Chapter 1 - Measuring and Weighing Risk Flashcards

1
Q

Rene

What is the Risk Calculator?

A

page 5.
SLE x ARO = ALE => (AV x EF) x ARO = ALE
ALE = Annual Loss Expectancy, measures how much loss you could expect in a year.
ARO = Annualized Rate of Occurrence
SLE = Single Loss Expectancy, represents how much you expect to lose at any one time.
AV = Asset Value
EF = Exposure Factor

2
Q

What are Threat Vectors?

A

page 8.
The way in which an attacker poses a threat.
Can be anything from a fake email that lures you into clicking (phishing) to an unsecured hotspot.

3
Q

What is the measure of the anticipated incidence of failures for a system or component?

A

page 8

Mean Time Between Failures (MTBF)

4
Q

What is Risk Assessment?

A

page 3
Deals with the threats, vulnerabilities and impacts of a loss of information-processing capabilities or a loss of information itself.

5
Q

What is the best way to explain quantitative and qualitative?

A

page 7
Quantitative - think of the goal as determining a dollar amount

Qualitative - think of a best guess or opinion of the loss, including reputation, goodwill and irreplaceable information, pictures or data that get you to a subjective loss amount.

6
Q

What is the average time to failure for a non-repairable system?

A

page 8

Mean Time to Failure (MTTF)

7
Q

What involves identifying a risk and making the decision to no longer engage in the actions associated with that risk?

A

page 9

Risk Avoidance

8
Q

What is the maximum amount of time that a process or service is allowed to be down and the consequences still be considered acceptable?

A

page 9

Recovery Time Objective (RTO)

9
Q

What does not imply shifting the risk completely to another entity?

A

page 9
Risk Transference
The burden of the risk is shared with someone else, such as an insurance company.

10
Q

What is similar to RTO, but it defines the point at which the system needs to be restored?

A

page 9

Recovery Point Objective (RPO)

11
Q

How is Risk Mitigation Achieved?

A
page 9
Anytime you take steps to reduce risk.
* antivirus software
* educating users
* monitoring network traffic
* adding firewall
12
Q

What is the measure of how long it takes to repair a system or component once a failure occurs?

A

page 8

Mean Time to Restore (MTTR)

13
Q

What can be achieved by posting prosecution policies on your login pages and convincing intruders that you have steps in place to identify intrusions and act on them?

A

page 10

Risk Deterrence

14
Q

When you choose not to implement any risk prevention because of the cost, and instead accept the potential costs or damage.

A

page 10

Risk Acceptance

15
Q

What is cloud computing and examples?

A

page 17
Hosts services and data on the Internet instead of hosting it locally.

Office 365, Google Docs

Google Drive, Sky Drive, Amazon Web Services

16
Q

What is IaaS?

A

page 17
Infrastructure as a Service
* utilizes virtualization; clients pay an outsourcer for the resources used
* closely resembles the traditional utility model used by electric, gas and water providers
* GoGrid is a well-known example

17
Q

What is SaaS?

A

page 17
Software as a Service
* applications are run remotely over the Web; big advantage: no HW required
* best-known model of this type is Salesforce.com

18
Q

What is PaaS?

A

page 17
Platform as a Service
* AKA cloud platform services
* vendors allow apps to be created and run on their infrastructure
* two well known models are Amazon Web Services and Google Code

19
Q

What defines what controls are required to implement and maintain the sanctity of data privacy in the work environment?

A

page 24
Privacy Policies
Think of the privacy policy as a legal document that outlines how collected data is secured.

20
Q

What describes how the employees in an organization can use company systems and resources, both SW and HW?

A

page 24
Acceptable Use Policies, AKA “use policy”
* when portable devices are plugged directly into a PC, they bypass security measures (such as Firewalls) and allow data to be copied in what is known as “pod slurping”
* this can also be done if employees start using free cloud drives instead

21
Q

What are Security Policies?

A

page 25

They define what controls are required to implement and maintain the security of systems, users and networks.

22
Q

What policy requires all users to take time away from work to refresh?

A

page 25

Mandatory Vacation

23
Q

What is BIA?

A

page 29
Business Impact Analysis
Process of evaluating all the critical systems in an organization to define impact and recovery plans

24
Q

What refers to the measures used to keep services operational during an outage?

A

page 32

High Availability

25
Q

What refers to systems that either are duplicated or “fail over” to other systems in event of a malfunction?

A

page 32

Redundancy