Info RM and Compliance Flashcards
Can you decide on avoiding, transferring, mitigating, and accepting a risk without involving committee members?
No
In a merger, when should a comprehensive risk assessment be conducted?
ASAP
What requirements for information security are cited in GDPR?
Personal data shall be protected against loss, destruction, or damage
What are examples of risk acceptance?
Omitting something from a risk register or getting a system owner's approval on a risk
What is an example of risk transfer?
Moving source code from an off-premise repository to an IaaS repository
What reporting is required for companies that accept payment cards?
Annual self-assessment questionnaire (SAQ) and attestation of compliance (AOC)
How should assets be classified?
Value, criticality, and/or sensitivity to the organization
What are the 4 phases of risk management?
Reporting, assessing, evaluating, and monitoring
What is OCTAVE?
Operational Critical Threat Assessment and Vulnerability Evaluation. Framework with 8 (Octa) steps that helps identify, rank, and prioritize events for assessment.
- Establish criteria for measuring risks
- Create an information asset profile
- Identify information asset container
- Recognize areas for concern
- Identify threat actor and scenarios
- Identify risks
- Analyze risks
- Choose countermeasures and control
What is the Bowtie method?
Diagrams the link between cause, control, and consequence
What is the Delphi Method?
Expert judgement through 2 or more rounds of questionnaires
What is a Fault Tree Analysis?
Top-down diagrammed analysis of single events
What is the ETA method?
Event Tree Analysis. Derived from fault tree analysis, a logic-model technique which is forward-looking and bottom-up
What is Markov Analysis?
Analysis of systems in various states
What is the Open FAIR concept?
Statistical inference based on prior distribution data to determine probabilities