Organization Wide Risk Management Flashcards

1
Q

NIST 800-37 vs NIST 800-39

A

NIST 800-37 - applying the RMF

NIST 800-39 - Managing Risk

2
Q

Holistic Approach to risk management

A

Look at it as a whole - management of risk at both the enterprise level and the system level

Areas of focus

  • Goals/mission of the organization
  • Relationships between the mission and business processes
  • Information systems supporting the business processes/mission
3
Q

What are security controls?

A

Processes and techniques put in place to mitigate risks

Security controls must account for

  • Business impacts
  • Risks
  • AO acceptance
  • Allocation of security resources
  • Consideration of risk types - different types of risk need different types of protection
4
Q

Organizational Risks - 1

A

Information security requirements established by the enterprise are considered as important and critical as other functional requirements

Balance must be obtained when managing organizational risks from all sources

5
Q

Organizational Risks - 2

A

Operation and use of information systems must have adequate resources (financial and human) to minimize risk

6
Q

Benefits of Organizational Risk Management

A
  • Prioritize requirements and allocation of resources
  • Develop continuous and cost-effective solutions to problems
  • Consolidate and reform solutions to simplify management and enhance interoperability and communication
  • Ensure security concerns are integrated into the architecture, acquisition process, and SDLC (saves time and money)
7
Q

Managing Risk - objective and goal

A

Objective - the risk management program fosters an atmosphere where risk from systems is considered within the structure of the enterprise architecture and all phases of the SDLC

Goal - enable the organization to conduct its day-to-day operations and achieve its missions within a secure environment alongside the risks it faces

8
Q

What is Security Risk Management?

A

Process - the process of managing risk to operations resulting from the use of information

9
Q

Recognizing Responsibility

A

All-hands approach - everyone has a role in managing risk

10
Q

Risk Management for Organization

A

Achieve an exceptional security posture given the organization's mission/goals

11
Q

Risk Mgmt for Information Systems

A

Protect information systems from cyber attacks

12
Q

FEA

A

Federal Enterprise Architecture - facilitates efforts to ensure federal government mission and business processes are market-based and helps improve citizen services

13
Q

Why have Assessor Independence

A

Unbiased assessment - the AO receives the most objective information
