Cards (50)

  • Risk Management - It is the process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
  • Risk Appetite - It is the amount of risk an organization is willing to accept.
  • Residual Risk - It is the amount of risk that remains to an information asset even after the organization has applied its desired level of controls.
  • Risk Identification - It is the enumeration and documentation of risks to an organization's information assets.
  • Risk Assessment - It is a determination of the extent to which an organization's information assets are exposed to risk.
  • Risk Assessment - It is a process used to identify the organization's information assets and their threats and vulnerabilities, and to evaluate the relative risk for each vulnerability.
  • Risk Control - It is the application of controls that reduce the risks to an organization's information assets to an acceptable level.
  • Risk Control - When an organization's management determines that risks from information security threats are creating a competitive disadvantage, it empowers the information technology and information security communities of interest to control the risks.
  • Planning and Organizing the Process - It begins by organizing a team, which typically consists of representatives from all affected groups.
  • Identifying, Inventorying, and Categorizing Assets - This iterative process begins with the identification and inventory of assets, including all elements of an organization's system, such as people, procedures, data and information, software, hardware, and networking elements.
  • People, Procedure, and Data Asset Identification - Identifying assets for human resources, documentation and data.
  • People - It contains the position name, number, or ID.
  • Procedures - It contains the intended purpose and the relationship to software, hardware, and networking elements.
  • Data - It contains the owner, creator, and manager, and also the size of the data structure.
  • Hardware, Software, and Network Asset Identification - The attributes to be tracked for hardware, software, and network assets depend on the needs of the organization and its risk management efforts.
  • Asset Inventory - Creating an inventory of information assets is a critical function of understanding what the organization is protecting.
  • Data Classification and Management - Corporate and government organizations use a variety of classification schemes. Many corporations use a data classification scheme to help secure the confidentiality and integrity of information.
  • Data Classification Scheme - It is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.
  • Confidential - It is used for the most sensitive corporate information that must be tightly controlled, even within the company; referred to as sensitive or proprietary information.
  • Internal - Used for all internal information that does not meet the criteria for the confidential category; viewed only by corporate employees and authorized contractors.
  • External - All information that has been approved by the management for public release.
  • Security Clearance - It is a component of a data classification scheme that assigns a status level to employees to designate the maximum level of classified data they may access.
  • Clean Desk Policy - An organizational policy that specifies employees must inspect their work areas and ensure that all classified information, documents, and materials are secured at the end of every workday.
  • Dumpster Diving - It is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information.
  • Asset Valuation - It is the process of assigning financial value or worth to each information asset.
  • Threat Assessment - It is an evaluation of the threats to information assets, including a determination of their potential to endanger the organization.
  • Specifying Asset Vulnerabilities - It reviews each information asset for each relevant threat and creates a list of vulnerabilities.
  • Vulnerabilities - These are flaws or weaknesses: the specific avenues that threat agents can exploit to attack an information asset.
  • Threats-Vulnerabilities-Assets Worksheet - It is a document that shows a comparative ranking of prioritized assets against prioritized threats with an indication of any vulnerabilities in the asset/threat pairing.
  • Planning and Organizing Risk Assessment - The goal at this point is to create a method for evaluating the relative risk of each listed vulnerability.
  • Attack Success Probability - It is the number of successful attacks that are expected to occur within a specified time period.
  • Likelihood - It is the probability that an organization will be the target of an attack.
  • Loss Frequency - It is the calculation of the likelihood of an attack coupled with the attack frequency, to determine the expected number of losses within a specified time range.
  • Loss Magnitude - It is the combination of an asset's value and the percentage of it that might be lost in an attack.
  • Calculating Risk - If an organization can determine the loss frequency and loss magnitude for an asset, it can then calculate the risk to the asset.
  • Assessing Risk Acceptability - For each threat and its associated vulnerabilities that have residual risk, you must create a ranking of their relative risk levels.
  • Selecting Control Strategies - Once the project team for information security development created the ranked vulnerability risk worksheet, the team must choose a strategy for controlling each risk that results from these vulnerabilities.
  • Defense Control Strategy - The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
  • Transfer Control Strategy - The risk control strategy that attempts to shift residual risk to other assets, other processes, or other organizations.
  • Mitigation Control Strategy - The risk control strategy that attempts to reduce the impact of a successful attack through planning and preparation.