10. Information Security Risk Monitoring And Review Flashcards

1
Q

Information Security Risk Monitoring And Review

Input

A

All risk information obtained from the risk management activities

2
Q

Action

A

Risks and their factors (i.e. value of assets, impacts, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture.

3
Q

Implementation guidance

A

Risks are not static. Threats, vulnerabilities, likelihood or consequences can change abruptly without any indication. Therefore, constant monitoring is necessary to detect these changes. This can be supported by external services that provide information regarding new threats or vulnerabilities.

Organizations should ensure that the following are continually monitored:
— new assets that have been included in the risk management scope;
— necessary modification of asset values, e.g. due to changed business requirements;

4
Q

Output

A

Continual alignment of the management of risks with the organization’s business objectives, and with risk acceptance criteria.

5
Q

Monitoring and review of risk factors

Input

A

All risk information obtained from the risk management activities.

6
Q

Action

A

Risks and their factors (i.e. value of assets, impacts, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture.

7
Q

Implementation guidance

A

Risks are not static. Threats, vulnerabilities, likelihood or consequences can change abruptly without any indication. Therefore, constant monitoring is necessary to detect these changes. This can be supported by external services that provide information regarding new threats or vulnerabilities.

Organizations should ensure that the following are continually monitored:
— new assets that have been included in the risk management scope;
— necessary modification of asset values, e.g. due to changed business requirements;
— new threats that can be active both outside and inside the organization and that have not been assessed;

New threats, vulnerabilities or changes in likelihood or consequences can increase risks previously assessed as low ones.

Review of low and accepted risks should consider each risk separately, and all such risks as an aggregate as well, to assess their potential accumulated impact. If risks do not fall into the low or acceptable risk category, they should be treated using one or more of the options considered in risk treatment.

The outcome of risk monitoring activities can be input to other risk review activities. The organization should review all risks regularly, and when major changes occur.

8
Q

Output

A

Continual alignment of the management of risks with the organization’s business objectives, and with risk acceptance criteria.

9
Q

Risk management monitoring, review and improvement

Input

A

All risk information obtained from the risk management activities

10
Q

Action

A

The information security risk management process should be continually monitored, reviewed and improved as necessary and appropriate.

11
Q

Implementation guidance

A

Ongoing monitoring and review is necessary to ensure that the context, the outcome of the risk assessment and risk treatment, as well as management plans, remain relevant and appropriate to the circumstances.

The organization should make sure that the information security risk management process and related activities remain appropriate in the present circumstances and are followed.

Any agreed improvements to the process or actions necessary to improve compliance with the process should be notified to the appropriate managers to have assurance that:
— no risk or risk element is overlooked or underestimated;

12
Q

Output

A

Continual relevance of the information security risk management process to the organization’s business objectives or updating the process.
