RM1 Flashcards
(34 cards)
____ can be classified into different types: strategic, compliance, financial, operational, environmental, technical, and managerial.
Risks
A risk is the likelihood that the threat agent will exploit a ____.
vulnerability
There are different strategies for controlling risk. ____ is the process of assigning and revoking privileges to objects; that is, it covers the procedures of managing object authorizations.
Privilege management
One element of privilege management is periodic reviewing of a subject’s privileges over an object, and is known as ____
privilege auditing.
_____ refers to a methodology for making changes and keeping track of those changes.
Change management
Without ____ in procedures, a change may negate or diminish a previous change or even unknowingly create a security vulnerability.
proper documentation
Change management seeks to approach changes systematically and provide the necessary ____ of the changes.
documentation
____ is the framework and functions required to enable incident response and incident handling within an organization.
Incident management
The objective of incident management is to ____ the normal operations as quickly as possible with the least possible impact on either the business or the users.
restore
A security policy is a ____
written document that states how an organization plans to protect the company’s information technology assets.
An effective security policy must carefully balance two key elements, _____.
trust and control
A security policy attempts to provide a balance between ____
no trust and too much trust.
The appropriate level of control is determined by the ____
security needs and the culture of the organization.
A ____ is a collection of requirements specific to the system or procedure that must be met by everyone.
standard
_____ is a collection of suggestions that should be implemented.
Guideline
A ____ is a document that outlines specific requirements or rules that must be met, and is the correct means to be used for establishing security.
policy
Most organizations follow a three-phase cycle in the development and maintenance of a security policy. The first phase is a _____; the second phase is to use the _____ to ____. The final phase is to ____
risk management study
risk management study / develop the policy
review the policy for compliance.
An ___ defines the actions users may perform while accessing systems and networking equipment.
acceptable use policy (AUP)
Because privacy is of growing concern, many organizations have a ____ that outlines how the organization uses information it collects.
privacy policy
Policies of the organization that address security as it relates to human resources are known as ____.
security-related human resource policies
A ____ addresses how passwords are created and managed.
password management and complexity policy
A ____ addresses how to dispose of confidential resources. This policy often covers how long records and data will be retained.
disposal and destruction policy
A _____ produces a standardized framework for classifying information assets.
classification of information policy
An ____ is a written code of conduct intended to be a central guide and reference for employees in support of day-to-day decision making.
ethics policy