100% correct 2025/2026
Define IT security management. - correct answer ✔A process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity and reliability.
List the three fundamental questions IT security tries to address. - correct answer ✔What assets do we
need to protect? How are those assets threatened? What can we do to counter those threats?
List the steps in the process used to address the three fundamental questions. - correct answer ✔First, determine a clear view of the organization's IT security objectives and general risk profile. Next, an IT security risk assessment is needed for each asset in the organization that requires protection. This assessment provides the information necessary to decide what resources are needed to reduce or eliminate the risks.
List some of the key national and international standards that provide guidance on IT security
management and risk assessment. - correct answer ✔ISO27000-ISO27005 and ISO13335
List and briefly define the four steps in the iterative security management process. - correct answer
✔Plan: establish a policy, objectives, etc. for managing risk
Do: implement and operate the security policy
Check: assess and measure performance
Act: take corrective and preventive actions
Organizational security objectives identify what IT security outcomes are desired, based in part on the role and importance of the IT systems in the organization. List some questions that help clarify these issues. - correct answer ✔What key aspects of the organization require IT support?
What tasks can only be performed with IT support?
What data created, managed, processed and stored by the IT system need protection?
What are the consequences of a security failure?
List and briefly define the four approaches to identifying and mitigating IT risks. - correct answer
✔Baseline approach: Aims to implement a basic general level of security controls using baseline documents, codes of practice, and industry best practice. Advantage: does not require the expenditure of additional resources in risk assessment. Disadvantage: no special consideration is given to variations in the organization's risk exposure. The baseline approach is only recommended for small organizations.
Informal approach: Involves conducting some form of informal, pragmatic risk analysis, and is based on the knowledge of internal experts or consultants who are performing the analysis. This approach may cover more aspects than the baseline approach, but because a formal process is not used, some risks may not be considered.
Detailed risk analysis: A detailed risk assessment, using a formal structured process, provides the greatest degree of assurance that all risks are identified. It has significant costs in time and resources.
Combined approach: Combines elements from the other approaches.
Which of the four approaches for identifying and mitigating IT risks does [ISO13335] suggest is the most cost-effective for most organizations? - correct answer ✔The combined approach.
List the steps in the detailed security risk analysis process. - correct answer ✔System characterization
Threat identification