Assessing Information Security Risk

Question 1

Asset

Answer 1

Anything of value that could be compromised, stolen, or harmed

Question 2

Threat

Answer 2

Any event or action that could cause damage to an asset or interruption of services

Question 3

Attack

Answer 3

The intentional act of attempting to bypass one or more security controls

Question 4

Vulnerability

Answer 4

A condition that leaves the system or assets open to harm

Question 5

Exploit

Answer 5

A technique that takes advantage of a vulnerability to perform an attack

Question 6

Security Control

Answer 6

A countermeasure put in place to avoid, mitigate, counteract risks due to threats or attacks

Question 7

Risk Equation

Answer 7

Risk = Threats x Vulnerabilities x Consequences

Question 8

Risk Management

Answer 8

The cyclical process of identifying, assessing, analyzing, and responding to risks

Question 9

Risk Exposure

Answer 9

How susceptible an organization is to loss

Question 10

Qualitative Risk Analysis

Answer 10

Use descriptions and words to measure the likelihood and impact of risk

Question 11

Quantitative Risk Analysis

Answer 11

Measures the impact of risk based completely on numeric values

Question 12

Enterprise Security Architecture

Answer 12

A framework used to define the baseline, goals, and methods used to secure a business

Question 13

Single Loss Expectancy (SLE)

Answer 13

Financial loss expected from a specific adverse event: SLE = Asset Value x Exposure Factor

Question 14

Annual Loss Expectancy (ALE)

Answer 14

ALE = SLE x ARO

Question 15

Annual Rate of Occurrence

Answer 15

How often a threat successfully affects the enterprise

Question 16

Classes of Information

Answer 16

Public, Private, Restricted, Confidential

Question 17

Technical Security Controls

Answer 17

Hardware or software to monitor and prevent threats and attacks, aka logical controls. E.g. firewall, IPS, encryption, etc

Question 18

Physical Security Controls

Answer 18

Measures that restrict, detect, and monitor access to physical areas or assets. E.g. door, lock, fence, mantrap, etc

Question 19

Administrative Security Controls

Answer 19

Monitor an org’s adherance to security policies and procedures. E.g. audits, compliance scans, etc

Question 20

Aggregate CIA Score

Answer 20

Info value (1-10) x value of threat score (1-10) for C, I, A, then add total for each attribute to get aggregate score

Question 21

Common Vulnerability Scoring System (CVSS)

Answer 21

Risk management approach where vulnerability data is quantified and then the degrees of risk to different types of systems or information are taken into account

Question 22

Common Vulnerabilities and Exposures (CVE)

Answer 22

Public dictionary of vulnerabilities

Question 23

Risk Avoidance

Answer 23

Risk has been completely eliminated, usually by removing the asset causing the risk

Question 24

Risk Transference

Answer 24

Moves responsibility of managing risk to another entity, such as insurance or outsourcing

Question 25

Risk Mitigation

Answer 25

Process of implementing controls and countermeasures to reduce the likelihood and impact of risk to an org

Question 26

Risk Acceptance

Answer 26

Organization determines after identification and analysis that a risk is within the org’s appetite and no additional action is needed

Question 27

Risk Deterrence

Answer 27

Influence a threat by convincing them an attack is not worth the cost, effort, or legal consequences

Question 28

Inherent Risk

Answer 28

The risk an event will pose if no mitigating controls are put in place

Question 29

Residual Risk

Answer 29

The risk that remains even after controls are put in place

Question 30

Continuous Monitoring and Improvement

Answer 30

Constantly evaluating an environment for changes so new risks may be more quickly detected and business processes improved

Question 31

IT Governance

Answer 31

Stakeholders ensure that those who govern IT resources are fulfilling objectives and strategies and creating value for the business

Question 32

Defense in Depth

Answer 32

Layered security approach using personnel, processes, technologies, and architecture design

Question 33

Policy

Answer 33

High level statement that defines the organization’s intentions

Question 34

Standards

Answer 34

Specific low-level mandatory controls that help enforce and support policies

Question 35

Guidelines

Answer 35

Recommended, non-mandatory controls that support standards or provide a reference for decision-making if no standard exists

Question 36

Procedures

Answer 36

Step-by-step instructions on tasks required to implement policies, standards, and guidelines

Question 37

Separation of Duties

Answer 37

No one person has too much power or responsibility.

Duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuses of power

Question 38

Job Rotation

Answer 38

No one person stays in a vital role too long.

Protects institutional knowledge and reduces risk of collusion and abuse of power/privileges

Question 39

Mandatory Vacation

Answer 39

Prevents fraud by providing opportunity to review employee activity

Question 40

Least Privilege

Answer 40

Users or systems should only have the minimal level of access that is necessary to perform the duties required of them

Question 41

Incident Response

Answer 41

Process in which an org reacts to and reports security breaches within an acceptable time period

Question 42

Compensating Control

Answer 42

A security measure put into place to mitigate a risk when a primary security control fails or cannot completely meet expectations.