Exam 14: IT Security Management and Risk Assessment


The term ________ refers to a document that details not only the overall security objectives and strategies, but also procedural policies that define acceptable behavior, expected practices, and responsibilities.

(Short Answer)
Correct Answer:

security policy

The advantages of the _________ risk assessment approach are that it provides the most detailed examination of the security risks of an organization's IT system and produces strong justification for expenditure on the controls proposed.

(Short Answer)
Correct Answer:

detailed

Maintaining and improving the information security risk management process in response to incidents is part of the _________ step.

(Multiple Choice)
Correct Answer:

A

IT security needs to be a key part of an organization's overall management plan.

(True/False)

IT security management has evolved considerably over the last few decades due to the rise in risks to networked systems.

(True/False)

It is not critical that an organization's IT security policy have full approval or buy-in by senior management.

(True/False)

The aim of the _________ process is to provide management with the information necessary for them to make reasonable decisions on where available resources will be deployed.

(Short Answer)

IT security management consists of first determining a clear view of an organization's IT security objectives and general risk profile.

(True/False)

Establishing security policy, objectives, processes and procedures is part of the ______ step.

(Multiple Choice)

_________ is a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability.

(Short Answer)

The advantages of the _________ approach are that it doesn't require the expenditure of additional resources in conducting a more formal risk assessment and that the same measures can be replicated over a range of systems.

(Multiple Choice)

The level of risk the organization views as acceptable is the organization's __________.

(Short Answer)

The _________ approach combines elements of the baseline, informal, and detailed risk analysis approaches.

(Short Answer)

A major disadvantage of the baseline risk assessment approach is the significant cost in time, resources, and expertise needed to perform the analysis.

(True/False)

ISO details a model process for managing information security that comprises the following steps: plan, do, ________, and act.

(Short Answer)

A(n) _________ is anything that has value to the organization.

(Short Answer)

Legal and regulatory constraints may require specific approaches to risk assessment.

(True/False)

A major advantage of the informal approach is that the individuals performing the analysis require no additional skills.

(True/False)

The __________ approach to risk assessment aims to implement a basic general level of security controls on systems using baseline documents, codes of practice, and industry best practice.

(Short Answer)

One asset may have multiple threats and a single threat may target multiple assets.

(True/False)