Section 3 Fundamental concepts and principles of Information Security Risk Management

Question 1

What is Information Security?

Answer 1

preservation of confidentialy, integrity, and availability of information

Question 2

What is Information?

Answer 2

meaingful data

Question 3

Information Security determines?

Answer 3

Information security determines:

what information needs to be protected?
why it should be protected?
how to protect it?
what to protect it from?

Question 4

How do you ensure Information Security?

By implementing?

Answer 4

By implemeting policies and controls

Question 5

What is an Event?

Answer 5

Occurence or change of a particular circumstance

Event can have positive or negative impact

expected but does not happen
not expected but does happen

Question 6

Event Examples

Answer 6

Natural events, e.g., flooding, cold weather
Accidents, e.g., road accident, chemical spill
Disease or infection
Political unrest, e.g., war, terrorism
Crime, e.g., violence, theft, fraud
Economic events, e.g., recession, trade wars, bankruptcy
Pollution or habitat destruction

Question 7

What is a Consequence?

Answer 7

• resul of an event or outcome of an event
• can be certain or uncertain

Question 8

What is Threat?

Answer 8

Potential negative situation
Potential danger or harm
earthquake, a power outage, or a network-based worm such as NotPetya

Question 9

What are the classification of security controls by types?

Answer 9

1. Technical Controls
2. Legal Controls
3. Administrative Controls
4. Managerial Controls

Question 10

What is Administrative Controls?

Answer 10

Controls related to orgnaizational structure

separation of duties
job rotations
job descriptions
approval of process.

Question 11

A threat is…

Answer 11

A threat is any potential danger that is associated with the exploitation of a vulnerability. If the threat is that someone will identify a specific vulnerability and use it against the organization or individual, then the entity that takes advantage of a vulnerability is referred to as a threat agent (or threat actor).

Question 12

Control

Answer 12

Measure that is modifying risk

Question 13

Security Controls by funtion (3)

Answer 13

Preventinve
Detective
Corrective

Question 14

Who Manage Risk?

Answer 14

Everyone has their share of responsibility when it comes to risk management.

Question 15

Risk Owner?

Answer 15

Can be a person or entity with the accountability and authority to manage a risk.

Question 16

Risk Management Principles

Answer 16

Integrated
Structured and Comprehensive
Customized

Inclusive
Dynamic

Best available Information
Human and culture factors

Continual Improvement

Question 17

Which type of controls are related to the management

Answer 17

Managerial

Question 18

Why might real risks not be recognized retrospectively, even if they were effectively avoided?

Answer 18

Real risks may not be recognized if no harmful effects are recorded, potentially leading to complacency in risk management efforts.

Question 19

What is a common challenge associated with risk management?

Answer 19

Uncertainty surrounding the extent of exposure to risk.

Difficulty in determining the extent of exposure to risk due to incomplete information or changing circumstances.

This uncertainty can arise from various factors such as incomplete information, changing circumstances, or unforeseen events. Without a clear understanding of the level of risk exposure, it becomes difficult to accurately assess and mitigate potential consequences.