What is Risk Management?
Risk identification is conducted within the larger process of identifying and justifying risk controls, known as risk management.
What are the communities of interest?
Management and users
What are the responsibilities of the communities of interest?
Evaluating the risk controls
Determining which control options are cost effective for the organization.
Acquiring or installing the needed controls.
Overseeing that the controls remain effective.
It is also called an electronic serial number or
All network interface hardware devices have a
The number is used by the network operating system as a mechanism to identify a specific network device.
What is a Public key infrastructure certificate authority?
It is a software application that provides cryptographic key management services.
What is a Clean desk policy?
This requires each employee to secure all information in its appropriate storage container at the end of each day.
What is risk assessment?
It is the process of assessing the relative risk for each of the vulnerabilities.
Likelihood is the overall rating of the probability that a specific vulnerability within an organization will be successfully
It is the risk that remains to the information asset even after the existing control has been applied.
10. What are Policies?
Policies are documents that specify an organization’s approach to security.
11. What are the types of security policies?
• General Security Policy
• Program Security Policy
12. What are the types of access controls?
Mandatory Access Controls (MACs)
13.What are the Risk Control Strategies?
Avoidance – It is the risk control strategy that attempts to prevent the exploitation of the vulnerability.
Transference – It is the control approach that attempts to shift the risk to other assets, other processes, or other organizations.
Mitigation – It is the control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
Acceptance – It is the choice to do nothing to protect a vulnerability and to accept the outcome of an exploited vulnerability.
14. What are the common methods for Risk Avoidance?
Avoidance through Application of Policy
Avoidance through Application of training and education
Avoidance through Application of technology
15. What are the types of plans in Mitigation strategy?
The Disaster Recovery Plan (DRP)
Incident Response Plan (IRP)
Business Continuity Plan (BCP)
What is a hot site?
It is also known as a business recovery site. It is a remote location with systems identical or similar to the home site.
What are the ways to categorize the controls?
Information Security Principle.
Preventive Controls: Stop attempts to exploit a vulnerability by implementing a security principle, such as authentication or confidentiality. They use technical procedures such as encryption, or a combination of technical means and enforcement methods.
Detective Controls: Warn organizations of violations of security principles, organizational policies, or attempts to exploit. They use techniques such as audit trails, intrusion detection and configuration monitoring.
What is the goal of documenting results of the risk assessment?
The goal of this process has been to identify the information assets of the organization that have specific vulnerabilities and create a list of them, ranked for focus on those most needing protection first.
In preparing this list we have collected and preserved factual information about the assets, the threats they face, and the vulnerabilities they experience.
We should also have collected some information about the controls that are already in place.
20. What are risk control strategies?
When risks from information security threats are creating a competitive disadvantage, the information technology and information security communities of interest take control of the risks.
Four basic strategies are used to control the risks that result from vulnerabilities:
Apply safeguards (avoidance)
Transfer the risk (transference)
Reduce the impact (mitigation)
Inform themselves of all of the consequences and accept the risk without control or mitigation (acceptance)
It is the process of examining and documenting the security posture of an organization’s information technology and the risk it faces.
It is the documentation of the results of risk identification.
Confidential: Access to information with this classification is strictly on a need-to-know basis or as required by the terms of a contract.
Internal: Used for all internal information that does not meet the criteria for the confidential category and is to be viewed only by authorized contractors, and other third parties.
External: All information that has been approved by management for public release.
Risk = [(Likelihood of vulnerability occurrence) × (Value of information asset)] - (% of risk mitigated by current controls) + (Uncertainty of current knowledge of the vulnerability)
Risk Control Strategies
basic strategies to control each of the risks that result from these
Apply safeguards that eliminate the remaining uncontrolled risks for the
Transfer the risk to other areas or to outside entities [transference]
Reduce the impact should the vulnerability be exploited [mitigation]
Understand the consequences and accept the risk without control or
It is the process of avoiding the financial impact of an incident by implementing a control.
Cost Benefit Analysis (CBA)
Organizations are urged to begin the cost benefit analysis by evaluating the worth of the information assets to be protected and the loss in value if those information assets were compromised by the exploitation of a specific
The formal process to document this decision-making process is called a cost benefit analysis or an economic feasibility study.
Baselining is the analysis of measures against established standards,
have controlled any given vulnerability as much as we can, there is often risk that has not been completely removed, has not been completely shifted, or has not been completely planned for; this remainder is called residual risk.