CRISC Review Flashcards
Risk Assessment involves two specific requirements
–Risk Identification: Threat plus Vulnerability - Internal or External / Intentional or Unintentional
–Risk Analysis: Impact on system reliability, security and speed and consequence of failure to mitigate identified risks
Risk Monitoring is the process that
systematically tracks and evaluates the performance of risk mitigation actions
The Risk Management structure involves:
planning, assessment (identification-analysis), handling, monitoring and mitigation.
Threats are characterized as those that are
Imminent; those that are Emerging; those that are Consistent and those that are Persistent.
Delphi is
a security risk assessment and information gathering technique that uses the consensus of subject matter experts to determine mission risk
Quantitative Risk Assessment is a process used to
analyze numerically the probability of each risk and its consequence on mission objectives
Quantitative Risk Assessment Techniques include
interviewing, sensitivity analysis, decision tree analysis, and simulation
Qualitative risk analysis is the process of
assessing the impact and likelihood of identified risks. What is the probability and likelihood that the risk will occur, and what is the consequence to mission objectives?
The focus of mission centric Risk Analysis should be based on
the economic balance between the impact of risks and the cost of protective measures
Threat and vulnerability assessments typically evaluate
all elements of a business process for threats and vulnerabilities and identify the likelihood of occurrence and the business impact if the threats were to be realized
While defining risk management strategies, the risk control professional needs to
analyze the organization's objectives and risk tolerance and define a risk management framework based on this analysis
The risk assessment is used to
identify and evaluate the impact of failure on critical business processes and to determine time frames, priorities, resources and interdependencies
Countermeasures are selected by
Risk Managers and can counter attacks, reduce inherent risks, resolve vulnerabilities and improve the state of security
Determining manual or automated test and evaluation processes should be based on
organizational requirements
Accepting the Residual Risk is central to
the accreditation authority's decision
Security Features Assessment
Verify/Validate effectiveness of security controls (technical/non-technical)
It is most important to paint a vision for
the future and then draw a road map from the starting point – this requires that the current state and desired future state be fully understood.
Transferring risk involves
shifting some or all of the negative impact of a threat along with ownership to a third party
Identifying the appropriate Risk Analysis tool requires
identifying the requirement, determining data collection, identifying an analytical methodology and determining ROI
Residual Risk can be mitigated by
eliminating or reducing the impact of system threat/vulnerability pair, adding targeted controls to reduce the capacity and motivation of a threat-source, reducing the magnitude of the adverse impact
Risk Management focuses on
stipulating Information protection security policy, standards and guidelines and helps to ensure System Security Policies are up-to-date to ensure all significant risks are addressed
Information that is no longer required should be
analyzed under the retention policy to determine whether the organization is required to maintain the data for business, legal or regulatory reasons
Laws and regulations of the country of origin may not be
enforceable in the foreign country
The laws and regulations of a foreign outsourcer may
also impact the enterprise
Information security governance models are
highly dependent on the complexity of the organizational structure
Data owners are responsible for
assigning user entitlement changes and approving access to the systems for which they are responsible.
A data classification policy describes
the data classification categories; levels of protection; and roles and responsibilities of potential users including data owners
The primary benefit of classifying information assets is
to identify controls that are proportional to the risks
Risk is constantly changing. Evaluating risk
annually or when there is a significant change should take into consideration a reasonable time frame while allowing flexibility to address significant changes
Risk evaluation should take into consideration
the potential size and likelihood of the loss
A compliance-oriented BIA will
identify all of the compliance requirements to which the enterprise has to align and their impacts on business objectives and activities.
For IT to be successful in delivering against business requirements, management should
develop an internal control system that will make a link to the business process
Contingency planning provides both
preventive and recovery controls
Program Risk Management is the ability
to assess security needs and capabilities, select appropriate safeguards, implement required controls, select adequate test controls, implement and manage changes and accept residual risk
Risk consequences place
people at risk, can place system continuity and information at risk, can place organizational mission at risk and can place organizational reputation at risk (difficult to quantify)
Risk Assessment performed as part of the contingency response must
consider all possible threats, must assess the potential impact of a loss, must evaluate critical organizational needs and must establish recovery priorities
Using a list of possible scenarios with threats and impacts will
better frame the range of risk and facilitate a more informed discussion and decision
A knowledge management platform with workflow and polling features will
automate the process of maintaining the risk register
The value of the server should be based on
its replacement cost; however, the financial impact to the enterprise may be much broader, based on the function that the server performs for the business and the value it brings to the enterprise
Social engineering is the act of
manipulating people into divulging confidential information or performing actions that allow an unauthorized individual to gain access to sensitive information and/or systems
What provides the best measure of the risk to an asset?
The product of the probability and magnitude of the impact
Background screening is the most suitable method for
assuring the integrity of a prospective staff member
Without a policy defining who has the responsibility for granting access to specific data or systems there is
an increased risk that one could gain unauthorized access
Threat sources can originate from
Foreign (Nation) States with hostile intentions, terrorist threat groups, activists (Hacktivists) conducting publicity-seeking attacks, criminals engaged in electronic crime, hackers, crackers, virus writers and even Script Kiddies, but the main source is disgruntled employees (authorized users)
Attack avenues include attacks through
an internal LAN, attacks through a trust-relationship, attacks through physical access, attacks from the insider
The lack of adequate controls represents
A vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers
What is the objective of RM?
Ensuring that all residual risk is maintained at a level acceptable to the business
Acceptance of a risk is an alternative to be considered
in the risk response process
After putting into place an effective risk management program, the remaining risk is called
residual risk
Residual risk is
any risk remaining after appropriate controls or countermeasures have been implemented to mitigate the target risk.
An enterprise may decide to accept a specific risk because
the protection would cost more than the potential loss
A risk assessment should be conducted to clarify
the risk whenever the company’s policies cannot be followed
The manager needs to base the proposed risk response on a
risk evaluation, the business need and the requirements for the enterprise
Risk should be reduced to a level
that an organization is willing to accept
Organizational requirements should determine
when a risk has been reduced to an acceptable level
Risk control professionals should use risk assessment techniques to
justify and implement a risk mitigation strategy as efficiently as possible
Effective risk management requires
participation, support and acceptance by all applicable members of the enterprise, beginning with the executive levels
Typically, when the probability of an incident is low, but the impact is high, risk is
transferred to another entity (e.g. insurance company)
The Total Cost of Ownership (TCO) is
the most relevant piece of information to be included in the CBA because it establishes a cost baseline that must be considered for the full life cycle of the control
When the cost of control is more than the cost of the potential impact, the risk should
be accepted
Insurance can compensate an enterprise for
an entire loss or financial risk
The primary reason for initiating a policy exception process is
when the risk is justified by the benefit
The risk register details
all identified risks, including description, category, cause, probability, impact, proposed responses, owners and current state
Risk is constantly changing, so a previously conducted risk assessment may not include
measured risk that has been introduced since the last assessment
Without identifying new risk, other procedures will
only be useful for a limited period
A network vulnerability assessment intends to identify
known vulnerabilities that are based on common misconfigurations and missing updates
Security design flaws require
a deeper level analysis
Accepted risk should be reviewed
regularly to ensure that the initial risk acceptance rationale is still valid within the current business context
What is the most effective way to deal with risk?
Implementing monitoring techniques that will detect and deal with potential fraud cases
A successful risk management practice minimizes
the residual risk to the enterprise
The enterprise should first assess the likelihood of a similar incident occurring based on
available information
Not reporting an intrusion is equivalent to
hiding a malicious intrusion
What is not a requirement and is dependent on the enterprise policy?
Reporting to the public
What would make it impossible to locate a data warehouse containing customer information in another country?
Privacy laws prohibiting the cross-border flow of PII
What is the first step when developing a risk monitoring program?
Conducting a capability assessment
End-user-developed applications may not be
subject to an independent outside review by systems analysts and, frequently, are not created in the context of a formal development methodology
What is a risk of allowing high-risk computers onto the enterprise’s network?
a VPN implementation
Qualitative (impact) risk assessment methods include using
interviewing and the Delphi method
A risk register provides a report of
all current identified risk within an enterprise, including compliance risk, with the status of the corrective actions or exceptions that are associated with them
Risk reporting is the only activity that is part of
risk monitoring
An independent benchmark of capabilities will allow
an enterprise to understand its level of capability compared to other organizations within its industry
Capability maturity modeling allows an enterprise to
understand its level of maturity in its risk capabilities, which is an indicator of operational readiness and effectiveness
The most important factor when designing IS controls is that they
advance the interests of the business by addressing stakeholder requirements
Investments in risk management technologies should be based on
a value analysis and a sound business case
It is more efficient to
establish a baseline standard and then develop additional standards for locations that must meet specific requirements
Recovery Time Objectives are a primary deliverable of a
BIA
The data owner is responsible for
applying the proper classification to the data
Privacy protection is necessary to ensure
that the receiving party has the appropriate level of protection for personal data
Establishing an Acceptable Use Policy (AUP) is the best measure for
preventing data leakage
Role-based access controls provide access according to
business needs and provide the most effective measure to protect against the insider threat
Periodic security reviews are the best way to ensure that contract programmers comply with
organizational security policies
A mail relay should normally be placed
within a DMZ to shield the internal network
Establishing predetermined, automatic expiration dates is the best way to enhance
the removal of system access for contractors and other temporary users
PKI
combines public key encryption with a trusted third party to publish and revoke digital certificates that contain the public key of the sender
What is the most effective way to prevent external security risks?
Network address translation
What provides the most effective protection of data on mobile devices?
Encryption
When configuring a biometric access control system that protects a high-security data center the system’s sensitivity level should be set to
a higher false reject rate.
Encryption of stored data will help ensure
the actual data cannot be recovered without the encryption key
Understanding the security architecture is important in
managing complex information infrastructures
Control effectiveness requires a process to
verify test results and intended objectives to verify that the control process works as intended
With regard to outsourced service providers, system auditing is an effective way to ensure
that outsourced service providers comply with the enterprise’s information security policy.
What should be updated frequently as new software is released?
Information security policies and procedures
What is used to help verify change management and to determine whether unauthorized modifications were made to production programs?
Compliance testing
Continuous monitoring is effective when
incidents have a high impact and frequency
What is the most useful metric for monitoring violation logs?
Penetration attempts investigation
The optimum time to perform a penetration test is
after changes are made to the infrastructure because they may inadvertently introduce new exposures.
Performing regular penetration tests ensures
that a network is adequately secured against external attacks.
The effectiveness of organizational awareness programs is best measured by
a quantitative (impact) evaluation to ensure user comprehension
What ensures a proper understanding of risk and success criteria?
A clearly stated definition of scope
A CMM can assist a risk manager in
measuring the existing level of risk processes against their desired state
Methodology illustrates
the process and formulates the basis to align expectations and the execution of the assessment
Conducting security code reviews for the entire SW application can
effectively identify software “back-doors”
What can be quickly identified by conducting an automated code comparison?
Unauthorized code modifications
Conducting a physical count of tape inventory provides
a substantive test of completeness.
System owners should be notified immediately when
a vulnerability within a trusted system or component is identified
What can be monitored through “honey-pots”?
Hacker activity
Server sampling can verify
NAV signatures are current
Risk impact can be determined based on
- known risks (those that can be easily identified)
- known unknown (an identifiable uncertainty)
- unknown (risks that are known but whose impact is not known) and
- unknown unknown risks (existence has yet to be encountered).
Incident evaluation involves
identification, analysis, assessment, response, recovery, and reporting.
Risk Assessment performed as part of the contingency response must consider
- all possible threats,
- must assess the potential impact of a loss of CIA,
- must evaluate critical organizational needs and
- must establish recovery priorities.
Risk-Based Auditing requires
- identifying threats;
- identifying vulnerabilities;
- identifying assets; and
- identifying countermeasures
To assess IT risk, what needs to be evaluated, and using what approaches?
threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches
A properly configured information security infrastructure should be based on
a comprehensive risk assessment.
The primary concern of a comprehensive data retention policy should focus on
business requirements
Configuration Management provides the greatest likelihood of information security weaknesses through
misconfiguration and failure to update OS code correctly and on a timely basis.
BIA should include the examination of
risk, incidents and interdependencies as part of the activity to identify impact to business objectives.
What is the first step necessary to understand the impact and requirements of new regulations?
Assessing whether existing controls meet requirements
The most useful metric is one that measures
the degree to which complete follow-through has taken place.
What is most likely to inadvertently introduce new exposures?
Changes in the system infrastructure
To truly judge effectiveness of user awareness training some means of
measurable testing is necessary to confirm user comprehension
To correct the vulnerabilities, the system owner needs to
be notified quickly before an incident can take place.
What is the best choice for diverting a hacker away from critical files and alerting security to the hacker’s presence?
Honeypots
The only effective way to check the currency of signature files is to
look at a sample of servers.
Monitoring tools can focus on:
Transaction Data; Conditions; Changes; Process Integrity; Error management; and Continuous Monitoring.
Strategic Planning involves the annual evaluation of
the maturity of controls and provides a barometer of controls in their current state, a comparison to previous periods and the target maturity level.
Advanced Persistent Threat is
a Threat Source that has both the capability and the intent to persistently and effectively target a critical information infrastructure.
A Continuous Risk Management (CRM) process provides
a disciplined and documented approach to risk management throughout the system life cycle by facilitating Identification; Planning; Analysis; Tracking and Controlling risk activities.
Risk reporting content must be
clear; concise; useful; timely; targeted to the audience; and available based on need to know
Risk-Based Auditing Methodologies require
preparation, assessment, mitigation, reporting and follow-up.