Management of Information Security Notes Chapter 9 — Controlling Risk

Once a control strategy has been selected and implemented, controls should be ____ on an ongoing basis to determine their effectiveness and to estimate the remaining risk.
monitored and measured
The four categories of controlling risk include avoidance, mitigation, transference and _____.
acceptance
The ____________________ assessment tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated estimation used for quantitative measures.
hybrid
Risk ____________________ defines the quantity and nature of risk that an organization is willing to accept.
appetite
Mitigation depends on the ability to detect and respond to an attack as quickly as possible.
True
____________________ is a risk management framework developed to help organizations to understand, analyze, and measure information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.
Factor Analysis of Information Risk
A cost-benefit analysis is conducted by subtracting the post-control annualized loss expectancy and the ____ from the pre-control loss expectancy
annualized cost of the safeguard
Reducing the impact of a successful attack on an organization’s system falls under the ____ risk control strategy.
mitigation
Before deciding on the risk control strategy for a specific vulnerability, an organization must explore all readily accessible information about the ____ consequences of the vulnerability.
economic and non-economic
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
Building executive consensus
The ____________________ Method is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls.
OCTAVE
Cost Benefit Analysis is determined by calculating the single loss expectancy before new controls minus the annualized loss expectancy after controls are implemented minus the annualized cost of the safeguard.
False
Economic and non-economic effects of a weakness must be evaluated after a strategy for dealing with a particular vulnerability has been selected.
False
Common sense dictates that an organization should spend more to protect an asset than its value.
False
OCTAVE is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detective controls.
True
Residual risk is a combined function of all but which of the following?
Residual risk less a factor of error
____________________ is a combined function of (1) a threat less the effect of threat-reducing safeguards; (2) a vulnerability less the effect of vulnerability-reducing safeguards; and (3) an asset less the effect of asset value-reducing safeguards.
Residual risk
Avoidance of risk is accomplished through the application of procedures, training and education and the implementation of technical security controls and safeguards.
False
One of the most common methods of obtaining user acceptance and support is via user
involvement
Due care and due diligence occur when an organization adopts a certain minimum level of security as what any ____________________ organization would do in similar circumstances.
prudent
An alternate set of possible risk control strategies includes all but which of the following?
Obscurity: Hiding critical security assets in order to protect them from attack
Behavioral feasibility refers to user acceptance and support, management acceptance and support, and the system’s compatibility with the requirements of the organization’s stakeholders.
True
Due care and due diligence occur when an organization adopts a certain minimum level of security as what any ____ organization would do in similar circumstances.
prudent
According to the Microsoft Risk Management Approach, risk management is not a stand-alone subject and should be part of a general governance program to allow the organization’s management to evaluate the organization’s operations and make better, more informed decisions.
True
A system’s exploitable vulnerabilities are usually determined after the system is designed.
True
Asset valuation must account for value _____.
All of these
Economic feasibility is a standard that is commonly used when evaluating a project that implements information security safeguards.
True
The final choice of a risk control strategy may call for a balanced mixture of controls that provides the greatest value for as many asset-threat pairs as possible.
True
___ feasibility determines acceptable practices based on consensus and relationships among the communities of interest.
Political
The goal of information security is to bring residual risk in line with an organization’s risk appetite.
True
The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge, was designed for large organizations with 300 or more users, while OCTAVE-Allegro was designed for smaller organizations of about 100 users.
True
The effectiveness of controls should be ____________________ and measured regularly once a control strategy has been selected.
monitored
A single loss expectancy is calculated by multiplying the asset value by the ____.
exposure factor
A cost benefit analysis (CBA) result is obtained from the difference between the pre-control and the ____________________ annualized loss expectancy (ALE).
post-control
The ____ is the indication of how often you expect a specific type of attack to occur.
ARO
In the Cost-Benefit Analysis Formula presented in the text, ALE is calculated by ____.
SLE * ARO
The Single Loss Expectancy (SLE) is the result of the asset’s value (AV) multiplied by the ____________________ factor.
exposure
The risk control strategy of avoidance means understanding the consequences and avoiding risk by not placing a system in a situation that could result in a loss.
False
The element of remaining risk after vulnerabilities have been controlled is referred to as ____________________ risk.
residual
Avoidance of risk is the choice to forgo the use of security measures and accept loss in the event of an attack.
False
In an economic feasibility study, the ____________________ is the value to the organization of using controls that prevent losses related to a particular vulnerability.
benefit
The Annualized Loss Expectancy in the CBA formula is determined as ____.
SLE * ARO
Some organizations document the outcome of the control strategy for each information asset-threat pair in a(n) _____, which includes concrete tasks with accountability for each task being assigned to an organizational unit or to an individual.
action plan
Risk appetite (also known as risk tolerance) is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
True
Mitigation of risk involves applying safeguards that eliminate or reduce the remaining uncontrolled risks.
False
An organization that chooses to outsource its risk management practice to independent consultants is taking the ____ control approach.
transference
The goal of information security is to bring residual risk to zero.
False
At a minimum, each information asset-threat pair should have a(n) ____ that clearly identifies any residual risk that remains after the proposed strategy has been executed.
documented control strategy
Which of the following is not an example of a disaster recovery plan?
Information gathering procedures
____ is the process of assigning financial value or worth to each information component.
Asset valuation