CHAPTER SUMMARY

Risk occurs when a threat exploits a vulnerability and causes a loss. That loss can compromise assets and core business functions, and its impact shows up as business cost. Risk management starts by identifying threats and vulnerabilities and pairing them to determine the impact of each risk. Implementing controls reduces vulnerabilities, and the amount spent on controls should be proportional to the risk.

Risk can be managed by choosing one of four techniques: avoiding it, sharing or transferring it, mitigating it, or accepting it. The primary technique is mitigation, also known as risk reduction or risk treatment. Deciding to accept a loss becomes easier once a cost-benefit analysis (CBA) has been completed.
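The following Python script is an added worked example, not code from the textbook. It models the summary's steps in the order the chapter gives them: pair a threat with a vulnerability, score the risk as threat × vulnerability and the total risk as threat × vulnerability × asset value, apply a control to reduce the vulnerability, compute the residual risk, and run a CBA to decide whether the control is worth implementing. The 0-to-1 likelihood and exposure scales, the `exposure_reduction` attribute, and the `choose_technique` rule that falls back to accept, transfer or avoid are simplifying assumptions made for the example, not definitions from the book.

```python
from dataclasses import dataclass
from typing import NamedTuple

# Assumed scales: likelihood and exposure are probabilities in [0, 1];
# asset value and control cost are in the same currency unit.


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # chance the threat acts against the asset in a year (assumed scale)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exposure: float  # chance the threat succeeds if it acts (assumed scale)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    exposure_reduction: float  # fraction of the vulnerability removed, 0..1 (assumed attribute)


class Decision(NamedTuple):
    total_risk: float     # expected loss with no control applied
    residual_risk: float  # expected loss that remains after the control
    benefit: float        # reduction in expected loss the control buys
    cost: float           # annual cost of the control
    implement: bool       # CBA result: benefit outweighs cost
    technique: str        # "mitigate", "accept" or "transfer/avoid"


def risk(threat: Threat, vuln: Vulnerability) -> float:
    """Risk = Threat x Vulnerability (the chapter's definition of risk)."""
    return threat.likelihood * vuln.exposure


def total_risk(threat: Threat, vuln: Vulnerability, asset_value: float) -> float:
    """Total risk = Threat x Vulnerability x Asset value, i.e. expected loss."""
    return risk(threat, vuln) * asset_value


def residual_risk(threat: Threat, vuln: Vulnerability, asset_value: float,
                  controls: list[Control]) -> float:
    """Risk left after controls: each control shrinks the exposure multiplicatively."""
    exposure = vuln.exposure
    for control in controls:
        exposure *= 1.0 - control.exposure_reduction
    return threat.likelihood * exposure * asset_value


def choose_technique(threat: Threat, vuln: Vulnerability, asset_value: float,
                     control: Control, acceptable_loss: float) -> Decision:
    """CBA first: mitigate when the control's benefit outweighs its cost.
    Otherwise accept the risk if it is within the acceptable loss, else it must be
    transferred (e.g. insurance) or avoided. The fallback rule is an assumption."""
    before = total_risk(threat, vuln, asset_value)
    after = residual_risk(threat, vuln, asset_value, [control])
    benefit = before - after
    implement = benefit > control.annual_cost
    if implement:
        technique = "mitigate"
    elif before <= acceptable_loss:
        technique = "accept"
    else:
        technique = "transfer/avoid"
    return Decision(before, after, benefit, control.annual_cost, implement, technique)


# Constructed sample input: a customer database, a phishing threat, weak MFA coverage.
DATABASE_VALUE = 500_000.0
PHISHING = Threat("phishing", likelihood=0.2)
NO_MFA = Vulnerability("no MFA on remote access", exposure=0.5)
CHEAP_MFA = Control("MFA rollout", annual_cost=15_000.0, exposure_reduction=0.8)
PRICEY_MFA = Control("hardware tokens for all staff", annual_cost=45_000.0, exposure_reduction=0.8)


if __name__ == "__main__":
    for control in (CHEAP_MFA, PRICEY_MFA):
        d = choose_technique(PHISHING, NO_MFA, DATABASE_VALUE, control, acceptable_loss=20_000.0)
        print(f"{control.name}: total={d.total_risk:.0f} residual={d.residual_risk:.0f} "
              f"benefit={d.benefit:.0f} cost={d.cost:.0f} -> {d.technique}")
```

Running the script shows why the chapter ties control spending to the size of the risk: the same 80 % exposure reduction is worth implementing at 15,000 but not at 45,000, because the expected loss it removes is only 40,000. When the CBA rejects the control, the decision falls through to the remaining techniques, and an acceptable-loss threshold decides between accepting the risk and transferring or avoiding it.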

KEY CONCEPTS AND TERMS

CHAPTER 1 ASSESSMENT

  1. Which one of the following properly defines risk?
    1. Threat × Mitigation
    2. Vulnerability × Controls
    3. Controls − Residual risk
    4. Threat × Vulnerability
  2. Which one of the following properly defines total risk?
    1. Threat − Mitigation
    2. Threat × Vulnerability × Asset value
    3. Vulnerability − Controls
    4. Vulnerability × Controls
  3. The best bet is to reduce risk to a level that can be accepted.
    1. True
    2. False
  4. Which of the following are accurate pairings of threat categories? (Select two.)
    1. External and internal
    2. Natural and supernatural
    3. Intentional and accidental
    4. Computer and user
  5. A loss of client confidence or public trust is an example of a loss of _______.
  6. A _______ is used to reduce a vulnerability.
  7. As long as a company is profitable, it does not need to consider survivability.
    1. True
    2. False
  8. What is the primary goal of an information security program?
    1. To eliminate losses related to employee actions
    2. To eliminate losses related to risk
    3. To reduce losses related to residual risk
    4. To reduce losses related to loss of confidentiality, integrity, and availability
  9. The _______ is an industry-recognized standard list of common vulnerabilities.
  10. Which of the following is a goal of risk management?
    1. To identify the correct cost balance between risk and controls
    2. To eliminate risk by implementing controls
    3. To eliminate the loss associated with risk
    4. To calculate value associated with residual risk
  11. If the benefits outweigh the cost, a control is implemented. Costs and benefits are identified by completing a _______.
  12. A company decides to reduce losses of a threat by purchasing insurance, which is known as risk _______.
  13. What can be done to manage risk? (Select three.)
    1. Accept it
    2. Transfer it
    3. Avoid it
    4. Migrate it
  14. After controls to minimize risk in the environment have been applied, what is the remaining risk called?
    1. Remaining risk
    2. Mitigated risk
    3. Managed risk
    4. Residual risk
  15. Who is ultimately responsible for losses resulting from residual risk?
    1. End users
    2. Technical staff
    3. Senior managers
    4. Security personnel