Chapter: Information Security : Security Investigation

Important Short Questions and Answers: Security Analysis

1. What is Risk Management?

Risk management is the larger process of identifying risks and justifying the controls applied to them; risk identification is conducted within this process.


2. What are the communities of interest?

• Information Security
• Management and users
• Information Technology


3. What are the responsibilities of the communities of interest?

• Evaluating the risk controls
• Determining which control options are cost effective for the organization
• Acquiring or installing the needed controls
• Overseeing that the controls remain effective


4. Write about MAC.

• A MAC (Media Access Control) address is also called an electronic serial number or hardware address.
• Every network interface hardware device has a unique number.
• The number is used by the network operating system as a mechanism to identify a specific network device.


5. What is a Public Key Infrastructure (PKI) certificate authority?

It is a software application that provides cryptographic key management services.


6. What is a Clean desk policy?

It requires each employee to secure all information in its appropriate storage container at the end of each day.


7. What is risk assessment?

It is the process of assessing the relative risk for each of the identified vulnerabilities.


8. What is Likelihood?


Likelihood is the overall rating of the probability that a specific vulnerability within an organization will be successfully attacked.

9. What is Residual Risk?

It is the risk that remains to the information asset even after the existing control has been applied.

10. What are Policies?

Policies are documents that specify an organization’s approach to security.

11. What are the types of security policies?

• General Security Policy
• Program Security Policy
• Issue-Specific Policies

12. What are the types of access controls?

• Mandatory Access Controls (MAC)
• Nondiscretionary Controls
• Discretionary Controls (DAC)

13. What are the Risk Control Strategies?

• Avoidance – the risk control strategy that attempts to prevent the exploitation of the vulnerability.
• Transference – the control approach that attempts to shift the risk to other assets, other processes, or other organizations.
• Mitigation – the control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
• Acceptance – the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.

14. What are the common methods for Risk Avoidance?

• Avoidance through application of policy
• Avoidance through application of training and education
• Avoidance through application of technology

15. What are the types of plans in the Mitigation strategy?

• Disaster Recovery Plan (DRP)
• Incident Response Plan (IRP)
• Business Continuity Plan (BCP)

16. What is a hot site?

• It is also known as a business recovery site.
• It is a remote location with systems identical or similar to those of the home site.


17. What are the ways to categorize the controls?

• Control function
• Architectural layer
• Strategy layer
• Information security principle

18. Differentiate Preventive and Detective controls.

Preventive Controls:
• Stop attempts to exploit a vulnerability by implementing a security principle, such as authentication or confidentiality.
• Use technical procedures such as encryption, or a combination of technical means and enforcement methods.

Detective Controls:
• Warn organizations of violations of security principles or organizational policies, or of attempts to exploit a vulnerability.
• Use techniques such as audit trails, intrusion detection, and configuration monitoring.


19. What is the goal of documenting the results of the risk assessment?

• The goal of this process is to identify the information assets of the organization that have specific vulnerabilities and to create a list of them, ranked so that those most needing protection are addressed first.
• In preparing this list, factual information is collected and preserved about the assets, the threats they face, and the vulnerabilities they experience.
• Information about the controls that are already in place should also be collected.

20. What are risk control strategies?

When risks from information security threats are creating a competitive disadvantage, the information technology and information security communities of interest take control of the risks. Four basic strategies are used to control the risks that result from vulnerabilities:

• Apply safeguards (avoidance)
• Transfer the risk (transference)
• Reduce the impact (mitigation)
• Inform themselves of all of the consequences and accept the risk without control or mitigation (acceptance)

Risk Identification:

It is the process of examining and documenting the security posture of an organization's information technology and the risks it faces.

Risk Assessment:

It is the documentation of the results of risk identification.

Risk Control:

It is the process of applying controls to reduce the risks to an organization's data and information systems.


Data Classification

• Confidential: Access to information with this classification is strictly on a need-to-know basis or as required by the terms of a contract.
• Internal: Used for all internal information that does not meet the criteria for the confidential category; it is to be viewed only by authorized contractors and other third parties.
• External: All information that has been approved by management for public release.


Risk Determination

Risk = [(Likelihood of vulnerability occurrence) × (Value of information asset)] − (% of risk mitigated by current controls) + (Uncertainty of current knowledge of the vulnerability)


Risk Control Strategies

Four basic strategies are used to control each of the risks that result from these vulnerabilities:

• Apply safeguards that eliminate the remaining uncontrolled risks for the vulnerability [Avoidance]
• Transfer the risk to other areas or to outside entities [Transference]
• Reduce the impact should the vulnerability be exploited [Mitigation]
• Understand the consequences and accept the risk without control or mitigation [Acceptance]


Cost Avoidance


It is the process of avoiding the financial impact of an incident by implementing a control.


Cost Benefit Analysis (CBA)

Organizations are urged to begin the cost benefit analysis by evaluating the worth of the information assets to be protected and the loss in value if those assets were compromised by the exploitation of a specific vulnerability.

The formal process of documenting this decision making is called a cost benefit analysis or an economic feasibility study.

Baselining

Baselining is the analysis of measures against established standards.


Residual Risk

When a given vulnerability has been controlled as much as possible, there is often risk that has not been completely removed, shifted, or planned for; this remainder is called residual risk.


Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.