IS3110 CHAP 1 Flashcards
Which of the following properly defines risk?
- Threat x Mitigation
- Vulnerability x Controls
- Controls - Residual Risk
- Threat x Vulnerability
Threat x Vulnerability
Which of the following properly defines total risk?
- Threat - Mitigation
- Threat x Vulnerability x Asset Value
- Vulnerability - Controls
- Vulnerability x Controls
Threat x Vulnerability x Asset Value
You can completely eliminate risk in an IT environment.
TRUE OR FALSE
FALSE
Which of the following are accurate pairings of threat categories? (Select Two)
- External and Internal
- Natural and supernatural
- Intentional and accidental
- Computer and user
External and Internal
AND
Intentional and accidental
A loss of client confidence or public trust is an example of loss of ___.
Intangible value
A ___ is used to reduce a vulnerability.
CONTROL
As long as a company is profitable, it does not need to consider survivability.
TRUE OR FALSE
FALSE
What is the primary goal of an information security program?
- Eliminate losses related to employee actions
- Eliminate losses related to risk
- Reduce losses related to residual risk
- Reduce losses related to loss of confidentiality, integrity, and availability
Reduce losses related to loss of confidentiality, integrity, and availability
The ___ is an industry-recognized standard list of common vulnerabilities.
CVE
Which of the following is a goal of risk management?
- Identify the correct cost balance between risk and controls
- Eliminate risk by implementing controls
- Eliminate the loss associated with risk
- Calculate value associated with residual risk
Identify the correct cost balance between risk and controls
If the benefits outweigh the cost, a control is implemented. Costs and benefits are identified by completing a ___.
COST BENEFIT ANALYSIS
A company decides to reduce losses of a threat by purchasing insurance. This is known as risk ___.
Transfer
What can you do to manage risk? (Select three)
- Accept
- Transfer
- Avoid
- Migrate
Accept
Transfer
Avoid
You have applied controls to minimize risk in the environment. What is the remaining risk called?
- Remaining Risk
- Mitigated risk
- Managed Risk
- Residual Risk
Residual Risk
Who is ultimately responsible for losses resulting from residual risk?
- End users
- Technical staff
- Senior Management
- Security personnel
Senior Management
A technique used to manage risk.
When the cost to reduce the risk is greater than the potential loss, the risk is accepted.
A risk is also accepted if management considers the risk necessary and tolerable for the business.
ACCEPT
Ensuring that data or a service is available when needed. Data and services are protected using fault tolerance and redundancy techniques
AVAILABILITY
A technique used to manage risk.
A risk can be avoided by eliminating the source of the risk or eliminating the exposure of assets to the risk.
A company can either stop the risk activity or move the asset.
AVOID
List of publicly known vulnerabilities, each assigned a unique identifier, maintained by the MITRE Corporation.
MITRE works in conjunction with the US Department of Homeland Security.
CVE
Protecting data from unauthorized disclosure. Data is protected using access controls and encryption technologies.
CONFIDENTIALITY
An action or change put in place to reduce a weakness or potential loss. A control is also referred to as a countermeasure.
CONTROL
A process used to determine how to manage a risk.
If the benefits of a control outweigh the costs, the control can be implemented to reduce the risk. If the costs are greater than the benefits, the risk can be accepted.
COST-BENEFIT ANALYSIS (CBA)
The amount of the loss resulting from a threat exploiting a vulnerability. The loss can be expressed in monetary terms or a relative value. The impact identifies the severity of the loss. Impact is derived from the opinions of experts.
IMPACT
Value that isn’t directly related to the actual cost of a physical asset. Intangibles can include future lost revenue, client confidence, and customer influence.
INTANGIBLE VALUE
Ensuring that data or IT systems are not modified or destroyed without authorization. Hashing is often used to detect unauthorized modification and so verify integrity.
INTEGRITY
One of the techniques used to manage risk. Mitigation is also known as risk reduction. Vulnerabilities are reduced by implementing controls or countermeasures
MITIGATE
The ability of a company to make a profit.
It is calculated as revenues minus costs. Risk management considers both profitability and survivability
PROFITABILITY
A judgement test that a company can apply to determine if the risk should be managed. If a reasonable person would expect the risk to be managed, it should be managed.
REASONABLENESS
The risk that remains after controls have been applied. This is also referred to as acceptable risk.
RESIDUAL RISK
A process used to identify and evaluate risks based on an analysis of threats and vulnerabilities to assets. Risks are quantified based on their importance or impact severity. These risks are then prioritized.
RISK ASSESSMENT
The practice of identifying, assessing, controlling, and mitigating risks. Techniques to manage risk include avoiding, transferring, mitigating, and accepting the risk.
RISK MANAGEMENT
The ability of a company to survive loss due to a risk. Some losses can be so severe they will cause the business to fail if not managed.
SURVIVABILITY
The actual cost of an asset
TANGIBLE VALUE
Any activity that represents a possible danger. This includes any circumstances or events with the potential to adversely impact confidentiality, integrity, or availability of a business’s assets
THREAT
The amount of risk when the affected asset value is known. It is often expressed as:
Threat x Vulnerability x asset value = ___
TOTAL RISK
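The total risk formula above and the cost-benefit analysis entry can be put together as one small decision procedure: compute Threat x Vulnerability x Asset Value, compute what remains after each candidate control, and mitigate only when the benefit outweighs the cost, otherwise accept. The following is an added worked example, not code from the flashcards or the IS3110 text. Its modelling choices are assumptions: threat is treated as the probability per year that a threat event occurs, vulnerability as the probability that the event succeeds, so the product with asset value is an expected annual loss in dollars. The asset, control names and figures are constructed sample data.

```python
"""Total risk, cost-benefit analysis (CBA) and residual risk as a decision procedure.

Assumed model (not from the flashcards): threat and vulnerability are probabilities
in [0, 1]; threat is the yearly chance a threat event occurs, vulnerability is the
chance the event succeeds. Threat x Vulnerability x Asset Value is then an expected
annual loss in the units of the asset value.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: float         # assumed: yearly probability a threat event occurs
    vulnerability: float  # assumed: probability the event succeeds against the asset
    asset_value: float    # tangible value of the asset, in dollars

    def __post_init__(self) -> None:
        for p in (self.threat, self.vulnerability):
            if not 0.0 <= p <= 1.0:
                raise ValueError("threat and vulnerability must lie in [0, 1]")
        if self.asset_value < 0:
            raise ValueError("asset value cannot be negative")

    def total_risk(self) -> float:
        """Threat x Vulnerability x Asset Value."""
        return self.threat * self.vulnerability * self.asset_value


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_vulnerability: float  # vulnerability left once the control is in place


def residual_risk(risk: Risk, control: Control) -> float:
    """Risk that remains after the control; the threat and asset value are unchanged."""
    reduced = Risk(risk.asset, risk.threat, control.residual_vulnerability, risk.asset_value)
    return reduced.total_risk()


def cost_benefit(risk: Risk, control: Control) -> dict:
    """CBA for one control: benefit is the loss avoided, net is benefit minus cost."""
    benefit = risk.total_risk() - residual_risk(risk, control)
    return {"control": control.name, "cost": control.annual_cost,
            "benefit": benefit, "net": benefit - control.annual_cost}


def decide(risk: Risk, controls: list) -> dict:
    """Mitigate with the control whose benefit most exceeds its cost.

    If no control's benefit outweighs its cost (a tie does not count as outweighing),
    the risk is accepted and the residual risk is the untreated total risk.
    """
    analyses = [cost_benefit(risk, c) for c in controls]
    worthwhile = [a for a in analyses if a["net"] > 0]
    if not worthwhile:
        return {"action": "accept", "control": None,
                "residual_risk": risk.total_risk(), "analyses": analyses}
    best = max(worthwhile, key=lambda a: a["net"])
    chosen = next(c for c in controls if c.name == best["control"])
    return {"action": "mitigate", "control": chosen.name,
            "residual_risk": residual_risk(risk, chosen), "analyses": analyses}


# Constructed sample data (hypothetical assets and controls).
CUSTOMER_DB = Risk("customer database", threat=0.5, vulnerability=0.8, asset_value=100_000.0)
KIOSK = Risk("lobby kiosk", threat=0.2, vulnerability=0.5, asset_value=2_000.0)
CONTROLS = [
    Control("patch management", annual_cost=12_000.0, residual_vulnerability=0.2),
    Control("full re-platform", annual_cost=35_000.0, residual_vulnerability=0.1),
    Control("awareness poster", annual_cost=500.0, residual_vulnerability=0.78),
]

if __name__ == "__main__":
    for risk in (CUSTOMER_DB, KIOSK):
        outcome = decide(risk, CONTROLS)
        print(f"{risk.asset}: total risk ${risk.total_risk():,.0f}")
        for a in outcome["analyses"]:
            print(f"  {a['control']:<18} cost ${a['cost']:>9,.0f}  "
                  f"benefit ${a['benefit']:>9,.0f}  net ${a['net']:>9,.0f}")
        print(f"  -> {outcome['action']} ({outcome['control']}), "
              f"residual risk ${outcome['residual_risk']:,.0f}")
```

For the customer database the re-platform saves as much as it costs, so by the stated rule it is not implemented; patch management has the largest positive net and is chosen, leaving residual risk of 10,000 a year that senior management accepts. For the kiosk every control costs more than the loss it prevents, so the whole 200 of total risk is accepted.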
One of the techniques used to manage risk. The risk is transferred by shifting responsibility to another party. This can be done by purchasing insurance or outsourcing the activity
TRANSFER
A weakness or exposure to a threat.
The weakness can be a weakness in an asset or in the environment. It can be mitigated with a control.
VULNERABILITY