Computer Security Ch 14

The flashcards below were created by user mjweston on FreezingBlue Flashcards.

  1. IT security management
    consists of determining a clear view of an organization's IT security objectives and general risk profile, performing risk assessment for each asset in the organization, and how to reduce the risks or accept the resultant risks
  2. baseline approach
    informal approach
    detailed risk analysis
    combined approach
    four approaches to identifying and mitigating risks to an organization's IT infrastructure
  3. baseline approach
    implement a basic general level of security controls on systems using codes of practice, industry best practice, and baseline documents - goal is to provide protection against the most common threats - recommended only for small organizations - cheap
  4. informal approach
    involves conducting some form of informal, pragmatic risk analysis for the organization's IT systems - requires no additional skills (uses current employees' knowledge) - quick and cheap - recommended for small to medium-sized organizations
  5. detailed risk analysis
    most comprehensive approach - includes identifying assets, threats, & vulnerabilities, and the likelihood of the risk occurring & consequences - most detailed examination of the security risks - highest cost in time, resources & expertise
  6. combined approach
    approach that uses elements of the other security risk assessment approaches to provide reasonable levels of protection as quickly as possible and to adjust the protection controls as needed - easier to sell to management - resources are likely to be applied where most needed - most cost effective & highly recommended for most organizations
  7. risk appetite
    the level of risk the organization views as acceptable
  8. asset
    • anything that has value to the organization
    • can be tangible or intangible
  9. threat
    a potential cause of an unwanted incident, which may result in harm to a system or organization
  10. vulnerability
    a weakness in an asset or group of assets that can be exploited by one or more threats
  11. risk
    combination of the probability of an event and its consequence, being the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets
  12. IT security policy
    risk analysis
    implementation guidelines/implementation
    four steps in the information systems management process
  13. 1-establish context - risk appetite (acceptable level of risk)
    2-asset identification
    3-threat identification
    4-vulnerability identification - ID flaws & weaknesses
    5-analyze existing controls - safeguards
    6-determine likelihood
    7-determine consequences
    8-determine resulting level of risk
    8 steps of Detailed Security Risk Analysis
  14. non-human resources - natural disasters
    human resource related - internal (HR employees, IT dept, employees, former employees) or external (virus, worms, phishing, spam, etc.)
    types of threats or threat sources
  15. risk acceptance
    choosing to accept a risk level greater than normal for business reasons
  16. risk avoidance
    not proceeding with the activity or system that creates this risk
  17. risk transfer
    sharing responsibility for the risk with a third party
  18. reduce consequence
    by modifying the structure or use of the assets at risk to reduce the impact on the organization should the risk occur
  19. reduce likelihood
    by implementing suitable controls to lower the chance of the vulnerability being exploited (ex: firewalls, increasing password complexity, or changing policies)
  20. risk acceptance
    risk avoidance
    risk transfer
    reduce consequence
    reduce likelihood
    what are the risk treatment alternatives