Chapter 1 - Measuring & Weighing Risk

Question 1

What is a vulnerability?

1-3

Answer 1

a weakness that could be exploited by a threat

Question 2

Give the formula for “impact” and explain the terms in the formula.

1-5

Answer 2

SLE x ARO = ALE
(AV x EF) x ARO = ALE

SLE - single loss expectancy, determined by multiplying the asset value by the exposure factor
ARO - annualized rate of occurrence
ALE - annual loss expectancy
EF - exposure factor)

Question 3

True or False

SLE, ALE, and ARO are all quantitative.

1-7

Answer 3

True. All number based.

Question 4

What is a threat vector?

1-8

Answer 4

a tool or path an attacker uses to pose a threat

Question 5

What is MTBF?

1-8

Answer 5

Mean Time Between Failures. Basically it tells you the lifespan of the device.

Question 6

What is MTTF?

1-8

Answer 6

Mean Time To Failure. Tells you average time to failure for a nonrepairable system.

Question 7

What is MTTR?

1-8

Answer 7

Mean Time To Restore. Tells you how long it will take to repair a system.

Question 8

What is RTO?

1-9

Answer 8

Recovery Time Objective. This tells you how much time you’re allotted to use for restoring the system.

Question 9

What is RPO?

1-9

Answer 9

Recovery Point Objective. This is the point in time at which the system was last operational and therefore what you need to restore it to.

Question 10

Contrast Risk Avoidance, Transference, Mitigation, Deterrence, and Acceptance.

1-9,10

Answer 10

Avoidance-stop doing the stuff that causes the risk.
Transference-share the risk
Mitigation-lower the risk
Deterrence-tell the risk creator “if you do this to me, I’ll do this to you.”
Acceptance-live with the risk and don’t do anything about it because its the cheaper alternative.

Question 11

Explain PaaS, Saas, IaaS.

Tell me 2 risks associated with virtualization.

1-17,18,19

Answer 11

platform as a service
software as a service
infrastructure as a service

breaking out of the virtual machine
network and security controls can intermingle

Question 12

What is Hypervisor?

1-19

Answer 12

the software that allows virtual machines to exist

Question 13

What is the Scope Statement?

What is the Accountability Statement?

1-19

Answer 13

outlines what the policy intends to accomplish

who is responsible for ensuring that a problem gets dealt with

Question 14

5 Key Aspects of Standards Documents

1-21,22

Answer 14

Scope and Purpose
Roles and Responsibilities
Reference Documents
Performance Criteria
Maintenance and Administrative Requirements

Question 15

How are guidelines different from standards?

1-22

Answer 15

Guidelines tell you HOW to enforce standards.

Question 16

Tell me the 3 ways guidelines help an organization.

1-22

Answer 16

provide memory refreshment on how processes and routines are carried out
reduce the learning curve
help in a crisis or high-stress situation

Question 17

What is “separation of duties” for?

1-23

Answer 17

to reduce the risk of fraud

Question 18

What is collusion?

What is Pod slurping?

Least Privelage equals what?

1-23,26

Answer 18

agreement established for purposes of deception

using a portable device to bypass security to get a copy of data

minimum permissions

Question 19

What’s one of the best ways to address business continuity?

1-28

Answer 19

do a BIA and implement best practices

Question 20

What is BIA?

1-29

Answer 20

Business Impact Analysis, is the process of evaluating all of the critical systems in the organization to define impact and recovery plans

Question 21

A thorough BIA will accomplish what 3 things?

1-29

Answer 21

the true impact and damage that an outage can cause will be visible

understanding the true loss potential may help you in a fight for budget

process will document which business processes are being used, the impact they have, and how to restore them quickly

Question 22

What’s the best way to remove a Single Point of Failure?

1-30

Answer 22

add redundancy

Question 23

What is High Availability?

What is Redundancy?

What is clustering?

1-32

Answer 23

measures used to keep services and systems operational during an outage

systems that fail over to other systems

multiple systems connected together cooperatively (provides load balancing)

Question 24

Fault Tolerance = ?

1-33

Answer 24

the ability of a system to sustain operations in the event of a component failure

Question 25

What are the 4 types of RAID?

1-34

Answer 25

0 - disk striping
1 - disk mirroring
3 - disk striping with parity disk
5 - disk striping with parity

Question 26

Disaster Recovery = ?

1-36

Answer 26

the ability to recover systems after a disaster

Question 27

What is a backup?

1-36

Answer 27

duplicate copy of key information

Question 28

Give 3 examples of key paper records that should be archived.

1-37

Answer 28

Board Resolutions
Critical Contracts
Tax Records

Question 29

Give 4 examples of critical files that should be backed up.

1-38

Answer 29

Audit files
Database files
Transaction files
User files

Question 30

Tabletop Exercise = ?

1-39

Answer 30

individuals sitting at a table discussing how to deal with situations that could arise

Question 31

A good policy design includes what 4 things?

1-39

Answer 31

scope statements
overview statements
accountability expectations
exceptions