Chapter 4 Review Flashcards

1
Q

Chapter 4 Review

An information security program comprises all the activities used to perform these 2 tasks regarding risks

A

IDENTIFY and TREAT

At tactical and strategic levels, all activities in a program fulfill this purpose.

2
Q

A security program is outcomes based; when a strategy is developed, the objectives of the strategy are intended to achieve this thing.

A

DESIRED END STATES or OUTCOMES

After management has determined the desired outcomes of the information security program, development of a strategy can begin, together with initiating the process of developing information security governance structures, achieving organizational adoption, and developing an implementation strategy that will define the scope and responsibilities of the security program.

3
Q

These 2 activities carried out in the security program bring the organization closer to its desired states and outcomes.

A

TASKS and PROJECTS

4
Q

This activity in risk management is a process whereby the organization chooses how to handle an identified risk.

A

RISK TREATMENT

5
Q

The four risk treatment choices are:

A
  1. ACCEPT
  2. MITIGATE
  3. TRANSFER
  4. AVOID

6
Q

Which decisions should be made by the affected line-of-business owners, executive management, and the steering committee?

A

RISK TREATMENT DECISIONS

7
Q

After risk treatment, the leftover risk is known as this

A

RESIDUAL RISK

8
Q

This type of risk should be processed through the risk management process as though it were a new risk.

A

RESIDUAL RISK

9
Q

During risk treatment, the organization needs to consider these 2 areas of issues to ensure that risk treatment decisions and methods of risk mitigation do not themselves create compliance risk

A

LEGAL and REGULATORY

10
Q

The costs and benefits of risk treatment should also be considered. Although, as the adage goes, it doesn’t make sense to spend $20,000 to protect a $10,000 asset, the value and role of an asset need to be considered. As the adage continues, it may be a $10,000 asset, but it may also be a critical component in the earning of $1 million in revenue every month.

A

11
Q

This is the level of risk that an organization is willing to accept while in the pursuit of its mission, strategy, and objectives.

A

RISK APPETITE

12
Q

Risk treatment and risk acceptance decisions should be assigned to and made by these 2 groups of people within the organisation who are accountable for those decisions.

A

BUSINESS OWNERS and EXECUTIVES

13
Q

This person facilitates and communicates risk treatment and ownership responsibilities; only in specific instances will they own a risk item

A

CISO

14
Q

Risk monitoring is the set of ongoing activities to detect this

A

CHANGES IN RISK

15
Q

Typical risk monitoring activities include these 4 assessments or audits:

  1. R____ ; Evaluate a risk
  2. V____ ; Evaluate a weakness
  3. I____ A ____ ; Carried out by employees of the organisation
  4. C____ S ____ ; Conducted by owners of the countermeasures
A
  1. RISK ASSESSMENTS
  2. VULNERABILITY ASSESSMENTS
  3. INTERNAL AUDITS
  4. CONTROL SELF ASSESSMENTS

16
Q

Key risk indicators are metrics used in a risk management program to communicate these to executive management

A

RISK TRENDS

17
Q

KRIs help an organization understand these in strategic business terms.

A

KEY RISKS

18
Q

These are the most useful KRIs, as they help an organization better understand the rising and falling probabilities of security incidents.

A

LEADING INDICATORS

19
Q

These 2 communication activities directed at affected personnel are essential for the success of a risk management program

A

TRAINING and INFORMATION DISSEMINATION

20
Q

This program helps the organization better understand the purpose of the risk management program and its part in it.

A

RISK AWARENESS PROGRAM

21
Q

Being a formal business process, a risk management program needs this activity to be completed so that it can be referenced

A

DOCUMENTED

22
Q

Required documentation as part of a formal risk management program needs to include these 5 key things

  1. P____ ; Governance
  2. P____ ; Methodologies
  3. R____ ; Defining personnel and ownership
  4. R____ ; Senior management taste for risk
  5. R____ ; Records of risks
A
  1. POLICIES and PROCESSES
  2. ROLES and RESPONSIBILITIES
  3. RISK TOLERANCE/APPETITE
  4. RECORDS (i.e. risk register)