FedVTE - Comptia Security+ SY0-501 Risk Management Questions & Answers.
Security Policy Awareness Purpose
- To enhance security by:
- Improving awareness of the need to protect system resources
- Developing skills/knowledge so computer users can perform their jobs more securely

End User Training
- Purpose, explanation, importance of adhering to security policy/procedures
- Training should be initial, periodic, and ongoing

Role Based Training
- Specialized training that is customized to the specific role that an employee holds in the organization.

Key Stakeholder Awareness
- Promote security programs to executive leadership
- Presenting all issues in context of business needs/objectives
- Communicating risks, cost/benefit analysis, and residual risk
- Gaining their support

Data Classification
- The practice of evaluating the risk level of the organization's information to ensure that the information receives the appropriate level of protection
- Assign sensitivity, criticality, security priorities
- Identify data value

Data Privacy
- The relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal/political issues surrounding them
- Must classify to apply privacy
- PII

HIPAA
- Health Insurance Portability and Accountability Act

Classifications vs Clearances
- People have clearances, data has classifications. Access control is used to enforce which subjects have clearance to which classification of data.

Data Handling
- Policies/procedures should be developed for handling and disposing of different classifications of data.

Risk Avoidance
- Avoiding an act that would create a risk

Risk Transference
- A process in which the organization transfers the risk by using other means to compensate for a loss, such as by purchasing insurance

Risk Mitigation
- Reducing the impact of a risk event by reducing the probability of its occurrence

Risk Deterrence
- A strategy of dealing with risk in which it is decided that the best approach is to discourage potential attackers from engaging in the behavior that leads to the risk.

Confidentiality
- Ensuring information is only available to those authorized to have access to the information.

Written for
- Institution: Fedvte Linux system security
- Course: Fedvte Linux system security

Document information
- Uploaded on: June 14, 2023
- Number of pages: 10
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions & answers