security perimeter
standards
addresses specific areas of technology, requires frequent updates, and contains a statement on the
organization's position on a specific issue
issp
_____ are frequently codified as standards and procedures to be used when configuring or maintaining
systems.
SysSP
_____ is the control approach that attempts to shift risk to other assets, other processes, or other
organizations.
transference
System-specific policies can be organized into two general groups: ____ and _____.
confidentiality
_____ consists of the actions taken to plan for, detect, and correct the impact of an incident on
information assets
Incident Response
The repair, modification, or update of a piece of equipment, usually made at the customer's premises, is
called a(n) _____.
FCO
The _____ community of interest should have the best understanding of threats and attacks and often
takes a leadership role in addressing risks.
( Information Security )
acceptance
A series of outcomes that depict the impact of a successful attack from a threat on each prioritized
functional area are called ____.
addresses user acceptance and support, management acceptance and support, and the overall
requirements of the organization's stakeholders
operational feasibility
The overall rating of the probability that a specific vulnerability will be successfully exploited is its _____. = likelihood
The process of examining how each threat will affect an organization is called a(n) _____.
threat assessment
When weighing the benefits of the different strategies of risk management, keep in mind that the _____
and the _____ should play a major role in strategy selection.
The amount of risk that remains after all controls are put in place as designed is called
residual risk
_____ is planning for the identification, classification, response, and recovery from an incident
_____ programs are designed to supplement the general education and training programs that many organizations
have in place to educate staff on information security.
A. SETA
direct how issues should be addressed and technologies used = policies
The _____ community of interest must ensure sufficient resources are allocated to the risk management process. ( General Management )
A risk management strategy calls on information security professionals to know their organization's ______ . D.
information assets
Risk identification is performed within a larger process of identifying and justifying risk controls, which is called
( Risk Management )
the calculation of the value associated with the most likely loss from an attack
single loss expectancy (SLE)
In order to ensure effort is spent protecting information that needs protecting, organizations implement
_____. (Data Classification Schemes )
The value that some information assets acquire over time that is beyond the intrinsic value is called _______ .
is an excellent reference for security managers involved in the routine management of information security
A. SP 800-12, An Introduction to Computer Security: The NIST Handbook
--acceptance
How often a specific type of attack is likely to occur is called the ___
ARO
--residual risk
The calculation of the value associated with the most likely loss from an attack is called the _____.
--ALE
incident response (IR) plan addresses the identification, classification, response, and recovery from an incident
programs are designed to supplement the general education and training programs that many organizations
have in place to educate staff on information security.
seta ?????
A(n) _____ defines the edge between the outer limit of an organization's security and the beginning of the
outside world.
security perimeter
Defense in depth
Implementation of security in layers
business continuity (BC) plan ensures that critical business functions continue if a catastrophic incident or
disaster occurs.
The characteristic of information that deals with preventing disclosure is _____. confidentiality
Baselining
Analysis of measures against established standards
Likelihood
The probability that a specific vulnerability will be
the object of a successful attack
weighted factor analysis In a _____, each information asset is assigned a score for each of a set of assigned
critical factors.
risk management
Information security framework documents from the _____ are available for a fee and have not been broadly
reviewed or accepted by U.S. government and industry professionals. Answer: International Organization for
Standardization
Transfer
Control approach that attempts to shift risk to other
assets, processes, or organizations
When individuals are assigned security labels for access to categories of information, they have acquired a(n)
_____. security clearance
The _____ community of interest should have the best understanding of threats and attacks and often takes a leadership role in addressing risks. Answer: information security
The _____ community of interest must assist in risk management by configuring and operating information systems in a secure fashion. Answer: information technology
The _____ community of interest must ensure sufficient resources are allocated to the risk management process. Answer: general management
contingency planning (CP) the entire planning conducted by the organization to prepare for, react to and recover
from events that threaten the security of information and information assets in the organization, and the
subsequent restoration to normal modes of business operations.
avoidance
Attempts to prevent exploitation of the vulnerability
field change order (FCO) The repair, modification, or update of a piece of equipment, usually made at the
customer's premises, is called a ___
For information security purposes, _____ are the systems that use, store, and transmit information. Answer:
assets
lattice-based access controls a particular access control in which users are assigned a matrix of authorizations
for particular areas of access
technical feasibility analysis that examines whether or not the organization has or can acquire the technology
necessary to implement and support the proposed control
The process of examining how each threat will affect an organization is called a(n) _____. threat assessment
_____ is the process of avoiding the financial impact of an incident by implementing a control.-- cost avoidance
In order to ensure effort is spent protecting information that needs protecting, organizations implement _____.
data classification schemes
A value calculated to show the estimated overall loss potential per risk per year is the _____ ALE
_____ is an excellent reference for security managers involved in the routine management of information
security --SP 800-12, An Introduction to Computer Security: The NIST Handbook
Within organizations, ________ determines what can and cannot occur based on the consensus and
relationships among the communities of interest. -- political feasibility