הכנה למבחן בניהול אבטחת מידע

No single employee has control of a transaction from beginning to end; two or more people should be responsible for performing it.

The processes of identifying, analyzing, and assessing, mitigating, or transferring risk is generally characterized as risk management.

This factor represents a measure of the magnitude of loss or impact on the value of an asset. It is expressed as a percent, ranging from 0% to 100%, of asset value loss arising from a threat event. This factor is used in the calculation of single loss expectancy (SLE).

This term characterizes the absence or weakness of a risk-reducing safeguard.

Fundamental applications of risk assessment to be addressed include (1) determining the current status of information security in the target environment(s) and ensuring that associated risk is managed (accepted, mitigated, or transferred) according to policy, and (2) assessing risk strategically.

The best automated tools currently available include a wellresearched threat population and associated statistics. Using one of these tools virtually assures that no relevant threat is overlooked.

Data classification is intended to lower the cost of overprotecting all data.

The business units, not IT (information technology), own the data. Decisions regarding who has what access, what classification the data should be assigned, etc., are decisions that rest solely with the business data owner and based on organization policy.

Policy is written at a very high level and is intended to describe the “whats” of information security. Procedures, standards, baselines, and guidelines are the “hows” for implementation of the policy.

Ensure record retention requirements are met based on the information owner’s analysis.