5.4 Summarize risk management processes and concepts. Flashcards
Control Risk
Residual Risk
– Inherent risk + control effectiveness
– Risk that exists after controls are considered
– Some models base it on including additional controls
After adding a firewall, IDS, or IPS, what is your risk?
Inherent Risk
– Impact + Likelihood
– Risk that exists in the absence of controls
– Some models include the existing set of controls
Without anything being put in place, there is a certain amount of risk we would undertake. Some models also count your current set of controls.
Acceptance
It's a business decision: we will accept the risk.
Risk Avoidance
Stop participating in high-risk activity
Transference
Choosing to purchase cyber security insurance.
Mitigation
Decrease risk level by investing in security systems.
Risk register
Identify and document the risk associated with each step of the project
Every project has a plan, but also has risk
– Identify and document the risk associated with each step
– Apply possible solutions to the identified risks
– Monitor the results
Risk matrix / risk heat map
View the results of the risk assessment
– Visually identify risk based on color
– Combines the likelihood of an event with the potential impact
– Assists with making strategic decisions
Risk appetite
– The amount of risk an organization is willing to take
Qualitative Risk assessment
Identify significant risk factors
– Ask opinions about the significance
– Display visually with a traffic light grid or similar method
Quantitative assessment
Likelihood
– Annualized Rate of Occurrence (ARO)
– How likely is it that a hurricane will hit? In Montana? In Florida?
* SLE (Single Loss Expectancy)
– What is the monetary loss if a single event occurs?
– Laptop stolen (asset value or AV) = $1,000
* ALE (Annualized Loss Expectancy)
– ARO x SLE
– Seven laptops stolen a year (ARO) x $1,000 (SLE) = $7,000
* The business impact can be more than monetary
– Quantitative vs. qualitative
Disaster Types
Environmental threats
– Tornado, hurricane, earthquake, severe weather
* Person-made threats
– Human intent, negligence, or error
– Arson, crime, civil disorder, fires, riots, etc.
* Internal and external
– Internal threats are from employees
– External threats are from outside the organization
RTO
Recovery time objective (RTO)
– Get up and running quickly
– Get back to a particular service level
Does not mean complete recovery, just recovery to a certain service level within a certain time. Usually used in conjunction with RPO.
RPO
Recovery point objective (RPO)
– How much data loss is acceptable?
– Bring the system back online; how far back does data go?
The point at which we say we have recovered. This objective meets a certain set of requirements to say we have recovered enough.