1.10 Understand and Apply Risk Management Concepts Flashcards

1
Q

What questions does Risk Management aim to answer?

A

What controls should be used and which controls are most effective? | How can assets be adequately protected without enough resources present?

2
Q

What is a common challenge every organization ponders when implementing Risk Management?

A

How can we best protect numerous assets with limited resources?

3
Q

What is risk management?

A

Risk management is the identification, assessment, and prioritization of risks and the cost-efficient application of resources to minimize the probability and/or impact of these risks.

4
Q

What must be understood in order to identify and implement the most cost-effective security control of an asset?

A

The value of the protected asset.

5
Q

What is the primary issue regarding controls that are inefficient and not cost-effective?

A

The value of the organization is being eroded. Basically, each asset adds value to an organization. | Example: A $100,000 security control to protect an asset that is calculated to cost the company $1,000 per year is not cost-effective at all.

6
Q

What are the 3 steps when conducting risk management?

A

1. Quantitative and Qualitative Asset Value Analysis | 2. Asset Risk Analysis | 3. Risk Treatment (Avoid, Transfer, Mitigate, Accept)

7
Q

Why is it important to perform Quantitative/Qualitative Value Analysis on all Assets before performing Risk Analysis?

A

To determine which assets are most valuable to an organization. This helps identify areas that should rank higher in importance when considering possible treatment measures. | Example: If a single server worth $15,000 is owned by the organization, it is valuable, but not compared to the 50 employee PCs estimated at $1,000 a piece.

8
Q

What four components are used when performing quantitative or qualitative risk analysis for an asset?

Two Identification Measures | Two Consideration Measures

A

Threat Analysis: Determining potential Dangers to an Asset. | Vulnerability Analysis: Identifying Weaknesses that could be exploited by an attacker

Impact Consideration: The extent to which an asset would be negatively affected.

Probability/Likelihood Consideration: The chance a risk might materialize due to a given threat or vulnerability.

9
Q

What are the Four ways a risk can be dealt with?

A

Avoidance: Negating the risk entirely by avoiding it (Moving hardware to the cloud) | Transference: Purchasing Insurance Policies | Mitigation: Implementing Controls to Reduce Risk | Acceptance: The owner of an asset accepts the level of risk.

10
Q

Is Risk Management for Previously Assessed Assets Necessary? Why or Why Not?

A

Yes. Risk Management is an ongoing process as the organization’s technology, threat landscape, vulnerabilities, and impact of risks occurring are constantly changing.

11
Q

Give examples of assets that can be valued by an organization?

A

Anything/everything. Building, Equipment, Critical Business Processes, Company Reputation, and more.

12
Q

What two forms of analysis can be used to assess an asset's value?

A

Quantitative and Qualitative analysis.

13
Q

How should an organization determine which assets are most valuable when performing analysis?

A

By implementing a ranking system based on the asset's determined value.

14
Q

What are three traits of qualitative analysis?

A

Does not attempt to assign monetary value | Relative ranking system based on professional judgement and uses words like “Low”, “Medium”, “High”, “1-5”, “Probability” or “Likelihood”. | Relatively simple and efficient.

15
Q

What are three traits of Quantitative Analysis?

A

Assigns objective monetary value to assets | Fully quantitative process when all elements are quantified | Purely quantitative is difficult to achieve and time consuming

16
Q

Why is risk analysis not effective without support from senior management and asset owners?

A

Owners best understand the value of an asset to the organization, therefore owners must be deeply involved in the risk analysis process.

17
Q

What are the three main components to a risk being present?

A

The asset potentially at risk | Threats: Any potential dangers that can cause damage to an asset, like natural disasters, hackers, disgruntled employees, social engineering, etc. | Vulnerability: Weaknesses that exist, anything that allows a threat to gain an advantage and damage an organization. Includes open ports with vulnerable services, lack of network segregation, lack of patching and OS updating.

18
Q

Name 5 risks and their associated threats and potential vulnerabilities.

A

1. Natural/Environmental - Flood: Building located on a flood plain.
2. Human - Hacker: Employee hasn’t been sufficiently trained for social engineering attacks.
3. Operational/Process - Process susceptible to Fraud (Issuing checks): No segregation of duties implemented to prevent fraud
4. Technical - Malware: Unpatched software.
5. Physical - Power Outage: No backup Power System

19
Q

What equation can be used to calculate risk? (Bonus: Name the factor that can be used to calculate the degree of exposure?)

A

Risk = Threat * Vulnerability * Impact

20
Q

What is a Threat Agent in Risk Management?

A

An entity with the potential to cause damage to an asset (external attackers, disgruntled employees, etc.)

21
Q

What is a Threat in Risk Management?

A

Any potential danger.

22
Q

What is an Attack in Risk Management?

A

Any harmful action that exploits a vulnerability.

23
Q

What is a Vulnerability in Risk Management?

A

A weakness in an asset that can be exploited.

24
Q

What is a Risk in Risk Management?

A

A significant exposure to a threat or vulnerability. (A weakness that exists in the architecture, process, function, technology, or asset)

25
Q

What is an Asset in Risk Management?

A

Anything that is valued by the organization.

26
Q

What is Exposure/Impact in Risk Management?

A

Negative consequences to an asset if the risk is realized (loss of life, reputational damage, downtime, etc.)

27
Q

What are Countermeasures and Safeguards in Risk Management?

A

Controls implemented to reduce threat agents, threats, and vulnerabilities, and to reduce the negative impact of a risk being realized.

28
Q

What is a Residual Risk in Risk Management?

A

The risk that remains after countermeasures and safeguards (controls) are implemented.

29
Q

Fill in the Risk Management blanks:
______ gives rise to | ______ which exploits | ______ which leads to | ______ which can damage | ______ which causes | ______/______ which can be countered with | ______ and ______ ______ to reduce ______, ______, and ______ which result in | ______ ______.

Includes Residual Risk, Risk, Threat, Threat Agent, vuln, exposure, etc.

A

Threat Agent gives rise to | Threat which exploits | Vulnerabilities which leads to | Risk which can damage | Assets which causes | exposure/impact which can be countered with | safeguards and countermeasures to reduce Threat Agents, Threats, and Vulnerabilities which result in | Mitigated risks

30
Q

What three Risk Management terms do Countermeasures and Safeguards reduce?

A

Threat Agents, Threats, and Vulnerabilities.

31
Q

How do you calculate Annual Loss Expectancy (ALE)?

A

ALE = SLE (AV * EF) * ARO

32
Q

What is “Asset Value”?

A

The cost of the asset in a monetary value. (i.e., a CCTV that costs $2,000)

33
Q

What is “Exposure Factor (EF)”? How is this determined?

A

Measured as a percentage, expresses how much of the asset’s value stands to be lost in case of a risk materializing. (For instance, if voltage spikes cause a loss of several CCTV cameras a year costing them a total of $200, then the EF is 10%)

CCTV System as a whole is $2,000.

EF is ALWAYS a percentage from 0-100%.

34
Q

What is Single Loss Expectancy (SLE)? How do you calculate this?

A

Denotes how much it will cost if the risk occurs once. Calculated by multiplying the Asset Value by the Exposure Factor. [SLE = AV * EF]

35
Q

What is Annualized Rate of Occurrence (ARO)? How do you calculate this?

A

Denotes how many times each year a risk is likely to occur. For example, if a voltage spike occurs three times a year, the ARO is 3.

36
Q

What is Annualized Loss Expectancy (ALE)? How do you calculate this?

A

Expressed as the annual cost of the risk materializing. [ALE = SLE * ARO]

37
Q

Which component is useful in understanding how much money a risk is expected to cost an organization each year?

A

Annual Loss Expectancy (ALE)

38
Q

When should a company accept a risk rather than implement controls to mitigate the risk?

A

When the cost of mitigation exceeds the value of the asset.

39
Q

How do you calculate the Annual Loss Expectancy (ALE) when you know the Annual Rate of Occurrence (ARO), Asset Value, and Exposure Factor?

i.e. ARO = 5, Asset Value = $2,000, Exposure Factor = 50%.

A

You first find the Single Loss Expectancy (SLE) by multiplying the Asset Value * Exposure Factor. [$2,000 * 25% = $500]. Then calculate: ALE = SLE ($500) * ARO (5). The total here would be: ALE = $2,500.

40
Q

What are the 4 Methods an Organization can use to manage Risk?

A

Avoid | Mitigate | Transfer | Accept

41
Q

What does it mean to Avoid Risk? What are some drawbacks?

A

To entirely remove the organization from the risk. For example, only building in-land to avoid hurricanes. | This can cause a loss in opportunity cost since organizations on the coast may not do business. | Organizational expansion requires risk to grow, so not all risk should be avoided.

42
Q

What does it mean to Transfer Risk? What are some drawbacks?

A

Transference means to share the risk with another party, such as insurance companies. For a premium, the insurance company will cover a bulk of the impact if a risk actualizes. | Responsibility is transferred, though accountability cannot be transferred.

43
Q

What does it mean to Mitigate Risk? Is this a preferred method? Why/Why not?

A

Mitigation involves implementing controls to reduce the risk to an acceptable level. | Yes. Risk cannot be reduced to zero, though it can be reduced to a point where acceptance or transference is safe to occur.

44
Q

What does it mean to Accept Risk? When does this occur? Who should make this decision?

A

Simply put, to take no action or further action where risk to an asset is concerned. | Happens when the cost to control a risk exceeds the value of an asset. Another example is accepting residual risk after mitigation controls have been put in place. | The asset owner or senior management should be the only ones to make this call since they are accountable for the asset.

45
Q

What is Risk Ignorance? How does this relate to Due Care and Due Diligence?

A

Ignoring a risk entirely. This does not adhere to due care or due diligence and can lead to financial fines and reputational damages.

46
Q

What are the Seven Types of Major Risk Controls?

A

Compensating, Corrective, Detective, Deterrent, Directive, Preventive, and Recovery.

47
Q

What is a Directive Control? Provide an example.

A

Direct, Confine, or control the actions of subjects to force or encourage compliance with Security Policies. | A Fire Exit Sign.

48
Q

What is a Deterrent Control? Provide an example.

A

A control that discourages violation of security policies | A ‘Trespassers will be shot’ sign. Anything that deters, but cannot stop, someone.

49
Q

What is a Preventive Control? Provide an example.

A

Anything that prevents undesired actions or events. | A fence that prevents someone from walking on the property, or not having flammable materials around.

50
Q

What is a Detective Control? Provide an example.

A

Anything used to identify if a risk has occurred | A smoke alarm

51
Q

What is a Corrective Control? Provide an example.

A

Anything used to minimize the negative impact of a risk occurring/minimize the damage | A fire suppression system.

52
Q

What is a Recovery Control? Provide an example.

A

Designed to recover a system or process and return to normal operation following an incident | A data backup policy allowing restoration of data on an affected server after an incident takes place.

53
Q

What is a Compensating Control? Provide an example.

A

Typically deployed with other controls to aid in reinforcement and supplement their effectiveness. | Example is a Host Intrusion Detection System (HIDS) being deployed on a critical server, even though a Network Intrusion Prevention System (NIPS) exists on the subnet. The HIDS compensates for the NIPS by allowing additional detection of risk if a malicious actor bypasses the NIPS and gets access to the critical server.

54
Q

What is Defense-in-Depth?

A

Defense in Depth is layered security which uses multiple controls at each layer to ensure security.

55
Q

How can a company obtain “Complete” control of a risk?

A

By using a combination of Preventive, Detective, and Corrective controls against a risk.

56
Q

What controls are enforced AFTER an incident occurs?

A

Recovery, Corrective, and Detective.

57
Q

What controls are enforced BEFORE an incident occurs?

A

Deterrent, Directive, Compensating, Preventive.

58
Q

Are Safeguards Proactive or Reactive? Why?

A

Safeguards are proactive because they are put in place before a risk has occurred to deter or prevent it from manifesting.

59
Q

Are Countermeasures Proactive or Reactive? Why?

A

Countermeasures are reactive because they are put in place after a risk has actualized, which allows us to detect and respond accordingly.

60
Q

What Controls are considered Countermeasures?

A

Recovery, Corrective, and Detective.

61
Q

What Controls are considered Safeguards?

A

Preventive, Directive, Deterrent, and Compensating.

62
Q

What Three Categories can Controls be classified into?

A

Administrative, Logical/Technical, and Physical.

63
Q

What is an Administrative Control? Give an example.

A

Policies, Procedures, Baselines, and guidelines are all classified as administrative controls. This also includes background checks, acceptable use, network policy, onboarding/offboarding policies, and similar things that are documents and processes.

64
Q

What is a Logical/Technical Control? Give some examples.

A

Firewalls, Intrusion Prevention Systems (IPS)/Intrusion Detection Systems (IDS), Anti-Virus (AV), antimalware, proxies, and similar tools.

65
Q

What is a Physical Control? Give some examples.

A

Doors, fences, gates, mantraps, guards, CCTV, etc.

66
Q

What is the discerning difference between Logical and Technical Controls?

A

Logical Controls are the software components, Technical Controls are the hardware components.

67
Q

What are examples of some Control Types when paired with a classification?

A

See Page 52 of CISSP Training Guide. (Table 1-22)

68
Q

What two Aspect Types should be considered when implementing a Control?

A

Functional Aspects and Assurance Aspects.

69
Q

What is a Functional Aspect of a control? Give an example.

A

A functional aspect ensures the control performs the function it was designed to address/does what it is meant to do. | A firewall filtering traffic between subnets.

70
Q

What is an Assurance Aspect of a control? Give an example.

A

Control can be proven to be functioning properly on an ongoing basis | Proven through testing, assessments, logging, and monitoring.

71
Q

Why does implementing any security control always have a negative impact on an organization?

A

Security controls make systems more difficult to use, slower, more complicated, and so on.

72
Q

Is ‘security for the sake of security’ okay?

A

No. Security controls should always be balanced between maximum security for a minimal cost.

73
Q

What criteria should be considered when evaluating what controls to implement?

A

Alignment with the organization’s goals | Cost-effectiveness | Complete Control (Preventive, Detective, and Corrective at a Minimum) | Functional and Assurance effectiveness.

74
Q

What is the best way to determine if an implemented security control is effective?

A

Metrics! :)

75
Q

“Metrics that Matter” is found when you overlap what two ideas?

A

Risk Metrics and Audience.

76
Q

The Deming Cycle, also known as the Plan Do Check Act (PDCA) cycle, is used to demonstrate what process?

A

The ongoing Risk Management Cycle.

77
Q

Describe each step of the Plan Do Check Act (PDCA) cycle.

A

Plan: Determine what controls to implement based on identified risk | Do: Implement Controls | Check: Monitor and Assurance, are controls operating effectively? | Act: Based upon findings, take actions if necessary and go back to the “Plan” stage if so.

78
Q

How often should a Risk Analysis be conducted? What determines this?

A

As often as necessary. | Frequency will depend on the nature of the business and associated risks, and should be triggered by a change in the value of an asset.

79
Q

What are some items involved in assuring Risk Management with third-party providers and services?

A

Governance Review | Site Security Review | Formal Security Audit | Penetration Testing | Adherence to Security Baselines | Evaluation of Hardware and Software | Adherence to Security Policies | Development of an Assessment Plan | Identification of Assessment Requirements for each Involved Party | Preparation of Assessment and Reporting Templates

80
Q

Who is ultimately accountable if there is an exploited risk in the supply chain that involved customer data?

A

Ultimately, the data owner. | The data owner is responsible for ensuring the third party service has appropriate risk management processes in place to protect the provided data.

81
Q

How can Risk Management Frameworks help a newly hired Risk Manager?

A

They provide a sort of template with best practices for identifying assets, risks, threats, and vulnerabilities.

82
Q

What are four popular Risk Management Frameworks?

A

NIST SP 800-37 Risk Management Framework (RMF) | ISO 31000 | COSO | and ISACA Risk IT Framework

83
Q

What is the NIST SP 800-37 RMF?

A

A guide describing the guidelines for applying the NIST SP 800-37 RMF to Information systems and organizations.

More specifically, used to identify cyber-risks.

84
Q

What is the ISO 31000?

A

A family of standards relating to risk management. The scope is to provide best practice structure and guidance to all organizations concerned with risk management.

85
Q

What is the COSO?

A

Provides a definition of essential enterprise risk management components, reviews Enterprise Risk Management (ERM) principles and concepts, and provides direction and guidance for enterprise risk management.

86
Q

What is ISACA Risk IT Framework?

A

Contains guidelines and practices for risk optimization, security, and business value. The latest version places greater emphasis on cybersecurity and aligns with the latest version of COBIT.

87
Q

What steps are involved in the NIST SP 800-37 Risk Management Framework (RMF)?

A

Prepare to execute the RMF | Categorize Information Systems | Select Security Controls | Implement Security Controls | Assess Security Controls | Authorize Information Systems | and Monitor Security Controls

88
Q

According to the NIST SP 800-37 Risk Management Framework (RMF), what occurs during the “Categorize Information Systems” step?

A

Information Systems are identified and categorized. Purpose is to determine any potential adverse impacts to the CIA (triad) of organizational operations and assets, thereby informing the organizational risk management process.

89
Q

According to the NIST SP 800-37 Risk Management Framework (RMF), what occurs during the “Select Security Controls” step?

A

Following risk assessment, controls such as management, operational, and technical safeguards or countermeasures are embedded into information systems. They are selected to protect the CIA of those systems and the information they contain.

90
Q

According to the NIST SP 800-37 Risk Management Framework (RMF), what occurs during the “Implement Security Controls” step?

A

Contains two key tasks: 1) Implement the selected security controls in the security and privacy plans and 2) Document the specific, baseline details of the control implementation. | The latter task is critical to ensure everyone understands what controls exist and to understand the controls in the context of the larger operational framework of the organization.

91
Q

According to the NIST SP 800-37 Risk Management Framework (RMF), what occurs during the “Assess Security Controls” step?

A

Helps to determine if security controls are implemented correctly, operating as intended, and meeting the security and privacy requirements for the organization. | This step involves formulation of a comprehensive plan that must be reviewed and approved.

92
Q

According to the NIST SP 800-37 Risk Management Framework (RMF), what occurs during the “Authorize Information Systems” step?

A

Requires Senior Management to decide whether it’s acceptable to operate the system in question, given the potential risk, controls, and residual risk. As well, senior management should review the plan of action related to residual risk. Finally, authorization or approval is given for a set period of time that is tied to milestones in the Plan of Action and Milestones (POA&M), which facilitates tracking and status of failed controls.

93
Q

According to the NIST SP 800-37 Risk Management Framework (RMF), what occurs during the “Monitor Security Controls” step?

A

Also referred to as the “Continuous Improvement” step. During this, questions such as “Are our security controls effective?” and “Have new vulnerabilities developed?” are examined. Automated tools have made this step executable in real time. This helps with configuration drift and other potential security incidents associated with unexpected change on different core components and their configurations.