Chapter 1: IT Risk Identification

Question 1

IT Risk Management Good Practices

Answer 1

1. COBIT 5
2. ISO/IEC 27005: 2011 - IT - Security techniques-Information security risk management
3. ISO31000:2009- Risk Management Principles and Guidelines
4. NIST Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments
5. NIST Special Publication 800-39: Managing Information Security Risk

Question 2

Enumerate the ISO/IEC27005 Process Steps

Answer 2

1. Context Establishment
2. Risk Assessment
3. Risk Identification
4. Risk Analysis
5. Risk Evaluation
6. Risk Treatment
7. Risk Acceptance
8. Risk Communication and Consultation
9. Risk Monitoring and Review

Question 3

The IT Risk Management program should be:

Answer 3

1. Comprehensive
2. Complete
3. Auditable
4. Justifiable
5. Legal
6. Monitored
7. Up to date
8. Managed

Question 4

Ways to identify risk

Answer 4

1. Historical or evidence-based methods
2. Systematic approach (expert opinion)
3. Inductive approach (theoretical analysis)

Question 5

Enumerate the business related IT risk types

Answer 5

1. Investment or expense risk
2. Access or security risk
3. Integrity risk
4. Relevance risk
5. Availability risk
6. Infrastructure risk
7. Project ownership risk

Question 6

Investment or expense risk

Answer 6

Risk that the IT investment fails to provide value for money or is otherwise excessive or wasteful

Question 7

Access or security risk

Answer 7

Risk that confidential or otherwise sensitive information may be divulged or made available to those without appropriate authority

Question 8

Integrity risk

Answer 8

Risk that data cannot be relied on because they are unauthorized, incomplete, or inaccurate

Question 9

Relevance risk

Answer 9

Risk associated with not getting the right information to the right people at the right time to allow the right action to be taken

Question 10

Availability risk

Answer 10

Risk of loss of service or risk that data are not available when needed

Question 11

Infrastructure risk

Answer 11

Risk that the enterprise does not have an IT infrastructure and systems that can effectively support the current and future needs of the business in an efficient,cost - effective, and well-controlled fashion

Question 12

Project ownership risk

Answer 12

Risk of IT projects failing to meet objectives due to lack of accountability and commitment

Question 13

Challenges in conducting interviews:

Answer 13

1. Exaggeration

2. Inaccuracies

Question 14

Important detail to obtain during the interview

Answer 14

the level of impact that previous incidents have had on the organization including how the incident was handled, results of post incident review and root cause analysis and current status of any noted remediation activities from prior activities

Question 15

Risk culture

Answer 15

Reflects the balance between weighing the negative, positive, and regulatory elements of risk

Question 16

Risk culture elements

Answer 16

1. Behavior toward taking risk
2. Behavior toward policy compliance
3. Behavior toward negative outcomes

Question 17

Symptoms of inadequate or problematic risk culture

Answer 17

1. Misalignment between real risk appetite and translation into policies
2. Existence of a blame culture

Question 18

Consequences of poor communication on risk:

Answer 18

1. A false sense of confidence at all levels of the enterprise
2. Lack of direction or strategic planning
3. Unbalanced communication to the external world on risk
4. The perception that the enterprise is trying to cover up known risk from stakeholders

Question 19

IT Risk is…

Answer 19

the IT-enabled business risk that stems from the use of IT

Question 20

Senior management support

Answer 20

An important part of the risk management process

Question 21

Risk management depends on

Answer 21

business goals and objectives

Question 22

What is a critical component of risk management?

Answer 22

History

Question 23

Merger or acquisition results in

Answer 23

emergence of new risks that creates uncertainty and stress. This can further result in poor judgment or inappropriate actions by personnel

Question 24

What influences the effectiveness of the risk management effort?

Answer 24

The positioning of risk management function within the organizational structure.

Question 25

In a large organization, the organization of the risk management group should follow…

Answer 25

the same model and the organization of the business continuity management team

Question 26

RACI

Answer 26

Responsible
Accountable
Consulted
Infromed

Question 27

4 Main Types of Roles involved in the risk management process:

Answer 27

1. Individuals responsible for managing risk
2. Individuals accountable for the risk management effort
3. Individuals who provide support and assistance to the risk management effort (consulted)
4. Individuals who evaluate or monitor the effectiveness of the risk management effort

Question 28

How does the RACI model help?

Answer 28

It can assist in outlining the roles and responsibilities of the various stakeholders. The purpose of the RACI model is to clearly show the relationships between the various stakeholders, the interaction between the stakeholders and the roles that each stakeholder plays in the successful completion of the risk management effort.

Question 29

What is risk culture?

Answer 29

Set of shared values and beliefs that govern attitudes toward risk taking, care and integrity, and determines how openly risk and losses are reported and discussed.

Question 30

Ethics are related to…

Answer 30

An individual’s perception of right and wrong and are not necessarily linked to the law

Question 31

Ethics also applies to…

Answer 31

How people believe they have been treated

Question 32

Failure to comply with regulations may result in…

Answer 32

Financial penalties or loss of a license to operate as well as damage to the reputation of the organization

Question 33

To ensure compliance, an organization must…

Answer 33

Have the ability to monitor and measure controls in use

Question 34

In cases where there is noncompliance,

Answer 34

A justification for the reasons of noncompliance should be provided

Question 35

When risk is considered on a system-by-system or project-by-project basis,

Answer 35

The result is a spotty risk solution that has many individually good efforts but no consistency or interoperability among the risk solutions that are implemented

Question 36

The risk practitioner must be sensitive to the following before recommending a risk management approach or framework

Answer 36

• local departmental cultures
• priorities
• regulations
• restraints
• goals

Question 37

A critical part of establishing the risk management process is

Answer 37

The development and approval of a risk management policy

Question 38

What is information security?

Answer 38

Protecting of information and information systems (including technology) from risk events

Question 39

What is likelihood?

Answer 39

Likelihood = Probability. The measure of frequency of which an event may occur and is used to calculate the level of risk facing an organization based on the number of risk events that may occur within a time period and is often measured on an annual basis

Question 40

What are the factors that can affect likelihood?

Answer 40

• volatility
• velocity
• proximity
• interdependency
• motivation
• skill
• visibility

Question 41

What is the relation of volatility to risk?

Answer 41

Volatility=how much the situation varies. Varies greatly, harder to predict likelihood. Risk will be higher priority because of higher unpredictability (dynamic range)

Question 42

What is risk velocity?

Answer 42

Speed of onset. A measure of how much prior warning and preparation time an organization may have between the event’s occurrence and impact. Can be split into speed of reaction and speed of recovery.

Question 43

What is proximity?

Answer 43

The time from the even occurring and the impact on the organization

Question 44

What is interdependency?

Answer 44

Consideration of risk in various combinations. Materialization of two or more risks and their impact on the organization.

Question 45

What is the relation of motivation to risk?

Answer 45

More motivated attacker = higher risk

Question 46

What is the relation of skill to risk?

Answer 46

More skillful attacker = higher risk

Question 47

What is visibility?

Answer 47

How well known a vulnerability is

Question 48

What is risk impact?

Answer 48

The calculation of the amount of loss or damage that an organization may incur due to a risk event

Question 49

How is loss measured?

Answer 49

• quantitative
• semi quantitative
• qualitative

Question 50

Risk management should be based on

Answer 50

Calculated actions and justified controls, not on emotion and perception

Question 51

One method of calculating risk is evaluating the impact of the event on…

Answer 51

The confidentiality, integrity, and availability (CIA) of information or information systems

Question 52

Risk associated with information system is primarily about

Answer 52

Business risk and the impact that the failure or compromise of a system or information would have on the overall business

Question 53

The factors that affect the impact of an event may be measured in two ways:

Answer 53

1. The impact due a compromise or loss of information

2. The impact due to the loss or compromise of an information system

Question 54

What will evaluate the impact of a breach according to a range of levels?

Answer 54

Qualitative risk assessment approach

Question 55

What is confidentiality?

Answer 55

The requirement to maintain the secrecy and privacy of data

Question 56

What is a breach of confidentiality?

Answer 56

Improper disclosure of information to an unauthorized party

Question 57

What are some factors that could lead to disclosure of data?

Answer 57

• improperly managed access controls
• social engineering
• aggregation of data

Question 58

What does need to know mean?

Answer 58

It means that individuals are given access only to information that is needed in order for them to perform their job functions

Question 59

What is least privilege?

Answer 59

Restriction of data access of an individual or process to only the minimum level of access needed to perform their functions

Question 60

What is integrity?

Answer 60

The guarding against improper information modification, exclusion, or destruction and includes ensuring information nonrepudiation and authenticity

Question 61

Maintaining integrity requires the protection of information from:

Answer 61

improper modification by internal authorized users, unauthorized users, or other processes or activities operating on the system

Question 62

How is the authenticity of information protected?

Answer 62

By identifying the sources of the data and ensuring that it has not been tampered with or destroyed

Question 63

What is authenticity?

Answer 63

Often called nonrepudiation. Ensures that a link can be made between an action and the source of the action

Question 64

What is availability?

Answer 64

Providing timely and reliable access to information

Question 65

How do you measure availability?

Answer 65

Using a gap analysis

Question 66

Where is the required level of availability usually found?

Answer 66

In the BIA (business impact analysis)

Question 67

What is Segregation of Duties?

Answer 67

The principle of ensuring that no one person controls an entire transaction or operation that could result to fraudulent acts or errors

Question 68

How do you circumvent SOD?

Answer 68

Through collusion, when two people agree to bypass the SOD control

Question 69

What is mutual exclusivity?

Answer 69

Means that a person cannot execute both parts of the same transaction

Question 70

What is job rotation?

Answer 70

The process of cross-training and developing personnel with various skills that can step up when needed

Question 71

What is secure state?

Answer 71

The principle that a transaction or process should be in and maintain a secure condition at all times as it goes through its various activities

Question 72

Access control is usually addressed through the following concepts:

Answer 72

• identification
• authentication
• authorization
• accountability

Question 73

How is identification performed?

Answer 73

Through checking of a user ID or other unique element that identifies a person or process

Question 74

What is authentication?

Answer 74

The process of validating an identity and ensures that one person cannot spoof an identity or masquerade as or impersonate another user

Question 75

What are the three methods of performing authentication?

Answer 75

• knowledge
• ownership
• characteristics

Question 76

What is the risk in using knowledge (passwords)?

Answer 76

Passwords are often subject to replay attacks and can be learned by another user

Question 77

What is the problem with using ownership (possession) for authentication?

Answer 77

Cost of installing the system, issuing the cards, and operating and maintaining the system

Question 78

What is authorization?

Answer 78

The privileges or permissions the person will have in the system

Question 79

What is temporal isolation?

Answer 79

A person’s authorization that is only granted for a period of time that the permissions are required

Question 80

What is accountability/auditing?

Answer 80

This action logs or records all activity on a system and indicates the user ID responsible for the activity

Question 81

What is identity management?

Answer 81

The process of managing identities of the entities requiring access to information or information systems

Question 82

What is an asset?

Answer 82

Something of either tangible or intangible value that is worth protecting

Question 83

What is an asset value?

Answer 83

An asset may be valued according to what another person would pay for it, or by its measure of value to the company

Question 84

What is impact?

Answer 84

The magnitude of loss resulting from a threat exploiting a vulnerability

Question 85

What is impact analysis?

Answer 85

A study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events. In an impact analysis, threats to assets are identified and potential business losses determined for different time periods.

Question 86

What is impact assessment?

Answer 86

A review of the possible consequences of a risk

Question 87

What is likelihood?

Answer 87

The probability of something happening

Question 88

What is threat?

Answer 88

Anything that is capable of acting against an asset in a manner that can cause harm

Question 89

What is a threat agent?

Answer 89

Methods and things used to exploit a vulnerability

Question 90

What is a threat analysis?

Answer 90

An evaluation of the type, scope, and nature of events and actions that can result in adverse consequences; identification of threats against an enterprise

Question 91

What is a threat vector?

Answer 91

The path or route used by the adversary to gain access to the target

Question 92

What is a vulnerability?

Answer 92

A weakness in the design, implementation, operation, or internal control of a process that could expose the system to threats from threat events

Question 93

What is a vulnerability analysis?

Answer 93

Process of identifying and classifying vulnerabilities

Question 94

What is a vulnerability scanning?

Answer 94

An automated process to proactively identify security weaknesses in a network or individual system

Question 95

Risk is influenced more by

Answer 95

Lack of training than by lack of equipment

Question 96

The risk environment includes:

Answer 96

• the context, criticality, and sensitivity of the system or process being reviewed
• the dependencies and requirements of the system or process being reviewed
• The operational procedures, configuration, and monitoring of the system or business process
• The training of users and administrators
• the effectiveness of the controls and monitoring of the system or business process
• the manner in which data and system components are decommissioned

Question 97

Risk only occurs if

Answer 97

The adversary has intent (motivation) and capability

Question 98

To implement a justifiable risk strategy, start with

Answer 98

Identifying the organization’s assets and determining the value of those assets

Question 99

When calculating asset value, one technique is to base it on

Answer 99

Impact of a loss of CIA

Question 100

What are contributing factors to calculating asset value?

Answer 100

• financial penalties for legal noncompliance
• impact on business processes
• damage to reputation
• additional costs of repair/replacement
• effect on third parties/ business partners
• injury to staff or other personnel
• violations of privacy
• breach of contracts
• loss of competitive advantage
• legal costs

Question 101

Threats can be…

Answer 101

Intentional or unintentional

External or internal

Question 102

Categories of threats

Answer 102

Physical
Natural events
Loss of essential services
Disturbance due to radiation
Compromise of information
Technical failures
Unauthorized actions
Compromise of functions

Question 103

What are sources of information on threats?

Answer 103

Service providers 
threat monitoring agencies
Security companies
Audits
Management
Business continuity
Finance
Insurance companies
Product vendors
Government publications
Assessments
Users
Human resources
Media

Question 104

The trusted or malicious insider threat to an organization can be…

Answer 104

A current or former employee
Contractor
Business partner
Who has or had authorized access to an organization’s system, network, or data and intentionally infiltrated, interrupted, modified, or fabricated data on an organization’s information system

Question 105

Samples of external threats

Answer 105

Espionage
Theft
Sabotage
Terrorism
Criminal acts
Software errors
Hardware flaws
Mechanical failures
Lost assets
Data corruption
Facility flaws
Supply chain interruption
Industrial accidents
Disease
Seismic activity
Flooding
Power surge / utility failure
Severe storms

Question 106

What are indications of emerging threats?

Answer 106

Unusual activity on a system, repeated alarms, slow system or network performance, new or excessive activity in logs

Question 107

Why are new technologies a new threat source?

Answer 107

Because most technologies are built with an emphasis on function and purpose without due consideration for the security implications associated with the new technology

Question 108

What are network vulnerabilities?

Answer 108

Related to misconfiguration of equipment, poor architecture, or traffic interception

(network equipment should be hardened to disable unneeded services, ports, or protocols)

Question 109

Testing for physical security vulnerabilities include testing

Answer 109

Locks
Security guards
Fire suppression systems
Heating ventilation
Air conditioning controls
Lighting
Cameras
Motion sensors

Question 110

What are common application vulnerabilities?

Answer 110

Buffer overflows
Logic flaws
Injection attacks
Bugs
Incorrect control over user access

Question 111

OWASP

Answer 111

Open Web Application Security Project

Question 112

What are the different cloud deployment models?

Answer 112

Private
Public
Hybrid
Community

Question 113

Characteristics of a private cloud

Answer 113

Operated solely for an enterprise
May be managed by the enterprise or a third party
May exist on or off premise

Question 114

Characteristics of a public cloud

Answer 114

Made available to the general public or a large industry group
Owned by an organization selling cloud services

Question 115

Characteristics of a community cloud

Answer 115

Shared by several enterprises
Supports a specific community that has a shared mission or interest
May be managed by the enterprises or a third party
May reside on or off premise

Question 116

Characteristics of a hybrid cloud

Answer 116

A composition of two or more clouds that remain unique entities but are bound together by a standardized or proprietary technology that enables data and application portability

Question 117

When outsourcing data processing

Answer 117

It does not remove the liability of the outsourcing organization to ensure data are properly protected and the transmission of data is compliant with laws on data transfer

Question 118

What is a vulnerability assessment?

Answer 118

Careful examination of a target environment to discover any potential points of compromise and weakness

Question 119

Samples of vulnerabilities

Answer 119

Network vulnerabilities
Poor physical access controls
Insecure applications
Poorly designed or implemented web facing services
Disruption to utilities
Unreliable supply chain
Untrained personnel
Inefficient processes
Poorly maintained or old equipment

Question 120

What is penetration testing?

Answer 120

A targeted testing against a potential vulnerability or against an attack vector commonly used by an attacker that simulates the activities and approach used by an attacker

Question 121

What is full knowledge testing?

Answer 121

The testing team is familiar with the entire infrastructure being tested

Question 122

What is zero knowledge testing?

Answer 122

The testing team is in the position of the external hacker

Question 123

What is the risk associated with intellectual property?

Answer 123

Failure to protect IP from improper use, disclosure, or duplication that may result in loss of IP for a product

Question 124

What is risk scenario?

Answer 124

A description of a possible event that, when occurring, will have an uncertain impact on the achievement of the enterprise’s objectives. The impact can be positive or negative.

Question 125

The development of risk scenarios is based on…

Answer 125

Describing a potential risk event and documenting the factors and areas that may be affected by the risk event

Question 126

Risk events may include…

Answer 126

System failure
Loss of key personnel
Theft
Network outages
Power failures
Natural disasters

Question 127

The key to developing effective scenarios is…

Answer 127

To focus on real and relevant potential risk events

Question 128

Ways a risk scenario can be developed

Answer 128

Top down

Bottom up

Question 129

Top down approach starts with

Answer 129

Business goals to come up with risk scenarios

Based on understanding business goals and how a risk event could affect the achievement of those goals

Question 130

Bottom up approach starts with

Answer 130

Generic risk scenarios to more specific risk scenarios

Based on describing risk events that are specific to individual enterprise situations

Question 131

What is a risk scenario?

Answer 131

A description of an IT related risk event that can lead to a business impact

Question 132

Components of a risk scenario

Answer 132

Actor: internal or external party that generates the threat
Threat type: nature of the threat event
Event: the security incident
Asset: the entity affected by the risk event
Time: if relevant to the scenario (i.e. Duration, timing, detection, time lag between event and the consequence)

Question 133

A risk awareness program creates…

Answer 133

An understanding of risk, risk factors, and the various types of risk that an organization faces

Question 134

A risk awareness program should not…

Answer 134

Disclose vulnerabilities or ongoing investigations except when the problem has been addressed

Question 135

An awareness program for management should highlight…

Answer 135

The need for management to play a supervisory role in protecting systems and applications from attack

Question 136

Awareness training for senior management should highlight…

Answer 136

The liability, need for compliance, due care and due diligence, and the need to create the tone and culture of the organization through policy and good practice

Question 137

Criteria for risk acceptance

Answer 137

Consideration of the availability of mitigating controls
The needs of regulation
Cost benefit analysis of a control option
The risk versus reward incentive that management is willing to consider

Question 138

What is residual risk?

Answer 138

Risk that remains after the implementation of risk treatment controls

Question 139

What is risk tolerance?

Answer 139

Acceptable variation that management is willing to allow for any particular risk as the enterprise pursues its objectives

Question 140

Ownership of risk is ultimately the responsibility of…

Answer 140

The asset owners, or in most cases, senior management

Question 141

Risk acceptance must not exceed the…

Answer 141

Risk capacity of the organization

Question 142

What is risk capacity?

Answer 142

The objective amount of loss an enterprise can tolerate without risking its continued existence

Question 143

Risk capacity and risk appetite are defined by

Answer 143

The board and executive management at the enterprise level

Question 144

What are risk tolerance levels?

Answer 144

Tolerable deviations from the level set by the risk appetite definitions

Question 145

The risk register shows the…

Answer 145

Severity, source, and potential impact of a risk

Identifying the risk owner and the current status and disposition of risk

Question 146

The purpose of a risk register is…

Answer 146

To consolidate risk data into one place and permit the tracking of risk
Contains all the risk identified in audits, vulnerability assessments, penetration tests, incident reports, process reviews, management inputs, risk scenario creation, and security assessments

Question 147

The owner of the risk also owns the…

Answer 147

Controls and is responsible for monitoring its effectiveness

Question 148

What is a control?

Answer 148

It is a means of managing risk, including policies, procedures, guidelines, practices or organizational structures

Question 149

Developing a manageable and relevant set of risk scenarios requires:

Answer 149

Expertise and experience
A thorough understanding of the environment
The intervention and common views of all parties involved
A brainstorming/ workshop approach

Question 150

What is systemic risk?

Answer 150

Something happens with an important business partner, affecting a large number of enterprises within an area or industry

Question 151

What is contagious risk?

Answer 151

Events that happen at several of the enterprise’s business partners within a very short time frame