CRISC Review Flashcards
Risk Assessment involves two specific requirements
–Risk Identification: Threat plus Vulnerability - Internal or External / Intentional or Unintentional
–Risk Analysis: Impact on system reliability, security and speed and consequence of failure to mitigate identified risks
Risk Monitoring is the process that
systematically tracks and evaluates the performance of risk mitigation actions
The Risk Management structure involves:
planning, assessment (identification-analysis), handling, monitoring and mitigation.
Threats are characterized as those that are
Imminent; those that are Emerging; those that are Consistent and those that are Persistent.
Delphi is
a security risk assessment and information gathering technique that uses the consensus of subject matter experts to determine mission risk
Quantitative Risk Assessment is a process used to
analyze numerically the probability of each risk and its consequence on mission objectives
Quantitative Risk Assessment Techniques include
interviewing, sensitivity analysis, decision tree analysis, and simulation
Qualitative risk analysis is the process of
assessing the impact and likelihood of identified risks. What is the probability and likelihood that the risk will occur, and what is the consequence to mission objectives?
The focus of mission centric Risk Analysis should be based on
the economic balance between the impact of risks and the cost of protective measures
Threat and vulnerability assessments typically evaluate
all elements of a business process for threats and vulnerabilities and identify the likelihood of occurrence and the business impact if the threats were to be realized
While defining risk management strategies, the risk control professional needs to
analyze the organization's objectives and risk tolerance and define a risk management framework based on this analysis
The risk assessment is used to
identify and evaluate the impact of failure on critical business processes and to determine time frames, priorities, resources and interdependencies
Countermeasures are selected by
Risk Managers and can counter attacks, reduce inherent risks, resolve vulnerabilities and improve the state of security
Determining manual or automated test and evaluation processes should be based on
organizational requirements
Accepting the Residual Risk is central to
the accreditation authority's decision
Security Features Assessment
Verify/Validate effectiveness of security controls (technical/non-technical)
It is most important to paint a vision for
the future and then draw a road map from the starting point – this requires that the current state and desired future state be fully understood.
Transferring risk involves
shifting some or all of the negative impact of a threat along with ownership to a third party
Identifying the appropriate Risk Analysis tool requires
identifying the requirement, determining the data collection approach, identifying an analytical methodology and determining ROI
Residual Risk can be mitigated by
eliminating or reducing the impact of a system threat/vulnerability pair, adding targeted controls to reduce the capacity and motivation of a threat-source, and reducing the magnitude of the adverse impact
Risk Management focuses on
stipulating information protection security policy, standards and guidelines, and helps to ensure system security policies are up to date so that all significant risks are addressed
Information that is no longer required should be
analyzed under the retention policy to determine whether the organization is required to maintain the data for business, legal or regulatory reasons
Laws and regulations of the country of origin may not be
enforceable in the foreign country
The laws and regulations of a foreign outsourcer may
also impact the enterprise
Information security governance models are
highly dependent on the complexity of the organizational structure
Data owners are responsible for
assigning user entitlement changes and approving access to the systems for which they are responsible.
A data classification policy describes
the data classification categories; levels of protection; and roles and responsibilities of potential users including data owners
The primary benefit of classifying information assets is
to identify controls that are proportional to the risks
Risk is constantly changing. Evaluating risk
annually or when there is a significant change should take into consideration a reasonable time frame while allowing flexibility to address significant changes
Risk evaluation should take into consideration
the potential size and likelihood of the loss
A compliance-oriented BIA will
identify all of the compliance requirements to which the enterprise has to align and their impacts on business objectives and activities.
For IT to be successful in delivering against business requirements, management should
develop an internal control system that will make a link to the business process
Contingency planning provides both
preventive and recovery controls
Program Risk Management is the ability
to assess security needs and capabilities, select appropriate safeguards, implement required controls, select adequate test controls, implement and manage changes and accept residual risk
Risk consequences place
people at risk; can place system continuity and information at risk; can place the organizational mission at risk; and can place organizational reputation at risk (difficult to quantify)
Risk Assessment performed as part of the contingency response must
consider all possible threats, must assess the potential impact of a loss, must evaluate critical organizational needs and must establish recovery priorities
Using a list of possible scenarios with threats and impacts will
better frame the range of risk and facilitate a more informed discussion and decision
A knowledge management platform with workflow and polling features will
automate the process of maintaining the risk register
The value of the server should be based on
its replacement cost; however, the financial impact to the enterprise may be much broader, based on the function that the server performs for the business and the value it brings to the enterprise
Social engineering is the act of
manipulating people into divulging confidential information or performing actions that allow an unauthorized individual to gain access to sensitive information and/or systems
What provides the best measure of the risk to an asset?
The product of the probability and magnitude of the impact
Background screening is the most suitable method for
assuring the integrity of a prospective staff member
Without a policy defining who has the responsibility for granting access to specific data or systems there is
an increased risk that one could gain unauthorized access
Threat sources can originate from
Foreign (Nation) States with hostile intentions, terrorist threat groups, activists (Hacktivists) conducting publicity-seeking attacks, criminals engaged in electronic crime, hackers, crackers, virus writers and even Script Kiddies, but the main source is disgruntled employees (authorized users)
Attack avenues include attacks through
an internal LAN, attacks through a trust-relationship, attacks through physical access, attacks from the insider
The lack of adequate controls represents
A vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers
What is the objective of RM?
Ensuring that all residual risk is maintained at a level acceptable to the business
Acceptance of a risk is an alternative to be considered
in the risk response process
After putting into place an effective risk management program, the remaining risk is called
residual risk
Residual risk is
any risk remaining after appropriate controls or countermeasures have been implemented to mitigate the target risk.
An enterprise may decide to accept a specific risk because
the protection would cost more than the potential loss
A risk assessment should be conducted to clarify
the risk whenever the company’s policies cannot be followed
The manager needs to base the proposed risk response on a
risk evaluation, the business need and the requirements for the enterprise
Risk should be reduced to a level
that an organization is willing to accept
Organizational requirements should determine
when a risk has been reduced to an acceptable level