
A(n) _____ defines the edge between the outer limit of an organization's security and the beginning of the outside world.
security perimeter

_____ are detailed statements of what must be done to comply with policy.
standards

A(n) _____ addresses specific areas of technology, requires frequent updates, and contains a statement on the organization's position on a specific issue.
ISSP

_____ are frequently codified as standards and procedures to be used when configuring or maintaining systems.
SysSP

_____ is the control approach that attempts to shift risk to other assets, other processes, or other organizations.
transference

System-specific policies can be organized into two general groups: _____ and _____.
managerial guidance, technical specifications

The characteristic of information that deals with preventing disclosure is _____.
confidentiality

_____ consists of the actions taken to plan for, detect, and correct the impact of an incident on information assets.
Incident Response

The repair, modification, or update of a piece of equipment, usually made at the customer's premises, is called a(n) _____.
FCO

The _____ community of interest should have the best understanding of threats and attacks and often takes a leadership role in addressing risks.
Information Security

The _____ risk control strategy is the choice to do nothing to protect a vulnerability.
acceptance

A series of outcomes that depict the impact of a successful attack from a threat on each prioritized functional area are called _____.
attack success scenarios

_____ addresses user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders.
operational feasibility

The overall rating of the probability that a specific vulnerability will be successfully exploited is its _____.
likelihood

The process of examining how each threat will affect an organization is called a(n) _____.
threat assessment

When weighing the benefits of the different strategies of risk management, keep in mind that the _____ and the _____ should play a major role in strategy selection.
level of threat, value of the asset

The amount of risk that remains after all controls are put in place as designed is called _____.
residual risk

_____ is planning for the identification, classification, response, and recovery from an incident.
Incident response planning (IRP)

_____ programs are designed to supplement the general education and training programs that many organizations have in place to educate staff on information security.
SETA

_____ direct how issues should be addressed and technologies used.
policies

The _____ community of interest must ensure sufficient resources are allocated to the risk management process.
General Management

A risk management strategy calls on information security professionals to know their organization's _____.
information assets

Risk identification is performed within a larger process of identifying and justifying risk controls, which is called _____.
Risk Management


weighted factor analysis

The calculation of the value associated with the most likely loss from an attack is _____.
single loss expectancy (SLE)

In order to ensure effort is spent protecting information that needs protecting, organizations implement _____.
Data Classification Schemes

_____ is the analysis of measures against established standards.
baselining

A(n) _____ addresses specific areas of technology, requires frequent updates, and contains a statement on the organization's position on a specific issue.
Issue-specific

The value that some information assets acquire over time that is beyond the intrinsic value is called _______ .

The repair, modification, or update of a piece of equipment, usually made at the customer's premises, is called a _____.
FCO

_____ is an excellent reference for security managers involved in the routine management of information security.
SP 800-12, An Introduction to Computer Security: The NIST Handbook

Standards: more detailed statements of what must be done to comply with policy

Doing nothing to protect a vulnerability and accepting the outcome of its exploitation
acceptance

How often a specific type of attack is likely to occur is called the _____.
ARO

Residual risk is risk that remains to an information asset even after existing controls have been applied
residual risk

The calculation of the value associated with the most likely loss from an attack is called the _____.
ALE

Incident response plan (IRP): defines the actions to take while an incident is in progress
IRP

The set of activities taken to plan for, detect, and correct the impact of an incident on information assets.
incident response

The incident response (IR) plan addresses the identification, classification, response, and recovery from an incident.

Disaster recovery plan (DRP): most common mitigation procedure

_____ programs are designed to supplement the general education and training programs that many organizations have in place to educate staff on information security.
SETA (?)

A(n) _____ defines the edge between the outer limit of an organization's security and the beginning of the outside world.
security perimeter

Defense in depth
Implementation of security in layers

Systems-specific policies fall into two groups:
Managerial guidance
Technical specifications

Firewall: device that selectively discriminates against information flowing in or out of the organization

The business continuity (BC) plan ensures that critical business functions continue if a catastrophic incident or disaster occurs.

The characteristic of information that deals with preventing disclosure is _____.
confidentiality

Baselining
Analysis of measures against established standards

Likelihood
The probability that a specific vulnerability will be the object of a successful attack

Level of threat and value of asset play a major role in selection of strategy

The Guide for Developing Security Plans for Federal Information Systems can be used as the foundation for a comprehensive security blueprint and framework.

In a _____, each information asset is assigned a score for each of a set of assigned critical factors.
weighted factor analysis

risk management
---page6 chap4

Information security framework documents from the _____ are available for a fee and have not been broadly reviewed or accepted by U.S. government and industry professionals.
International Organization for Standardization

Operational: examines user and management acceptance and support, and the overall requirements of the organization's stakeholders

Transfer
Control approach that attempts to shift risk to other assets, processes, or organizations

When individuals are assigned security labels for access to categories of information, they have acquired a(n) _____.
security clearance

Policies direct how issues should be addressed and technologies used

The _____ community of interest should have the best understanding of threats and attacks and often takes a leadership role in addressing risks.
information security

The _____ community of interest must assist in risk management by configuring and operating information systems in a secure fashion.
information technology

The _____ community of interest must ensure sufficient resources are allocated to the risk management process.
general management

Contingency planning (CP): the entire planning conducted by the organization to prepare for, react to, and recover from events that threaten the security of information and information assets in the organization, and the subsequent restoration to normal modes of business operations.


Avoidance
Attempts to prevent exploitation of the vulnerability

The repair, modification, or update of a piece of equipment, usually made at the customer's premises, is called a _____.
field change order (FCO)

For information security purposes, _____ are the systems that use, store, and transmit information.
assets

Lattice-based access controls: a particular access control in which users are assigned a matrix of authorizations for particular areas of access

Technical feasibility: analysis that examines whether or not the organization has or can acquire the technology necessary to implement and support the proposed control

The process of examining how each threat will affect an organization is called a(n) _____.
threat assessment

_____ is the process of avoiding the financial impact of an incident by implementing a control.
cost avoidance

In order to ensure effort is spent protecting information that needs protecting, organizations implement _____.
data classification schemes

A value calculated to show the estimated overall loss potential per risk per year is the _____.
ALE

_____ is an excellent reference for security managers involved in the routine management of information security.
SP 800-12, An Introduction to Computer Security: The NIST Handbook

Within organizations, _____ determines what can and cannot occur based on the consensus and relationships among the communities of interest.
political feasibility
