Deck 14: IT Security Management and Risk Assessment

Organizational security objectives identify what IT security outcomesshould be achieved.

A major disadvantage of the baseline risk assessment approach is thesignificant cost in time, resources, and expertise needed to performthe analysis.

Because the responsibility for IT security is shared across theorganization, there is a risk of inconsistent implementation of security and a loss of central monitoring and control.

A major advantage of the informal approach is that the individualsperforming the analysis require no additional skills.

Detecting and reacting to incidents is not a function of IT securitymanagement.

The assignment of responsibilities relating to the management of ITsecurity and the organizational infrastructure is not addressed in acorporate security policy.

IT security needs to be a key part of an organization's overallmanagement plan.

Organizational security policies identify what needs to be done.

IT security management consists of first determining a clear view of anorganization's IT security objectives and general risk profile.

Legal and regulatory constraints may require specific approaches torisk assessment.

One asset may have multiple threats and a single threat may targetmultiple assets.

A threat may be either natural or human made and may be accidentalor deliberate.

Once the IT management process is in place and working the processnever needs to be repeated.

IT security management has evolved considerably over the last fewdecades due to the rise in risks to networked systems.

It is not critical that an organization's IT security policy have fullapproval or buy-in by senior management.

The aim of the _________ process is to provide management with the information necessary for them to make reasonable decisions on where available resources will be deployed.

The term ________ refers to a document that details not only the overall security objectives and strategies, but also procedural policies that define acceptable behavior, expected practices, and responsibilities.

ISO details a model process for managing information security that comprises the following steps: plan, do, ________, and act.

The __________ approach to risk assessment aims to implement a basic general level of security controls on systems using baseline documents, codes of practice, and industry best practice.

The use of the _________ approach would generally be recommended for small to medium-sized organizations where the IT systems are not necessarily essential to meeting the organization's business objectives and additional expenditure on risk analysis cannot be justified.

_________ is a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability.

The advantages of the _________ risk assessment approach are that it provides the most detailed examination of the security risks of an organization's IT system and produces strong justification for expenditure on the controls proposed.

The four approaches to identifying and mitigating risks to an organization's IT infrastructure are: baseline approach, detailed risk analysis, combined approach, and __________ approach.

A(n) _________ is anything that has value to the organization.

A(n) _________ is a weakness in an asset or group of assets that can be exploited by one or more threats.

_________ is sharing responsibility for the risk with a third party.

Not proceeding with the activity or system that creates the risk is _________.

The level of risk the organization views as acceptable is the organization's __________.

The _________ approach combines elements of the baseline, informal, and detailed risk analysis approaches.

The _________ provides the most accurate evaluation of an organization's IT system's security risks.