Administering Security and Security Evaluation Flashcards
By providing a suitable example, describe the risk management strategy known as risk avoidance.
Risk avoidance involves avoiding the risk altogether by taking actions to eliminate or reduce the likelihood of the risk occurring. Here are some of the types of risk avoidance strategies:
Elimination: This involves completely removing the risk by removing the activity or the asset that is associated with the risk. For example, a company may eliminate the risk of data breaches by avoiding the collection and storage of sensitive customer data.
Segregation: This involves separating the risk from the assets or activities that are not associated with the risk. For example, a company may segregate its financial assets from its operational assets to avoid financial risks.
Define risk management.
The process of identifying, assessing, and mitigating risks to achieve organizational objectives.
In risk management, what is risk transfer?
This strategy involves transferring the risk to another party, such as an insurance company or a vendor. Examples include purchasing insurance policies or outsourcing a business process to a third-party vendor.
In risk management, what is risk acceptance?
This strategy involves accepting the risk and its potential consequences. Examples include accepting the risk of economic downturns or natural disasters as a normal part of doing business.
In risk management, what is risk reduction?
This strategy involves taking actions to reduce the impact or likelihood of a risk. Examples include implementing security measures to protect against cyber attacks, creating backups of important data, and diversifying investments.
With reference to the Common Criteria, what are SFRs?
Security Functional Requirements are security requirements that describe the security functions that must be implemented in the evaluated product. For example: authentication, access control, audit, encryption.
With reference to the Common Criteria, what are PPs?
Protection Profiles are sets of security requirements that define the security needs of a particular type of IT product or system in a specific environment. For example: a PP for Smart Card Operating Systems, a PP for Network Devices, a PP for Biometric Authentication Devices.
With reference to the Common Criteria, what are STs?
A Security Target is a document that specifies the security requirements and assurance measures for a specific IT product or system. For example: an ST for a Firewall, an ST for a Mobile Operating System, an ST for an Electronic Health Record System, etc.
With reference to the Common Criteria, what are SARs?
Security Assurance Requirements are security requirements that describe the assurance measures that must be taken to ensure that the security functions of the evaluated product are implemented correctly and are effective. For example: testing, vulnerability assessment, design review, documentation.