IS Governance & Risk Mgmt

Question 1

Annual Rate of Occurrence (ARO)

Answer 1

The number of times per year that an incident is likely to occur.

Question 2

Asset

Answer 2

Any person, facility, material, information, or activity that has a positive value to an owner.

Question 3

Attack

Answer 3

Attempt to gain unauthorized access to an information system’s services, resources, or information, or the attempt to compromise an information system’s integrity, availability, or confidentiality.

Question 4

Business Continuity Plan (BCP)

Answer 4

A documented and tested plan for responding to an emergency.

Question 5

COBIT

Answer 5

Control Objectives for Information and Related Technology.

Question 6

Control

Answer 6

Any protective action, device, procedure, technique, or other measure that reduces exposures.

Question 7

Countermeasures

Answer 7

The deployment of a set of security services to protect against a security threat.

Question 8

Due care

Answer 8

Managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed.

Question 9

Due diligence

Answer 9

The enforcement of due care policy and provisions to ensure that the due care steps taken to protect assets are working effectively.

Question 10

Exposure Factor (EF)

Answer 10

A measure of the magnitude of loss or influence on the value of an asset.

Question 11

Information Security Management Systems (ISMS)

Answer 11

The International Standards Organization (ISO) defines ISMS to be that part of an overall management system based on a business risk approach to establish, implement, operate, monitor, maintain, and improve information security.

Question 12

Likelihood

Answer 12

The qualitative or quantitative likelihood that a potential hazard will occur or a potential threat will be instantiated. Most international standards define six levels of likelihood (lowest to highest): incredible, improbable, remote, occasional, probable, and frequent.

Question 13

Risk

Answer 13

(1) The probability that a particular security threat will exploit a particular vulnerability resulting in loss or harm to an asset or precluding the organization from reaching a goal or objective.
(2) A combination of the probability of an event and its consequences.

Question 14

Risk Management

Answer 14

Coordinated activities to direct and control an organization with regard to risk; The discipline of identifying and measuring security risks associated with an information system, and controlling and reducing those risks to an acceptable level. The goal of risk management is to invest organizational resources to mitigate security risks in a cost-effective manner, while enabling timely and effective mission accomplishment. Risk management is an important aspect of information assurance and defense-in-depth.

Question 15

Safeguard

Answer 15

Protection included to counteract a known or expected condition.

Question 16

Threat

Answer 16

Any entity or event with the potential to adversely impact an information system through unauthorized access, destruction, disclosure, modification of data, or denial of service.

Question 17

Threat-source

Answer 17

Either (a) intent and method targeted at the international exploitation of a vulnerability, or (b) a situation and method that may accidentally trigger a vulnerability. Synonymous with threat agent.

Question 18

Total risk

Answer 18

The potential for the occurence of an adverse event if no mitigating action is taken (ie. the potential for any applicable threat to exploit a system vulnerability). See also acceptable risk, residual risk, minimum level of protection.

Question 19

Vulnerability

Answer 19

A weakness in a system that can be exploited to violate the system’s intended behavior relative to safety, security, reliability, availability, integrity, etc.