Computer Security Management Ch09 (Information Security)

  1. An organization must choose one of four basic strategies to control risks
    Avoidance, Transference, Mitigation, Acceptance
  2. Applying safeguards that eliminate or reduce the remaining uncontrolled risk for a vulnerability
    Avoidance
  3. Shifting the risk to other areas or to outside entities (for example, outsourcing or insurance)
    Transference
  4. Reducing the impact if the vulnerability is exploited
    Mitigation
  5. Understanding the consequences and accepting the risk without control or mitigation
    Acceptance
  6. Types of mitigation plans
    Disaster recovery plan (DRP), Incident response plan (IRP), Business continuity plan (BCP)
  7. Before using the acceptance strategy, the organization must
    Determine the level of risk to the information asset, estimate the potential loss from attacks, and perform a thorough cost-benefit analysis
  8. Risk appetite (also known as risk tolerance)
    The quantity and nature of risk that an organization is willing to accept as it evaluates the trade-off between perfect security and unlimited accessibility
  9. Economic feasibility analysis
    Determines the benefits expected from implementing a security control and compares them with the cost of that control to the organization; formally documented as a cost-benefit analysis (CBA)
  10. Annualized Rate of Occurrence (ARO)
    The expected frequency of a successful attack from a given threat type within one year; the probabilities are usually presented as a table with one entry per threat type
  11. Quantitative assessment
    Performs asset valuation with actual monetary values or estimates; it can be difficult to assign specific values to assets and losses
  12. Qualitative assessment
    Uses scales (for example, high/medium/low) instead of specific monetary estimates
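The following worked example ties cards 9 through 12 together: it computes single loss expectancy (SLE), annualized loss expectancy (ALE) from the ARO, and the cost-benefit figure for a proposed control. This is an added example, not part of the original card set. It assumes the standard quantitative risk-analysis relations SLE = AV x EF, ALE = SLE x ARO and CBA = ALE(prior) - ALE(post) - ACS (annualized cost of the safeguard); the asset values, exposure factors, attack frequencies and control names are constructed sample figures, not data from the cards.

```python
"""Quantitative risk assessment and cost-benefit analysis (added example).

Formulas assumed (standard quantitative risk analysis, not stated on the cards):
    SLE = AV * EF            single loss expectancy
    ALE = SLE * ARO          annualized loss expectancy
    CBA = ALE(prior) - ALE(post) - ACS
All sample figures below are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in one successful attack (0..1)
    aro: float              # ARO: expected successful attacks per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one successful attack."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE weighted by yearly frequency."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float              # ACS: annualized cost of the safeguard
    residual_exposure_factor: float  # EF once the control is in place
    residual_aro: float             # ARO once the control is in place


def cba(threat: Threat, control: Control) -> float:
    """Cost-benefit figure: ALE(prior) - ALE(post) - ACS.

    A positive result means the control avoids more annual loss than it costs.
    """
    post = replace(threat, exposure_factor=control.residual_exposure_factor,
                   aro=control.residual_aro)
    return threat.ale() - post.ale() - control.annual_cost


def recommend(threat: Threat, control: Control) -> str:
    """Map the CBA result onto the risk-control strategies from the cards.

    Economically feasible controls support a mitigation/avoidance decision;
    otherwise the organization must re-examine transference or acceptance.
    """
    return "defend" if cba(threat, control) > 0 else "not economically feasible"


# Constructed sample figures (hypothetical asset and controls).
WEB_DEFACEMENT = Threat("web server defacement",
                        asset_value=100_000, exposure_factor=0.5, aro=0.1)
WAF = Control("web application firewall", annual_cost=2_000,
              residual_exposure_factor=0.5, residual_aro=0.02)
EXPENSIVE_WAF = Control("managed WAF service", annual_cost=5_000,
                        residual_exposure_factor=0.5, residual_aro=0.02)


if __name__ == "__main__":
    for control in (WAF, EXPENSIVE_WAF):
        print(f"{WEB_DEFACEMENT.name}: SLE={WEB_DEFACEMENT.sle():.0f} "
              f"ALE={WEB_DEFACEMENT.ale():.0f} control={control.name} "
              f"CBA={cba(WEB_DEFACEMENT, control):.0f} -> "
              f"{recommend(WEB_DEFACEMENT, control)}")
```

With the sample figures, the defacement threat has an SLE of 50,000 and an ALE of 5,000 per year; the cheaper control reduces ALE to 1,000 and nets 2,000 per year after its own cost, while the more expensive one costs more than the loss it avoids and fails the feasibility test, which is exactly the point at which the acceptance strategy's prerequisites on card 7 apply.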
  13. OCTAVE stands for?
    Operationally Critical Threat, Asset, and Vulnerability Evaluation
  14. Defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation
    OCTAVE
  15. The Factor Analysis of Information Risk
  16. FAIR
    Provides a quantitative method of risk analysis that can complement other techniques or be expanded to provide a complete risk management system