5.0 - Risk Management Flashcards
1
Q
What are the steps in the Incident Response Process?
A
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
2
Q
What happens in the Preparation stage?
A
- this phase occurs before an incident and provides guidance to personnel on how to respond to an incident
- includes establishing and maintaining an incident response plan and incident response procedures
- includes implementing security controls to prevent malware infections
3
Q
What happens in the Identification stage?
A
- not all events are incidents, so when a potential incident is reported, personnel take the time to verify that it’s an actual incident
- if the incident is verified, personnel might try to isolate the system based on established procedures
4
Q
What happens in the Containment stage?
A
- after positively identifying an incident, security personnel attempt to isolate or contain it
- this might include quarantining a device or removing it from the network
- the goal of isolation is to prevent the problem from spreading to other areas or other computers in your network, or to simply stop the attack
5
Q
What happens in the Eradication stage?
A
- after containing the incident, it’s often necessary to remove components from the attack
- it’s important to remove all remnants of malware on all hosts within the organization and to delete or disable all affected accounts
6
Q
What happens in the Recovery stage?
A
- during the recovery process, administrators return all affected systems to normal operations and verify they are operating normally
- could include rebuilding systems from images, restoring data from backups, and installing updates
- if administrators identify vulnerabilities, steps are taken to remove the vulnerabilities
7
Q
What happens in the Lessons Learned stage?
A
- after handling an incident, security personnel perform a lessons learned review
- the organization might modify procedures, or add additional controls to prevent a recurrence of the incident
- review might indicate a need to provide additional training to users or indicate a need to update the incident response policy
8
Q
What is the order of volatility?
A
- Data in cache memory, including the processor cache and hard drive cache
- Data in RAM, including system and network processes
- A paging file (sometimes called a swap file) on the system disk drive
- Data stored on local disk drives
- Logs stored on remote systems
- Archive media
9
Q
What is a BPA?
A
- business partners agreement
- a written agreement that details the relationship between business partners, including their obligations toward the partnership
- typically identifies the shares of profits or losses each partner will take, their responsibilities to each other, and what to do if a partner chooses to leave the partnership
- can help settle conflicts when they arise
10
Q
What is an SLA?
A
- service level agreement
- an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels
- organizations use SLAs when contracting services from service providers such as ISPs
- many SLAs include a monetary penalty if the vendor is unable to meet the agreed-upon expectations
11
Q
What is an ISA?
A
- interconnection security agreement
- specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities
- may stipulate certain types of encryption for all data-in-transit
12
Q
What is an MOU/MOA?
A
- memorandum of understanding or memorandum of agreement
- expresses an understanding between two or more parties indicating their intention to work together toward a common goal
- often used to support an ISA by defining the purpose of the ISA and the responsibilities of both parties but doesn’t include any technical details or monetary penalties
13
Q
What is an RTO?
A
- recovery time objective
- identifies the maximum amount of time it should take to restore a system after an outage, typically for mission-essential functions and critical systems
- derived from the maximum allowable outage time identified in the BIA
14
Q
What is a BIA?
A
- business impact analysis
- a process that helps an organization identify critical systems and components that are essential to the organization’s success
15
Q
What is an RPO?
A
- recovery point objective
- identifies a point in time where data loss is acceptable
- refers to the amount of data you can afford to lose
- an RPO of one week means administrators would ensure they have at least weekly backups
16
Q
What is an SLE?
A
- single loss expectancy
- the monetary value of any single loss
- it is used to measure risk with ALE and ARO in a quantitative risk assessment
- the calculation is SLE = ALE / ARO
17
Q
What is an ALE?
A
- annual loss expectancy
- the expected loss for a year
- it is used to measure risk with ARO and SLE in a quantitative risk assessment
- the calculation is ALE = SLE x ARO
18
Q
What is an ARO?
A
- annual rate of occurrence
- the number of times a loss is expected to occur in a year
- it is used to measure risk with ALE and SLE in a quantitative risk assessment
- the calculation is ARO = ALE / SLE
19
Q
What are the risk response techniques?
A
- Avoid
- Transfer
- Mitigate
- Accept
20
Q
What is risk Avoidance?
A
- an organization could avoid a risk by not providing a service or not participating in a risky activity
- an organization can avoid a risky application by purchasing a different application that doesn’t require opening any additional firewall ports
21
Q
What is risk Transfer?
A
- an organization transfers the risk to another entity, or at least shares the risk with another entity
- the most common method is by purchasing insurance
- another method is by outsourcing, or contracting a third party
22
Q
What is risk Mitigation?
A
- an organization implements controls to reduce risks
- these controls either reduce the vulnerabilities or reduce the impact of the threat
- up-to-date antivirus software mitigates the risks of malware
- a security guard can reduce the risk of an attacker accessing a secure area
23
Q
What is risk Acceptance?
A
- when the cost of a control outweighs the risk, an organization will accept the risk
- spending $100 to protect a $15 mouse doesn’t make sense, so the organization accepts the risk of someone stealing a mouse
24
Q
What is a privacy impact assessment?
A
- attempts to identify potential risks related to the PII by reviewing how the information is handled
- helps identify and reduce risks related to potential loss of the PII
25
Q
What is a privacy threshold assessment?
A
- primary purpose is to help the organization identify PII within a system
- typically completed by the system owner or data owner by answering a simple questionnaire