Exam 14: IT Security Management and Risk Assessment


The term ________ refers to a document that details not only the overall security objectives and strategies, but also procedural policies that define acceptable behavior, expected practices, and responsibilities.

(Essay)
Correct Answer:

security policy

__________ ensures that critical assets are sufficiently protected in a cost-effective manner.

(Multiple Choice)
Correct Answer:

B

The level of risk the organization views as acceptable is the organization's __________.

(Essay)
Correct Answer:

risk appetite

Organizational security policies identify what needs to be done.

(True/False)

The use of the _________ approach would generally be recommended for small to medium-sized organizations where the IT systems are not necessarily essential to meeting the organization's business objectives and additional expenditure on risk analysis cannot be justified.

(Essay)

Once the IT security management process is in place and working, the process never needs to be repeated.

(True/False)

A major disadvantage of the baseline risk assessment approach is the significant cost in time, resources, and expertise needed to perform the analysis.

(True/False)

Organizational security objectives identify what IT security outcomes should be achieved.

(True/False)

Because the responsibility for IT security is shared across the organization, there is a risk of inconsistent implementation of security and a loss of central monitoring and control.

(True/False)

A major advantage of the informal approach is that the individuals performing the analysis require no additional skills.

(True/False)

A(n) _________ is anything that has value to the organization.

(Essay)

The advantages of the _________ approach are that it doesn't require the expenditure of additional resources in conducting a more formal risk assessment and that the same measures can be replicated over a range of systems.

(Multiple Choice)

The assignment of responsibilities relating to the management of IT security and the organizational infrastructure is not addressed in a corporate security policy.

(True/False)

The aim of the _________ process is to provide management with the information necessary for them to make reasonable decisions on where available resources will be deployed.

(Essay)

A(n) _________ is a weakness in an asset or group of assets that can be exploited by one or more threats.

(Essay)

Detecting and reacting to incidents is not a function of IT security management.

(True/False)

_________ is sharing responsibility for the risk with a third party.

(Essay)

The purpose of ________ is to determine the basic parameters within which the risk assessment will be conducted and then to identify the assets to be examined.

(Multiple Choice)

It is not critical that an organization's IT security policy have full approval or buy-in by senior management.

(True/False)

The intent of the ________ is to provide a clear overview of how an organization's IT infrastructure supports its overall business objectives.

(Multiple Choice)
Showing 1 - 20 of 45