectives with respect to some particular aspect of the business
The set of required security controls is dependent upon what?
the aggregate score of security requirements defined by the security category
What is the primary toolset for security practitioners to apply in an effort to meet security requirements?
security controls
What is the challenge for security professionals with regard to security controls?
to employ the correct set of security controls to provide the level of protection required
In what ways can a security control reduce the risk associated with a threat to the enterprise?
- avoid the impact
- transfer the impact to another party
- mitigate the effect of the threat
- accept the risk
What are threat actors?
individuals or groups that are responsible for actions - intentional or accidental - that lead to losses for other individuals or organizations.
What are threat actors?
individuals or groups that are responsible for actions - intentional or accidental - that lead to losses for other individuals or organizations.
What are the two manners of risk analysis?
qualitative or quantitative
in most cases, risk management and analysis activities include elements from both quantitative and quantitative models
What manner of risk analysis uses experts judgment and experience to assess the elements of occurrence and impact?
qualitative
To assess risk qualitatively, you must do what?
compare the impact of the threat with the probability of occurrence and then assign an impact level and probability level to the risk
What manner of risk assessment uses calculation based on historical data associated with risk?
quantitative
What manner of risk assessment uses calculation based on historical data associated with risk?
quantitative
What is the primary purpose behind making a risk determination?
to provide management with the information needed to make decisions on which threats to address and with what level of resources
With regard to a threat, what is the magnitude of impact?
a measure of how much damage a particular threat would cause if it manifested itself
The challenge of risk management analysis is:
the determination of the magnitude of impact
What is the likelihood of a threat?
a measure of the chance that a threat will actually impact a system
