Chapter 2 Personnel Security and Risk Management Concepts Flashcards
________ is the collection of practices related to supporting, defining, and
directing the security efforts of an organization.
Security governance
Any potential occurrence that may cause an undesirable or unwanted outcome
for an organization or for a specific asset
Threats Vulnerability Exposure Risk Attack Breach
Threats
The weakness in an asset or the absence or the weakness of a safeguard or
countermeasure
Threats Vulnerability Exposure Risk Attack Breach
Vulnerability
being susceptible to asset loss
Threats Vulnerability Exposure Risk Attack Breach
Exposure
possibility or likelihood that a threat will exploit a vulnerability to cause
harm to an asset
Threats Vulnerability Exposure Risk Attack Breach
Risk
any intentional attempt to exploit a vulnerability of an organization’s security
infrastructure to cause damage, loss, or disclosure of assets.
Threats Vulnerability Exposure Risk Attack Breach
Attack
the occurrence of a security mechanism being bypassed or thwarted by a threat agent.
Threats Vulnerability Exposure Risk Attack Breach penetration
Breach
the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.
Exposure Factor
Single Loss Expectancy
Annualized Rate of Occurrence
Annualized Loss Expectancy
Exposure Factor
the cost associated with a single realized risk against a specific asset. It indicates the exact amount of loss an organization would experience if an asset were harmed by a specific threat occurring.
Exposure Factor
Single Loss Expectancy
Annualized Rate of Occurrence
Annualized Loss Expectancy
Single Loss Expectancy
the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year.
Exposure Factor
Single Loss Expectancy
Annualized Rate of Occurrence
Annualized Loss Expectancy
Annualized Rate of Occurrence
the possible yearly cost of all instances of a specific realized threat against a specific asset.
Exposure Factor
Single Loss Expectancy
Annualized Rate of Occurrence
Annualized Loss Expectancy
Annualized Loss Expectancy
Security controls, countermeasures, and safeguards can be implemented ______, _______, and __________.
administratively, logically/technically, or physically
AV * EF =
ARO
SLE
ALE
SLE
SLE * ARO =
ARO
SLE
ALE
ALE
threats * vulnerabilities * asset value =
total risk
total risk – controls gap =
residual risk
Which step of the RMF is described below:
“information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.”
Authorize
Which step of the RMF is described below:
“the security controls and describe how the controls are employed within the information system and its environment of operation.”
Implement
Which step of the RMF is described below:
“the information system and the information processed, stored, and transmitted by that system based on an impact analysis.”
Categorize
Which step of the RMF is described below:
“the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.”
Monitor
Which step of the RMF is described below:
“an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.”
Select
The six major elements of quantitative risk analysis
- Inventory assets, and assign a value (asset value, or AV). (Asset value is detailed further in a later section of this chapter named “Asset Valuation.”)
- Research each asset, and produce a list of all possible threats of each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE).
- Perform a threat analysis to calculate the likelihood of each threat being realized within a single year—that is, the annualized rate of occurrence (ARO).
- Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).
- Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.
- Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.
Calculating Safeguard Cost/Benefit
ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard (ACS) = value of the safeguard to the company
Which step of the RMF is described below:
“information system operation based on a determination of the risk
to organizational operations and assets, individuals, other organizations, and
the Nation resulting from the operation of the information system and the
decision that this risk is acceptable.”
Categorize Select Implement Assess Authorize Monitor
Authorize
Which step of the RMF is described below:
“the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.”
Categorize Select Implement Assess Authorize Monitor
Assess
Which step of the RMF is described below:
“the information system and the information processed, stored, and transmitted by that system based on an impact analysis.”
Categorize Select Implement Assess Authorize Monitor
Categorize
Which step of the RMF is described below:
“the security controls and describe how the controls are employed within the information system and its environment of operation.”
Categorize Select Implement Assess Authorize Monitor
Implement
Which step of the RMF is described below:
“an initial set of baseline security controls for the information system based on
the security categorization; tailoring and supplementing the security control baseline
as needed based on an organizational assessment of risk and local conditions.”
Categorize Select Implement Assess Authorize Monitor
Select
Which step of the RMF is described below:
“the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the
system or its environment of operation, conducting security impact analyses
of the associated changes, and reporting the security state of the system to
designated organizational officials.”
Categorize Select Implement Assess Authorize Monitor
Monitor
_______ is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks.
Awareness
Training
Education
Education
__________ establishes a common baseline or foundation of security understanding across the entire organization and focuses on key or basic topics and issues related to security that all employees must understand and comprehend.
Awareness
Training
Education
Awareness
_______ is teaching employees to perform their work tasks and to comply with the security policy.
Awareness
Training
Education
Training