2. Information Risk Management Flashcards
Name common Risk Management Frameworks
ISO 27001 - in requirements 4 through 10
ISO 27005
ISO 31010
NIST 800-37
COBIT 5
RIMS Risk Maturity Model
Facilitated Risk Assessment Process
T or F: The scope of a Risk Management Process is NOT iterative
True
Scope also includes geographical or business-unit parameters
What are the steps of the iterative risk management process?
Risk Identification
Risk Analysis
Risk Treatment
What is the primary business record in most risk management programs?
Risk Register or Ledger
Compare NIST 800-30 and 800-37
800-30 - guide for conducting Risk Assessments
800-37 - Risk Management Framework (RMF)
Which RMF helps a risk manager understand the factors that contribute to a risk and is considered complementary to NIST 800-30 and ISO 27005?
FAIR - Factor Analysis of Information Risk
FAIR defines six types of loss: Productivity, Response, Replacement, Fines and Judgements, Competitive Advantage, and Reputation.
FAIR uses "what if" analysis to determine the probability of a threat event
How does a BIA differ from a Risk Assessment?
BIA identifies the most critical business processes.
What is the Risk Analysis approach developed by Carnegie Mellon?
OCTAVE
OCTAVE Allegro is the latest version and consists of 8 steps
What is defined as the capacity of a temporary or recovery process as compared to the normal process?
Recovery Capacity Objective (RCapO)
What is defined as the level or quality of service that is required after an event?
Service Delivery Objective (SDO)
What is defined as the point of no return after a disaster?
Maximum tolerable downtime (MTD) aka Acceptable Interruption Window (AIW)
MTDs are not set for the entire business but typically for individual critical business functions
What is the metric that measures how long an organization can tolerate operating in recovery or alternative processing mode?
Maximum tolerable outage (MTO) aka Maximum acceptable outage (MAO)
If a steering committee has decided to accept a risk, should the security manager simply mark it as permanently closed in the Risk Register?
No. It should be put in a state to be reconsidered after a time period.
What is the scheme that prescribes the required methods to protect information at rest, in motion and in transit?
Data Classification Policy
Would a code review be included in a risk management process?
No. It is too narrow and tactical in nature