Exam 14: IT Security Management and Risk Assessment


The ________ has revised and consolidated a number of national and international standards into a consensus of best practice.

Free
(Multiple Choice)
4.9/5
(34)
Correct Answer:
Verified

A

IT security management has evolved considerably over the last few decades due to the rise in risks to networked systems.

Free
(True/False)
4.8/5
(26)
Correct Answer:
Verified

True

_________ is sharing responsibility for the risk with a third party.

Free
(Short Answer)
4.8/5
(31)
Correct Answer:
Verified

Risk transfer

Maintaining and improving the information security risk management process in response to incidents is part of the _________ step.

(Multiple Choice)
4.9/5
(31)

The aim of the _________ process is to provide management with the information necessary for them to make reasonable decisions on where available resources will be deployed.

(Short Answer)
4.8/5
(37)

Once the IT management process is in place and working the process never needs to be repeated.

(True/False)
4.8/5
(34)

IT security management consists of first determining a clear view of an organization's IT security objectives and general risk profile.

(True/False)
4.7/5
(37)

The _________ provides the most accurate evaluation of an organization's IT system's security risks.

(Short Answer)
4.7/5
(47)

Organizational security objectives identify what IT security outcomes should be achieved.

(True/False)
4.7/5
(42)

The advantages of the _________ risk assessment approach are that it provides the most detailed examination of the security risks of an organization's IT system and produces strong justification for expenditure on the controls proposed.

(Short Answer)
4.8/5
(30)

IT security management functions include:

(Multiple Choice)
4.8/5
(37)

A major advantage of the informal approach is that the individuals performing the analysis require no additional skills.

(True/False)
4.8/5
(38)

The level of risk the organization views as acceptable is the organization's __________.

(Short Answer)
4.9/5
(39)

Detecting and reacting to incidents is not a function of IT security management.

(True/False)
4.9/5
(35)

The advantages of the _________ approach are that it doesn't require the expenditure of additional resources in conducting a more formal risk assessment and that the same measures can be replicated over a range of systems.

(Multiple Choice)
4.9/5
(40)

The use of the _________ approach would generally be recommended for small to medium-sized organizations where the IT systems are not necessarily essential to meeting the organization's business objectives and additional expenditure on risk analysis cannot be justified.

(Short Answer)
4.8/5
(41)

Organizational security policies identify what needs to be done.

(True/False)
4.9/5
(32)

A major disadvantage of the baseline risk assessment approach is the significant cost in time, resources, and expertise needed to perform the analysis.

(True/False)
4.9/5
(36)

One asset may have multiple threats and a single threat may target multiple assets.

(True/False)
4.7/5
(41)

The results of the risk analysis should be documented in a _________.

(Multiple Choice)
4.8/5
(41)
Showing 1 - 20 of 45