Chapter 1 Risk Management Flashcards
An item of value to an institution, such as data, hardware, software, or physical property. An asset is an item or collection of items that has a quantitative (numeric) or qualitative (subjective) value to a company.
Asset
The probability or likelihood of the occurrence or realization of a threat.
Risk
A weakness in hardware, software, or components that may be exploited in order for a threat to destroy, damage, or compromise an asset.
Vulnerability
Any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise to an IT asset or data asset.
Threat
Probability of occurrence or the odds that the event will actually occur.
Likelihood of Threat
Driving force behind the activity.
Motivation
What are some common motivations of risk activities such as hacking?
prestige, money, fame, and challenge
What are some examples of Internal Risk?
- disgruntled employee
- failed hard drive
What are some examples of External Risk?
- Natural disasters such as floods
- Person-made events such as strikes and protests
Internal or external cause of risk
Risk Source
Events over which we have no control, such as bad weather (hurricanes, snowstorms, tornadoes), fires, floods, earthquakes, and tsunamis, but could also include global events like pandemics.
Natural Disaster
All forms of damaging programs, such as viruses, worms, Trojans, keyloggers, and so forth. This software is distinguishable in that it is developed to damage, alter, expose, or destroy a system or data. For example, viruses are executable programs that can replicate and attach to and infect other executable objects. Some viruses also perform destructive or discreet activities (payload) after replication and infection are accomplished.
Malicious Code
Instigated by a trusted insider or an untrusted outsider. Intruders, vandals, and thieves remove sensitive information, destroy data, or physically damage or remove hardware such as hard drives and mobile devices.
Breach of Physical Security
Stolen, lost, damaged, or modified data. Loss or damage to an organization’s data can be a critical threat if there are no backups or external archiving of the data as part of the organization’s data recovery and business continuity plan. Also, if the compromised data is of a confidential nature, this can also be a critical threat to the organization, depending on the potential damage that can arise from this compromise.
Hacker Attack
Attack on a network or web-based system designed to bring down the network or prevent access to a particular device by flooding it with useless traffic. Can be launched in several ways. What was done manually with simple tools before is now automated and coordinated on a massive scale with multiple systems.
Distributed Denial of Service (DDoS) Attack
When attackers use computers, Internet communications, and other cyber tools to penetrate and disrupt critical national infrastructures such as water, electric, and gas plants; oil and gasoline refineries; nuclear power plants; waste management plants; and so on.
Cyberterrorism
Identify weaknesses and gaps in the deployment of controls and to identify more accurately what areas require the highest level of protection.
Risk Assessment
Process of identifying all of the organization’s assets.
Asset Identification
What are the two types of assets?
Tangible and Intangible
What are some types of tangible assets?
Documentation, Data, Hardware, Software
What are some types of intangible assets?
Reputation, Services, Knowledge
What are the 5 aspects of the Risk Assessment Process?
- Asset Identification
- Information Classification
- Risk Assessment
- Risk Analysis
- Implementing Controls
What is the CIA Security Triad?
Confidentiality, Integrity, and Availability
Strengthens the organization in many ways. Labeling information secret or strictly confidential helps employees see the value of the information and give it a higher standard of care.
Information Classification
Specifies how employees are to handle specific information. For example, company policy might state, “All sensitive documents must be removed from the employee’s desk when leaving work. We support a clean desk policy.”
Information Classification
What are the two widely used classification systems?
Government Classification System and Commercial Classification System
Which aspect of the CIA Triad does the Government Classification System focus on?
Confidentiality
Which aspect of the CIA Triad does the Commercial Classification System focus on?
Integrity
What are the four categories of the Government Classification System?
Unclassified, Confidential, Secret, and Top Secret
Which Governmental Information Classification, if disclosed, would cause grave damage to national security?
Top Secret
Which Governmental Information Classification, if disclosed, would be expected to cause serious damage to national security?
Secret
Which Governmental Information Classification, if disclosed, could cause damage to national security and should be safeguarded against?
Confidential
Which Governmental Information Classification does not have sensitive information and need not be protected unless For Official Use Only (FOUO) is appended to the classification?
Unclassified
Information that would not normally cause damage, but over time FOUO information could be compiled to deduce information of a higher classification.
Unclassified Information
Which Commercial Information Classification has the most sensitive rating?
Confidential
Which Commercial Information Classification includes the information that keeps a company competitive?
Confidential
Which Commercial Information Classification includes information that is for internal use only, but whose release or alteration could seriously affect or damage a corporation?
Confidential
Which Governmental Information Classification includes information that requires the highest level of control?
Top Secret
Which Governmental Information Classification includes information that may divulge significant scientific, technological, operational, and logistical as well as many other developments?
Secret
Which Commercial Information Classification includes restricted information that is considered personal in nature and might include medical records or human resource information?
Private
Which Commercial Information Classification includes information that requires controls to prevent its release to unauthorized parties, where damage could result from its loss of confidentiality or its loss of integrity?
Sensitive
Which Commercial Information Classification includes information that, if disclosed, could result in damage to the company due to loss of confidentiality or loss of integrity?
Sensitive
Which Commercial Information Classification includes information similar to unclassified information in that its disclosure or release would cause no damage to the corporation?
Public
Step of the Risk Assessment Process where potential risks and threats are identified and their impact determined.
Risk Assessment
Responsible for identifying and analyzing risks. Its members should consist of managers and employees from across the company.
Risk Management Team
What are the two techniques of Risk Analysis?
Quantitative and Qualitative
Method of the Risk Assessment Process that assigns a cost (monetary value) to the elements of risk assessment and the assets and threats of a risk analysis.
Quantitative
Method of the Risk Assessment Process that ranks threats by nonmonetary value and is based on scenario, intuition, and experience.
Qualitative
What are the two most widely used Quantitative Risk Assessment formulas?
- SLE = AV x EF
- ALE = ARO x SLE
What does SLE stand for in the SLE = AV x EF formula?
Single Loss Expectancy
What does AV stand for in the SLE = AV x EF formula?
Asset Value
What does EF stand for in the SLE = AV x EF formula?
Exposure Factor
What does ALE stand for in the ALE = ARO x SLE formula?
Annualized Loss Expectancy
What does ARO stand for in the ALE = ARO x SLE formula?
Annualized Rate of Occurrence
What does SLE stand for in the ALE = ARO x SLE formula?
Single Loss Expectancy
What are some examples of the resulting loss of a threat or vulnerability?
- Financial loss
- Danger or injury to staff, clients, or customers
- Breach of confidence or violation of law
- Exposure of confidential information
- Theft of equipment, hardware, or software
What are the quantifiable steps to calculate a loss?
- Determine the asset value (AV) for each information asset.
- Identify threats to the asset.
- Determine the exposure factor (EF) for each information asset in relation to each threat.
- Calculate the single loss expectancy (SLE).
- Calculate the annualized rate of occurrence (ARO).
- Calculate the annualized loss expectancy (ALE).
What is the strength of a quantitative risk assessment?
It assigns dollar values and dollar values are easy to understand.
What is the primary disadvantage of a quantitative risk assessment?
Because it is dollar-based, the team must attempt to compute a dollar value for all elements, which can be time consuming.
Type of risk assessment that is scenario-based and does not attempt to assign dollar values to the components of the risk analysis.
Qualitative
Risk assessment method that ranks the potential of a threat and sensitivity of assets by grade or scale such as low, medium, or high.
Qualitative
Potential impact level assigned for risks that are a minor inconvenience.
Low
Potential impact level assigned for risks that can result in damage to an organization, cost a moderate amount of money to repair, and result in negative publicity.
Medium
Potential impact level assigned for risks that will result in a loss of goodwill between the company and client or employee.
High
Potential impact level assigned for risks that may result in a large legal action or fine or cause the company to lose significant revenue or earnings.
High
Potential impact level assigned for risks that can be tolerated for a short period of time but will not result in financial loss.
Low
What is a disadvantage of Qualitative Risk Assessments?
It does not provide cost values.
What are some examples of Qualitative assessment techniques?
ISAM, Delphi, and FRAP
What does ISAM stand for?
INFOSEC Assessment Methodology
Provides nongovernment organizations with the ability to complete a qualitative assessment that ranks assets as critical, high, medium, or low and to determine the impact based on CIA.
ISAM or INFOSEC Assessment Methodology
Group assessment process that allows individuals to contribute anonymous opinions and is often used to forecast the likelihood and outcomes of different types of events.
Delphi Technique
What does FRAP stand for?
Facilitated Risk Assessment Process
Subjective process that obtains results by asking a series of questions. It is designed to be completed in a matter of hours, making it a quick process to perform.
FRAP or Facilitated Risk Assessment Process
What are the two assessment techniques used to study failures?
- Failure modes and effects analysis (FMEA)
- Failure mode, effects, and criticality analysis (FMECA)
What does FMEA stand for?
failure modes and effects analysis (FMEA)
What does FMECA stand for?
failure mode, effects, and criticality analysis (FMECA)
What is the next step after a quantitative or qualitative risk assessment is complete?
Make a risk determination and decide which security controls should be applied.
What is an assessment technique that can assist with examining loss and impact?
Risk Ranking using Aggregate Score
The total amount of risk the company is willing to accept.
Risk Appetite
Which alternative for handling potential risk eliminates the risk, withdraws from the practice, or does not become involved? This may be a viable option; there may also be an opportunity cost associated with avoiding the activity.
Avoid
Which alternative for handling potential risk means that the risk is understood and has been evaluated? Senior management has made the decision that the benefits of moving forward outweigh the risk. If those in charge have not been provided with good data on risk or have made invalid assumptions, poor choices may be made. This can give rise to disasters with global impact (BP, Fukushima, Chernobyl, Challenger, and so on).
Accept
Which alternative for handling potential risk deflects it to a third party? For example, insurance is obtained. Instead of managing the risk directly, the organization incurs an ongoing continual cost from that third party.
Transfer
Which alternative for handling potential risk uses a control to reduce the risk? For example, installing a firewall is one method by which risk can be mitigated.
Mitigate
The risk that remains after your organization has taken proper precautions and implemented appropriate controls.
Residual Risk
Recognizes the areas where you are not compliant in regard to laws, policies, or regulations.
Risk Exception
Having some process, policy, or system in place that discourages others from exploiting a vulnerability that, if exploited, would realize the risk.
Risk Deterrence
What does AATM stand for?
Avoid, Accept, Transfer, Mitigate
What is the next step of the Risk Assessment Process after a decision has been made on how to handle identified risk?
Implement Controls
What document drives the process of Implementing Controls?
Risk Assessment Report
What is contained in the Risk Assessment Report?
Findings, information, assessments, and recommendations
What are the three types of security controls?
Physical, Technical, and Operational
What type of security control includes locks, fences, CCTV, lights, gates, and guards?
Physical
What types of security controls include encryption, VPNs, security protocols (IPsec, SSL, TLS, and so on), VLANs, firewalls, and IDSs and are based on CIA requirements and organizational policies?
Technical
What type of security control includes hiring practices, security awareness training, employment practices, termination practices, business continuity, and disaster testing and training?
Operational
What are some of the purposes that security controls serve?
Prevention, deterrence, correction, mitigation
What is the purpose of implementing controls?
Address identified risks, threats, and vulnerabilities.
What report is used to determine which controls are needed and to establish the total cost of an asset or countermeasure?
Total Cost of Ownership (TCO) Report
What types of costs are included in the TCO Report?
Purchase price, maintenance fees, updates, insurance, etc. All costs are included.
Used to verify that the employee has a clean background and that any negative history is uncovered before employment.
Background Check
Act of verifying someone’s educational background.
Education Verification
Defines what employees, contractors, and third parties are authorized to do on the organization’s IT infrastructure and its assets.
Acceptable Use Policy (AUP)
Contract that establishes confidentiality between two parties—the owner of the information and the recipient of that information.
Non-disclosure Agreement (NDA)
What issues does an employee handbook address?
- Security practices, policies, and procedures
- Paid holiday and vacation policy
- Work schedule and overtime policy
- Moonlighting and outside employment
- Employee evaluations
- Disaster response and emergency procedures
- Disciplinary procedures for noncompliance
Just because an employee is cleared to access a particular file, document, or physical location, this doesn’t mean that they should be able to do so.
The principle of least privilege
What are some common employee controls?
- Mandatory Vacations
- Job Rotation
- Dual Control
- Separation of Duties
- Least Privilege
Which employee control uncovers misuse and gives the organization time to audit the employee while they are not at work?
Mandatory Vacations
Which employee control rotates employees to new areas of assignment?
Job Rotation
What are the benefits of Job Rotation?
- Helps ensure backup if an employee is not available.
- Reduces fraud or misuse by providing the company with a means of moving people to prevent an individual from having too much control over an area.
Where is the Mandatory Vacation control most widely used?
Financial firms or applied to job roles where money is handled.
Which employee control requires employees to work together to complete critical actions, thereby forcing employees who are planning anything illegal to collude with others? A common example is that of a combination or code for a safe. Two employees are required to open it successfully.
Dual Control
Which employee control is closely related to Dual Control, where an activity, such as cryptographic recovery, is divided up among several individuals so that no one person acting alone can perform the entire key recovery process?
M of N Concept
Which employee control limits what one employee can do? For example, one employee may be able to write a check, but another must approve it.
Separation of Duties
Which employee control restricts the employee’s access to only what is needed to do the job and nothing more? This control is closely related to need to know.
Least Privilege
What are some common training methods?
- Apprenticeship programs
- Classroom training
- Continuing education programs
- Degree programs
- In-house training
- On-the-job training
- Vendor training
Technique used to determine whether a planned action is or is not acceptable.
Cost-benefit Analysis
Which common cost-benefit analysis measure is calculated by dividing net profits by total assets?
Return on Investment (ROI)
Maintaining control over your inventory, which must be identified, managed, and continually monitored to derive a reliable return on investment.
Asset Management
Determines how much time will lapse before accrued benefits will overtake accrued and continuing costs.
Payback Analysis
What are the three steps of cost-benefit analysis?
- calculate costs
- calculate benefits
- compare the results
Purchase price of an asset plus the cost of operation; commonly overlooked when evaluating intangible benefits in a cost-benefit analysis.
Total Cost of Ownership (TCO)
What is included in the TCO?
purchase price, cost of operations (costs of environmental modifications, compatibility with other countermeasures, maintenance costs, testing costs, support contracts, etc.)
Allows organizations to evaluate the operating effectiveness of controls on or near a real-time basis.
Continuous Monitoring
What should continuous monitoring include?
- Configuration management
- Control processes
- Security impact analyses
- Assessment of selected security
- Security status reporting
- Active involvement of asset owners
What should continuous monitoring address?
- Reporting progress
- Addressing vulnerabilities
- Describing how the information system owner intends to address those vulnerabilities
Risks continuously reviewed, assessed, and monitored as new assets are identified.
Risk Management Lifecycle
Involved at nearly every step of the risk management process; contains each risk as it is identified, assessed, owned by someone, responded to, and ultimately reassessed and monitored.
Risk Register
Processes used to plan, allocate, and control information security resources; used for IT governance and include people, processes, and technologies.
Enterprise Security Architecture (ESA) Framework
What are two examples of Enterprise Security Architecture (ESA) Frameworks?
Enterprise Architecture (EA) and Sherwood Applied Business Security Architecture (SABSA)
ESA framework that is used by the federal government to ensure that business strategy and IT investments are aligned.
Enterprise Architecture (EA)
ESA framework that is a strategy based on an architectural viewpoint.
Sherwood Applied Business Security Architecture (SABSA)
What defined metrics are typically included in an ESA framework?
- Strategic alignment
- Effective risk management
- Value delivery
- Resource management
- Performance measurement
- Process assurance integration
What are some of the most popular ESA frameworks?
- FISMA risk management framework
- COSO Enterprise Risk Management Framework
- ISO 31000 for Risk Management
What is the Prudent Person Rule?
Legal principle that is used to restrict the choices of the financial manager of an account to the types of investments that a person seeking reasonable income and preservation of capital might buy for their own portfolio.
Defines a company’s primary goal.
Mission Statement
Formation of a plan for what to do should the business suffer an interruption.
Business Continuity Planning (BCP)
Formal process designed to identify mission-essential functions in an organization and facilitate the identification of the critical systems that support those functions that must be continued during an emergency.
Business Impact Analysis
Any event that has the potential to disrupt an organization’s business.
Disaster
Triggered by an event that has the potential to disrupt an organization’s business; identifies and prioritizes the risks posed to the facility by an internal or external disaster.
Disaster Recovery Plan
What are the two key concepts in business continuity planning?
Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
Set duration of time that a business can still function and process information after experiencing a significant interruption to its operations. That is the time that the business has to recover operations.
Recovery Point Objective (RPO)
Amount of actual time (duration) since the beginning of the interruption that is deemed tolerable before the interruption is considered intolerable to the business.
Recovery Time Objective (RTO)
Percentage measurement (0–100 percent) of how much computing power is needed. This is based on a percentage of the production system that you will need during an emergency.
Recovery Service Level (RSL)
The length of time between an interruption and the recovery from that interruption.
Mean Time to Recovery (MTTR)
Measure of the reliability of a system or component. It’s a crucial element of maintenance management, representing the average time that a system or component will operate before it fails.
Mean Time Between Failure (MTBF)
What are the four types of Disaster Recovery Sites?
Cold Site, Warm Site, Hot Site, Mobile Site
Cheapest Disaster Recovery Site, which will require the most time to get running. Likely initial steps involve opening boxes; equipment is available to set up, but even partial setup and configuration are not done.
Cold Site
Disaster Recovery site that is probably already running but still requires considerable effort to resume operations. Likely initial steps involve restoring backups; equipment is set up, configured, and ready to turn on.
Warm Site
Disaster Recovery site that requires minimal effort to resume operations. Likely initial steps involve ensuring minimal data loss since the disaster event took place, with equipment set up and running as a copy of the lost data center.
Hot Site
A Disaster Recovery site that can be moved or mobilized to a new location. Picture a truck trailer filled with equipment to mirror your data center.
Mobile Site
What are some methods to review and evaluate the effectiveness of existing security controls?
Gap Analysis, Audits, Vulnerability Assessments, and Ethical Hacking
Security control evaluation method that involves an examination of an area or environment designed to report the difference between “where we are” and “where we want to be.”
Gap Analysis
Security control evaluation method that is typically a review of a company’s technical, physical, and administrative controls.
Information Security Audit
Security control evaluation method that utilizes tools and scanners to provide information on vulnerabilities within a targeted application or system or an entire network.
Vulnerability Assessment Tools
How are vulnerabilities usually graded in a vulnerability assessment tool?
High, Medium, or Low
Security control evaluation method that is the process of looking at a network in the same way as an attacker would.
Ethical Hacking
What is the goal of the Ethical Hacker evaluation method?
Attempting to determine what the attacker can access and obtain, what an attacker can do with that information, and whether anyone would notice what the attacker is doing.
What is another name for Ethical Hacking?
Penetration Testing
What is the purpose of Lessons Learned?
Determine the effectiveness of processes, identify improvements, and provide insights and recommendations for when these processes are repeated.
Written contract that specifies the levels of service that will be provided by the vendor and what the customer can do if the vendor fails to meet the terms.
Service Level Agreement (SLA)
What is another name for Lessons Learned?
After Action Review
A method of measuring something, or the results obtained from this.
Metrics
Help an organization better measure important metrics such as scalability, availability, and reliability.
Key Performance Indicator (KPI)
Metrics that predict potential risks that can negatively impact businesses.
Key Risk Indicators (KRI)
Accomplishment of a given task measured against preset known standards of accuracy, completeness, cost, and speed.
Performance
One of the most well-known types of SLA; details the agreed-on amount of uptime. For example, they can be used for network services such as a WAN link or equipment like servers.
Uptime Agreements
The percentage of help-desk or response calls answered within a given time.
Time Service Factor
The number of callers who hang up while waiting for a service representative to answer.
Abandon Rate
The number of resolutions that are made on the first call and do not require the user to call back to the help desk to follow up or seek additional measures for resolution.
First Call Resolution
Delay; determines how long it takes an application to respond, or the amount of delay in a WAN network.
Latency
The ability of a program, application, or network to continue to function as scale, volume, or throughput is changed.
Scalability
The ability to meet or achieve a specific goal.
Capability
The extent to which a product can be used by specified users to achieve specified goals.
Usability
Must meet the criteria of usability to be viable and effective.
Security Requirements
Identify problems that demand finding a balance between different factors, such as the time and cost.
Trade-off Analysis
Defines the capability to restore systems to the exact point in time at which the failure occurred.
Recoverability
Usable through the expected time of use.
Maintainability
The functional state of a system; in the networking world, often simplified to uptime.
Availability
Total operating time divided by the number of failures
mean time between failure (MTBF)
The amount of time it takes to restore a system if and when a failure occurs.
mean time to recovery (MTTR)
First step in prevention; provides a planned approach to practice procedures, such as those drafted for disaster recovery.
Testing Plans
What are five types of Testing Plans?
Walk-through, Checklist, Tabletop Exercise, Parallel and Simulation Tests, and Full Interruption Test
Straightforward exercise where you manually perform and analyze the steps of disaster recovery without causing any real disruption.
Walk-through
The easiest form of testing; read through procedures and steps toward disaster recovery. Any glaring gaps or concerns are analyzed further.
Checklist
Raise situational awareness in the context of information security, foster discussion of incident response, demonstrate scenarios that are most likely to occur.
Tabletop Exercise
Simulates a disaster recovery by running through all the steps alongside the disaster recovery systems and processes.
Parallel Test
Going through all motions in the disaster recovery process but leaving production systems running.
Simulation Test
True test of confidence in disaster recovery planning. Production systems are temporarily taken offline once disaster recovery systems are set up and ready to assume the place of the shut-down systems.
Full Interruption Test
Audit conducted to improve an entity’s operations; monitors the operations of the organization regarding the improvement of effectiveness, control, governance processes, and risk management.
Internal Audit
Audit of the organization by an independent audit firm, which is not controlled by the organization that it is auditing.
External Audit
Why are external audits performed?
Statutory requirements to verify whether security controls, processes, and documentation are in accordance with acceptable standards and regulatory requirements.
Why are internal audits performed?
Provide an independent opinion and consultancy to senior management and those charged with governance.
You’ve been told there is a problem. Obtain a specific description of the problem.
Define the Problem
Ask yourself questions when something fails or is not working properly.
Gather the Facts
Think about all the possibilities for why something doesn’t work or why something is behaving in a certain way.
Brainstorm
Make a step-by-step list of the possibilities for testing. Test each possibility to see if it corrects the problem.
Implement
Think back to what you have done, and then document causes and solutions to the problem.
Evaluate
Risk assessment technique that is more subjective, not monetary-based, and uses descriptors such as critical, high, medium, and low.
Qualitative
Risk assessment technique that assigns and uses monetary values against known risks.
Quantitative
Provide the necessary information about an organization’s IT infrastructure and its assets’ current level of security so that the assessor can provide recommendations for increasing or enhancing that level of security.
Risk and Vulnerability Assessments
True or False: Conducting a Risk Assessment is difficult and prone to errors.
True
What should the cost of a control not exceed?
The value of the asset.
Threats coupled with vulnerabilities can lead to what?
Loss
True or False: Business continuity and DR plans must be practiced periodically.
True
Formalized approach to risk prioritization that lets an organization conduct reviews in a structured manner.
Risk Assessment
Process of applying controls to reduce the probability or impact of a risk.
Risk Mitigation