Term
Domain 1: Security & Risk Management
Sub-domain 9: Understand and apply risk management concepts
Q1. Define a vulnerability in the context of information security |
|
Definition
As per NIST SP 800-30 Rev. 1:
A vulnerability is a "weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source."
Or, in Adam Gordon speak - simply, a weakness! |
|
|
Term
Domain 1: Security & Risk Management
Sub-domain 9: Understand and apply risk management concepts
Q2. Name the four process steps (in order) of a risk assessment/analysis |
|
Definition
Step 1 - Prepare for Assessment
Step 2 - Conduct Assessment
a. Identify threat sources & events
b. Identify vulnerabilities & predisposing conditions
c. Determine likelihood of occurrence
d. Determine magnitude of impact
e. Determine Risk
Step 3 - Communicate Results
Step 4 - Maintain Assessment |
|
|
Term
Domain 1: Security & Risk Management
Sub-domain 9: Understand and apply risk management concepts
Q3. What are the three main control categories? |
|
Definition
1. Physical - think guards, guns, gates (and locks, fences, CCTV)
2. Administrative - policies, procedures, training, background checks
3. Logical (technical) - hardware and software mechanisms such as firewalls, access control lists and encryption |
|
|
Term
Domain 1: Security & Risk Management
Sub-domain 9: Understand and apply risk management concepts
Q4. What are the four accepted ways to respond to risk? |
|
Definition
- Avoid (stop the activity that creates the risk)
- Accept (formally decide to live with it, with sign-off)
- Transfer (also called share, e.g. insurance or outsourcing; note that accountability stays with the organisation)
- Mitigate (also called reduce; apply controls to lower likelihood or impact) |
|
|
Term
Q5. What is the Deming cycle also known as? |
|
Definition
The PDCA cycle: Plan, Do, Check, Act (a continuous-improvement loop used for security programmes and ISMS management) |
|
Term
Q6. What is the formula for a Quantitative Risk Analysis? |
|
Definition
SLE = AV x EF
(Single Loss Expectancy = Asset Value x Exposure Factor, where EF is the fraction of the asset lost in one incident)
ALE = SLE x ARO
(Annualised Loss Expectancy = Single Loss Expectancy x Annualised Rate of Occurrence)
Value of a safeguard = ALE (before safeguard) - ALE (after safeguard) - annual cost of the safeguard |
|
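As an added worked example (not part of the original flashcards), the following Python carries the SLE/ALE/safeguard-value formulas through for one constructed scenario and two candidate controls. The asset value, exposure factors, rates of occurrence and control costs are all made-up sample figures; the `Scenario`, `sle`, `ale`, `safeguard_value` and `rank_safeguards` names are this example's own.

```python
"""Quantitative risk analysis worked example.

Added illustration, not from the original study cards. Formulas:
  SLE = AV * EF
  ALE = SLE * ARO
  safeguard value = ALE_before - ALE_after - annual safeguard cost
Every number below is a constructed sample value.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV: monetary value of the asset
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    annual_rate: float      # ARO: expected number of incidents per year


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: AV * EF, with input range checks."""
    if asset_value < 0:
        raise ValueError("asset value must be non-negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(scenario: Scenario) -> float:
    """Annualised Loss Expectancy: SLE * ARO."""
    if scenario.annual_rate < 0:
        raise ValueError("annualised rate of occurrence must be non-negative")
    return sle(scenario.asset_value, scenario.exposure_factor) * scenario.annual_rate


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Cost/benefit of a control: ALE before - ALE after - annual cost.

    A negative result means the control costs more per year than the risk it removes.
    """
    return ale(before) - ale(after) - annual_cost


def rank_safeguards(
    before: Scenario, options: dict[str, tuple[Scenario, float]]
) -> list[tuple[str, float]]:
    """Rank candidate controls by their safeguard value, best first."""
    ranked = [
        (name, safeguard_value(before, after, cost))
        for name, (after, cost) in options.items()
    ]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample: a customer database worth 500k, a breach destroys 40% of
# that value, and such a breach is expected once every two years.
BASELINE = Scenario(asset_value=500_000, exposure_factor=0.40, annual_rate=0.5)

# Two hypothetical controls. Each entry is (scenario after the control, annual cost).
OPTIONS: dict[str, tuple[Scenario, float]] = {
    # Encrypted offsite backups: smaller loss per incident and fewer incidents.
    "encrypted backups": (Scenario(500_000, 0.10, 0.25), 30_000),
    # Managed SOC: cuts incident rate sharply but is expensive to run.
    "managed SOC": (Scenario(500_000, 0.40, 0.05), 95_000),
}

if __name__ == "__main__":
    print(f"SLE = {sle(BASELINE.asset_value, BASELINE.exposure_factor):,.0f}")
    print(f"ALE = {ale(BASELINE):,.0f}")
    for name, value in rank_safeguards(BASELINE, OPTIONS):
        verdict = "worth buying" if value > 0 else "not cost-justified"
        print(f"{name}: safeguard value {value:,.0f} ({verdict})")
```

The second control shows the edge case the formula exists to catch: the managed SOC reduces ALE further than the backups do, yet its annual cost exceeds the loss it prevents, so its safeguard value is negative and the cheaper control wins.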