Chapter 1: Information Security & Risk Management

Question 1

Understanding an organizations mission, objectives, and goals…

Answer 1

are necessary to protecting their assets.

Question 2

Mission

Answer 2

Statement of ongoing purpose and reason for existence

Question 3

Objectives

Answer 3

Statements of activities or end-states that the org wishes to achieve.
Observable & measurable

Question 4

Goals

Answer 4

Specify specific accomplishments that enable the org to meets its objectives

Question 5

–1– enable org to meet –2– which support the –3– and describe how it will be fulfilled

Answer 5

1-Goals
2-objectives
3-mission

Question 6

Risk Management (RM)

Answer 6

“Process of determining the max acceptable level of overall risk to and from a proposed activity, then, then using risk assessment techniques to determine the initial level of risk and, if it is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.”

(Find the level of risk associated with a given asset or activity and do something about it if needed)

Question 7

Risk Assessment (RA)

Answer 7

Activities used to discover, analyze, and describe risks.

Question 8

Qualitative Risk Assessment (QualRA)

Answer 8

Assets (software apps, info systems, business equipment, or buildings, etc.) are reviewed for known vulnerabilities against a database of potential vulnerabilities. The risk is then measured against relative scales to determine the probability of a threat exploiting the vulnerability

Question 9

QLRA typically identifies

Answer 9

Vulnerabilities
Threats
Threat probability
Countermeasures

Question 10

Vulnerabilities

Answer 10

Weakness in design, configuration, documentation, procedure, or implementation

Question 11

Threats

Answer 11

Activities (if they occurred) that would exploit specific vulnerabilities

Question 12

Threat probability

Answer 12

An expression of likelihood that a specific threat will occur
Low-Medium-High
(1-5 or 1-10)

Question 13

Countermeasures

Answer 13

Actual or proposed measures that reduce the risk associated with vulnerabilities or threats

Question 14

Quantitative Risk Assessment (QNRA)

Answer 14

Extension of QLRA that includes additional elements

Question 15

QNRA includes…

Answer 15

Asset value 
Exposure factor
Single loss expectancy
Annualized rate of occurrence 
Annual loss expectancy

Question 16

Asset Value (AV)

Answer 16

$ represents replacement cost of an asset or income derived from using an asset

Question 17

Exposure Factor (EF)

Answer 17

Proportion of an asset’s value (%) that is likely to be lost through a particular threat
(Impact of a specific threat on an asset)

Question 18

Single Loss Expectancy(SLE)

Answer 18

Cost of a single loss through the occurrence of a particular threat

Question 19

SLE =

Answer 19

asset value ($) X exposure factor (%)

AV x EF

Question 20

Annualized Rate of Occurrence (ARO)

Answer 20

Probability (%) that a loss will occur within a years time

Can be greater than 100% if it may occur more than once

Question 21

Annual Loss Expectancy (ALE)

Answer 21

Yearly estimated loss of an asset

Question 22

ALE =

Answer 22

ARO x SLE

Question 23

Quantifying countermeasures can include…

Answer 23

costs of countermeasures, changes in exposure factor, changes in single loss expectancy.

(Geographical considerations can also be used if pertinent)

Question 24

Specific risk assessment methodologies

Answer 24

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
FRAP (Facilitated Risk Analysis Process)
Spanning Tree Analysis
NIST 800-30, Risk Management Guide for Information Technology Systems

Question 25

OCTAVE

Answer 25

Operationally Critical Threat, Asset, and Vulnerability Evaluation: analysts identify assets and their criticality, identity vulnerabilities and threats, evaluate risks, and create a protection strategy to reduce risk

Question 26

FRAP

Answer 26

Facilitated Risk Analysis Process: QLRA used to pre-screen a subject and determine if a full blow QNRA is needed

Question 27

Spanning Tree Analysis

Answer 27

Visual method do identifying categories of risks as well as specific ones

Question 28

NIST 800-30

Answer 28

Risk Management Guide for Information Technology Systems: document that describes a formal approach to RA that includes Threat and vulnerability identification, control analysis, impact analysis, and a matrix depiction of risk determination and control recommendations

Question 29

Risk Treatment

Answer 29

After QLRA and/or QNRA are performed, the four general ways to handle the risks are:
Risk acceptance 
Risk avoidance 
Risk reduction
Risk transfer

Question 30

Risk Avoidance

Answer 30

Most extreme; associated activity is discontinued

Question 31

Risk Reduction

Answer 31

“Risk Mitigation “; uses countermeasures to reduce risk

Question 32

Risk Reduction techniques include:

Answer 32

Firewalls
Intrusion detection systems
DMZ networks

Question 33

Risk Acceptance

Answer 33

In a typical LOW-MEDIUM-HIGH ranking, risks labeled as LOW may be accepted

Question 34

Risk Transfer

Answer 34

Typically uses insurance as a means of mitigating risks; usually involves a cost (insurance premiums) that would need to be included in QNRA

Question 35

Residual Risk

Answer 35

This is the risk that is left after the other four techniques have been implemented