Ch.14 Flashcards
a policy that defines the actions users may perform while accessing systems and networking equipment
acceptable use policy (AUP)
the expected monetary loss that can be anticipated for an asset due to a risk over a one-year period
annualized loss expectancy (ALE)
the expected frequency with which a risk occurs in a year, expressed as occurrences per year (for example, 0.1 for a loss expected once every ten years)
annualized rate of occurrence (ARO)
a methodology for making modifications to a system and keeping track of those changes
change management
a security policy that addresses the different aspects of how data should be handled within an organization
data policy
a security policy that outlines how long to maintain information in the user’s possession
data retention policy
a security policy that addresses how and when data will ultimately be erased
data wiping and disposing policy
an event that does not appear to be a risk but actually turns out to be one
false negative
an event that in the beginning is considered to be a risk yet turns out to not be one
false positive
the “framework” and functions required to enable incident response and incident handling within an organization
incident management
an administrative risk control type that covers the laws, regulations, policies, practices, and guidelines which set the overall requirements and controls for the organization
management risk control type
the average amount of time expected until the first failure of a piece of equipment
mean time to failure (MTTF)
risk control type that covers the operational procedures to limit risk
operational risk control type
a network that has no dedicated servers; each device simultaneously functions as both a client and a server to every other device connected to the network
peer-to-peer (P2P) network
a security policy that outlines how the organization uses personal information it collects
privacy policy
an approach to risk calculation that rates risk with descriptive scales (such as low, medium, and high) using an “educated guess” based on observation rather than monetary figures
qualitative risk calculation
an approach to risk calculation that attempts to assign actual numeric (typically monetary) values to a risk by using historical data
quantitative risk calculation
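The qualitative and quantitative cards above, together with the SLE, ARO and ALE definitions, are easiest to see in a worked calculation. The following is an added example, not part of the original flashcard set: it computes SLE = AV × EF and ALE = SLE × ARO, scores a control by the ALE it removes minus what it costs, and rates a risk on a qualitative likelihood-by-impact scale. Asset value (AV), exposure factor (EF), the control cost and residual figures, the 5×5 rating thresholds, and all sample data are assumptions constructed for illustration.

```python
"""Worked risk calculation: SLE, ARO, ALE and control cost-benefit.

Added example; not from the original page. AV, EF, control costs,
residual values and the qualitative thresholds are assumed figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: assumed value of the asset, in dollars
    exposure_factor: float  # EF: assumed fraction of AV lost per occurrence (0.0-1.0)
    aro: float              # ARO: expected occurrences per year (may be below 1)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # assumed yearly cost of the safeguard
    residual_aro: float     # assumed ARO once the control is in place
    residual_ef: float      # assumed EF once the control is in place


def single_loss_expectancy(risk: Risk) -> float:
    """SLE = AV * EF: the expected monetary loss each time the risk occurs."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return risk.asset_value * risk.exposure_factor


def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE * ARO: the expected monetary loss from this risk over one year."""
    if risk.aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(risk) * risk.aro


def control_value(risk: Risk, control: Control) -> float:
    """Net annual value of a control: ALE reduction minus the control's cost.

    Positive means mitigation pays for itself; negative suggests another
    response (accept, transfer, or avoid) should be considered instead.
    """
    residual = Risk(risk.name, risk.asset_value, control.residual_ef, control.residual_aro)
    return (annualized_loss_expectancy(risk)
            - annualized_loss_expectancy(residual)
            - control.annual_cost)


def rank_risks(risks):
    """Return (name, ALE) pairs, highest ALE first, to prioritize treatment."""
    return sorted(((r.name, annualized_loss_expectancy(r)) for r in risks),
                  key=lambda pair: pair[1], reverse=True)


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative alternative: rate a risk on an assumed 5x5 likelihood/impact grid."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


# Constructed sample register (assumed figures, not real data).
WEB = Risk("web server compromise", 100_000.0, 0.25, 2.0)    # SLE 25,000; ALE 50,000
LAPTOP = Risk("laptop theft", 3_000.0, 1.0, 0.5)             # SLE 3,000;  ALE 1,500
FLOOD = Risk("data center flood", 2_000_000.0, 0.4, 0.05)     # SLE 800,000; ALE 40,000
SAMPLE_RISKS = [WEB, LAPTOP, FLOOD]

WAF = Control("web application firewall", 15_000.0, 0.5, 0.25)   # worth 22,500/yr
BARRIER = Control("flood barrier", 60_000.0, 0.01, 0.4)          # worth -28,000/yr


if __name__ == "__main__":
    for name, ale in rank_risks(SAMPLE_RISKS):
        print(f"{name:24s} ALE ${ale:>12,.2f}")
    print(f"{WAF.name}: net ${control_value(WEB, WAF):,.2f} per year")
    print(f"{BARRIER.name}: net ${control_value(FLOOD, BARRIER):,.2f} per year")
    print("flood, qualitative:", qualitative_rating(likelihood=1, impact=5))
```

The flood barrier result is the point of the cost-benefit step: a control that costs more per year than the ALE it removes is not a sensible mitigation, which is why the remaining responses to risk (acceptance, transference through insurance, or avoidance) exist alongside it.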
specialized training that is customized to the specific role that an employee holds in the organization
role-based training
a written document that states how an organization plans to protect its information technology assets
security policy
the expected monetary loss from a single occurrence of a risk
single loss expectancy (SLE)
grouping individuals and organizations into clusters or groups based on a like affiliation
social networking
a risk control type that involves using technology to control risk
technical risk control type
An event that appears to be a risk but turns out not to be one is called a _____.
a. false negative
b. false positive
c. negative-positive
d. risk negative event (RNE)
b
Which of these is NOT a response to risk?
a. transference
b. resistance
c. mitigation
d. avoidance
b