5.3 Flashcards

1
Q

Risk management

A

The continuous process of handling risks to organizational operations, including mission-critical services and functions, physical and logical assets, and people.

2
Q

The outputs of risk management might include:

A
  • Establishing the context for risk-related activities
  • Conducting an asset and risk assessment
  • Implementing a risk mitigation strategy based on the chosen risk treatment
  • Employing techniques and procedures for continuous monitoring of the security state of information systems

3
Q

Inherent (total) risk:

A
  • The vulnerabilities and risks the organization faces before safeguards are implemented
  • The present baseline or system/application state before a formal assessment begins

4
Q

Residual risk:

A

The vulnerability or risk that remains after mitigating controls are introduced.

*Residual risk = inherent risk − the risk reduced by safeguards (controls)

5
Q

The 5 key elements of risk analysis are:

A
  1. Assets or an asset class
  2. Incident or scenario
  3. Timeframe (fiscal/calendar year)
  4. Impact (magnitude)
  5. Likelihood (probability)

6
Q

Qualitative risk analysis

A

The most common method used in risk and security analysis.

A descriptive approach that uses subjective opinions, history, and scenarios to determine risk levels.

7
Q

Qualitative risk levels are determined from:

A
  • Expert judgement
  • Best practices
  • Experience
  • Intuition

8
Q

Examples of qualitative risk analysis

A

Interviews, questionnaires, surveys (the Delphi technique), and brainstorming sessions and workshops addressing assets, known risks, known vulnerabilities, common threats, and historical impacts.

9
Q

Quantitative risk analysis

A

A scientific/mathematical approach that produces monetary and numeric results.

10
Q

Quantitative risk analysis is based on:

A
  • Asset values (cost and depreciated)
  • Impact (magnitude) or severity of the incident
  • Probability (likelihood) of occurrence
  • Threat frequency
  • Costs and effectiveness of safeguards

11
Q

The probabilities produced by quantitative risk analysis are based on:

A

Percentages, mathematical formulas, and calibrated estimation.

12
Q

AV (asset value)

A

The value of the asset according to the organization.

13
Q

EF (exposure factor)

A

The percentage of the asset's value lost when the identified threat occurs.

14
Q

SLE (single loss expectancy)

A
  • The potential loss from a single occurrence of the threat
  • SLE = AV × EF (asset value × exposure factor)

15
Q

ARO (annualized rate of occurrence)

A
  • The estimated number of times the threat will occur within a single year

16
Q

Quantitative risk formula

A

ALE (annualized loss expectancy) = SLE × ARO

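A worked example of the AV/EF/SLE/ARO/ALE chain from cards 12 to 16, extended with the safeguard cost-and-effectiveness comparison card 10 mentions. This is an added illustration, not part of the flashcard source; every asset value, exposure factor, ARO and control cost below is a constructed sample figure, and the `Scenario`/`Safeguard` names are this example's own.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost-benefit.

Added illustration, not from the flashcard source. All figures are
constructed sample values, not real assessment data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat scenario against one asset (card 5: asset + incident)."""
    name: str
    asset_value: float       # AV: value of the asset to the organization
    exposure_factor: float   # EF: fraction (0..1) of AV lost per occurrence
    aro: float               # ARO: expected occurrences per year

    def __post_init__(self) -> None:
        # Guard against the two most common spreadsheet mistakes:
        # EF entered as a percentage (60 instead of 0.6) or a negative ARO.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction in [0, 1]")
        if self.aro < 0.0:
            raise ValueError(f"{self.name}: ARO cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A control and the EF/ARO the scenario is expected to have once it is in place."""
    name: str
    annual_cost: float       # purchase/operation cost spread over one year
    new_exposure_factor: float
    new_aro: float


def aro_from_interval(years_between_events: float) -> float:
    """Convert 'once every N years' into an ARO (e.g. every 8 years -> 0.125)."""
    if years_between_events <= 0.0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def safeguard_value(before: Scenario, control: Safeguard) -> float:
    """Annual net value of a control:
    (ALE before) - (ALE after) - (annual cost of the control).
    Positive: the control pays for itself. Negative: accepting the
    residual risk is cheaper than buying the control."""
    after = Scenario(before.name, before.asset_value,
                     control.new_exposure_factor, control.new_aro)
    return before.ale() - after.ale() - control.annual_cost


def rank_safeguards(before: Scenario, controls: list[Safeguard]) -> list[tuple[str, float]]:
    """Order candidate controls by annual net value, best first."""
    scored = [(c.name, safeguard_value(before, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample data: a customer-facing web server worth 100,000
# that a ransomware incident would impair by 60%, expected once every 2 years.
WEB_SERVER = Scenario("web server / ransomware", asset_value=100_000.0,
                      exposure_factor=0.6, aro=aro_from_interval(2.0))

CANDIDATE_CONTROLS = [
    # Endpoint protection: loss per event unchanged, frequency drops to once in 8 years.
    Safeguard("endpoint protection", annual_cost=10_000.0,
              new_exposure_factor=0.6, new_aro=aro_from_interval(8.0)),
    # Cold site: events as frequent as before, but only 20% of value lost per event.
    Safeguard("cold site lease", annual_cost=40_000.0,
              new_exposure_factor=0.2, new_aro=aro_from_interval(2.0)),
]

if __name__ == "__main__":
    print(f"SLE = {WEB_SERVER.sle():,.0f}  ALE = {WEB_SERVER.ale():,.0f}")
    for name, value in rank_safeguards(WEB_SERVER, CANDIDATE_CONTROLS):
        print(f"{name:22s} net annual value {value:+,.0f}")
```

The ranking is what turns the formulas into a decision: a control whose annual cost exceeds the ALE it removes is a candidate for risk acceptance rather than mitigation (cards 18 and 24), which is exactly the comparison the "costs and effectiveness of safeguards" input on card 10 exists for.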
17
Q

Risk appetite (treatment)

A

Any combination of the risk treatments (acceptance, transference, avoidance, mitigation) can be used in risk management.

**Analysts must also consider any exemptions or exceptions for certain privileged users, air-gapped systems, or special-use-case applications.

18
Q

Risk acceptance:

A
  • Do not implement any additional safeguards
  • Written justification is often required
  • This can also be the process of "ignoring" the risk

19
Q

Risk acceptance examples:

A
  • Having only one supplier or vendor for hardware or services, relying on their uptime reputation
  • Leasing a facility in a 100-year flood zone
  • Deciding not to add a cyber security rider to your existing business insurance policy
  • Continuing to run a Wi-Fi Protected Access 2 (WPA2)-secured wireless local-area network (WLAN)

20
Q

Risk transference (risk sharing)

A

Passing off risk to a third party or shared party

21
Q

Risk transference examples:

A
  • Purchasing an insurance policy or additional cyber
    insurance
  • Leveraging a shared responsibility model (SRM) with a cloud service provider (IaaS)
  • Leasing a warm/cold disaster recovery facility with another similar business that is several miles away
    using a reciprocal agreement
22
Q

Risk avoidance

A

involves deciding not to undertake
actions or engage in activities that introduce or increase risk

**Being too risk-averse can lead to missing out on opportunity or advantages

23
Q

Risk avoidance examples:

A
  • Not processing and storing credit card information of
    customers on-premises
  • Not using a cloud service provider for DevOps or
    managed data services
  • Avoiding the use of any clear-text protocols, such as
    HTTP, Lightweight Directory Access Protocol (LDAP),
    File Transfer Protocol (FTP), Simple Mail Transfer
    Protocol (SMTP), or telnet
  • Not storing sensitive data in a personal cloud service,
    such as Dropbox or Google Drive
24
Q

Risk Mitigation

A

involves the strategic and tactical use of
an array of technical, administrative, and physical controls to reduce risk to an acceptable level

25
Q

Risk mitigation examples:

A
  • Implementing endpoint protection, such as Palo Alto Cortex XDR
  • Upgrading the edge firewall appliance
  • Using a cloud-based security information and event management (SIEM)/security orchestration, automation, and response (SOAR) solution like Azure Sentinel, or a managed security service provider (MSSP) solution from Fortinet
  • Hiring armed security guards

26
Q

Three risk appetite (risk handling) approaches

A
  • Expansionary
  • Conservative
  • Neutral

27
Q

Expansionary

A

The enterprise intends to increase the resources allocated to treating risk as needed, on an ongoing basis.

28
Q

Conservative

A

The enterprise is frugal and extremely careful about spending more money, acquiring controls, or adding personnel; it would rather find compensating controls.

29
Q

Neutral

A

The enterprise takes a balanced approach to risk treatment. The appetite is neither expansionary nor conservative unless necessary.

30
Q

Risk assessment documents

A

Record the processes used to identify probable threats and propose the action plans to follow if the hazard occurs.

31
Q

The risk assessment document declares

A

The assets at risk (people, buildings, information technology, utility systems, machinery, raw materials, and finished goods).

32
Q

Risk owners

A

Persons or entities responsible for managing the threats and vulnerabilities that might be exploited, such as a chief information security officer (CISO), data custodian, virtual asset manager, or other technical risk stakeholder.

33
Q

Key risk indicators (KRIs)

A

Meaningful metrics for measuring the likelihood and impact of an incident, and whether the results exceed the established risk appetite.

34
Q

Risk threshold

A

A quantifiable level of uncertainty and impact from risk, below which an organization will accept a risk and above which it will not.

35
Q

Risk reports

A

Should contain as much information as necessary, but not a "data overload".

36
Q

Reports should be concise yet comprehensive; delivery formats include:

A
  • Written reports and summaries
  • White papers, special publications
  • Publication to an intranet
  • Live presentations (in-person or conferencing sessions)

37
Q

Analysts may need to express findings in simpler terms or produce different reports for different target audiences:

A

Possibly include a glossary of terms.

38
Q

Understand the optimal aspects of visual communication:

A
  • Avoid three-dimensional representations
  • Use a palette of sequential colors
  • Consider color-blind and sight-impaired audiences
  • Avoid pie charts or simple histograms

39
Q

Consider using which chart types for risk reports?

A
  • Scatterplots
  • Bar and bubble charts
  • Density plots
  • Boxplots

40
Q

Business impact analysis (BIA)

A

Predicts the consequences of a disruption to a business and collects the information needed to develop recovery strategies.

41
Q

Recovery Time Objective (RTO)

A

The amount of time needed to recover a resource, service, application, or function. It must be less than or equal to the maximum tolerable downtime (MTD).

42
Q

Ways to reduce RTO include

A
  • Adding physical security
  • Adding redundancy
  • Purchasing insurance
  • Investing in better generators
  • Investing in faster recovery solutions

43
Q

Maximum tolerable downtime (MTD), also called maximum allowable downtime (MAD)

A

The absolute maximum amount of time that a resource, service, or function can be unavailable before the entity starts to experience catastrophic loss.

**When the MTD is exceeded, the disaster recovery plans (DRPs) are often triggered.

44
Q

Recovery Point Objective (RPO)

A

The maximum tolerable amount of data loss, expressed as the time between the last recoverable state (backup, snapshot, or transaction log) and the disruption. It is a data-loss target, not a restoration-time target like the RTO.

45
Q

(RPO) The activity point, relative to a disaster, from which the recovery process begins:

A
  • Last Known Good Configurations
  • Database transaction logs
  • Snapshots
  • Recovery volumes
  • State machine instances

46
Q

(MTTR) This BIA measurement is heavily affected by:

A

Supply chain disruptions, backorders, and vendor (manufacturer, wholesaler, distributor) dislocation.

47
Q

Mean time to repair or replace (MTTR)

A

Determines how long it will take, in minutes, hours, or days, to repair or replace a failed system, component, application, or service.

48
Q

Mean time between failures (MTBF)

A

A measurement of the reliability of a hardware system (e.g. a Cisco/Juniper router), component, or hot spare.

49
Q

MTTR formula

A

MTTR = (total downtime) / (number of breakdowns)
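The BIA metrics on cards 41 through 49 are only useful when they are checked against each other: RTO must not exceed MTD, the observed MTTR should fit inside the RTO, and the backup interval must not exceed the RPO. The following script, an added illustration that is not part of the flashcard source, computes MTTR from the formula on the last card and runs those three checks. The outage timestamps, recovery targets and backup interval are constructed sample data; `Outage`, `RecoveryTargets` and `check_targets` are names chosen for this example.

```python
"""BIA metric consistency checks: MTTR, RTO vs MTD, MTTR vs RTO, backup interval vs RPO.

Added illustration, not from the flashcard source. Outage records and
targets below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Outage:
    """One breakdown of a service, from failure to full restoration."""
    failed_at: datetime
    restored_at: datetime

    def downtime(self) -> timedelta:
        # A restoration timestamp earlier than the failure is a data-entry
        # error; silently accepting it would shrink (or negate) the MTTR.
        if self.restored_at < self.failed_at:
            raise ValueError("restored_at precedes failed_at")
        return self.restored_at - self.failed_at


def mttr(outages: list[Outage]) -> timedelta:
    """MTTR = (total downtime) / (number of breakdowns)."""
    if not outages:
        raise ValueError("MTTR is undefined with zero breakdowns")
    total = sum((o.downtime() for o in outages), timedelta())
    return total / len(outages)


@dataclass(frozen=True)
class RecoveryTargets:
    """Targets agreed in the BIA for one service."""
    mtd: timedelta   # maximum tolerable downtime (card 43)
    rto: timedelta   # recovery time objective (card 41), must be <= mtd
    rpo: timedelta   # recovery point objective: max tolerable data loss (card 44)


def check_targets(targets: RecoveryTargets, backup_interval: timedelta,
                  observed_mttr: timedelta) -> list[str]:
    """Return human-readable findings; an empty list means the targets are consistent."""
    findings: list[str] = []
    if targets.rto > targets.mtd:
        findings.append(f"RTO {targets.rto} exceeds MTD {targets.mtd}: "
                        "recovery would finish after catastrophic loss begins")
    if observed_mttr > targets.rto:
        findings.append(f"observed MTTR {observed_mttr} exceeds RTO {targets.rto}: "
                        "the recovery capability does not meet the objective")
    if backup_interval > targets.rpo:
        findings.append(f"backup interval {backup_interval} exceeds RPO {targets.rpo}: "
                        "a disaster could lose more data than tolerated")
    return findings


# Constructed sample data: three outages of a database service in one quarter.
SAMPLE_OUTAGES = [
    Outage(datetime(2024, 1, 14, 2, 0), datetime(2024, 1, 14, 4, 0)),   # 2 h
    Outage(datetime(2024, 2, 3, 9, 30), datetime(2024, 2, 3, 13, 30)),  # 4 h
    Outage(datetime(2024, 3, 22, 22, 0), datetime(2024, 3, 23, 4, 0)),  # 6 h
]
SAMPLE_TARGETS = RecoveryTargets(mtd=timedelta(hours=8),
                                 rto=timedelta(hours=3),
                                 rpo=timedelta(hours=1))
SAMPLE_BACKUP_INTERVAL = timedelta(hours=4)   # nightly-ish snapshot schedule


def sample_findings() -> list[str]:
    """Run the checks over the constructed sample; returns the list of findings."""
    return check_targets(SAMPLE_TARGETS, SAMPLE_BACKUP_INTERVAL, mttr(SAMPLE_OUTAGES))


if __name__ == "__main__":
    print(f"MTTR over {len(SAMPLE_OUTAGES)} breakdowns: {mttr(SAMPLE_OUTAGES)}")
    for finding in sample_findings() or ["targets are consistent"]:
        print(" -", finding)
```

With the sample data the MTTR comes out at 4 hours, which already breaches the 3-hour RTO, and the 4-hour snapshot interval breaches the 1-hour RPO; the RTO itself sits inside the MTD, so that check stays quiet. Those two findings are the kind of gap that drives the "ways to reduce RTO" list on card 42 and a tighter backup schedule.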