Across
- 3. A security principle that makes sure that information and systems are not modified maliciously or accidentally.
- 5. An instance of being exposed to losses from a threat. A weakness or vulnerability can cause an organization to be exposed to possible damages.
- 9. The reliability and accessibility of data and resources to authorized individuals in a timely manner.
- 10. Two or more people working together to carry out a fraudulent activity. More than one person would need to work together to cause some type of destruction or fraud; this drastically reduces its probability.
- 13. Detailed step-by-step instructions to achieve a certain task, which are used by users, IT staff, operations staff, security members, and others.
- 14. A security principle that splits up a critical task among two or more individuals to ensure that one person cannot complete a risky task by himself.
- 17. The act of tricking another person into providing confidential information by posing as an individual who is authorized to receive that information.
- 18. High-level document that outlines senior management's security directives.
- 19. A group decision method used to ensure that each member of a group gives an honest and anonymous opinion pertaining to the company’s risks.
- 20. When a safeguard is not implemented, an organization is faced with the total risk of that particular vulnerability.
- 24. Relying on the secrecy or complexity of an item as its security instead of practicing solid security practices.
- 28. An assessment that is performed to ensure that the cost of a safeguard does not outweigh the benefit of the safeguard. Spending more to protect an asset than the asset is actually worth does not make good business sense. All possible safeguards must be evaluated to ensure that the most security-effective and cost-effective choice is made.
- 29. When a person looks over another person’s shoulder and watches keystrokes or watches data as it appears on the screen in order to uncover information in an unauthorized manner.
- 31. A risk analysis method that attempts to use percentages in damage estimations and assigns real numbers to the costs of countermeasures for particular risks and the amount of damage that could result from the risk. Compare to qualitative risk analysis.
- 32. An individual who is responsible for the maintenance and protection of the data. This role is usually filled by the IT department (usually the network administrator). The duties include performing regular backups of the data, implementing security mechanisms, periodically validating the integrity of the data, restoring data from backup media, and fulfilling the requirements specified in the company’s security policy, standards, and guidelines that pertain to information security and data protection.
Down
- 1. Any potential danger that a vulnerability will be exploited by a threat agent.
- 2. An entity that can exploit a vulnerability.
- 4. Detective/administrative control used to uncover potential fraudulent activities.
- 6. Organizational, issue-specific, and system-specific are _____ (2 words).
- 7. A risk analysis method that uses intuition and experience to judge an organization’s exposure to risks. It uses scenarios and ratings systems. Compare to quantitative risk analysis.
- 8. A dollar amount that is assigned to a single event that represents the company's potential loss amount if a specific threat were to take place: asset value × exposure factor = SLE.
- 9. A dollar amount that estimates the loss potential from a risk in a span of a year.
- 11. Rules indicating how hardware and software should be implemented, used, and maintained. Standards provide a means to ensure that specific technologies, applications, parameters, and procedures are carried out in a uniform way across the organization. They are compulsory.
- 12. Safeguard that is put in place to reduce risk. Also called a countermeasure.
- 15. Regulatory, advisory, and informative are _____ (3 words).
- 16. _____ analysis: assigning confidence level values to data elements.
- 21. Individual responsible for the protection and classification of a specific data set.
- 22. The remaining risk after the security controls have been applied. The conceptual formulas that explain the difference between total and residual risk are: threats × vulnerability × asset value = total risk; (threats × vulnerability × asset value) × controls gap = residual risk.
- 23. The absence or weakness of a safeguard that could be exploited.
- 25. The likelihood of a threat agent taking advantage of a vulnerability and the resulting business impact. A risk is the loss potential, or probability, that a threat will exploit a vulnerability.
- 26. A security principle that works to ensure that information is not disclosed to unauthorized subjects.
- 27. Recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply.
- 30. Accept, transfer, mitigate, and avoid are ways to _____ (2 words).
