10: 2 Risk Management

Question 1

Risk Management

Answer 1

Systematically Analyzing potential responses to each risk and implementing strategies to control those risks appropriately

Question 2

Risk Management Strategies (4)

Answer 2

Avoidance, Transference, Mitigation, or Acceptance

Question 3

Risk Avoidance

Answer 3

Change the organization’s business practice so risk can no longer affect business

Question 4

Risk Transference

Answer 4

Shifting impact of risk to another organization (i.e. insurance)

Question 5

Risk Mitigation

Answer 5

Reduces likelihood or impact of risk

Question 6

Risk Acceptance

Answer 6

Accept risk without taking further action

Question 7

Risk Profile

Answer 7

Full set of risks facing an organization

Question 8

Inherent Risk

Answer 8

Risk that exists without any controls in place

Question 9

Residual Risk

Answer 9

Risk that exists after a control has been implemented

Question 10

Control Risk

Answer 10

Risk added by adding a control

Question 11

Security Controls

Answer 11

Procedures and mechanisms that an organization puts in place to manage security risks

Question 12

Defense in Depth

Answer 12

More than 1 control used to protect against one objective

Question 13

Preventitive Control

Answer 13

Goal is to stop an issue from occurring in the first place (firewall)

Question 14

Detective Control

Answer 14

Identify that a potential security issue has taken place (intrusion detection system)

Question 15

Corrective Control

Answer 15

Remediate security issues that have already controlled (restoring from backup)

Question 16

Deterrent Control

Answer 16

Prevent an attacker from seeking to violate security policies

Question 17

Physical Controls

Answer 17

Impact the physical world

Question 18

Compensating Control

Answer 18

Fill a known gap in a security environment

Question 19

Technical Controls

Answer 19

Use of technology to achieve security objectives

Question 20

Operational Controls

Answer 20

Use Human-Driven processes to manage technology in a secure manner

Question 21

Management Controls

Answer 21

Improve the security of the risk management process itself

Question 22

Risk Control Assessment timespan

Answer 22

Single Point in Time

Question 23

Control Assessment

Answer 23

Test control effectiveness

Question 24

Measuring Control effectiveness

Answer 24

Compromised end-user accounts, Vulnerabilities in Public-Facing systems, critical findings in scans, data breaches requiring notification

Question 25

Risk Management Framework

Answer 25

provides proven, time-tested techniques for risk management

Question 26

NIST SP 800-37

Answer 26

Risk Management Framework - widely adopted by organizations

Question 27

6 Steps in Managing Risk

Answer 27

Categorize, Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize Information Systems, Monitor Security Controls

Question 28

1) Categorize Information System

Answer 28

Gather information in two categories (technology architecture and organization inputs)

Question 29

Control Frameworks

Answer 29

Guide Security Program Design

Question 30

COBIT

Answer 30

Control Objectives for IT - Business focused control framework

Question 31

ISO 27001

Answer 31

covers cybersecurity control objectives

Question 32

ISO 27002

Answer 32

covers cybersecurity control implementations

Question 33

ISO 27701

Answer 33

Covers Privacy Controls

Question 34

ISO 31000

Answer 34

Cover Risk management program guidance

Question 35

NIST 800-53

Answer 35

Mandatory for Federal Agencies

Question 36

NIST Cybersecurity Framework

Answer 36

Provides a common language for cybersecurity risk, helps identity and prioritize actions, aligns security actions across control types

Question 37

Risk Register

Answer 37

Maintains risk visibility, tracking risk information

Question 38

Risk Register Contents

Answer 38

Description, Category, Probability and Impact, Risk Rating

Question 39

Risk Register Information Sources

Answer 39

Risk Assessment Results, Audit Findings, Team Member Outputs, Threat Intelligence

Question 40

Threat Intelligence

Answer 40

Sharing of threat knowledge across organizations, may be used both strategically and operationally

Question 41

Risk Matrix

Answer 41

Quickly summarizes risks using color scheme.

Question 42

Data Controller

Answer 42

Determines the reasons for processing personal info and direct the methods of processing

Question 43

Data processor

Answer 43

Service providers that process personal information on behalf of a data controller

Question 44

Data owner

Answer 44

Business leaders with overall responsibility for the data - sets policies and guidelines

Question 45

Data steward

Answer 45

Handle the day-to-day governance activities

Question 46

Data Custodian

Answer 46

Store and process information, often IT staff members

Question 47

DPO

Answer 47

Data Protection Officer