Ch.14 Flashcards
a policy that defines the actions users may perform while accessing systems and networking equipment
acceptable use policy (AUP)
the expected monetary loss that can be anticipated for an asset due to a risk over a one-year period
annualized loss expectancy (ALE)
the likelihood of a risk occurring within a year
annualized rate of occurrence (ARO)
a methodology for making modifications to a system and keeping track of those changes
change management
a security policy that addresses the different aspects of how data should be handled within an organization
data policy
a security policy that outlines how long to maintain information in the user’s possession
data retention policy
a security policy that addresses how and when data will ultimately be erased
data wiping and disposing policy
an event that does not appear to be a risk but actually turns out to be one
false negative
an event that in the beginning is considered to be a risk yet turns out to not be one
false positive
the “framework” and functions required to enable incident response and incident handling within an organization
incident management
a type of risk control that is administrative and covers the laws, regulations, policies, practices, and guidelines that govern the overall requirements and controls
management risk control type
the average amount of time expected until the first failure of a piece of equipment
mean time to failure (MTTF)
a type of risk control that covers the operational procedures used to limit risk
operational risk control type
a network that does not have dedicated servers, so each device simultaneously functions as both a client and a server to all other devices connected to the network
peer-to-peer (P2P) network
a security policy that outlines how the organization uses personal information it collects
privacy policy
an approach to risk calculation that uses an “educated guess” based on observation
qualitative risk calculation