2. Information Risk Management

Question 1

Name common Risk Management Frameworks

Answer 1

ISO 27001 - in requirements 4 through 10

ISO 27005 -

ISO 31010

NIST 800-37

COBIT 5

RIMS Risk Maturity Model

Facilitated Risk Assessment Process

Question 2

T or F Scope of a Risk Management Process is NOT Iterative

Answer 2

True

Also included geographical or business unit parameters

Question 3

What are the steps of the iterative risk management process

Answer 3

Risk Identification
Risk Analysis
Risk Treatment

Question 4

What is the primary business record in most risk management programs

Answer 4

Risk Register or Ledger

Question 5

Compare NIST 800-30 and 800-37

Answer 5

800-30 - conducting Risk Assessment

800-37 - RMF

Question 6

Which RMF helps a risk manager understand the factors that contribute to a risk and is considered complementary to NIST 800-30 and ISO 27005

Answer 6

FAIR - Factor Analysis of Information Risk

FAIR uses six types of losses as defined by Productivity, Response, Replacement, Fines and Judgements, Competitive Advantage and Reputation.

Uses “what if” analysis to determine the probability of a threat event

Question 7

How does a BIA differ from a Risk Assessment?

Answer 7

BIA identifies the most critical business processes.

Question 8

What is the Risk Analysis approach developed by Carnegie Mellon

Answer 8

Octave
Octave Allegro latest version of 8 steps

Question 9

What is defined as the capacity of a temporary or recovery process as compared to the normal process

Answer 9

Recovery capacity objective (RapO)

Question 10

What is defined as the level or quality of service that is required after an event

Answer 10

Service Delivery Objective (SDO)

Question 11

What is defined as the point of no return after a disaster

Answer 11

Maximum tolerable downtime (MTD) aka Acceptable Interruption Window (AIW)

MTD’s are not for the entire business but typically for critical business functions

Question 12

What is the metric that measures how long an organization can tolerate in recovery or alternative processing mode

Answer 12

Maximum tolerable outage (MTO) aka Maximum acceptable outage (MAO)

Question 13

If a steering committee has decided to accept a risk should the security manager simply mark as permanently closed on Risk Register

Answer 13

No. It should be put in a state to be reconsidered after a time period.

Question 14

What is the scheme that prescribes required methods to protect information at rest, in motion and in transit

Answer 14

Data Classification Policy

Question 15

Would a code review be included in a risk management process

Answer 15

No. too narrow and tactical in nature

Question 16

Per ISO 27005 and other risk management frameworks what steps must be completed prior to the start of a risk assessment

Answer 16

Determine scope, purpose and criteria for the audit

Question 17

Removing a risk from a final report would be considered Risk Acceptanct?

Answer 17

True but questionable and a risk manager might need to report this as a protest.

Question 18

is FAIR considered a risk management methodology / Framework

Answer 18

No. It is a risk assessment methodology and more concerned with the outcomes of risk assessment.

Uses what if analysis to determine the probability of a threat event

Question 19

To establish an asset classification scheme does their need to be a data classification program

Answer 19

No. even in the absence of a data classification program you can base assets on criticality and mapped to a BIA

Question 20

What are the primary criteria of a data classification program even with regulatory requirements

Answer 20

Monetary value, operational criticality and sensitivity.

Question 21

If you are developing a system classification plan how would support servers generally be categorized

Answer 21

Support servers should be classified at the same level as the highest level of server they support.

Question 22

What is the biggest challenge when implementing a data classification program

Answer 22

Training end users on data handling procedures since the willingness for them to comply is challenging

Question 23

Is repair cost a valid method for assigning asset value

Answer 23

No.
Net present value, replacement cost, book value, redeployment cost, creation cost, reacquisition cost, and consequential financial cost.

Question 24

What mechanism does GDPR provide for multi-national organizations to make internal transfer of PII

Answer 24

Binding Corporate rules. typically, internal HR information

Question 25

What are used between organizations to legally obligate them to comply with GDPR

Answer 25

Model Clauses

Question 26

What do organizations use to register their obligations to comply with GDPR and provides the legal framework for the transfer of information from Europe to US

Answer 26

Privacy Shield which replaces Safe Harbor in 2015

Question 27

What is the best way to report key finding from penetration testing to Executive Management

Answer 27

Develop a Key Risk Indicator (KRI)

Question 28

What are the correct sequence of events when onboarding a third-party service provider

Answer 28

Examine Services and determine they are a good fit for

Identify key risks based on due diligence

Perform Risk Treatment

Contract negotiation

Question 29

What is the factor that is most difficult to determine

Answer 29

Event Probability especially for high-impact events.

Question 30

T or F do all organizations that process credit card data need to submit an attestation of compliance (AOC)

Answer 30

True

Question 31

Should a SaaS company accept “Best Practices” in contract language from a prospective client

Answer 31

No - they should use industry standard practices.

Question 32

What are common ranges of CMMI levels within industry standards

Answer 32

2.5-3.5 out of 5

Question 33

In a mature third-party risk management program how often are third parties typically assessed.

Answer 33

Always at on-boarding

Annually if high risk
2-3 years if medium risk
never if low risk

Question 34

What is the best technique to discover most or all of the third-party service providers used in an Organization

Answer 34

Use Cloud Access Security Broker (CASB) to record traffic

Question 35

T or F the DPO should report to the highest level in an organization

Answer 35

True
Article 38 shall report toe highest management level of the controller or processor