Ch 14 - IT Security Management and Risk Assessment


45 Terms

1
New cards

IT security management consists of first determining a clear view of an organization's IT security objectives and general risk profile.

T

2
New cards

IT security management has evolved considerably over the last few decades due to the rise in risks to networked systems.

T

3
New cards

Detecting and reacting to incidents is not a function of IT security management.

F

4
New cards

IT security needs to be a key part of an organization's overall management plan.

T

5
New cards

Once the IT management process is in place and working the process never needs to be repeated.

F

6
New cards

Organizational security objectives identify what IT security outcomes should be achieved.

T

7
New cards

The assignment of responsibilities relating to the management of IT security and the organizational infrastructure is not addressed in a corporate security policy.

F

8
New cards

Organizational security policies identify what needs to be done.

T

9
New cards

It is not critical that an organization's IT security policy have full approval or buy-in by senior management.

F

10
New cards

Because the responsibility for IT security is shared across the organization, there is a risk of inconsistent implementation of security and a loss of central monitoring and control.

T

11
New cards

Legal and regulatory constraints may require approaches to risk assessment.

T

12
New cards

A major advantage of the informal approach is that the individuals performing the analysis require no additional skills.

T

13
New cards

A major disadvantage of the baseline risk assessment approach is the significant cost in time, resources, and expertise needed to perform the analysis.

F

14
New cards

One asset may have multiple threats and a single threat may target multiple assets.

T

15
New cards

A threat may be either natural or human made and may be accidental or deliberate.

T

16
New cards

__________ ensures that critical assets are sufficiently protected in a cost-effective manner.

B. IT security management

17
New cards

The ________ has revised and consolidated a number of national and international standards into a consensus of best practice.
A. ISO B. CSI
C. VSB D. DBI

A. ISO

18
New cards

IT security management functions include:
A. determining organizational IT security objectives, strategies, and policies
B. detecting and reacting to incidents
C. specifying appropriate safeguards
D. all of the above

D. all of the above

19
New cards

Implementing the risk treatment plan is part of the ______ step.
A. check B. act
C. do D. plan

C. do

20
New cards

Maintaining and improving the information security risk management process in response to incidents is part of the _________ step.
A. act B. plan
C. check D. do

A. act

21
New cards

Establishing security policy, objectives, processes and procedures is part of the ______ step.
A. plan B. check
C. act D. none of the above

A. plan

22
New cards

The intent of the ________ is to provide a clear overview of how an organization's IT infrastructure supports its overall business objectives.
A. risk register B. corporate security policy
C. vulnerability source D. threat assessment

B. corporate security policy

23
New cards

The advantages of the _________ approach are that it doesn't require the expenditure of additional resources in conducting a more formal risk assessment and that the same measures can be replicated over a range of systems.
A. combined B. informal
C. baseline D. detailed

C. baseline

24
New cards

The _________ approach involves conducting a risk analysis for the organization's IT systems that exploits the knowledge and expertise of the individuals performing the analysis without using a formal structured process.
A. baseline B. combined
C. detailed D. informal

D. informal

25
New cards

A ________ is anything that might hinder or prevent an asset from providing appropriate levels of the key security services.
A. vulnerability B. threat
C. risk D. control

B. threat

26
New cards

_________ include management, operational, and technical processes and procedures that act to reduce the exposure of the organization to some risks by reducing the ability of a threat source to exploit some vulnerabilities.
A. Security controls B. Risk appetite
C. Risk controls D. None of the above

A. Security controls

27
New cards

The results of the risk analysis should be documented in a _________.
A. journal B. consequence
C. risk register D. none of the above

C. risk register

28
New cards

________ specification indicates the impact on the organization should the particular threat in question actually eventuate.
A. Risk B. Consequence
C. Threat D. Likelihood

B. Consequence

29
New cards

The purpose of ________ is to determine the basic parameters within which the risk assessment will be conducted and then to identify the assets to be examined.
A. establishing the context B. control
C. risk avoidance D. combining

A. establishing the context

30
New cards

_________ is choosing to accept a risk level greater than normal for business reasons.
A. Risk avoidance B. Reducing likelihood
C. Risk transfer D. Risk acceptance

D. Risk acceptance

31
New cards

_________ is a formal process used to develop and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability for an organization's assets.

IT security management

32
New cards

ISO details a model process for managing information security that comprises the following steps: plan, do, ________, and act.

check

33
New cards

The term ________ refers to a document that describes what an organization's security objectives and strategies are and the process used to achieve them.

organizational security policy

34
New cards

The aim of the _________ process is to provide management with the information necessary for them to make reasonable decisions on where available resources will be deployed.

risk assessment

35
New cards

The four approaches to identifying and mitigating risks to an organization's IT infrastructure are: baseline approach, detailed risk analysis, combined approach, and __________ approach.

informal

36
New cards

The __________ approach to risk assessment aims to implement a basic general level of security controls on systems using baseline documents, codes of practice, and industry best practice.

baseline

37
New cards

The use of the _________ approach would generally be recommended for small to medium-sized organizations where the IT systems are not necessarily essential to meeting the organization's business objectives and additional expenditure on risk analysis cannot be justified.

informal

38
New cards

The advantages of the _________ risk assessment approach are that it provides the most comprehensive examination of the security risks of an organization's IT system and produces strong justification for expenditure on the controls proposed.

detailed

39
New cards

A(n) _________ is a weakness in an asset or group of assets that can be exploited by one or more threats.

vulnerability

40
New cards

A(n) _________ is anything that has value to the organization.

asset

41
New cards

The level of risk the organization views as acceptable is the organization's __________.

risk appetite

42
New cards

_________ is sharing responsibility for the risk with a third party.

Risk transfer

43
New cards

Not proceeding with the activity or system that creates the risk is _________.

risk avoidance

44
New cards

The _________ approach incorporates elements of the baseline, informal, and detailed risk analysis approaches.

combined

45
New cards

The _________ approach to security risk assessment provides the most accurate evaluation of an organization's IT system's security risks.

detailed risk analysis