
Winters Quiz 4

competitive advantage what sets the organization apart from others and provides it with a distinctive edge for meeting customer needs in the marketplace
competitive disadvantage the need for an organization to avoid falling behind the competition due to lack of the ability to design and create safe environments in which business processes and procedures can function
risk management identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all components in the organization's information system
risk identification examining and documenting the security posture of an organization's information technology and the risks it faces
risk control applying controls to reduce the risks to an organization's data and information systems
field change order (FCO) an authorization issued by an organization for the repair, modification, or update of a piece of equipment
data classification scheme an information scheme used throughout an organization that helps secure confidentiality and integrity of information that is typically used by corporations
security clearance a single authorization level assigned to each data user that indicates the level of classification he or she is authorized to view
need-to-know a standard that must be met to override a data user's current security clearance
clean desk policy a policy that requires that employees secure all information in appropriate storage containers at the end of each day
dumpster diving the practice of searching trash and recycling bins to retrieve information that could embarrass a company or compromise information security
threat assessment the process of examining an organization's threats to assess its potential to endanger the organization
risk assessment evaluating the risk for each vulnerability after identifying an organization's information assets and threats
likelihood (in terms of an organization's information assets) the probability that a specific vulnerability will be the object of a successful attack
residual risks the risk that remains to the information asset after the existing control has been applied
access controls used to determine if and how to admit a user into a trusted area of the organization
mandatory access controls (MACs) a particular access control structured and coordinated with a data classification scheme; it gives users and owners limited control over access to information resources
lattice-based access controls a particular access control in which users are assigned a matrix of authorizations for particular areas of access
access control list (ACL) the column of attributes associated with a particular object within a lattice-based access control
capabilities table (within an access control list) the row of attributes associated with a particular subject
non-discretionary controls controls managed by a central authority in an organization
role-based controls a type of non-discretionary control that is based on an individual's role
task-based controls a type of non-discretionary control that is based on a set of specified tasks assigned to an individual
discretionary controls controls implemented at the discretion or option of the data user
avoidance preferred risk control strategy approach that attempts to prevent exploitation of the vulnerability by means of countering threats, removing vulnerabilities in assets, limiting access to assets and adding protective safeguards
transference control approach that attempts to shift risk to other assets, processes, or other organizations by rethinking how services are offered, outsourcing to other organizations, purchasing insurance or implementing service contracts with providers
mitigation control approach that attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation
cost avoidance process of avoiding the financial impact of an incident by implementing control
cost benefit analysis/economic feasibility process of examining the cost to protect an asset and the benefit of the protection based on the asset's worth
single loss expectancy (SLE) the calculation of the value associated with the most likely loss from an attack
exposure factor (EF) the expected percentage of loss that would occur from a particular attack
annualized rate of occurrence (ARO) how often a specific type of attack is expected to occur
annualized loss expectancy (ALE) the determination/calculation of the overall lost potential per risk
quantitative assessment assessment using actual values or estimates
qualitative assessment evaluation process based on characteristics that do not use numerical measures
benchmarking process of seeking out and studying the practices used in other organizations that produce results an individual would like to duplicate in their organization
performance gap provide insight into the areas that an organization should work on to improve its security postures and defenses
standard of due care the proof of maintaining a certain level of security (that an organization adopts) that is acceptable among organizations of the same capacity
due diligence demonstration that an organization is diligent in ensuring that the implemented standards of due care continue to provide the required level of protection
best business practices/best practices/recommended practices security efforts that seek to provide a superior level of performance in the protection of information
base-lining value or profile of a performance metric against which changes in the performance metric can be usefully compared
organizational feasibility a feasibility analysis that examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness and overall operation of an organization
operational feasibility (or behavioral feasibility) analysis that examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders; measure the behavior of users
technical feasibility analysis that examines whether or not the organization has or can acquire the technology necessary to implement and support the proposed control
political feasibility analysis that determines what can and cannot occur based on the consensus and relationships among the communities of interest
risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility
know yourself identify, examine, and understand the information and systems currently in place
Know the enemy identify, examine, and understand threats facing the organization
1. Evaluating the risk controls 2. Determining which control options are cost effective for the organization 3. Acquiring or installing the needed controls 4. Ensuring that the controls remain effective What is the Risk Management Process?
1. Defend 2. Transfer 3. Mitigate 4. Accept 5. Terminate What are the Risk Control Strategies?
1. Application of policy 2. Training and education 3. Applying technology What are the three common methods of risk avoidance?
1. When a vulnerability exists 2. When a vulnerability can be exploited 3. When attacker’s cost is less than potential gain 4. When potential loss is substantial What rules of thumb on strategy selection can be applied?
Defend attempts to prevent exploitation of the vulnerability (preferred approach)
Transfer control approach that attempts to shift risk to other assets, processes, or organizations
Mitigate attempts to reduce impact of vulnerability exploitation through planning and preparation
Accept doing nothing to protect a vulnerability and accepting the outcome of its exploitation
Terminate directs the organization to avoid those business activities that introduce uncontrollable risks
Created by: mgolf