Chapter 2 Personnel Security and Risk Management Concepts Flashcards

1
Q

________ is the collection of practices related to supporting, defining, and
directing the security efforts of an organization.

A

Security governance

2
Q

Any potential occurrence that may cause an undesirable or unwanted outcome
for an organization or for a specific asset

Threats
Vulnerability
Exposure
Risk
Attack
Breach
A

Threats

3
Q

The weakness in an asset or the absence or the weakness of a safeguard or
countermeasure

Threats
Vulnerability
Exposure
Risk
Attack
Breach
A

Vulnerability

4
Q

being susceptible to asset loss

Threats
Vulnerability
Exposure
Risk
Attack
Breach
A

Exposure

5
Q

possibility or likelihood that a threat will exploit a vulnerability to cause
harm to an asset

Threats
Vulnerability
Exposure
Risk
Attack
Breach
A

Risk

6
Q

any intentional attempt to exploit a vulnerability of an organization’s security
infrastructure to cause damage, loss, or disclosure of assets.

Threats
Vulnerability
Exposure
Risk
Attack
Breach
A

Attack

7
Q

the occurrence of a security mechanism being bypassed or thwarted by a threat agent.

Threats
Vulnerability
Exposure
Risk
Attack
Breach
penetration
A

Breach

8
Q

the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

Exposure Factor
Single Loss Expectancy
Annualized Rate of Occurrence
Annualized Loss Expectancy

A

Exposure Factor

9
Q

the cost associated with a single realized risk against a specific asset. It indicates
the exact amount of loss an organization would experience if an asset were harmed by a
specific threat occurring.

Exposure Factor
Single Loss Expectancy
Annualized Rate of Occurrence
Annualized Loss Expectancy

A

Single Loss Expectancy

10
Q

the expected frequency with which a specific threat or risk will occur (that is, become realized) within
a single year.

Exposure Factor
Single Loss Expectancy
Annualized Rate of Occurrence
Annualized Loss Expectancy

A

Annualized Rate of Occurrence

11
Q

the possible yearly
cost of all instances of a specific realized threat against a specific asset.

Exposure Factor
Single Loss Expectancy
Annualized Rate of Occurrence
Annualized Loss Expectancy

A

Annualized Loss Expectancy

12
Q

Security controls, countermeasures, and safeguards can be implemented ______, _______ and __________ .

A

administratively, logically/technically, or physically

13
Q

AV * EF =

ARO
SLE
ALE

A

SLE

14
Q

SLE * ARO =

ARO
SLE
ALE

A

ALE

15
Q

threats * vulnerabilities * asset value =

A

total risk

16
Q

total risk – controls gap =

A

residual risk

17
Q

Which step of the RMF is described below: "information system operation based on a determination of the risk to
organizational operations and assets, individuals, other organizations, and the Nation
resulting from the operation of the information system and the decision that this risk
is acceptable."

18
Q

Which step of the RMF is described below: "the security controls and describe how the controls are employed within
the information system and its environment of operation."

19
Q

Which step of the RMF is described below: "the information system and the information processed, stored, and transmitted by that system based on an impact analysis."

A

Categorize

20
Q

Which step of the RMF is described below: "the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials."

21
Q

Which step of the RMF is described below: "information system operation based on a determination of the risk to
organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable."

22
Q

Which step of the RMF is described below: "an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline
as needed based on an organizational assessment of risk and local conditions."

23
Q

The six major elements of quantitative risk analysis

A
  1. Inventory assets, and assign a value (asset value, or AV). (Asset value is detailed further in a later section of this chapter named “Asset Valuation.”)
  2. Research each asset, and produce a list of all possible threats of each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE).
  3. Perform a threat analysis to calculate the likelihood of each threat being realized
    within a single year—that is, the annualized rate of occurrence (ARO).
  4. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).
  5. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.
  6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.
24
Q

Calculating Safeguard Cost/Benefit

A

ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard (ACS) = value of the safeguard to the company

25
Q

Which step of the RMF is described below: "information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable."

Categorize
Select
Implement
Assess
Authorize
Monitor

A

Authorize

26
Q

Which step of the RMF is described below: "the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system."

Categorize
Select
Implement
Assess
Authorize
Monitor

A

Assess

27
Q

Which step of the RMF is described below: "the information system and the information processed, stored, and transmitted by that system based on an impact analysis."

Categorize
Select
Implement
Assess
Authorize
Monitor

A

Categorize

28
Q

Which step of the RMF is described below: "the security controls and describe how the controls are employed within the information system and its environment of operation."

Categorize
Select
Implement
Assess
Authorize
Monitor

A

Implement

29
Q

Which step of the RMF is described below: "an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions."

Categorize
Select
Implement
Assess
Authorize
Monitor

A

Select

30
Q

Which step of the RMF is described below: "the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials."

Categorize
Select
Implement
Assess
Authorize
Monitor

A

Monitor

31
Q

_______ is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks.

Awareness
Training
Education

A

Education

32
Q

__________ establishes a common baseline or foundation of security understanding across the entire organization and focuses on key or basic topics and issues related to security that all employees must understand and comprehend.

Awareness
Training
Education

A

Awareness

33
Q

_______ is teaching employees to perform their work tasks and to comply with the security policy.

Awareness
Training
Education

A

Training