Winters Quiz 4

Quiz yourself by thinking what should be in each of the black spaces below before clicking on it to display the answer.

Term | Definition
competitive advantage | what sets the organization apart from others and provides it with a distinctive edge for meeting customer needs in the marketplace
competitive disadvantage | the need for an organization to avoid falling behind the competition due to lack of the ability to design and create safe environments in which business processes and procedures can function
risk management | identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all components in the organization's information system
risk identification | examining and documenting the security posture of an organization's information technology and the risks it faces
risk control | applying controls to reduce the risks to an organization's data and information systems
field change order (FCO) | an authorization issued by an organization for the repair, modification, or update of a piece of equipment
data classification scheme | an information scheme used throughout an organization that helps secure confidentiality and integrity of information that is typically used by corporations
security clearance | a single authorization level assigned to each data user that indicates the level of classification he or she is authorized to view
need-to-know | a standard that must be met to override a data user's current security clearance
clean desk policy | a policy that requires that employees secure all information in appropriate storage containers at the end of each day
dumpster diving | the practice of searching trash and recycling bins to retrieve information that could embarrass a company or compromise information security
threat assessment | the process of examining an organization's threats to assess its potential to endanger the organization
risk assessment | evaluating the risk for each vulnerability after identifying an organization's information assets and threats
likelihood | (in terms of an organization's information assets) the probability that a specific vulnerability will be the object of a successful attack
residual risks | the risk that remains to the information asset after the existing control has been applied
access controls | used to determine if and how to admit a user into a trusted area of the organization
mandatory access controls (MACs) | a particular access control structured and coordinated with a data classification scheme; it gives users and owners limited control over access to information resources
lattice-based access controls | a particular access control in which users are assigned a matrix of authorizations for particular areas of access
access control list (ACL) | the column of attributes associated with a particular object within a lattice-based access control
capabilities table | (within an access control list) the row of attributes associated with a particular subject
non-discretionary controls | controls managed by a central authority in an organization
role-based controls | a type of non-discretionary control that is based on an individual's role
task-based controls | a type of non-discretionary control that is based on a set of specified tasks assigned to an individual
discretionary controls | controls implemented at the discretion or option of the data user
avoidance | preferred risk control strategy approach that attempts to prevent exploitation of the vulnerability by means of countering threats, removing vulnerabilities in assets, limiting access to assets and adding protective safeguards
transference | control approach that attempts to shift risk to other assets, processes, or other organizations by rethinking how services are offered, outsourcing to other organizations, purchasing insurance or implementing service contracts with providers
mitigation | control approach that attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation
cost avoidance | process of avoiding the financial impact of an incident by implementing control
cost benefit analysis/economic feasibility | process of examining the cost to protect an asset and the benefit of the protection based on the asset's worth
single loss expectancy (SLE) | the calculation of the value associated with the most likely loss from an attack
exposure factor (EF) | the expected percentage of loss that would occur from a particular attack
annualized rate of occurrence (ARO) | how often a specific type of attack is expected to occur
annualized loss expectancy (ALE) | the determination/calculation of the overall loss potential per risk
quantitative assessment | assessment using actual values or estimates
qualitative assessment | evaluation process based on characteristics that do not use numerical measures
benchmarking | process of seeking out and studying the practices used in other organizations that produce results an individual would like to duplicate in their organization
performance gap | provides insight into the areas that an organization should work on to improve its security posture and defenses
standard of due care | the proof of maintaining a certain level of security (that an organization adopts) that is acceptable among organizations of the same capacity
due diligence | demonstration that an organization is diligent in ensuring that the implemented standards of due care continue to provide the required level of protection
best business practices/best practices/recommended practices | security efforts that seek to provide a superior level of performance in the protection of information
base-lining | value or profile of a performance metric against which changes in the performance metric can be usefully compared
organizational feasibility | a feasibility analysis that examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness and overall operation of an organization
operational feasibility (or behavioral feasibility) | analysis that examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders; measures the behavior of users
technical feasibility | analysis that examines whether or not the organization has or can acquire the technology necessary to implement and support the proposed control
political feasibility | analysis that determines what can and cannot occur based on the consensus and relationships among the communities of interest
risk appetite | defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility
know yourself | identify, examine, and understand the information and systems currently in place
know the enemy | identify, examine, and understand threats facing the organization
1. Evaluating the risk controls 2. Determining which control options are cost effective for the organization 3. Acquiring or installing the needed controls 4. Ensuring that the controls remain effective | What is the Risk Management Process?
1. Defend 2. Transfer 3. Mitigate 4. Accept 5. Terminate | What are the Risk Control Strategies?
1. Application of policy 2. Training and education 3. Applying technology | What are the three common methods of risk avoidance?
1. When a vulnerability exists 2. When a vulnerability can be exploited 3. When the attacker's cost is less than the potential gain 4. When the potential loss is substantial | What rules of thumb can be applied to strategy selection?
Defend | attempts to prevent exploitation of the vulnerability (preferred approach)
Transfer | control approach that attempts to shift risk to other assets, processes, or organizations
Mitigate | attempts to reduce the impact of vulnerability exploitation through planning and preparation
Accept | doing nothing to protect a vulnerability and accepting the outcome of its exploitation
Terminate | directs the organization to avoid those business activities that introduce uncontrollable risks


   

Created by: mgolf