01. Emerging Risk and Threat Landscape

Question 1

Emerging Risk and Threat Landscape

What is the fundamental undertaking for any organisation that desires to be reasonablly aware of risks

Answer 1

Risk Management

120

Question 2

Emerging Risk and Threat Landscape

Risks that are not identified or monitored could result in these 3 things being Jeopardised

1. U ____ B ____ L ____
2. L ____ of L ____
3. S ____ of the business

Answer 2

1. Unexpected business losses
2. Loss of life
3. Survival of the business

120

Question 3

The Importance of Risk Management

Risk management represents time proven methods and techniques used in;

1. I ____ risks
2. Understand P____ of occurance
3. Understand potential I____
4. Make D____ about risks based on established criteria
5. M____ key attributes of security and risk
6. Produce long term trend R____ to executive management

Answer 3

1. Identify
2. Proability
3. Impact
4. Decisions
5. Measure
6. Reporting

120

Question 4

The Importance of Risk Management

The effectiveness of a risk management program is largely dependent on two factors

1. S ____ from ____
2. O ____ C ____

Answer 4

1. Support from executive management
2. Organisational culture

121

Question 5

The Importance of Risk Management

Risk management is based on several factors

Answer 5

1. Culture
2. Mission, objectives, and goals
3. Management Structure
4. Management Support
5. Industry sector
6. Market conditions
7. Applicable laws, regulations, and other legal obligations
8. Stated or unstated risk tolerance
9. Financial health
10. Operating locations

121

Question 6

Outcomes of Risk Management

An organisation that implements an effective risk management program will have heightened awareness of

Answer 6

Use of technology, and how it can impact the business

121

Question 7

Outcomes of Risk Management

The greatest benefit an organisation can derived from an effective risk management program in relation to security incidents

Answer 7

Lower probability of security incidents
Those that do occur, a better prepared state, reducing impact

121

Question 8

Risk Objectives

A vital part of risk management strategy development is the determination of desired…

Answer 8

Risk Level

121

Question 9

Risk Objectives

One important input into risk management strategy development

Answer 9

Understanding current level of risk and desired future state

121

Question 10

Risk Management Technologies

See Risk Management Technologies Cards
LINK

Question 11

Risk Management Technologies

Organisations without effective risk management programs often acquire technologies without first..

Answer 11

Identifying specific, relevent risks and do so based on;

1. Salespeople (false claims)
2. Security managers of other organisations
3. Articles in trade publications

122

Question 12

Implementing a Risk Management Program

There are several risk management frameworks to choose from which share the common principles

Answer 12

1. RIsk management being a life cycle process
2. period assement requirements
3. Aim for continuous improvement

123

Question 13

Implementing a Risk Management Program

Applying a risk management framework in an organisation will require an understanding of the organisations…

Answer 13

1. Mission
2. Objectives
3. Strategies
4. Cultures
5. Practices
6. Structure
7. Financial condition
8. Risk Appetite
9. Level of executive management support

123

Question 14

Implementing a Risk Management Program

Enterprise Risk Management (ERM) and Information Risk Management programs share concepts and techniques

Answer 14

They often work together, but deal with different subject matter

123

Question 15

Risk Management Strategy

The objective of a risk management strategy is to…

Answer 15

Identify all credible risks and reduce them to an acceptable level

123

Question 16

Risk Management Strategy

The acceptable level of risk is generally related to…

Answer 16

1. Executive management risk appetite
2. Organisations ability to absorb losses (and ability to build defences)
3. Regulatory and legal requirements

124

Question 17

Risk Management Strategy

The primary means of mitigating risks by ensuring desired outcomes

Answer 17

Controls

124

Question 18

Risk Management Strategy

A key objective of a risk management strategist in organisations with smaller pockets of risk management programs or an Enterprise Risk Management program

Answer 18

Alignment

124

Question 19

Risk Management Strategy

Key internal and external factors will govern the implementation of risk management objectives

Answer 19

1. Culture
2. Organisational Maturity
3. Management structure
4. Management support
5. Market conditions
6. Regulatory and Legal requirements

124

Question 20

Risk Management Strategy

The most important factor that will enable or contrain security managers as they develop a risk management strategy

Answer 20

Development of key relationships throughout the organisation

124

Question 21

Risk Communication

Risk management must be introduced to the organisations key stake holders, and not work in secrecy, to help them understand…

Answer 21

The role of risk management in the organisation and the role they will play to help the program achieve its objectives

124

Question 22

Risk Communication

Communication channels should be open at all times and operate in..

Answer 22

all directions

125

Question 23

Risk Communication

Successful information risk programs operate through transparency. Information about risks should be…

Answer 23

readily available to all board members, executives, stakeholders, and risk owners

125

Question 24

Risk Awareness

A goal of risk awareness is to ensure business leaders and decision makers understand business decisions have a risk component. Formal information risk management programs will include..

Answer 24

Processes and techniques for making risk-aware decisions

125

Question 25

Risk Awareness

There is an overlap in content and audience of security awareness and risk awareness.
1. Security awareness applies to…
2. Risk awareness encompasses…

Answer 25

1. Entire organisations
2. Senior personnel involved in risk management

125

Question 26

Risk Consulting

Security managers are often seen to play the role of security and risk consultant. They are regarded as technology risk experts who..

Answer 26

are available to consult with on a wide variety of issues

125

Question 27

Risk Consulting

Key attributes to make a good information risk consultant

Answer 27

1. Ability to listen to business leaders and understand what was requested
2. Ability to assess information and understand its impact on process or business
3. Have a holistic understanding of the business

125

Question 28

Risk Management Frameworks

When building an information risk management program, the security manager needs to develop…

Answer 28

1. Processes and procedures
2. Roles and responsibilities
3. Templates for business records

125

Question 29

Risk Management Frameworks

High quality industry risk management frameworks

Answer 29

1. ISO/IEC 27001
2. ISO/IEC 27005
3. ISO/IEC 31010
4. NIST SP 800-37
5. NIST SP 800-39
6. COBIT 2019
7. Risk IT Framework
8. RIMS Risk Maturity Model

126

Question 30

Risk Management Frameworks

Risk managers can take 2 main approaches when considering existing frameworks

Answer 30

1. Use a single framework that best aligns to the business
2. Use elements from one or more frameworks to build an organisation risk management program

126

Question 31

Risk Framework Components

Risk management frameworks have a common core set of components

Answer 31

1. Program scope
2. Information risk objectives
3. Information risk policy
4. Risk appetite/tolerance
5. Roles and responsibilities
6. Risk management life-cycle process
7. Risk management documentation
8. Management review

126

Question 32

Integration into the environment

To be effective, the risk management program needs to..

Answer 32

Fit into and align with the organisations existing policies, processes, and systems and to minimise the impact to the organisation

126

Question 33

Risk Management Context

The security manager and executive management must define…

Answer 33

the boundaries within which the risk management program will operate

• Business units, lines of business, locations and regions
• Participants and stakeholders
• Roles and responsibilities
• Risk appetite and tolerance

127

Question 34

Three levels of risk management

Risk management is best divided into three tiers

Multitier Risk Management

Answer 34

1. Enterprise-level risks
2. Process-level risks
3. Asse-level risks

1. Generall risks associated with organisation culture and management. Risks typically conceptual in nature. ERM - Enterprise Risk Management
2. Usually associated with effectiveness of business processes, typically those that affect cybersecurity posture.
3. Risks associated with individual systems or small groups of systems.

128

Question 35

Three levels of risk management

Risks at one tier sometimes inform adjacent risks. A surge in asset level risks may indicate defects in process level risks.

Question 36

Gap Analysis

When a security manager is developing actual plans for implementing components of the information risk management program, they must understand the current state of the program. They should conduct a gap analysis to..

Answer 36

determine which elements of the current state remain, can be disgarded, or should be replaced

129

Question 37

External Support

External sources of information and expertise that a security manager can lean on when developing the risk management program

Answer 37

1. Consultants
2. Security round tables
3. Organisation chapters
4. Published information risk management practices
5. Security industry news sources
6. Research organisation reports
7. Advisory services
8. Training
9. Books
10. Conferences
11. Intelligence services

130/131

Question 38

Risk Management Lifecycle

Risk management is a cyclical process and formally defined in policy and process documents that define…

Risk Management Lifecycle

Answer 38

1. Scope
2. Roles and responsibilities
3. Workflow
4. Business rules
5. Business records

132

Question 39

Risk Management Lifecycle

Information risk management reslies upon risk assessments that consider..

Answer 39

Valid threats against the organisations assets, considering any present vulnerabilities

132

Question 40

Risk Management Lifecycle

Risk treatment decisions about risks are made after weighing various risk treatment options. These decisions are typically made by..

Answer 40

a business owner associated with the affected business activity

132

Question 41

The Risk Management Process

The risk management process consists of a set of structued activities that enable an organisation to manage risks systematically

Answer 41

1. Scope definition
2. Asset identification and valuation
3. Risk appetite
4. Risk identification
5. Risk analysis
6. Risk treatment
7. Risk communication

132/133

Question 42

The Risk Management Process

Risk Identification:
The organisation identifies a risk that comes from one of several sources including…

Answer 42

1. Risk assessment
2. Vulnerability assessment
3. Threat advisory
4. Risk analysis

1. An overall or focused risk assessment
2. Security scans, pentest, source code scan
3. Advisory from product vendor, threat intelligence feed, or news story
4. Analysis of a risk may uncover other associated risks

132

Question 43

The Risk Management Process

Risk analysis:
Risk analysis determines several characteristics..

Answer 43

1. Proability of event occurrance
2. Impact of event occurance
3. Mitigation
4. Recommendation

1. Calculating the likelihood that an event associated with a risk will occur
2. Determine the impact of each given risk. Can be evaluated qualitatively (high, medium, low) or quantitiatively (dolar value)
3. Determines different methods and techniques (and possibly each associated cost) of risk mitigation
4. Developed recommended course of action

133

Question 44

The Risk Management Process

Risk treatment:
An individual decision maker or committee will make a decision about specific risk

Answer 44

1. Accept
2. Mitigate
3. Transfer
4. Avoid

1. No action is taken
2. Implement or take some form of action that serves to reduce the probability or impact of the risk occurrance
3. Typically involves taking out an insurance policy
4. Discontinuing the activity or technology associated with the risk

133

Question 45

The Risk Management Process

A risk register is the primary business record used by most risk management programs. It will typically contain

Answer 45

1. Description of the risk
2. Level and type of risk
3. Information relating to risk treatment options

133