Exam 7: Risk Management: Controlling Risk

A risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.

(Multiple Choice)
4.9/5
(33)

Due care and due diligence occur when an organization adopts a certain minimum level of security, that is, what any prudent organization would do in similar circumstances.

(True/False)
4.8/5
(40)

An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel, is known as operational feasibility.

(True/False)
4.9/5
(29)

What does the result of a CBA determine? What is the formula for the CBA?

(Essay)
4.9/5
(41)

Describe the use of hybrid assessment to create a quantitative assessment of asset value.

(Essay)
4.8/5
(35)

A risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.

(Multiple Choice)
4.9/5
(35)

What are the four phases of the Microsoft risk management strategy?

(Essay)
4.8/5
(32)

Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility? 

(Multiple Choice)
4.9/5
(40)

In which technique does a group rate or rank a set of information, compile the results, and repeat until everyone is satisfied with the result?

(Multiple Choice)
4.8/5
(26)

Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.

(True/False)
4.8/5
(35)

A risk control strategy that indicates the organization is willing to accept the current level of risk and that the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.

(Multiple Choice)
4.8/5
(43)

Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.

(True/False)
4.8/5
(38)

What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed? 

(Multiple Choice)
4.7/5
(36)

The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy.

(True/False)
4.8/5
(30)

The risk control strategy that indicates the organization is willing to accept the current level of risk, and as a result makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation, is known as the termination risk control strategy.

(True/False)
4.8/5
(36)

The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident.

(Multiple Choice)
4.9/5
(35)

Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as cost-benefit analysis (CBA).

(True/False)
4.9/5
(40)

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks? 

(Multiple Choice)
4.9/5
(40)

A benchmark is derived by comparing measured actual performance against established standards for the measured category.

(True/False)
4.8/5
(42)

The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.

(Short Answer)
4.9/5
(38)
Showing 41 - 60 of 60