5.4 Risk Management

Question 1

Define risk register

Answer 1

Identification of risks at each step of a project plan

Question 2

Define risk matrix/heat map

Answer 2

Assignment of points to every risk based on severity and a color coded visual representation of the risks

Question 3

Define inherit risk (2)

Answer 3

1. A risk that exists or is evaluated with the absence of security controls
2. Connecting to the Internet without a firewall for example

Question 4

Define residual risk (2)

Answer 4

1. A risk that exists or is evaluated with security controls in place
2. Connecting to the Internet with a firewall in place

Question 5

Define risk appetite

Answer 5

The level of risk an organization is willing to take

Question 6

Define risk-control self-assessment

Answer 6

An organization analyzes itself for gaps between current security controls and those identified during analysis of risks

Question 7

Define security control risk

Answer 7

1. Security controls are put in place to reduce risk. There is a risk of these controls failing.
2. For example, an old firewall

Question 8

Define quantitative risk analysis

Answer 8

Using a scoring system to assign point values to risks

Question 9

Define qualitative risk analysis

Answer 9

When quantitative risk analysis can’t be applied, risk analysis can be based on opinions from other sources, such as experts

Question 10

Define likelihood of occurrence (2)

Answer 10

1. A quantitative analysis of the likelihood of a risk to occur
2. Hurricane - likely in Florida but not Montana, for example

Question 11

Define annual rate of occurrence (ARO)

Answer 11

A quantitative calculation of the likelihood of occurrence over a 1 year period

Question 12

Define single loss expectancy (SLE)

Answer 12

1. The cost of a specific single loss
2. A laptop that is stolen costs $1,000 to replace for example

Question 13

Define annualized loss expectancy (ALE)

Answer 13

1. calculated by ARO x SLE
2. helps an organization decide their strategy to manage a risk, i.e. acceptance, avoidance, mitigation, etc…

Question 14

Define 4 risk management strategies

Answer 14

1. Acceptance
2. Avoidance
3. Transference - outsource to a third-party or purchase cybersecurity insurance
4. Mitigation - implement controls to reduce

Question 15

Define asset value

Answer 15

Quantitative risk analysis factor based on just the physical hard cost to replace an item, does not account for other factors - impact

Question 16

Define impact relative to risk analysis (2)

Answer 16

1. Identifying other results of a loss beyond asset value
2. i.e. if an employee loses a laptop, sales and productivity may be lost, IT department will lose time ordering a configuring a replacement device

Question 17

Define recovery time objective (RTO) relative to business impact analysis (2)

Answer 17

1. The amount of time it would take to recover from an outage
2. Not necessarily full recovery, but to a defined minimum functional point

Question 18

Define recovery point objective (RPO) relative to business impact analysis

Answer 18

1. An acceptable minimum functional point
2. Often used in conjunction with RTO

Question 19

Define mean time to repair (MTTR)

Answer 19

The average amount of time it takes to make a specific repair, useful to help establish RTO

Question 20

Define mean time between failures (MTBF)

Answer 20

Average time between failures of a specific piece of equipment

Question 21

Define functional recovery plan (2)

Answer 21

1. A pre-established defined set of processes and procedures to resolve and fully recover from an outage
2. Includes contact information for all resources necessary

Question 22

Define single point of failure (2)

Answer 22

1. A single entity or device that can cause an outage
2. Useful to evaluate if redundancy should be implemented