2. Information Risk Management Flashcards

1
Q

Name common Risk Management Frameworks

A

ISO 27001 - in requirements 4 through 10

ISO 27005 -

ISO 31010

NIST 800-37

COBIT 5

RIMS Risk Maturity Model

Facilitated Risk Assessment Process

2
Q

T or F Scope of a Risk Management Process is NOT Iterative

A

True

Scope also includes geographical or business unit parameters

3
Q

What are the steps of the iterative risk management process

A

Risk Identification
Risk Analysis
Risk Treatment

4
Q

What is the primary business record in most risk management programs

A

Risk Register or Ledger

5
Q

Compare NIST 800-30 and 800-37

A

800-30 - conducting a Risk Assessment

800-37 - the Risk Management Framework (RMF)

6
Q

Which RMF helps a risk manager understand the factors that contribute to a risk and is considered complementary to NIST 800-30 and ISO 27005

A

FAIR - Factor Analysis of Information Risk

FAIR uses six types of losses as defined by Productivity, Response, Replacement, Fines and Judgements, Competitive Advantage and Reputation.

Uses “what if” analysis to determine the probability of a threat event

7
Q

How does a BIA differ from a Risk Assessment?

A

BIA identifies the most critical business processes.

8
Q

What is the Risk Analysis approach developed by Carnegie Mellon

A

OCTAVE
OCTAVE Allegro is the latest version and has 8 steps

9
Q

What is defined as the capacity of a temporary or recovery process as compared to the normal process

A

Recovery Capacity Objective (RCO)

10
Q

What is defined as the level or quality of service that is required after an event

A

Service Delivery Objective (SDO)

11
Q

What is defined as the point of no return after a disaster

A

Maximum tolerable downtime (MTD) aka Acceptable Interruption Window (AIW)

MTDs are not defined for the entire business but typically for individual critical business functions

12
Q

What is the metric that measures how long an organization can tolerate in recovery or alternative processing mode

A

Maximum tolerable outage (MTO) aka Maximum acceptable outage (MAO)

13
Q

If a steering committee has decided to accept a risk, should the security manager simply mark it as permanently closed on the Risk Register?

A

No. It should be put in a state to be reconsidered after a time period.

14
Q

What is the scheme that prescribes required methods to protect information at rest, in motion and in transit

A

Data Classification Policy

15
Q

Would a code review be included in a risk management process

A

No. Too narrow and tactical in nature.

16
Q

Per ISO 27005 and other risk management frameworks, what steps must be completed prior to the start of a risk assessment?

A

Determine scope, purpose and criteria for the audit

17
Q

Would removing a risk from a final report be considered Risk Acceptance?

A

True, but questionable; a risk manager might need to report this as a protest.

18
Q

Is FAIR considered a risk management methodology / framework?

A

No. It is a risk assessment methodology and more concerned with the outcomes of risk assessment.

Uses “what if” analysis to determine the probability of a threat event

19
Q

To establish an asset classification scheme, does there need to be a data classification program?

A

No. Even in the absence of a data classification program, assets can be classified on criticality and mapped to a BIA.

20
Q

What are the primary criteria of a data classification program, even where regulatory requirements exist?

A

Monetary value, operational criticality and sensitivity.

21
Q

If you are developing a system classification plan, how would support servers generally be categorized?

A

Support servers should be classified at the same level as the highest level of server they support.

22
Q

What is the biggest challenge when implementing a data classification program

A

Training end users on data handling procedures, since their willingness to comply is the hard part

23
Q

Is repair cost a valid method for assigning asset value

A

No.
Valid methods include net present value, replacement cost, book value, redeployment cost, creation cost, reacquisition cost, and consequential financial cost.

24
Q

What mechanism does GDPR provide for multi-national organizations to make internal transfers of PII?

A

Binding Corporate Rules (BCRs), typically used for internal HR information

25
Q

What is used between organizations to legally obligate them to comply with GDPR?

A

Model Clauses

26
Q

What do organizations use to register their obligation to comply with GDPR, which also provides the legal framework for the transfer of information from Europe to the US?

A

Privacy Shield, which replaced Safe Harbor in 2015

27
Q

What is the best way to report key findings from penetration testing to Executive Management?

A

Develop a Key Risk Indicator (KRI)

28
Q

What is the correct sequence of events when onboarding a third-party service provider?

A

Examine Services and determine they are a good fit for

Identify key risks based on due diligence

Perform Risk Treatment

Contract negotiation

29
Q

What is the risk factor that is most difficult to determine?

A

Event Probability especially for high-impact events.

30
Q

T or F: Do all organizations that process credit card data need to submit an Attestation of Compliance (AOC)?

A

True

31
Q

Should a SaaS company accept “Best Practices” in contract language from a prospective client?

A

No - they should use industry standard practices.

32
Q

What are common ranges of CMMI levels within industry standards?

A

2.5-3.5 out of 5

33
Q

In a mature third-party risk management program, how often are third parties typically assessed?

A

Always at onboarding

Annually if high risk
Every 2-3 years if medium risk
Never if low risk

34
Q

What is the best technique to discover most or all of the third-party service providers used in an organization?

A

Use Cloud Access Security Broker (CASB) to record traffic

35
Q

T or F: The DPO should report to the highest level in an organization

A

True
GDPR Article 38: the DPO shall report to the highest management level of the controller or processor
