Chapter 2 Flashcards
Organisation-Wide Risk Management
Involve everyone in the organisation, from top leaders to regular employees.
Multi-Level Risk Management Model
This model manages risks at three levels: organisation, mission/business process, and information system, ensuring that risks are addressed comprehensively.
Level 1 and 2 Activities
These activities prepare the organisation for risk management by identifying roles, assets, and threats, and by conducting risk assessments.
Level 3 in Risk Management
Level 3 focuses on system-specific risks, guided by decisions at higher levels, and designates controls based on security/privacy requirements.
Traceability of Controls
It ensures that security and privacy controls are linked to specific requirements throughout the system’s lifecycle.
Consequences of Inadequate Organisational Preparation
Inadequate preparation can lead to costly and ineffective security measures, impacting the organisation's efficiency and security.
Risk Management Framework Steps (RMF)
RMF has seven steps: Prepare, Categorise, Select, Implement, Assess, Authorise, and Monitor.
- Prepare
Step 1 establishes priorities for security and privacy risk management.
- Categorise
Step 2 analyses the impact of potential loss and categorises the system accordingly.
- Select
Step 3 involves selecting and tailoring controls based on a risk assessment.
- Implement
Step 4 is about putting selected controls into practice.
- Assess
Step 5 evaluates the implemented controls to ensure they meet the requirements.
- Authorise
Step 6 grants system authorisation based on acceptable risk levels.
- Monitor
Step 7 involves continuous assessment of control effectiveness and reporting.
Adaptation of RMF Steps
RMF steps can be adjusted as needed, especially in agile development, where steps may need revisiting.