CT 201 wk3/ ch5 /Risk MGMT
TLO
Define risk management, risk identification, and risk control
Describe how risk is identified and assessed
Assess risk based on probability of occurrence and likely impact
Explain the fundamental aspects of documenting risk via the process of risk assessment
Describe various options for a risk mitigation strategy
Identify the categories that can be used to classify controls
Discuss conceptual frameworks for evaluating risk controls and formulate a cost-benefit analysis
CH5 Summary
■ Risk management examines and documents the information technology security being used in an organization. Risk management helps an organization identify vulnerabilities in its information systems and take carefully reasoned steps to assure the confidentiality, integrity, and availability of all components in those systems.
■ A key component of a risk management strategy is the identification, classification, and prioritization of the organization’s information assets.
■ The human resources, documentation, and data information assets of an organization are more difficult to identify and document than tangible assets, such as hardware and software.
■ After performing a preliminary classification of information assets, the organization should examine the threats it faces. There are 12 categories of threats to information security.
■ To fully understand each threat and the impact it can have on the organization, each identified threat must be examined through a threat assessment process.
■ The goal of risk assessment is to assign a risk rating or score that represents the relative risk for a specific vulnerability of an information asset.
■ After vulnerabilities are identified and ranked, the organization must choose a strategy to control the risks from them. The five control strategies are defense, transference, mitigation, acceptance, and termination.
■ The economic feasibility study determines the costs associated with protecting an asset. The formal documentation process of feasibility is called a cost-benefit analysis.
■ Benchmarking is an alternative method to economic feasibility analysis that seeks out and studies practices used in other organizations to produce desired results in one’s own organization.
■ The primary goal of information security is to achieve an acceptably reduced level of residual risk—the amount of risk unaccounted for after the application of controls and other risk management strategies in line with the organization’s risk appetite, also known as risk tolerance.
Review Questions
What is risk management? Why is the identification of risks and vulnerabilities to assets so important in risk management?
According to Sun Tzu, what two key understandings must you achieve to be successful in battle?
Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?
In risk management strategies, why must periodic review be part of the process?
Why do networking components need more examination from an information security perspective than from a systems development perspective?
What value does an automated asset inventory system have during risk identification?
What information attribute is often of great value for local networks that use static addressing?
When devising a classification scheme for systems components, is it more important that the asset identification list be comprehensive or mutually exclusive?
What’s the difference between an asset’s ability to generate revenue and its ability to generate profit?
What are vulnerabilities? How do you identify them?
What is competitive disadvantage? Why has it emerged as a factor?
What five strategies for controlling risk are described in this chapter?
Describe the defense strategy for controlling risk. List and describe the three common methods.
Describe the transference strategy for controlling risk. Describe how outsourcing can be used for this purpose.
Describe the mitigation strategy for controlling risk. What three planning approaches are discussed in the text as opportunities to mitigate risk?
How is an incident response plan different from a disaster recovery plan?
What is risk appetite? Explain why it varies among organizations.
What is a cost-benefit analysis?
What is single loss expectancy? What is annualized loss expectancy?
What is residual risk?
Lecture Notes
enumerate all of the usernames
password cracking
cmd injection
buffer overflow
Study model