2. Information Risk Management Flashcards
Name common Risk Management Frameworks
ISO 27001 - in requirements 4 through 10
ISO 27005
ISO 31010
NIST 800-37
COBIT 5
RIMS Risk Maturity Model
Facilitated Risk Assessment Process
T or F: The scope of a Risk Management Process is NOT iterative
True
Also includes geographical or business unit parameters
What are the steps of the iterative risk management process
Risk Identification
Risk Analysis
Risk Treatment
What is the primary business record in most risk management programs
Risk Register or Ledger
Compare NIST 800-30 and 800-37
800-30 - conducting Risk Assessment
800-37 - RMF
Which RMF helps a risk manager understand the factors that contribute to a risk and is considered complementary to NIST 800-30 and ISO 27005
FAIR - Factor Analysis of Information Risk
FAIR uses six types of losses as defined by Productivity, Response, Replacement, Fines and Judgements, Competitive Advantage and Reputation.
Uses “what if” analysis to determine the probability of a threat event
How does a BIA differ from a Risk Assessment?
BIA identifies the most critical business processes.
What is the Risk Analysis approach developed by Carnegie Mellon
Octave
Octave Allegro is the latest version, with 8 steps
What is defined as the capacity of a temporary or recovery process as compared to the normal process
Recovery capacity objective (RCapO)
What is defined as the level or quality of service that is required after an event
Service Delivery Objective (SDO)
What is defined as the point of no return after a disaster
Maximum tolerable downtime (MTD) aka Acceptable Interruption Window (AIW)
MTDs are not for the entire business but typically for critical business functions
What is the metric that measures how long an organization can tolerate operating in recovery or alternative processing mode
Maximum tolerable outage (MTO) aka Maximum acceptable outage (MAO)
If a steering committee has decided to accept a risk, should the security manager simply mark it as permanently closed on the Risk Register
No. It should be put in a state to be reconsidered after a time period.
What is the scheme that prescribes required methods to protect information at rest, in motion and in transit
Data Classification Policy
Would a code review be included in a risk management process
No. Too narrow and tactical in nature
Per ISO 27005 and other risk management frameworks what steps must be completed prior to the start of a risk assessment
Determine scope, purpose and criteria for the audit
Would removing a risk from a final report be considered Risk Acceptance?
True, but questionable, and a risk manager might need to report this as a protest.
Is FAIR considered a risk management methodology / framework
No. It is a risk assessment methodology and more concerned with the outcomes of risk assessment.
Uses “what if” analysis to determine the probability of a threat event
To establish an asset classification scheme, does there need to be a data classification program
No. Even in the absence of a data classification program, you can classify assets based on criticality and map them to a BIA
What are the primary criteria of a data classification program even with regulatory requirements
Monetary value, operational criticality and sensitivity.
If you are developing a system classification plan how would support servers generally be categorized
Support servers should be classified at the same level as the highest level of server they support.
What is the biggest challenge when implementing a data classification program
Training end users on data handling procedures, since their willingness to comply is challenging
Is repair cost a valid method for assigning asset value
No.
Valid methods are: net present value, replacement cost, book value, redeployment cost, creation cost, reacquisition cost, and consequential financial cost.
What mechanism does GDPR provide for multi-national organizations to make internal transfer of PII
Binding Corporate Rules. Typically used for internal HR information
What are used between organizations to legally obligate them to comply with GDPR
Model Clauses
What do organizations use to register their obligations to comply with GDPR, and that provides the legal framework for the transfer of information from Europe to the US
Privacy Shield, which replaced Safe Harbor in 2015
What is the best way to report key findings from penetration testing to Executive Management
Develop a Key Risk Indicator (KRI)
What is the correct sequence of events when onboarding a third-party service provider
Examine Services and determine they are a good fit for
Identify key risks based on due diligence
Perform Risk Treatment
Contract negotiation
What is the factor that is most difficult to determine
Event probability, especially for high-impact events.
T or F: Do all organizations that process credit card data need to submit an Attestation of Compliance (AOC)
True
Should a SaaS company accept “Best Practices” in contract language from a prospective client
No. They should use industry standard practices.
What are common ranges of CMMI levels within industry standards
2.5-3.5 out of 5
In a mature third-party risk management program how often are third parties typically assessed.
Always at on-boarding
Annually if high risk
2-3 years if medium risk
Never if low risk
What is the best technique to discover most or all of the third-party service providers used in an Organization
Use a Cloud Access Security Broker (CASB) to record traffic
T or F the DPO should report to the highest level in an organization
True
Article 38: the DPO shall report to the highest management level of the controller or processor