According To Your Textbook, Which Of The Following Is Not Part Of Risk Analysis

According to your textbook, which of the following is NOT part of risk analysis: ___ Determine how likely each risk is to occur ___ Identify any risks to assets ___ Implement an acceptable use policy ___ Determine the value of assets

A risk is defined as: ___ A weakness in a system ___ A potential for exploit of a weakness in a system ___ The existence of a weakness in a system and the potential for an exploit ___ An attempted security attack

If a manager obtains insurance for damage to an asset, this is called risk transference: ___ True ___ False

Managers should declare financial statements about asset values: ___ True ___ False

A principle that a single person should not have authority to execute a critical task is called: ___ Access control ___ Separation of duties (or privileges) ___ Discretionary control ___ Confidentiality

Unauthorized alteration of information is a breach of: ___ Confidentiality ___ Integrity ___ Availability ___ Protocol

Of the two types of attackers, which has the potential to do the most damage? ___ Malicious Outsiders ___ Non-Malicious Insiders ___ Non-Malicious Outsiders ___ Malicious Insiders

Controlling information so that only those who require it to do their job receive it is called operating on a “need to know” basis: ___ True ___ False

Planning to have a “hot site” to restart operations in the case of a fatal incident is part of having a: ___ Risk Assessment Plan ___ Disaster Recovery Plan ___ Vulnerability Assessment Plan ___ Business Continuity Plan

Planning for a “co-location” to continue business as usual in the case of an incident that disrupts operations at one site is part of having a: ___ Risk Assessment Plan ___ Disaster Recovery Plan ___ Vulnerability Assessment Plan ___ Business Continuity Plan

SLE represents: ___ The proportion of an asset’s value that would be destroyed by a risk ___ Damage to an asset each time the risk occurs ___ Number of times a risk may occur in a year ___ Damage to an asset incurred cumulatively for each year of the asset’s lifetime

Privilege creep means: ___ An administrator gives him or herself the ability to examine private accounts ___ An attacker uses a rootkit to escalate privileges to execute system functions ___ When someone changes roles, they accrue both old and new privileges even if they are not needed ___ When a user logs in as a normal user, then executes an “su” to become a superuser

The four choices that managers have when managing risks are, (1) risk avoidance, (2) risk prosecution, (3) risk acceptance, (4) risk transference. ___ True ___ False

The encryption algorithm AES avoids security through obscurity: ___ True ___ False

A security policy is a written document only: ___ True ___ False

Even though very simplistic, security “checklists” such as the ISO 27000/27001 family of standards (also known as ISO27K) are useful for security auditing in preparation for, or as part of, a security certification: ___ True ___ False

Conducting background checks on employees is illegal in the United States: ___ True ___ False

Least privilege means allocating only the minimum set of privileges required to perform a job function: ___ True ___ False
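The separation-of-duties, privilege-creep and least-privilege items above, as an added example that is not taken from the textbook or the quiz. It is a small role model in which the role catalogue, the user names and the list of dual-control tasks are constructed for illustration. `change_role_creeping` shows how creep arises when a role change adds the new role's privileges without revoking the old ones; `change_role` and `excess_privileges` enforce least privilege by replacing the set and auditing what is left over; `approve_task` refuses to let one person both request and approve a critical task.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

# Constructed role catalogue: the privileges each job function actually needs.
ROLE_PRIVILEGES: Dict[str, FrozenSet[str]] = {
    "teller":   frozenset({"view_account", "post_transaction"}),
    "auditor":  frozenset({"view_account", "read_audit_log"}),
    "sysadmin": frozenset({"manage_users", "read_audit_log", "restore_backup"}),
}

# Constructed list of tasks that no single person may both initiate and approve.
DUAL_CONTROL_TASKS = {"wire_transfer", "restore_backup"}


@dataclass
class User:
    name: str
    role: str
    privileges: Set[str] = field(default_factory=set)


def change_role_creeping(user: User, new_role: str) -> None:
    """How privilege creep happens: the new role's privileges are added to the
    user's set and nothing from the old role is ever revoked."""
    user.role = new_role
    user.privileges |= ROLE_PRIVILEGES[new_role]


def change_role(user: User, new_role: str) -> Set[str]:
    """Least privilege: the new role's set replaces the old one.
    Returns the privileges that were revoked, for the change record."""
    revoked = user.privileges - ROLE_PRIVILEGES[new_role]
    user.role = new_role
    user.privileges = set(ROLE_PRIVILEGES[new_role])
    return revoked


def excess_privileges(user: User) -> Set[str]:
    """Audit check: whatever the user holds beyond what the current role needs."""
    return user.privileges - ROLE_PRIVILEGES[user.role]


def approve_task(task: str, requester: str, approver: str) -> bool:
    """Separation of duties: a critical task needs two different people."""
    if task in DUAL_CONTROL_TASKS and requester == approver:
        return False
    return True


if __name__ == "__main__":
    alice = User("alice", "teller", set(ROLE_PRIVILEGES["teller"]))
    change_role_creeping(alice, "auditor")
    print("after creeping role change, excess:", excess_privileges(alice))
    print("revoked on proper role change:", change_role(alice, "sysadmin"))
    print("excess after proper change:", excess_privileges(alice))
    print("alice approves her own wire:", approve_task("wire_transfer", "alice", "alice"))
    print("bob approves alice's wire:", approve_task("wire_transfer", "alice", "bob"))
```

The audit check is the part worth running regularly: a user whose set differs from the catalogue entry for their current role is either a victim of creep or an exception that should be documented.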

Paper for the above instructions

Risk assessment and risk management are fundamental processes within the realm of information security. While they are interconnected, they serve distinct purposes and involve different approaches. Risk assessment is a systematic process of identifying, analyzing, and evaluating risks to an organization's information assets. It involves identifying assets and their value, the vulnerabilities and threats that affect them, and the likelihood and impact of a security breach, thereby providing a clear picture of the organization's security posture. Risk management, on the other hand, encompasses the formulation and implementation of policies, procedures, and measures to treat the identified risks and reduce them to acceptable levels. This includes choosing among the four risk treatment options: avoiding the risk, transferring it (for example through insurance), accepting it, or mitigating it with controls (ISO/IEC 27005, 2018). ISO/IEC 27005 itself is an example of a standard that guides both activities, offering a comprehensive framework for information security risk management.

Risk assessment provides the empirical groundwork necessary for effective risk management. For example, organizations often use frameworks such as the NIST Risk Management Framework (RMF) to categorize systems by impact and then select, assess, and monitor controls systematically (NIST, 2018). These standards provide methodologies for identifying risks based on asset value, vulnerabilities, and threat probabilities. Conversely, risk management involves implementing controls like encryption, access controls, and disaster recovery plans to mitigate the risks highlighted during the assessment phase (Krein, 2017). For instance, after performing a risk assessment in a banking environment, a bank may deploy AES to protect the confidentiality of customer data; because AES on its own does not detect tampering, protecting integrity as well requires an authenticated mode such as AES-GCM or a separate message authentication code. Thus, risk assessment generates the insights necessary for designing targeted risk mitigation strategies, whereas risk management ensures that these strategies are effectively executed and continuously monitored (Whitman & Mattord, 2018). The interconnectedness of these processes underscores their importance within a comprehensive security posture.
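The quantitative side of the risk analysis described above, as an added example that is not part of the original paper or the textbook. It uses the quiz's terms: SLE is asset value times exposure factor, ALE is SLE times the annualized rate of occurrence, and the value of a candidate control is the ALE it removes minus what it costs per year. The register entry, the control figures and the decision rules that choose between accepting, mitigating, transferring and avoiding a risk are constructed for illustration and are not taken from any standard.

```python
from dataclasses import dataclass, replace
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    """One entry of a risk register: a threat against an asset."""
    name: str
    asset_value: float      # AV: what the asset is worth (currency units)
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss each time the risk materialises."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and its effect on EF and/or ARO."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # None: EF unchanged
    new_aro: Optional[float] = None              # None: ARO unchanged

    def apply(self, risk: Risk) -> Risk:
        """The residual risk once this control is in place."""
        ef = risk.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = risk.aro if self.new_aro is None else self.new_aro
        return replace(risk, exposure_factor=ef, aro=aro)


def control_value(risk: Risk, control: Control) -> float:
    """Annual value of a control: ALE reduction minus the control's annual cost.
    Positive means the control pays for itself; negative means it costs more
    than the loss it prevents."""
    return risk.ale() - control.apply(risk).ale() - control.annual_cost


def recommend(risk: Risk, controls: Iterable[Control],
              insurance_premium: Optional[float] = None,
              acceptable_ale: float = 0.0) -> Tuple[str, Optional[str]]:
    """Choose one of the four textbook treatments. The decision rules below are
    an assumption of this example, not a rule from any standard:
      accept   - ALE is already within the tolerance the manager set
      mitigate - the best-paying control has positive value and beats insurance
      transfer - insurance costs less than the loss it covers and beats controls
      avoid    - nothing pays: stop the activity that creates the risk
    """
    ale = risk.ale()
    if ale <= acceptable_ale:
        return "accept", None

    best = max(controls, key=lambda c: control_value(risk, c), default=None)
    best_value = control_value(risk, best) if best is not None else float("-inf")
    # Assumes full cover: transferring the risk saves the whole ALE minus the premium.
    transfer_value = ale - insurance_premium if insurance_premium is not None else float("-inf")

    if best_value > 0 and best_value >= transfer_value:
        return "mitigate", best.name
    if transfer_value > 0:
        return "transfer", None
    return "avoid", None


# Constructed register entry and candidate controls (illustrative figures only).
RANSOMWARE = Risk("ransomware on file server", asset_value=400_000, exposure_factor=0.25, aro=0.5)
CONTROLS = [
    Control("encrypted offsite backups", annual_cost=8_000, new_exposure_factor=0.05),
    Control("network segmentation", annual_cost=45_000, new_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE={RANSOMWARE.sle():,.0f}  ALE={RANSOMWARE.ale():,.0f}")
    for c in CONTROLS:
        print(f"{c.name}: value {control_value(RANSOMWARE, c):,.0f} per year")
    print(recommend(RANSOMWARE, CONTROLS, insurance_premium=25_000))
```

With these figures the backup control removes 40,000 of ALE for 8,000 a year, segmentation costs more than it saves, and full-cover insurance at 25,000 is worth less than the backup control, so the recommendation is to mitigate with backups. Raising `acceptable_ale` above the current ALE flips the answer to accept without changing any other input, which is the point of making the tolerance explicit.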

In the context of responsibilities, managers play a critical role in maintaining organizational security. Their obligations extend beyond mere oversight, requiring them to establish a security-aware culture and adhere to foundational security standards. Despite not being security officers, managers are responsible for enforcing security policies, ensuring secure use of the infrastructure, and promoting security awareness among staff. These minimum standards involve safeguarding sensitive information through access controls, adhering to established policies for data handling, and managing risks in daily operational activities (Bishop, 2018). Managers must also coordinate security efforts with IT teams, oversee compliance with regulatory standards such as GDPR or HIPAA, and foster an environment of continuous security improvement (Shah & Smith, 2019). Whatever their specific role, managers who adhere to these core responsibilities help build a resilient security infrastructure capable of defending against evolving threats (Lynn, 2020). Ultimately, effective security management by managers helps embed security practices into organizational culture, reducing vulnerabilities and enhancing overall resilience.

References

  • ISO/IEC 27005. (2018). Information security risk management. International Organization for Standardization.
  • NIST. (2018). Risk Management Framework for Information Systems and Organizations (SP 800-37 Rev. 2). National Institute of Standards and Technology.
  • Krein, S. (2017). The role of risk management in information security. Journal of Information Security, 8(2), 123-137.
  • Whitman, M. E., & Mattord, H. J. (2018). Principles of Information Security (6th ed.). Cengage Learning.
  • Bishop, M. (2018). Computer Security: Art and Science. Addison-Wesley.
  • Shah, R., & Smith, J. (2019). Organizational security policies and management. Journal of Cybersecurity, 5(4), 275-289.
  • Lynn, T. (2020). Building security awareness in organizational culture. Security Journal, 33(1), 101-115.
  • Kerr, D. (2020). Fundamentals of Information Security. Syngress.
  • Raines, C. (2021). Managing security risks in modern organizations. IEEE Security & Privacy, 19(3), 84-90.
  • Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security, 5(4), 438–457.