Chapter 6: Risk and Personnel Management

Question 1

Define documentation review.

Answer 1

Documentation review is the process of reading the exchanged materials and verifying them against standards and expectations. This refers to security documentation in an audit.

Question 2

What is ATO?

Answer 2

Authority to operate

Question 3

What can often be the consequence of providing insufficient documentation to meet requirements of third party governance in an audit?

Answer 3

Failing to provide sufficient documentation to meet the requirements of third party governance.

Question 4

What happens if you lose your ATO?

Answer 4

Generally, a full documentation review is required, along with an on-site review showing full compliance.

Question 5

Why is understanding risk management concepts important?

Answer 5

It’s on the CISSP Exam, it’s also esssential to the establishment of a sufficient security stance, proper security governance, and legal proof of due care and due diligence.

Question 6

What is the primary goal of risk management?

Answer 6

Reducing risk to an acceptable level.

Question 7

Define asset.

Answer 7

An asset is anything within an environment that should be protected.

Question 8

What can the loss or disclosure of an asset cause?

Answer 8

An overall security compromise, loss of productivity, reduction in profits, additional expenditures, discontinuation of the organization, and numerous intangible consequences.

Question 9

Define asset valuation.

Answer 9

A dollar value assigned to an asset based on actual cost and nonmonitary expenditures.

Question 10

Define threats.

Answer 10

Any potential occurrences that may cause an undesirable or unwanted outcome for an organization for a specific asset. Can be intentional or accidental. Threat agents are usually people, but can other. Fire, earthquate, etc.

Question 11

Define vulnerability.

Answer 11

The weakness in an asset or the absence of the weakness of a safeguard of countermeasure. A flaw, loophole, oversight, error, limitation, frailty, or susceptibility in the IT infrastructure or any other aspect of an organization.

Question 12

Define exposure.

Answer 12

Being susceptible to asset loss because of a threat.

Question 13

Define risk

Answer 13

The possiblity or likelihood that a threat will exploit a vulnerability to cause harm to an asset.

risk = threat * vulnerability

Question 14

Define safeguard

Answer 14

Anything that removes or reduces a vulnerability or protects against one or more specific threats. Also called a countermeasure.

Question 15

Define attack

Answer 15

The exploitation of a vulnerability by a threat agent. Any intentional atempt to exploit a vulnerability of an organizations security infrastructure to cause damage, loss, or disclosure of assets.

Question 16

Define breach

Answer 16

The occurrence of a security mechanism being bypassed or thwarted by a threat agent

Question 17

Asset valuation details

Answer 17

p 246

Question 18

What are the six steps of quantitative risk analysis?

Answer 18

1. Inventory assets and assign value
2. Produce a list of all possible threats for each asset, calculate the exposure factor (EF) and single loss expectancy (SLE)
3. Perform a threat analysis to calculate likelihood of each threat being realized per year == annualized rate of occurrence (ARO)
4. Derive overall loss potential per threat by calculating the annualized loss expectancy (ALE)
5. Research countermeasures for each threat, calculate changes to ARO and ALE based on an applied countermeasure
6. Perform a cost/benefit analysis of each countermeasure and select the most appropriate

Question 19

What is exposure factor?

Answer 19

The percentage of loss that an orgamization would experience if a specific asset were violated by a realized risk, expressed as a percentage. Assets aren’t necessarily completely lost (100%) when compromised, they may just become less valuable.

Question 20

What is Single Loss Expectancy?

Answer 20

The cost associated with a single realized risk against a specific asset. It’s asset value (AV) * exposure factor (EF), and is a dollar value.

Question 21

What is Annualized Rate of Occurrence?

Answer 21

The expected frequency with which a specific threat or risk will occur within a single year. Can range from 0-any. >1 means the risk occurs on average more than once per year.

Question 22

What is Annualized Loss Expectancy?

Answer 22

The possible yearly cost of all instances of a specific realized threat against a specific asset

ALE = SLE * ARO

Question 23

What is a hybrid risk assessment?

Answer 23

One that uses quantitative as well as qualitative approaches.

Question 24

List techniques that can be used to perform qualitative risk analysis.

Answer 24

brainstorming
delphi technique
storyboarding
focus groups
surveys
questionnaires
checklists
one-on-one meetings
interviews

Question 25

What is a scenario?

Answer 25

A written description of a single major threat.

Question 26

Table on 254

Answer 26

.

Question 27

What is the Controls Gap?

Answer 27

The difference between total risk and residual risk. The amount of risk that is reduced by implementing safeguards.

Question 28

What are the four possible responses to risk?

Answer 28

Reduce or mitigate
Assign or transfer
Accept
Reject or ignore

Question 29

What is risk mitigation?

Answer 29

Implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats. Also risk avoidance, which is eliminating the risk cause (removing FTP to avoid FTP attacks).

Question 30

What is risk assignment?

Answer 30

Placement of the cost of loss a risk represents onto another entity or organization. This includes buying insurance.

Question 31

What is risk acceptance?

Answer 31

Valuation by management of the cost/benefit analysis and determination that the cost of the countermeasure greatly outweighs the possible cost of loss due to risk. Management agrees to accept the consequences.

Question 32

What is risk rejection?

Answer 32

Denying that the risk exists.

Question 33

What is residual risk?

Answer 33

The risk that remains after countermeasures are applied.

Question 34

What is the formula for total risk?

Answer 34

total risk = threats * vulnerabilities * asset value

Question 35

List elements of constructing job descriptions which support personnel security.

Answer 35

Separation of duties
Job responsibilities
Job rotation

Question 36

What is separation of duties?

Answer 36

Dividing critical, significant, and sensitive work tasks among several individuals preventing any one person from having the ability to undermine or subvert vital security mechanisms. Protects against collusion.

Question 37

What are job responsibilities, and how do they support personnel security?

Answer 37

The specific work tasks an employee is required to perform on a regular basis. Used with least privilege. Your job responsibilities determine your access.

Question 38

What is job rotation?

Answer 38

Rotating employees among job positions. Provides knowledge redundancy. Reduces risk of fraud, data modification, theft, sabotage, information misuse.

Question 39

Why is reviewing a person’s online identity useful?

Answer 39

It can give insight into a person’s attitude, intelligence, loyalty, common sense, diligence, honesty, respect, consistency, and adherence to social norms or corporate culture.

Question 40

What is a Service Level Agreement?

Answer 40

AKA SLA. A document that defines levels of performance, expectation, compensation and consequences for entities, persons, or organizations that are external to the primary organization.

Question 41

List the issues commonly addressed in an SLA.

Answer 41

system uptime (%)
peak load
average load
maximum consecutive downtime (seconds/minutes)
responsibility for diagnostics
failover time (if redundancy is in place)