M8: IT security management and risk assessment Flashcards
What is the main purpose of risk management in information security?
To help the organization’s leadership prioritize resources to manage risks effectively.
What does ISO-27001 define as a risk?
The effect of uncertainty on objectives, which can be positive or negative.
What are the five main activities in the risk management process?
- Context Establishment
- Risk assessment
- Risk treatment
- Risk acceptance
- Risk monitoring
What is the first step in the risk management process?
Establishing the context of the organization.
What is risk assessment?
Identifying, analyzing, and evaluating risks based on the defined context.
What are the four options for risk treatment?
- Modify
- Accept
- Avoid
- Share
What is a risk treatment plan?
A plan that describes how identified risks will be managed.
Who is responsible for risk management in an organization?
The organization’s top management and the information security committee.
What is the role of the information security committee?
To approve and define the framework for risk management.
What is risk acceptance?
The decision to accept the risk without further action.
What is the purpose of risk monitoring?
To ensure that risk controls are implemented and effective.
What is a risk matrix?
A tool to illustrate the level of risk based on likelihood and impact.
What should be included in a risk treatment plan?
- Purpose
- Responsible person
- Resources
- Risk treatment actions
- Costs
- Timeline
What is the significance of risk communication?
To create awareness about the risk profile and security efforts within the organization.
What is the importance of involving suppliers in risk management?
Suppliers have knowledge of technical solutions and controls that can affect risk.
What is the main purpose of an IT contingency policy?
To set the overall framework for an organization’s IT contingency work and implementation.
What should be the starting point for IT contingency planning?
A risk assessment based on business needs or requirements.
Who is responsible for approving the IT contingency policy?
The organization’s management.
Why is it not recommended to use ‘find and replace’ to create a contingency policy?
Because the policy should be tailored to the organization’s specific needs and language.
What is the role of external suppliers in IT contingency planning?
They should be involved if the organization outsources IT operations.
What is the difference between a policy and a plan in IT contingency?
The policy is more long-term and less maintenance-intensive… while the plan is operational and detailed.
What should be included in the IT contingency plan?
- Purpose
- Responsible person
- Resource effort
- Mitigation actions
- Other costs
- Timeline
What is the importance of having a clear classification of information?
To determine the sensitivity and required protection levels for:
- Confidentiality
- Availability
- Integrity
What is a ‘risk owner’?
The person responsible for managing a specific risk.
Why is it important to involve the organization’s communication unit in risk assessment planning?
To raise awareness about the organization’s risk profile and security efforts.
What is the purpose of a risk management plan?
To describe how identified risks will be handled, including mitigation actions and timelines.
What should be done if IT operations are outsourced?
Involve the external supplier in the risk assessment and management process.
What is the benefit of integrating information security management with overall risk management?
It provides a more comprehensive and clear risk picture for the organization.