Chapter 2 Personnel Security and Risk Management Flashcards
What is risk management?
Detailed process of identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.
What is risk assessment?
Examination of an environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of the damage it would cause if it did occur, and assessing the cost of countermeasures for each risk. The goal is to get you to a sorted criticality prioritization.
What is risk response?
Evaluating countermeasures, safeguards, and security controls using a cost/benefit analysis; adjusting findings based on other conditions; and providing a proposal of response options to senior management.
What is the cyclical relationship of risk elements?
Assets –> endangered by threats –> which exploit vulnerabilities –> which results in exposure –> which is risk –> which is mitigated by safeguards –> which protect assets
What is the Delphi technique?
A anonymous feedback and response process used to enable a group to reach an anonymous consensus. Goal is to facilitate the evaluation of ideas and solutions on their merits without discrimination based on who the idea comes from. Users may be gathered into a room, and participants write down their responses.
What is inherent risk?
Level of natural, native, or default risk that exists in an environment prior to any risk management efforts. AKA initial risk.
What is residual risk?
Threats to specific assets against which upper management chooses not to mitigate. Also risk left after mitigation efforts.
What is the controls gap?
Total risk - controls gap = residual risk. It signifies the amount of risk that the organization eliminated through safeguards.
What are the five levels of the Risk Maturity Model?
–Ad hoc: chaotic starting point
–Preliminary: Each department does its own form of risk management
–Defined: Organization has a standard RMF
–Integrated: Risk management operations are integrated into business processes, metrics are used, and risk is considered in business decisions
–Optimized: Risk management focuses on achieving objectives, not just reacting to threats; strategic planning is geared toward achieving business success; and lessons learned are integrated into business decisions
What is the CSF?
Based on identify, Protect, Detect, Respond, Recover. Intended for critical infrastructure and commercial companies. Not a checklist; more of an improvement system than an actual process.
What are the six levels of the RMF?
—prepare to execute the RMF by establishing a context and priorities for managing security and privacy risk (not one of the six phases).
–categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss.
– select an initial set of controls and tailor them as needed to reduce risk.
– implement the controls and describe how they are employed in your environment
–assess the controls to determine if they have been implemented correctly.
– authorize the system or common controls based on a determination that the risk to organizational operations is acceptable.
–Monitor the system and associated controls on an ongoing basis.
What is the difference between awareness, training, and education?
Awareness is intended to bring security to the forefront and make it a recognized entity for users. It establishes a common baseline of understanding.
Training is teaching employees how to do their job and to comply with security policy.
Education teaches students more than they need to do to perform their work tasks. Typically associated with a certification or promotion.
