10. Cloud Vendor Management Flashcards
Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done?
A. Removed the threat
B. Reduced the threat
C. Removed the vulnerability
D. Reduced the vulnerability
Answer: C. Removed the vulnerability
By applying the patch, Jen has removed the vulnerability from her server. This also has the effect of eliminating this particular risk. Jen cannot control the external threat of an attacker attempting to gain access to her server.
You notice a high number of SQL injection attacks against a web application run by your organization, so you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk?
A. Reduced the magnitude
B. Eliminated the vulnerability
C. Reduced the probability
D. Eliminated the threat
Answer: C. Reduced the probability
Installing a web application firewall reduces the probability that an attack will reach the web server. Vulnerabilities may still exist in the web application, and the threat of an external attack is unchanged. The impact of a successful SQL injection attack is also unchanged by a web application firewall.
Questions 3–7 refer to the following scenario:
Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers.
Aziz is assessing the risk of a denial-of-service attack against the database where the attacker would destroy the data contained within the database. He expects that it would cost approximately $500,000 to reconstruct the database from existing records. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.
What is the asset value (AV)?
A. $5,000
B. $100,000
C. $500,000
D. $600,000
Answer: C. $500,000
Asset Value:
- Database reconstruction: $500,000
Exposure Factor:
- 100%
ARO:
- 5% chance of a successful attack annually = 0.05
The asset at risk in this case is the customer database. Losing the database would cost $500,000 to reconstruct, so the asset value (AV) is $500,000.
What is the exposure factor (EF)?
A. 5 percent
B. 20 percent
C. 50 percent
D. 100 percent
Answer: D. 100 percent
The attack would result in the total loss of customer data stored in the database, making the exposure factor (EF) 100 percent.
What is the single loss expectancy (SLE)?
A. $5,000
B. $100,000
C. $500,000
D. $600,000
Answer: C. $500,000
We compute the single loss expectancy (SLE) by multiplying the asset value (AV) ($500,000) and the exposure factor (EF) (100%) to get an SLE of $500,000.
SLE = AV * EF = $500,000 * 100% = $500,000
What is the annualized rate of occurrence (ARO)?
A. 0.05
B. 0.20
C. 2.00
D. 5.00
Answer: A. 0.05
Aziz’s threat intelligence research determined that the threat has a 5 percent likelihood of occurrence each year. This is an ARO of 0.05.
What is the annualized loss expectancy (ALE)?
A. $5,000
B. $25,000
C. $100,000
D. $500,000
Answer: B. $25,000
We compute the annualized loss expectancy (ALE) by multiplying the SLE ($500,000) and the ARO (0.05) to get an ALE of $25,000.
ALE = $500,000 * 0.05 = $25,000
Questions 8–11 refer to the following scenario:
Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.
Grace’s first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
Answer: C. Risk mitigation
Installing new controls or upgrading existing controls is an effort to reduce the probability or magnitude of a risk. This is an example of a risk mitigation activity.
Grace is considering dropping the customer activities that collect and store sensitive personal information. What risk management strategy would Grace’s approach use?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
Answer: B. Risk avoidance
Changing business processes or activities to eliminate a risk is an example of risk avoidance.
Grace’s company decided to install the web application firewall and continue doing business. They are still worried about other risks to the information that were not addressed by the firewall and are considering purchasing an insurance policy to cover those risks. What strategy does this use?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
Answer: D. Risk transference
Insurance policies use a risk transference strategy by shifting some or all of the financial risk from the organization to an insurance company.
In the end, Grace found that the insurance policy was too expensive and opted not to purchase it. She is taking no additional action. What risk management strategy is Grace using in this situation?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
Answer: A. Risk acceptance
When an organization decides to take no further action to address remaining risk, they are choosing a strategy of risk acceptance.
Brian recently conducted a risk mitigation exercise and has determined the level of risk that remains after implementing a series of controls. What term best describes this risk?
A. Inherent risk
B. Control risk
C. Risk appetite
D. Residual risk
Answer: D. Residual risk
The residual risk is the risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk.
Joe is authoring a document that explains to system administrators one way in which they might comply with the organization’s requirement to encrypt all laptops. What type of document is Joe writing?
A. Policy
B. Guideline
C. Procedure
D. Standard
Answer: B. Guideline
The key term in this scenario is “one way.” This indicates that compliance with the document is not mandatory, so Joe must be authoring a guideline. Policies, standards, and procedures are all mandatory.
Greg would like to create an umbrella agreement that provides the security terms and conditions for all future work that his organization does with a vendor. What type of agreement should Greg use?
A. BPA
B. MOU
C. MSA
D. SLA
Answer: C. MSA
Master service agreements (MSAs) provide an umbrella contract for the work that a vendor does with an organization over an extended period of time. The MSA typically includes detailed security and privacy requirements. Each time the organization enters into a new project with the vendor, they may then create a statement of work (SOW) that contains project-specific details and references the MSA.
Which one of the following documents must normally be approved by the CEO or a similarly high-level executive?
A. Standard
B. Procedure
C. Guideline
D. Policy
Answer: D. Policy
Policies require approval from the highest level of management, usually the CEO. Other documents may often be approved by other managers, such as the CISO.
Which one of the following would not normally be found in an organization’s information security policy?
A. Statement of the importance of cybersecurity
B. Requirement to use AES-256 encryption
C. Delegation of authority
D. Designation of the responsible executive
Answer: B. Requirement to use AES-256 encryption
Security policies do not normally contain prescriptive technical guidance, such as a requirement to use a specific encryption algorithm. This type of detail would normally be found in a security standard.
Gwen is developing a new security policy for her organization. Which one of the following statements does not reflect best practices for policy development?
A. All stakeholders should agree with the proposed policy.
B. The policy should follow normal corporate policy approval processes.
C. Policies should match the “tone at the top” from senior business leaders.
D. Cybersecurity managers are typically responsible for communicating and implementing approved security policies.
Answer: A. All stakeholders should agree with the proposed policy.
Policies should be developed in a manner that obtains input from all relevant stakeholders, but it is not necessary to obtain agreement or approval from all stakeholders. Policies should follow normal corporate policy approval processes and should be written in a manner that fits within the organizational culture and “tone at the top.” Once an information security policy is approved, it commonly falls to the information security manager to communicate and implement the policy.
Which one of the following items is not normally included in a request for an exception to the security policy?
A. Description of a compensating control
B. Description of the risks associated with the exception
C. Proposed revision to the security policy
D. Business justification for the exception
Answer: C. Proposed revision to the security policy
Requests for an exception to a security policy would not normally include a proposed revision to the policy. Exceptions are documented variances from the policy because of specific technical and/or business requirements. They do not alter the original policy, which remains in force for systems not covered by the exception.
A U.S. federal government agency is negotiating with a cloud service provider for the use of IaaS services. What program should the vendor be certified under before entering into this agreement?
A. FIPS 140-2
B. Common Criteria
C. FedRAMP
D. ISO 27001
Answer: C. FedRAMP
All of these programs may play a role in the relationship, but the most important is the Federal Risk and Authorization Management Program (FedRAMP). This program applies specifically to cloud services and applies across the U.S. government.
FIPS 140-2 certification is only required for cryptographic modules, and there is no mention of these services in the question. The Common Criteria are generally only used for hardware and software, not services. ISO 27001 is a voluntary standard that is not required by the U.S. federal government.
The accounting department in your organization is considering using a new cloud service provider. As you investigate the provider, you discover that one of their major investors withdrew their support and will not be providing future funding. What major concern should you raise?
A. Vendor lock-in
B. Vendor suitability
C. Vendor security
D. Vendor viability
Answer: D. Vendor viability
While all of these concerns exist in any vendor relationship, the key issue in this case is that the vendor may not have sufficient financial support to continue operations. If there’s a chance the vendor will shut down services before the end of the contract period, this is a vendor viability concern.