Chapter 2: Risk Management

Question 1

Risk management

Answer 1

process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level

Question 2

ISRM policy

Answer 2

information systems risk management policy; provides foundation/direction for the org’s security risk management processes and procedures and should address all issues of information security

Question 3

Threat

Answer 3

a potential cause of an unwanted incident, which may result in harm to a system or org

Question 4

Risk assessment methodology

Answer 4

NIST SP 800-30

Question 5

FRAP

Answer 5

Facilitated Risk Analysis Process

Question 6

OCTAVE

Answer 6

Operationally Critical Threat, Asset, and Vulnerability Evaluation

Question 7

FMEA

Answer 7

Failure Modes and Effect Analysis

Question 8

FMEA

Answer 8

Failure Modes and Effect Analysis; method for determining functions, identifying functional failures, and assessing the causes of failure and their effects through a structured process

Question 9

Fault tree analysis

Answer 9

a useful approach to detect failures which can take place within complex environments and systems

Question 10

Quantitative risk analysis

Answer 10

attempts to assign monetary values to components within the analysis

Question 11

Qualitative risk analysis

Answer 11

Uses judgment and intuition instead of numbers because qualitative items cannot be quantified with precision; involves people with requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience

Question 12

SLE

Answer 12

Single loss expectancy

Question 13

ARO

Answer 13

annual rate of occurrence; frequency per year

Question 14

ALE

Answer 14

annualized loss expectancy

Question 15

Annualized loss expectancy calculation

Answer 15

SLE x ARO = ALE

Question 16

Risk treatments

Answer 16

transferred, avoided, reduced, or accepted

Question 17

Total risk calculation

Answer 17

Threats x vulnerability x asset value = total risk

Question 18

Residual risk calculation

Answer 18

(Threats x vulnerability x asset value) x controls gap = residual risk

Question 19

Three categories of controls

Answer 19

administrative technical, and physical

Question 20

Types of controls (depending on their purpose)

Answer 20

Preventive, detective, corrective, deterrent, recovery, and compensating

Question 21

Security control verification

Answer 21

“did we implement the control right?”

Question 22

Security control validation

Answer 22

“did we implement the right control?”

Question 23

Supply chain

Answer 23

sequence of suppliers involved in delivering some product

Question 24

BCM

Answer 24

business continuity management; overarching approach to managing all aspects of BCP and DRP

Question 25

BCP

Answer 25

business continuity plan; strategy documents which detail procedures to ensure critical business functions are maintained and help minimize losses of life, operations, and systems

Question 26

BCP contents

Answer 26

provides procedures for emergency responses, extended backup operations, and post-disaster recovery. Should have enterprise-wide reach, with each individual org having its own detailed continuity and contingency plans. Needs to prioritize critical apps and provide a sequence for efficient recovery. Requires senior executive management support for initiating the plan and final approval; can quickly become outdated due to personnel turnover, reorganizations, and undocumented changes