Chapter 1: Managing Risk Flashcards

1
Q

Three types of threats

A

Environmental
Manmade
Internal vs external

2
Q

Environmental threat

Describe!

A

Threats caused by the environment rather than by people (e.g. fire, flood, lightning, storms)

3
Q

Manmade threats

A

Threats caused by people, deliberately or accidentally (e.g. hackers, viruses and other malware, operator error)

4
Q

Internal threat

A

Threat originating from personnel inside the company (employees, contractors), whether malicious or careless

5
Q

External threat

A

Threat originating from people outside the company (e.g. external attackers, competitors)

6
Q

Risk register

A

Document that lists each identified risk with its likelihood, impact, owner and planned response; the possible problem areas are often visualised as a scatter plot of likelihood against impact

7
Q

Vulnerability

A

Weakness that could be exploited by a threat

8
Q

Risk assessment process

A

Identify the risks to the organization
Decide which risks are worth addressing (by likelihood and impact)
Coordinate with the business impact analysis

9
Q

ALE

A

Annual loss expectancy: monetary measure of the expected loss per year from a given risk (ALE = SLE × ARO)

10
Q

BIA

A

Business impact analysis

11
Q

SLE

A

Single loss expectancy: monetary measure of the expected loss from a single occurrence of an event (SLE = AV × EF)

12
Q

AV

A

Asset value

13
Q

EF

A

Exposure factor: percentage of the asset's value that is lost when the threat occurs

14
Q

Single loss expectancy is calculated from:

A

Asset value (AV) and exposure factor (EF): SLE = AV × EF

15
Q

ARO

A

Annualized rate of occurrence: the expected number of times an event occurs within a year (may be a fraction, e.g. 0.1 for once every ten years)

16
Q

Risk assessment formula

A

SLE × ARO = ALE (where SLE = AV × EF)

17
Q

NIST

A

National Institute of Standards and Technology

18
Q

Appendix G of NIST SP 800-30 (Rev. 1)

A

Likelihood of occurrence; includes the assessment scale for the likelihood that an adversary initiates a threat event (Table G-2)

19
Q

NIST SP 800-30 assessment scale for likelihood of threat event initiation (adversarial): qualitative value, semi-quantitative value, and description

A

Very High, 10 (score 96-100): adversary is almost certain to initiate the threat event

High, 8 (score 80-95): adversary is highly likely to initiate the threat event

Moderate, 5 (score 21-79): adversary is somewhat likely to initiate the threat event

Low, 2 (score 5-20): adversary is unlikely to initiate the threat event

Very Low, 0 (score 0-4): adversary is highly unlikely to initiate the threat event

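Worked example for cards 6, 9 to 16, 18 and 19 (added here; it is not part of the original deck): a small risk register holding the quantitative figures (AV, EF, ARO) from which SLE and ALE are computed, the NIST SP 800-30 Table G-2 likelihood buckets applied to the adversarial rows, and a cost/benefit check that tells you whether a control is worth buying or the risk should be accepted. All register entries, dollar amounts, exposure factors, AROs and likelihood scores are constructed assumptions, not measurements from any real organization.

```python
"""Quantitative (AV, EF, ARO, SLE, ALE) and semi-quantitative (NIST SP 800-30)
risk assessment over a small risk register.

Added example, not part of the original flashcard deck. Every register entry,
dollar figure, exposure factor, ARO and likelihood score below is a constructed
assumption for illustration, not a real measurement.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RiskEntry:
    """One row of a risk register: a possible problem area and its estimates."""
    name: str
    asset_value: float               # AV: value of the asset at risk, in dollars
    exposure_factor: float           # EF: fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float                       # ARO: expected occurrences per year (may be below 1)
    likelihood_score: Optional[int]  # 0-100 adversarial likelihood (Table G-2); None if not adversarial

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro


# NIST SP 800-30 Rev. 1, Table G-2 (likelihood of threat event initiation,
# adversarial): qualitative label, semi-quantitative 0-10 value, 0-100 score range.
NIST_LIKELIHOOD_SCALE = (
    ("Very High", 10, 96, 100),
    ("High", 8, 80, 95),
    ("Moderate", 5, 21, 79),
    ("Low", 2, 5, 20),
    ("Very Low", 0, 0, 4),
)


def nist_likelihood(score: int) -> Tuple[str, int]:
    """Map a 0-100 likelihood score to its (qualitative, semi-quantitative) pair."""
    if not 0 <= score <= 100:
        raise ValueError("likelihood score must be between 0 and 100")
    for label, semi, low, high in NIST_LIKELIHOOD_SCALE:
        if low <= score <= high:
            return label, semi
    raise RuntimeError("scale does not cover the 0-100 range")  # not reachable


def safeguard_value(entry: RiskEntry, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a control: ALE before - ALE after - annual cost of the control.

    Positive: the control prevents more loss than it costs (mitigate).
    Negative: it costs more than the harm it prevents, the case for accepting the risk.
    """
    return entry.ale - ale_after - annual_cost


def rank_register(register: List[RiskEntry]) -> List[Tuple[str, float]]:
    """(name, ALE) pairs, highest expected annual loss first."""
    return sorted(((r.name, r.ale) for r in register), key=lambda t: t[1], reverse=True)


# Constructed sample register (assumed figures, for illustration only).
SAMPLE_REGISTER = [
    RiskEntry("Data-center fire", asset_value=2_000_000, exposure_factor=0.60,
              aro=0.05, likelihood_score=None),   # environmental: about once in 20 years
    RiskEntry("Ransomware on file server", asset_value=500_000, exposure_factor=0.40,
              aro=0.50, likelihood_score=85),     # adversarial: about once in 2 years
    RiskEntry("Laptop theft", asset_value=3_000, exposure_factor=1.00,
              aro=4.0, likelihood_score=60),      # adversarial: about four a year
]

if __name__ == "__main__":
    for entry in sorted(SAMPLE_REGISTER, key=lambda r: r.ale, reverse=True):
        if entry.likelihood_score is None:
            likelihood = "n/a (Table G-2 covers adversarial events only)"
        else:
            label, semi = nist_likelihood(entry.likelihood_score)
            likelihood = f"{label} ({semi})"
        print(f"{entry.name:28s} SLE=${entry.sle:>12,.2f} ALE=${entry.ale:>12,.2f} "
              f"likelihood={likelihood}")
    # Is an offline-backup control for the ransomware row worth buying? Assume it cuts
    # EF from 0.40 to 0.05 (ALE after = 500,000 x 0.05 x 0.5 = 12,500) and costs
    # $30,000 a year to run.
    print("backup control value:",
          safeguard_value(SAMPLE_REGISTER[1], ale_after=12_500, annual_cost=30_000))
```

Running it prints the register ranked by ALE (ransomware 100,000, fire 60,000, laptop theft 12,000 per year) and a backup-control value of 57,500: the control's 30,000 annual cost is well below the 87,500 of annual loss it removes, so mitigation beats acceptance for that row. Table G-2 scores adversarial events only, which is why the fire entry carries no likelihood score and is judged on its ARO alone.
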
20
Q

Supply chain assessment

A

Evaluates the vendors and suppliers your organization depends on and the risks they introduce (e.g. through the hardware, software and services you procure from them)

21
Q

Threat vectors

A

The path or means by which an attacker reaches a target (e.g. a phishing email, removable media, an exposed network service)

22
Q

MTBF

A

Mean time between failures

The average operating time between failures of a repairable system or component; a measure of the anticipated incidence of failure

23
Q

MTTF

A

Mean time to failure

The average amount of time until failure for a non-repairable system or component (one that is replaced rather than fixed)

24
Q

MTTR

A

Mean time to restore (also mean time to repair or recover)

The average time it takes to repair or restore a system or component once a failure occurs

25
Q

RTO

A

Recovery time objective

Maximum amount of time that a process or service is allowed to be down before the consequences become unacceptable

26
Q

RPO

A

Recovery point objective

The point in time to which data must be restored after an outage, i.e. the maximum tolerable amount of data loss measured in time; it determines how often backups must run

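Worked example for cards 22 to 26 (added here; it is not part of the original deck): checks a service's actual recovery point and restore time against its RPO and RTO using constructed backup-job log lines, and derives steady-state availability from MTBF and MTTR with A = MTBF / (MTBF + MTTR), a formula the cards do not give but which is the standard relationship between the two metrics. The log format, service names and all hour figures are assumptions made for this example.

```python
"""Continuity-metric checks: data loss at failure time against RPO, MTTR against
RTO, and steady-state availability from MTBF and MTTR.

Added example, not part of the original deck. The availability formula
A = MTBF / (MTBF + MTTR) goes beyond the cards, which only define the terms.
The service objectives and the backup log lines are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass
class ServiceObjectives:
    name: str
    rto_hours: float   # RTO: maximum tolerable downtime
    rpo_hours: float   # RPO: maximum tolerable data loss, measured in time
    mttr_hours: float  # MTTR: mean time to restore, from incident records
    mtbf_hours: float  # MTBF: mean time between failures, from incident records


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability: fraction of time the system is up."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def last_successful_backup(log: str, service: str) -> Optional[datetime]:
    """Newest 'status=ok' entry for the service in the constructed backup log.

    Assumed line format: '<ISO-8601 UTC timestamp> <service> status=<ok|failed>'.
    Failed runs are deliberately ignored: a failed backup does not move the
    recovery point, which is exactly what widens the data-loss window.
    """
    latest: Optional[datetime] = None
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        stamp, name, status = parts
        if name != service or status != "status=ok":
            continue
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if latest is None or when > latest:
            latest = when
    return latest


def data_loss_hours(log: str, service: str, failure_time: datetime) -> Optional[float]:
    """Hours of data lost if the service fails at failure_time; None if never backed up."""
    last = last_successful_backup(log, service)
    if last is None:
        return None
    return (failure_time - last).total_seconds() / 3600.0


def check_objectives(svc: ServiceObjectives, log: str, failure_time: datetime) -> Dict[str, bool]:
    """Whether the actual recovery point and the observed MTTR satisfy RPO and RTO."""
    loss = data_loss_hours(log, svc.name, failure_time)
    return {
        "rpo_met": loss is not None and loss <= svc.rpo_hours,
        "rto_met": svc.mttr_hours <= svc.rto_hours,
    }


# Constructed sample data: a nightly backup job whose latest run for order-db failed.
BACKUP_LOG = """\
2024-03-10T00:00:12Z order-db status=ok
2024-03-11T00:00:09Z order-db status=ok
2024-03-12T00:00:15Z order-db status=failed
2024-03-12T02:30:00Z wiki status=ok
"""
FAILURE_TIME = datetime(2024, 3, 12, 9, 0, tzinfo=timezone.utc)
SAMPLE_SERVICES = [
    ServiceObjectives("order-db", rto_hours=4, rpo_hours=1, mttr_hours=3, mtbf_hours=2000),
    ServiceObjectives("wiki", rto_hours=48, rpo_hours=24, mttr_hours=6, mtbf_hours=720),
]

if __name__ == "__main__":
    for svc in SAMPLE_SERVICES:
        loss = data_loss_hours(BACKUP_LOG, svc.name, FAILURE_TIME)
        print(f"{svc.name:10s} data loss={loss:6.2f}h (RPO {svc.rpo_hours}h)  "
              f"MTTR={svc.mttr_hours}h (RTO {svc.rto_hours}h)  "
              f"availability={availability(svc.mtbf_hours, svc.mttr_hours):.4%}  "
              f"{check_objectives(svc, BACKUP_LOG, FAILURE_TIME)}")
```

The order-db row is the instructive one: its backups run nightly against a one-hour RPO, so the schedule could never meet the objective even when every run succeeds, and because the latest run failed the recovery point is the previous night's backup, about 33 hours before the failure. Its MTTR of 3 hours sits inside the 4-hour RTO, so only the RPO check fails.
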
27
Q

PIA

A

Privacy impact assessment

Identifies the personally identifiable information a system collects and the adverse impacts that would follow from the destruction, corruption, disclosure or loss of accountability of that data; used in conjunction with a business impact analysis

28
Q

PTA

A

Privacy threshold assessment

A compliance tool, used in conjunction with the privacy impact assessment, that determines whether a system handles personally identifiable information and therefore whether a full PIA is required

29
Q

Types of testing that can help identify risks

A

Penetration testing

Vulnerability testing (vulnerability scanning and assessment)

30
Q

7 key measures used to assess and plan for unanticipated threats

A
Likelihood
Threat vector
Mean time between failures
Mean time to failure
Mean time to restore
Recovery time objective
Recovery point objective
31
Q

Four possible responses to a risk once identified

A

Risk avoidance
Risk transference
Risk mitigation
Risk acceptance

32
Q

Risk avoidance

A

Identifying a risk and making the decision not to engage any longer in the actions associated with that risk

33
Q

Risk transference

A

Share some of the burden of the risk with someone else (e.g. by buying insurance or outsourcing the activity)

34
Q

Risk mitigation

A

Taking steps to reduce the risk

35
Q

Risk acceptance

A

The choice that you make when the cost of implementing any of the other responses exceeds the value of the harm that would occur if the risk came to fruition

36
Q

DLP

A

Data loss prevention

Systems that inspect data at rest, in use and in transit for sensitive content (e.g. card numbers, personal data, confidential documents) and monitor or block its unauthorized copying, transmission or removal; they also record who is using and transmitting the data

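Worked example for card 36 (added here; it is not part of the original deck): the content-inspection step a DLP system applies to an outbound message, looking for payment card numbers by pattern and then confirming each candidate with the Luhn checksum so that 16-digit order or tracking numbers are not blocked. The messages are constructed; the 4111... and 5500... numbers are publicly documented Visa and Mastercard test numbers, not real cards. Real DLP products add many more detectors (personal data, document fingerprints, classification labels) and policy actions; only the detect-and-mask step is shown.

```python
"""Content inspection of outbound messages for primary account numbers (PANs),
the kind of check a DLP system runs on data in transit.

Added example, not part of the original deck. The message samples are constructed;
the 4111... and 5500... numbers are the well-known Visa/Mastercard test numbers,
not real cards. A real DLP product adds many more detectors and policies; this
block shows only the pattern-plus-checksum step that keeps false positives down.
"""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Digit runs that look like a card number AND pass Luhn, separators removed."""
    hits = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def inspect_message(text: str) -> Tuple[str, List[str]]:
    """DLP verdict for one outbound message: ('block' | 'allow', masked PANs found)."""
    pans = find_pans(text)
    return ("block" if pans else "allow"), [mask(p) for p in pans]


# Constructed sample traffic.
SAMPLE_MESSAGES = [
    "Hi, please charge card 4111 1111 1111 1111, exp 12/26, thanks",    # valid PAN
    "Order 1234567890123456 has shipped, tracking 5500-0000-0000-0004",  # order no. + PAN
    "Call me on 555-0100 about ticket 4111111111111112",                 # Luhn fails
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, found = inspect_message(msg)
        print(f"{verdict:5s} {found} <- {msg}")
```

The second message is the point of the Luhn step: the 16-digit order number matches the pattern but fails the checksum and is ignored, while the dash-separated tracking "number" is a valid PAN and triggers a block. Alerts carry only the masked value, so the DLP log does not itself become a place card numbers leak from.
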
37
Q

Three cloud service models (ways to deliver cloud computing)

A

Platform as a service
Software as a service
Infrastructure as a service

38
Q

PaaS

A

Platform as a service or cloud platform services

The vendor supplies the runtime platform (OS, middleware, tooling) on which customers build and run their own applications

39
Q

SaaS

A

Software as a service

Applications are hosted and run by the provider and accessed remotely over the web

40
Q

IaaS

A

Infrastructure as a service

Uses virtualization to supply compute, storage and network resources; clients pay the cloud service provider for the resources used and manage everything from the operating system up

41
Q

3 Risk related issues associated with cloud computing

A

Regulatory compliance
User privileges
Data integration/segregation

42
Q

2 risks associated with virtualization

A

Breaking out of the virtual machine (VM escape) to reach the hypervisor or other guests

Intermingling network and security controls, e.g. guests of different sensitivity sharing the same host and virtual network

43
Q

Policies

A

Provide the people in the organization with guidance about their expected behavior

44
Q

5 key areas of a good policy

A
Scope statement
Policy overview statement
Policy statement
Accountability statement
Exception statement
45
Q

Scope statement

A

Outlines what the policy intends to accomplish and which documents, laws, and practices the policy addresses

46
Q

Policy overview statement

A

Provides the goal of the policy, why it's important, and why to comply with it

47
Q

Policy statement

A

Substance of the policy

48
Q

Accountability statement

A

Should address who is responsible for ensuring that the policy is enforced

49
Q

Exception statement

A

Provides specific guidance about the procedure or process that must be followed in order to deviate from the policy

50
Q

Standard

A

Deals with specific issues or aspects of the business, defining the mandatory requirements that put a policy into practice

51
Q

Five key aspects of standards documents

A
Scope and purpose
Roles and responsibilities
Reference documents
Performance criteria
Maintenance and administrative requirements
52
Q

Scope and purpose

A

Should explain or describe the intention

53
Q

Roles and responsibilities

A

Outlines who is responsible for implementing, monitoring, and maintaining the standard

54
Q

Reference documents

A

Explains how the standard relates to the organization's different policies, thereby connecting the standard to the underlying policies that have been put in place

55
Q

Performance criteria

A

Outlines how to accomplish the task

56
Q

Maintenance and administrative requirements

A

Outlines what is required to manage and administer the systems or networks

57
Q

Audit

A

An independent evaluation of whether the organization meets its stated requirements (policies, standards, regulations)

58
Q

Guidelines

A

Help an organization implement or maintain standards by providing information on how to accomplish the policies and standards

59
Q

Four minimum contents of a good guideline document

A

Scope and purpose
Roles and responsibilities
Guideline statement
Operational considerations

60
Q

Scope and purpose of the guideline document

A

Provides an overview and statement of the guidelines intent

61
Q

Roles and responsibilities

A

Identifies which individuals or departments are responsible for accomplishing specific tasks

62
Q

Guidelines statement

A

Provides the step-by-step instructions or procedures for accomplishing a task in a specific manner

63
Q

Operational considerations

A

Specifies and identifies what duties are required and at what intervals

64
Q

BPAs

A

Business partner agreement

Outline responsibilities and obligations between business partners

65
Q

MOU and MOA

A

Memorandum of understanding and memorandum of agreement

Define the terms and conditions for securely sharing data and information resources

66
Q

ISA

A

Interconnection security agreement

Documents the technical and security requirements for establishing, operating, and maintaining the interconnection

67
Q

Personnel policies

A
Mandatory vacations
Job rotation
Separation of duties
Clean desk
Background checks
Nondisclosure agreements
Onboarding
Continuing education
Exit interviews
Role based training
Acceptable use policies (AUP)
Adverse actions
General security policies
68
Q

Three control types

A

Management
Operational
Technical

69
Q

Management controls

A

Risk assessment
Planning
System and services acquisition
Certification, accreditation, and security assessment

70
Q

Operational controls

A
Personnel security
Physical and environmental protection
Contingency planning
Configuration management
Maintenance
System and information integrity
Media protection
Incident response
Awareness and training
71
Q

Technical controls

A

Identification and authentication
Access control
Audit and accountability
System and communication protection

72
Q

BIA

A

Business impact analysis

The process of evaluating all of the critical systems in an organization to define impact and recovery plans

73
Q

Four key components of a business impact analysis

A

Identifying critical functions
Prioritizing critical functions
Calculating a timeframe for critical systems loss
Estimating the tangible and intangible impact

74
Q

Resiliency and automation measures that help an organization prepare for an emergency

A
Automation/scripting
Frameworks and templates
Master image
Non-persistence
Elasticity
Scalability
Distributive allocation
High availability
Planning for resiliency
Redundancy
Fault tolerance
RAID
75
Q

Non-persistent image

A

A system image whose changes exist only in random access memory or are discarded on reboot, so the machine returns to a known-good persistent (frozen) baseline each time it restarts

76
Q

Elasticity

A

The ability to scale resources up, and back down, dynamically as demand changes (scalability is the capacity to grow; elasticity is doing so automatically in both directions)

77
Q

Distributive allocation

A

Load balancing

78
Q

HA

A

High availability

The measures, such as redundancy, failover, and mirroring, used to keep services and systems operational during an outage