Chapter 1: Managing Risk

Question 1

Three types of threats

Answer 1

Environmental
Manmade
Internal vs external

Question 2

Environmental threat

Describe!

Answer 2

Threats caused by environment (ie fire, flood, lightning, etc)

Question 3

Manmade threats

Answer 3

Threats caused by people (ie hackers, viruses)

Question 4

Internal threat

Answer 4

Threat by personnel within the company

Question 5

External threat

Answer 5

Threat by personnel outside the company

Question 6

Risk register

Answer 6

Scatter plot of possible problem areas

Question 7

Vulnerability

Answer 7

Weakness that could be exploited by a threat

Question 8

Risk assessment process

Answer 8

Risks to the organization
Risks worth addressing
Coordination with business impact analysis

Question 9

ALE

Answer 9

Annual loss expectancy: monetary measure of expected loss per year

Question 10

BIA

Answer 10

Business impact analysis

Question 11

SLE

Answer 11

Single loss expectancy: monetary measure of expected loss at a single time

Question 12

AV

Answer 12

Asset value

Question 13

EF

Answer 13

Exposure factor: percentage of item threatened

Question 14

Single loss expectancy can be divided into:

Answer 14

Asset value and exposure factor

Question 15

ARO

Answer 15

Annualized rate of occurrence: likelihood of an event occurring within a year

Question 16

Risk assessment formula

Answer 16

SLE x ARO = ALE

Question 17

NIST

Answer 17

National institute of standards and technology

Question 18

Appendix G of NIST pub 800-30

Answer 18

Assessment scale for likelihood of threat event initiation

Question 19

NIST pub 800-30 assessment scale qualitative, semi-quantitative, and description

Answer 19

Very high 10 adversary is almost certain to initiate threat event

High 8 adversary is highly likely to initiate threat event

Moderate 5 adversary is somewhat likely

Low 2 adversary is unlikely

Very low 0 adversary is highly unlikely

Question 20

Supply chain assessment

Answer 20

Used to look at vendors your organization works with strategically and the potential risks they introduce

Question 21

Threat vectors

Answer 21

The way in which an attacker poses a threat

Question 22

MTBF

Answer 22

Mean time between failures

The measure of the anticipated incidence of failure for a system or component

Question 23

MTTF

Answer 23

Mean time to failure

The average amount of time to failure for a non repairable system

Question 24

MTTR

Answer 24

Mean time to restore

The measurement of how long it takes to repair a system or component once failure occurs

Question 25

RTO

Answer 25

Recovery time objective

Maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable

Question 26

RPO

Answer 26

Recovery point objective

Defines the point at which the system needs to be restored

Question 27

PIA

Answer 27

Privacy impact assessment

Identifies the adverse impacts that can be associated with the destruction, corruption, or loss of accountability data for the organization; used in conjunction with a business impact analysis

Question 28

PTA

Answer 28

Privacy threshold assessment

The compliance tool used in conjunction with the privacy impact assessment

Question 29

Types of testing that can help identify risks

Answer 29

Penetration testing

Vulnerability testing

Question 30

7 Key measures to prevent unanticipated threats

Answer 30

Likelihood
Threat vector
Mean time between failures
Mean time to failure
Mean time to restore
Recovery time objective
Recovery point objective

Question 31

Four possible responses to a risk once identified

Answer 31

Risk avoidance
Risk transference
Risk mitigation
Risk acceptance

Question 32

Risk avoidance

Answer 32

Identifying a risk and making the decision not to engage any longer in the actions associated with that risk

Question 33

Risk transference

Answer 33

Share some of the burden of the risk with someone else

Question 34

Risk mitigation

Answer 34

Taking steps to reduce the risk

Question 35

Risk acceptance

Answer 35

The choice that you make when the cost of implementing any of the other responses exceeds the value of the harm that would occur if the risk came to fruition

Question 36

DLP

Answer 36

Data loss prevention

Monitors the contents of systems to make sure that key content is not deleted or removed; also monitors the usage and transmission of data

Question 37

Three ways to implement cloud computing

Answer 37

Platform as a service
Software as a service
Infrastructure as a service

Question 38

PaaS

Answer 38

Platform as a service or cloud platform services

Vendors allow apps to be created and run on their infrastructure

Question 39

SaaS

Answer 39

Software as a service

Applications are remotely run over the web

Question 40

IaaS

Answer 40

Infrastructure as a service

Utilizes virtualization and clients pay a cloud service provider for resources used

Question 41

3 Risk related issues associated with cloud computing

Answer 41

Regulatory compliance
User privileges
Data integration/segregation

Question 42

2 risks associated with virtualization

Answer 42

Breaking out of the virtual machine

Intermingling network and security controls

Question 43

Policies

Answer 43

Provide the people in the organization with guidance about their expected behavior

Question 44

5 key areas of a good policy

Answer 44

Scope statement
Policy overview statement
Policy statement
Accountability statement
Exception statement

Question 45

Scope statement

Answer 45

Outlines what the policy intends to accomplish and which documents, laws, and practices the policy addresses

Question 46

Policy overview statement

Answer 46

Provides the goal of the policy why it’s important and why to comply with it

Question 47

Policy statement

Answer 47

Substance of the policy

Question 48

Accountability statement

Answer 48

Should address who is responsible for ensuring that the policy is enforced

Question 49

Exception statement

Answer 49

Provides specific guidance about the procedure or process that must be followed in order to deviate from the policy

Question 50

Standard

Answer 50

Deals with the specific issues or aspects of the business

Question 51

Five key aspects of standards documents

Answer 51

Scope and purpose
Roles and responsibilities
Reference documents
Performance criteria
Maintenance and administrative requirements

Question 52

Scope and purpose

Answer 52

Should explain or describe the intention

Question 53

Roles and responsibilities

Answer 53

Outlines who is responsible for implementing, monitoring, and maintaining the standard

Question 54

Reference documents

Answer 54

Explains how the standard relates to the organizations different policies, thereby connecting the standard to the underlying policy’s that have been put in place

Question 55

Performance criteria

Answer 55

Outlines how to accomplish the task

Question 56

Maintenance and administrative requirements

Answer 56

Outlines what is required to manage and administer the systems or networks

Question 57

Audit

Answer 57

Evaluation of requirements

Question 58

Guidelines

Answer 58

Help an organization implement or maintain standards by providing information on how to accomplish the policies and standards

Question 59

Four minimum contents of a good guideline document

Answer 59

Scope and purpose
Roles and responsibilities
Guideline statement
Operational considerations

Question 60

Scope and purpose of the guideline document

Answer 60

Provides an overview and statement of the guidelines intent

Question 61

Roles and responsibilities

Answer 61

Identifies which individuals or departments are responsible for accomplishing a specific tasks

Question 62

Guidelines statement

Answer 62

Provide the step by step instructions procedures on how to accomplish a task in specific manner

Question 63

Operational considerations

Answer 63

Specifying and identify what duties are required and at what intervals

Question 64

BPAs

Answer 64

Business partner agreement

Outline responsibilities and obligations between business partners

Question 65

MOU and MOA

Answer 65

Memorandum of understanding and memorandum of agreement

Defined the terms and conditions for security sharing data and information resources

Question 66

ISA

Answer 66

Interconnection security agreement

Documents the technical and security requirements for establishing, operating, and maintaining the interconnection

Question 67

Personnel policies

Answer 67

Mandatory vacations
Job rotation
Separation of duties
Clean desk
Background checks
Nondisclosure agreements
Onboarding
Continuing education
Exit interviews
Role based training
Acceptable use policies (AUP)
Adverse actions
General security policies

Question 68

Three control types

Answer 68

Management
Operational
Technical

Question 69

Management controls

Answer 69

Risk assessment
Planning
System and services acquisition
Certification, accreditation, and security assessment

Question 70

Operational controls

Answer 70

Personnel security
Physical and environmental protection
Contingency planning
Configuration management
Maintenance
System and information integrity
Media protection
Incident response
Awareness and training

Question 71

Technical controls

Answer 71

Identification and authentication
Access control
Audit and accountability
System and communication protection

Question 72

BIA

Answer 72

Business impact analysis

The process of evaluating all of the critical systems in an organization to define impact and recovery plans

Question 73

Four key components of a business impact analysis

Answer 73

Identifying critical functions
Prioritizing critical functions
Calculating a timeframe for critical systems loss
Estimating the tangible and intangible impact

Question 74

Possible plans to prepare for emergency

Answer 74

Automation/scripting
Frameworks and templates
Master image
Non-persistence
Elasticity
Scalability
Distributive allocation
High availability
Planning for resiliency
Redundancy
Fault tolerance
RAID

Question 75

Non-persistent image

Answer 75

Image that can only exist in Random access memory or be changes that are over written on a reboot by a persistent or frozen image

Question 76

Elasticity

Answer 76

The ability to scale up resources as needed

Question 77

Distributive allocation

Answer 77

Load balancing

Question 78

HA

Answer 78

Hi availability

The measures, such as redundancy, failover, and mirroring, used to keep services and systems operational during an outage