21 Questions
What is the formula for calculating Annualized Loss Expectancy (ALE)?
ALE = SLE x ARO
Define Single Loss Expectancy (SLE) in the context of risk assessment.
SLE = asset value x exposure factor (EF)
Explain the concept of Due Care and Due Diligence in security.
Due Care is adopting security levels for a legal defense, while Due Diligence is ensuring that implemented standards provide the required protection.
What is meant by Best Business Practices (BSPs) in the context of security?
BSPs are security efforts that provide a superior level of information protection.
How can Control Benefit Analysis (CBA) be calculated using ALE?
CBA = ALE(prior) - ALE(post) - ACS
What is Benchmarking in information security?
Benchmarking involves reviewing peer institutions to determine how they protect their assets.
According to Microsoft's Ten Immutable Laws of Security, what happens if a bad guy can persuade you to run his program on your computer?
It's not your computer anymore
What is the significance of having weak passwords according to Microsoft's Ten Immutable Laws of Security?
Weak passwords trump strong security
In the context of security, what does Microsoft's law 'A machine is only as secure as the administrator is trustworthy' imply?
Security of a machine relies on the trustworthiness of the administrator
Why is an out-of-date virus scanner only marginally better than having no virus scanner at all?
An out-of-date virus scanner may not detect new threats
What does Microsoft's law 'Encrypted data is only as secure as the decryption key' emphasize?
The security of encrypted data is dependent on the security of the decryption key
What is the biggest problem with benchmarking in information security?
Organizations don't talk to each other
What does baselining in information security involve?
Comparing security activities and events against the organization's future performance
What is the purpose of organizational feasibility in information security?
To examine how proposed security alternatives contribute to the efficiency and operation of an organization
What does operational feasibility in information security address?
User acceptance and support, management acceptance and support, and overall stakeholder requirements
Why is obtaining user buy-in important in systems development?
To ensure user acceptance and support for the project
What does technical feasibility in information security assess?
Whether the organization has or can acquire the technology necessary to implement and support control alternatives
What is political feasibility in information security?
The evaluation of what can and cannot occur based on consensus and relationships within an organization
What does risk appetite define in the context of information security?
The quantity and nature of risk organizations are willing to accept as they evaluate tradeoffs between perfect security and unlimited accessibility
What is residual risk in information security?
Risk that remains after controlling vulnerabilities to the best extent possible
Why is documenting results important in information security?
To identify any residual risk and document control strategies for information asset-vulnerability pairs
Test your knowledge on calculating the Annualized Loss Expectancy (ALE) in the context of security risks. Understand how to determine Single Loss Expectancy (SLE) and Annualized Rate of Occurrence (ARO) for each risk.
Make Your Own Quizzes and Flashcards
Convert your notes into interactive study material.
Get started for free