1. What is Risk Management?
Risk Identification is conducted within the larger process of identifying and justifying risk control known as risk management.
2. What are the communities of interest?
Information Security
Management and users
Information Technology
3. What are the responsibilities of the communities of interest?
Evaluating the risk controls
Determining which control options are cost effective for the organization
Acquiring or installing the needed controls
Overseeing that the controls remain effective
4. Write about MAC.
It is also called an electronic serial number or hardware address.
All network interface hardware devices have a unique number.
The number is used by the network operating system as a mechanism to identify a specific network device.
5. What is a Public key infrastructure certificate authority?
It is a software application that provides cryptographic key management services.
6. What is a Clean desk policy?
This requires each employee to secure all information in its appropriate storage container at the end of each day.
7. What is risk assessment?
It is the process of assessing the relative risk for each of the vulnerabilities.
8. What is Likelihood?
Likelihood is the overall rating of the probability that a specific vulnerability within an organization will be successfully attacked.
9. What is residual risk?
It is the risk that remains to the information asset even after the existing control has been applied.
10. What are Policies?
Policies are documents that specify an organization’s approach to security.
11. What are the types of security policies?
General Security Policy
Program Security Policy
Issue-Specific Policies
12. What are the types of access controls?
Mandatory Access Controls (MAC)
Nondiscretionary Controls
Discretionary Access Controls (DAC)
13. What are the Risk Control Strategies?
Avoidance – the risk control strategy that attempts to prevent the exploitation of the vulnerability.
Transference – the control approach that attempts to shift the risk to other assets, other processes, or other organizations.
Mitigation – the control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
Acceptance – the choice to do nothing to protect a vulnerability and to accept the outcome of an exploited vulnerability.
14. What are the common methods for Risk Avoidance?
Avoidance through Application of Policy
Avoidance through Application of training and education
Avoidance through Application of technology
15. What are the types of plans in the Mitigation strategy?
Disaster Recovery Plan (DRP)
Incident Response Plan (IRP)
Business Continuity Plan (BCP)
16. What is a hot site?
It is also known as a business recovery site.
It is a remote location with systems identical or similar to the home site.
17. What are the ways to categorize the controls?
Control function
Architectural Layer
Strategy Layer
Information Security Principle
Preventive Controls:
Stop attempts to exploit a vulnerability by implementing a security principle, such as authentication or confidentiality.
Use technical procedures such as encryption, or a combination of technical means and enforcement methods.
Detective Controls:
Warn organizations of violations of security principles, organizational policies, or attempts to exploit a vulnerability.
Use techniques such as audit trails, intrusion detection and configuration monitoring.
19. What is the goal of documenting results of the risk assessment?
The goal of this process has been to identify the information assets of the organization that have specific vulnerabilities and create a list of them, ranked for focus on those most needing protection first.
In preparing this list we have collected and preserved factual information about the assets, the threats they face, and the vulnerabilities they experience.
We should also have collected some information about the controls that are already in place.
20. What are risk control strategies?
When risks from information security threats are creating a competitive disadvantage, the information technology and information security communities of interest take control of the risks.
Four basic strategies are used to control the risks that result from vulnerabilities:
Apply safeguards (avoidance)
Transfer the risk (transference)
Reduce the impact (mitigation)
Inform themselves of all of the consequences and accept the risk without control or mitigation (acceptance)
Risk Identification:
It is the process of examining and documenting the security posture of an organization's information technology and the risk it faces.
Risk Assessment:
It is the documentation of the results of risk identification.
Risk Control:
Data Classification
Confidential
Internal
External
Confidential: Access to information with this classification is strictly on a need-to-know basis or as required by the terms of a contract.
Internal: Used for all internal information that does not meet the criteria for the confidential category and is to be viewed only by authorized contractors and other third parties.
External: All information that has been approved by management for public release.
Risk Determination
Risk = [(Likelihood of vulnerability occurrence) × (Value of information asset)] − (% of risk mitigated by current controls) + (uncertainty of current knowledge of the vulnerability)
Risk Control Strategies
Four basic strategies to control each of the risks that result from these vulnerabilities:
Apply safeguards that eliminate the remaining uncontrolled risks for the vulnerability [Avoidance]
Transfer the risk to other areas or to outside entities [Transference]
Reduce the impact should the vulnerability be exploited [Mitigation]
Understand the consequences and accept the risk without control or mitigation [Acceptance]
Cost Avoidance
It is the process of avoiding the financial impact of an incident by implementing a control.
Cost Benefit Analysis (CBA)
Organizations are urged to begin the cost benefit analysis by evaluating the worth of the information assets to be protected and the loss in value if those information assets were compromised by the exploitation of a specific vulnerability.
The formal process to document this decision-making process is called a Cost Benefit Analysis or an economic feasibility study.
Baselining
Baselining is the analysis of measures against established standards.
Residual Risk
When we have controlled any given vulnerability as much as we can, there is often risk that has not been completely removed, shifted, or planned for; this remainder is called residual risk.