Section 3 Fundamental concepts and principles of Information Security Risk Management Flashcards
Fundamental concepts and principles of Information Security Risk Management
What is Information Security?
preservation of confidentiality, integrity, and availability of information
What is Information?
meaningful data
Information Security determines?
Information security determines:
what information needs to be protected?
why it should be protected?
how to protect it?
what to protect it from?
How do you ensure Information Security?
By implementing?
By implementing policies and controls
What is an Event?
Occurrence or change of a particular circumstance
An event can have a positive or negative impact
It may be expected but not happen
It may be not expected but happen
Event Examples
Natural events, e.g., flooding, cold weather
Accidents, e.g., road accident, chemical spill
Disease or infection
Political unrest, e.g., war, terrorism
Crime, e.g., violence, theft, fraud
Economic events, e.g., recession, trade wars, bankruptcy
Pollution or habitat destruction
What is a Consequence?
- result of an event or outcome of an event
- can be certain or uncertain
What is a Threat?
Potential negative situation
Potential danger or harm
earthquake, a power outage, or a network-based worm such as NotPetya
What are the classifications of security controls by type?
- Technical Controls
- Legal Controls
- Administrative Controls
- Managerial Controls
What are Administrative Controls?
Controls related to organizational structure
separation of duties
job rotations
job descriptions
approval of process.
A threat is…
A threat is any potential danger that is associated with the exploitation of a vulnerability. If the threat is that someone will identify a specific vulnerability and use it against the organization or individual, then the entity that takes advantage of a vulnerability is referred to as a threat agent (or threat actor).
Control
Measure that modifies risk
Security Controls by function (3)
Preventive
Detective
Corrective
Who Manages Risk?
Everyone has their share of responsibility when it comes to risk management.
Risk Owner?
Can be a person or entity with the accountability and authority to manage a risk.
Risk Management Principles
Integrated
Structured and Comprehensive
Customized
Inclusive
Dynamic
Best available information
Human and cultural factors
Continual Improvement
Which type of controls is related to management?
Managerial
Why might real risks not be recognized retrospectively, even if they were effectively avoided?
Real risks may not be recognized if no harmful effects are recorded, potentially leading to complacency in risk management efforts.
What is a common challenge associated with risk management?
Uncertainty surrounding the extent of exposure to risk.
Difficulty in determining the extent of exposure to risk due to incomplete information or changing circumstances.
This uncertainty can arise from various factors such as incomplete information, changing circumstances, or unforeseen events. Without a clear understanding of the level of risk exposure, it becomes difficult to accurately assess and mitigate potential consequences.