5.3

Question 1

Risk management

Answer 1

is the continuous process of
handling risks to organizational operations,
including mission-critical services and functions, physical and logical assets, and people

Question 2

The results of this risk management might be

Answer 2

• Establishing the context for risk-related activities
• Conducting an asset and risk assessment
• Implementing a risk mitigation strategy based on established
  risk treatment
• Employing techniques and procedures for the continuous
  monitoring of the security state of information systems

Question 3

Inherent (total) risk:

Answer 3

• The vulnerabilities and risks that the organization
  faces before safeguards are implemented
• The present baseline or system/application state
  before a formal assessment begins

Question 4

Residual risk:

Answer 4

The vulnerability or risk that remains after the
mitigating controls are introduced

*Residual = inherent risk − safeguards (controls)

Question 5

5 key elements of risk analysis are:

Answer 5

1. Assets or an asset class
2. Incident or scenario
3. Timeframe (fiscal/calendar year)
4. Impact (magnitude)
5. Likelihood (probability)

Question 6

qualitative risk analysis

Answer 6

most common method used in risk and security

Descriptive approach using subjective opinions, history, and scenarios to determine risk levels

Question 7

things to determines risk levels:

Answer 7

• Expert judgement
• Best practices
• Experience
• Intuition

Question 8

examples of qualitative risk analysis

Answer 8

s interviews, questionnaires, surveys
(Delphi), and conducting brainstorming sessions and workshops addressing assets, known risks, known
vulnerabilities, common threats, and historical
impacts

Question 9

Quantitative risk analysis

Answer 9

a scientific/mathematical approach to getting
monetary and numeric results

Question 10

Quantitative risk analysis is based on:

Answer 10

• Asset values (cost and depreciated)
• Impact (magnitude) or severity of the incident
• Probability (likelihood) of occurrence
• Threat frequency
• Costs and effectiveness of safeguards

Question 11

Quantitative risk analysis resulting probabilities are based on:

Answer 11

percentages, mathematical formulas, and calibrated
estimation

Question 12

• AV (asset value)

Answer 12

Value of the asset according to the organization

Question 13

EF (exposure factor):

Answer 13

Percentage of asset loss caused by identified
threat

Question 14

• SLE (single loss expectancy)

Answer 14

• Potential loss if attack occurs
• (Asset value * exposure factor)

Question 15

ARO (annualized rate of occurrence)

Answer 15

• Estimated frequency the threat will occur within a single year

Question 16

quantitative formula

Answer 16

ALE (annualized loss expectancy) = (SLE * ARO)

Question 17

risk appetite (treatment)

Answer 17

Any combination of treatments
can be used with risk
management

**Analysts must also consider any
exemptions or exceptions for
certain privileged users, air gapped systems, or special use case applications

Question 18

Risk acceptance:

Answer 18

• Do not implement any additional safeguards
• Justification in writing is often required
• This can also be the process of “ignoring” the risk

Question 19

Risk acceptance examples:

Answer 19

• Only having one supplier or vendor for hardware or
  services relying on their uptime reputation
• Leasing a facility in a 100-year flood zone
• Deciding not to add a cyber security rider to your existing business insurance policy
• Continuing with a Wi-Fi Protected Access (WPA2)-
  secured wireless local-area network (WLAN)

Question 20

Risk transference (risk sharing)

Answer 20

Passing off risk to a third party or shared party

Question 21

Risk transference examples:

Answer 21

• Purchasing an insurance policy or additional cyber
  insurance
• Leveraging a shared responsibility model (SRM) with a cloud service provider (IaaS)
• Leasing a warm/cold disaster recovery facility with another similar business that is several miles away
  using a reciprocal agreement

Question 22

Risk avoidance

Answer 22

involves deciding not to undertake
actions or engage in activities that introduce or increase risk

**Being too risk-averse can lead to missing out on opportunity or advantages

Question 23

Risk avoidance examples:

Answer 23

• Not processing and storing credit card information of
  customers on-premises
• Not using a cloud service provider for DevOps or
  managed data services
• Avoiding the use of any clear-text protocols, such as
  HTTP, Lightweight Directory Access Protocol (LDAP),
  File Transfer Protocol (FTP), Simple Mail Transfer
  Protocol (SMTP), or telnet
• Not storing sensitive data in a personal cloud service,
  such as Dropbox or Google Drive

Question 24

Risk Mitigation

Answer 24

involves the strategic and tactical use of
an array of technical, administrative, and physical controls to reduce risk to an acceptable level

Question 25

Risk Mitigation examples:

Answer 25

• Implementing endpoint protection, such as Palo Alto
  Cortex XDR
• Upgrading the edge firewall appliance
• Using a cloud-based security information and event
  management (SIEM)/security orchestration,
  automation, and response (SOAR) solution like Azure
  Sentinel or a managed security service provider
  (MSSP) solution from Fortinet
• Hiring armed security guards

Question 26

three risk handling approaches

Answer 26

Expansionary Conservative
Neutral

Question 27

Expansionary

Answer 27

Enterprise intends to
increase the number of
resources to allocate to
treat risk as needed on
an ongoing basis

Question 28

Conservative

Answer 28

Enterprise is frugal and
extremely careful to
spend more money,
acquire controls, add
personnel
They would rather find
compensating controls

Question 29

Neutral

Answer 29

Enterprise will take a
balanced approach to
risk treatment

The appetite is neither
expansionary or
conservative unless
necessary

Question 30

Risk assessment documents

Answer 30

will record the processes used
to identify probable threats and propose
subsequent action plans if the hazard occurs

Question 31

The risk assessment document will declare

Answer 31

assets at risk (people,
buildings, information technology, utility systems,
machinery, raw materials, and finished goods)

Question 32

Risk owners

Answer 32

are persons or entities responsible for
managing threats and vulnerabilities that might be
exploited such as a chief information security
officer (CISO), data custodian, virtual asset
manager, or other technical risk stakeholder

Question 33

Key risk indicators (KRIs)

Answer 33

are meaningful metrics
for measuring the likelihood and impact of an incident and if the results exceed established risk
appetite

Question 34

risk threshold

Answer 34

a quantifiable level of
uncertainty and impact from risk, below which an organization will accept a risk and above which an organization will not accept a risk

Question 35

Risk reports

Answer 35

should have just as much information as necessary
but not a “data overload”

Question 36

Reports should be concise and yet comprehensive:

Answer 36

• Written reports and summaries
• White papers, special publications
• Published to an intranet
• Live presentations (in-person or conferencing sessions)

Question 37

Analysts may need to express in simpler terms or have different
reports for different target audiences:

Answer 37

Possibly include a glossary of terms

Question 38

Understand the optimal aspects of visual communications:

Answer 38

• Avoid three-dimensional representation
• Use a palette of sequential colors
• Consider possible “color blindness” and sight-impaired audiences
• Avoid pie charts or simple histograms

Question 39

consider using what for risk reports?

Answer 39

• Scatterplots
• Bars and bubble charts
• Density plots
• Boxplots

Question 40

business impact analysis (BIA)

Answer 40

predicts the consequences of a
disruption to a business and collects
information needed to develop recovery
strategies

Question 41

Recovery Time Objective (RTO)

Answer 41

the amount of
time needed to recover a resource, service,
application, or function

It must be less than or equal to the maximum
tolerable downtime (MTD)

Question 42

Ways to reduce RTO include

Answer 42

• Adding physical security
• Adding redundancy
• Purchasing insurance
• Investing in better generators
• Investing in faster recovery solutions

Question 43

maximum tolerable downtime (MTD) is also
called maximum allowable downtime (MAD)

Answer 43

represents the absolute maximum amount of time that a resource, service, or function can be unavailable before the entity starts to experience a catastrophic loss

**When the MTD is exceeded, the disaster recovery
plans (DRPs) are often triggered

Question 44

Recovery Point Objective (RPO)

Answer 44

often represented as the target amount of time within which a process must be restored after disruption

Question 45

(RPO) The activity point, relative to a disaster, is where the
recovery process begins:

Answer 45

• Last Known Good Configurations
• Database transaction logs
• Snapshots
• Recovery volumes
• State machine instances

Question 46

(MTTR) This BIA measurement is heavily affected by:

Answer 46

supply
chain disruptions, backorders, and vendor
(manufacturers, wholesalers, distributors)
dislocation

Question 46

mean time to repair or replace (MTTR)

Answer 46

determines how long it will take in minutes, hours, or days to repair or replace a
failed system, component, application, or service

Question 46

mean time between failures (MTBF)

Answer 46

the measurement of the reliability of a
hardware system (Cisco/Juniper router),
component, or hot spare

Question 47

MTTR formula

Answer 47

MTTR = (total down time)/(number of breakdowns)