Computer Security Mana Ch09

Card Set Information

Author:
cbai
ID:
153293
Filename:
Computer Security Mana Ch09
Updated:
2012-05-10 11:35:53
Tags:
Computer Security Mana Ch09
Folders:

Description:
Computer Security Management Ch09, Information Security

The flashcards below were created by user cbai on FreezingBlue Flashcards.


  1. An organization must choose one of four basic strategies to control risks
    Avoidance, Transference, Mitigation, Acceptance
  2. Applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability?
    Avoidance
  3. Shifting the risk to other areas or to outside entities
    Transference
  4. Reducing the impact if the vulnerability is exploited
    Mitigation
  5. Understanding the consequences and accepting the risk without control or mitigation
    Acceptance
  6. Types of mitigation plans
    Disaster recovery plan (DRP), Incident response plan (IRP), Business continuity plan (BCP)
  7. Before using the acceptance strategy, the organization must?
    Determine the level of risk to the information asset, Estimate the potential loss from attacks, Perform a thorough cost-benefit analysis
  8. Risk appetite (also known as risk tolerance)
    Is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility
  9. Economic feasibility analysis
    Determines the benefits that are expected from implementing a security system and compares it with costs to the organization if the system fails
  10. Annualized Rate of Occurrence (ARO)
    Usually, the probability of a threat occurring is depicted as a table that indicates how frequently an attack from each threat type is likely to occur within a given time frame
  11. Quantitative assessment
    Performs asset valuation with actual values or estimates. May be difficult to assign specific values
  12. Qualitative assessment
    Uses scales instead of specific estimates
  13. OCTAVE stands for?
    Operationally Critical Threat, Asset, and Vulnerability Evaluation
  14. Defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation
    OCTAVE
  15. The Factor Analysis of Information Risk
    FAIR
  16. FAIR
    Provides a qualitative method of risk analysis that can complement other techniques or be expanded to provide a complete risk management system
