CH21 Risk Assessment Flashcards

1
Q

After completing an assessment, you create a chart listing the associated risks based on the vulnerabilities identified with your organization’s privacy policy. The chart contains listings such as high, medium, and low. It also utilizes red, yellow, and green colors based on the likelihood and impact of a given incident. Which of the following types of assessments did you just complete?

a. Quantitative risk assessment
b. Privacy assessment
c. Supply chain assessment
d. Qualitative risk assessment

A

d. Qualitative risk assessment

This describes a qualitative risk assessment since it categorizes things based on the likelihood and impact of a given incident using non-numerical terms, such as high, medium, and low. If the risk assessment provided exact numbers or percentages of risk, then it would be a quantitative risk assessment.

2
Q

Jamie’s organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of the data is $120,000. Based on her analysis, she believes that a data breach will occur once every four years with an exposure factor of 30%. What is the ALE for a data breach within Jamie’s organization?

a. $9,000
b. $36,000
c. $90,000
d. $360,000

A

a. $9,000

The single loss expectancy (SLE) is the amount that would be lost in a single occurrence: the asset value (AV) multiplied by the exposure factor (EF), so $120,000 x 0.30 = $36,000. The annual loss expectancy (ALE) is the expected cost of a risk to the organization per year, determined by multiplying the SLE by the annualized rate of occurrence (ARO). One breach every four years is an ARO of 0.25, so ALE = $36,000 x 0.25 = $9,000.
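The same arithmetic, carried through as an added example (not part of the original flashcards). It uses the card's figures for Jamie's scenario and goes one step beyond the card: the standard safeguard cost/benefit check (ALE before the control, minus ALE after it, minus the control's annual cost), which is how a practitioner decides whether mitigating is cheaper than accepting or transferring. The two candidate controls, their costs and their effect on EF are constructed for illustration.

```python
"""Quantitative risk arithmetic: SLE, ARO, ALE and a safeguard cost/benefit check.

Added example; not code from the original flashcard set. Asset value, exposure
factor and breach frequency come from Jamie's card. The safeguards below are
hypothetical figures constructed to show the cost/benefit decision.
"""

from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the loss expected from one occurrence of the event.

    exposure_factor is a fraction (0.30 for 30%), not a percentage.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annual_rate_of_occurrence(occurrences: float, years: float) -> float:
    """ARO: expected occurrences per year ('once every four years' -> 0.25)."""
    if years <= 0:
        raise ValueError("years must be positive")
    return occurrences / years


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected yearly cost of carrying the risk."""
    return round(sle * aro, 2)


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and its (assumed) effect on the risk."""
    name: str
    annual_cost: float          # yearly cost of buying and operating the control
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place


def residual_ale(asset_value: float, safeguard: Safeguard) -> float:
    """ALE that remains after the safeguard is applied (the residual risk, in dollars)."""
    sle_after = single_loss_expectancy(asset_value, safeguard.new_exposure_factor)
    return annual_loss_expectancy(sle_after, safeguard.new_aro)


def safeguard_value(asset_value: float, ef: float, aro: float, safeguard: Safeguard) -> float:
    """Cost/benefit of a control: ALE(before) - ALE(after) - annual cost of safeguard.

    A positive result means the control saves more per year than it costs, so
    mitigation is cost-justified; a negative result means accepting (or
    transferring) the risk is cheaper than this particular control.
    """
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    return round(ale_before - residual_ale(asset_value, safeguard) - safeguard.annual_cost, 2)


def jamie_scenario() -> dict:
    """Jamie's card: AV $120,000, EF 30%, one breach every four years."""
    av, ef = 120_000.0, 0.30
    aro = annual_rate_of_occurrence(occurrences=1, years=4)
    sle = single_loss_expectancy(av, ef)
    ale = annual_loss_expectancy(sle, aro)

    # Hypothetical controls (constructed figures, not from the card).
    dlp = Safeguard("DLP + encryption at rest", annual_cost=5_000.0,
                    new_exposure_factor=0.10, new_aro=aro)
    overpriced = Safeguard("managed monitoring service", annual_cost=8_000.0,
                           new_exposure_factor=0.15, new_aro=aro)
    return {
        "sle": sle,
        "aro": aro,
        "ale": ale,
        "dlp_value": safeguard_value(av, ef, aro, dlp),
        "overpriced_value": safeguard_value(av, ef, aro, overpriced),
    }


if __name__ == "__main__":
    for key, value in jamie_scenario().items():
        print(f"{key:>17}: {value:,.2f}")
```

The SLE ($36,000) and ALE ($9,000) reproduce the card. The DLP control is worth buying (it reduces the yearly expected loss by $6,000 for $5,000, a net $1,000 benefit), while the second control costs more than the risk reduction it delivers, so against that control the better response is to accept the residual risk or transfer it.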

3
Q

Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company in the event of an incident. Which of the following best describes the company’s risk response?

a. Avoidance
b. Transference
c. Acceptance
d. Mitigation

A

b. Transference

Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities).

Avoidance means that the company stops doing the activity that is risk-bearing.
Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as by patching a vulnerable system.
Acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

4
Q

During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices that a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft’s regular patch. Which of the following options would be best to ensure the systems remain protected and compliant with the rules outlined by the PCI DSS?

a. Remove the POS terminals from the network until the vendor releases a patch
b. Replace the Windows POS terminal with standard Windows systems
c. Build a custom OS image that includes the patch
d. Identify, implement, and document compensating controls.

A

d. Identify, implement, and document compensating controls.

OBJ-5.1: Since the analyst cannot remediate the vulnerability by installing the patch, the next best action is to implement compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation and the controls chosen to achieve compliance with PCI DSS. The analyst likely cannot remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch, since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.

5
Q

What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system?

a. You should continue to apply additional controls until there is zero risk
b. You should remove the current controls since they are not completely effective
c. You should accept the risk if the residual risk is low enough
d. You should ignore any remaining risk

A

c. You should accept the risk if the residual risk is low enough

OBJ-5.4: In most cases, you will be unable to remove all risks. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.

6
Q

Dion Training’s offices utilize an open concept floor plan. They are concerned that a visitor might attempt to steal an external hard drive and carry it out of the building. To mitigate this risk, the security department has recommended installing security cameras clearly visible to both employees and visitors. What type of security control do these cameras represent?

a. Administrative
b. Corrective
c. Deterrent
d. Compensating

A

c. Deterrent

OBJ-5.1: A deterrent control is designed to discourage the violation of a security policy. Since the cameras are clearly visible, they are acting as a deterrent control. A corrective control is one that is used to fix or eliminate a vulnerability. A compensating control is used to minimize a vulnerability when it is deemed too difficult or impractical to correct the vulnerability fully. An administrative control is a policy or procedure created to minimize or eliminate a vulnerability.
