Domain 1 - Chapter 2 - Personnel Security and Risk Management Concepts

Question 1

What is the weakest element in any security solution?

Answer 1

Human

Question 2

What are job responsibilities?

Answer 2

Specific work tasks an employee is required to perform on a regular basis.

Question 3

What is the removal of an employee’s identity from an Identity and Access Management system (IAM) system.

Answer 3

Offboarding

Question 4

_______exists when several entities or organizations are involved in a project.

Answer 4

Multiparty risk

Question 5

What is a VMS?

Answer 5

Vendor Management System
A software solution that assists with the management and procurement of staffing services, hardware, software, and other needed products and services.

Question 6

What is compliance?

Answer 6

The act of conforming to or adhering to rules, policies, regulations, standards, or requirements.

Question 7

What is the detailed process of identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.

Answer 7

Risk management

Question 8

What is risk assessment/risk analysis?

Answer 8

The examination of an environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of the damager it would cause if it did occur.

Question 9

What is risk response?

Answer 9

Involves evaluating countermeasures, safeguards, and security controls using a cost/benefit analysis;

Question 10

What is meat by risk awareness?

Answer 10

An effort to increase the knowledge of risk within an organization.

Question 11

What is an asset?

Answer 11

Anything used in a business process or task.

Question 12

What is asset valuation

Answer 12

Value assigned to an asset based on a number of factors to include importance to the organization, used in critical process, actual costs, and nonmonetary expenses/costs.

Question 13

What is a threat?

Answer 13

Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset is a threat.

Question 14

What is a threat agent/actors?

Answer 14

Person or entity that intentionally exploit vulnerabilities.

Question 15

What is a threat event?

Answer 15

Accidental occurrences and intentional exploitations of vulnerabilities. - Earthquakes, fires, human error, ….

Question 16

What is a vulnerabiity?

Answer 16

A weakness in asset or of the absence or the weakness of a safeguard or countermeasure. - loophole, flaw, oversight, error, limitation…

Question 17

What is exposure?

Answer 17

Being susceptible to asset loss because or a threat.

Question 18

What is a risk?

Answer 18

The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result.

Question 19

Risk formula

Answer 19

risk = threat * vulnerability

Question 20

What is a safeguard?

Answer 20

Anything that removes or reduces a vulnerability or protects against one or more specific threats.

Question 21

What is an attack?

Answer 21

The intentional attempted exploitation of a vulnerability by a threat agent to cause damage, loss, or disclosure of assets.

Question 22

What is a breach?

Answer 22

Breach = Intrusion = Penetration

Occurrence of a security mechanism being bypassed or thwarted by a threat agent.

Question 23

Threats exploit _____.

Answer 23

vulnerabilities

Question 24

Who is primarily responsible for risk management?

Answer 24

Upper Management

Question 25

Identify two risk assessment types?

Answer 25

Quantitative and Qualitative

Question 26

What are the six major elements of quantitative risk analysis?

Answer 26

Assign asset value (AV)
Calculate exposure factor (EF)
Calculate single loss expectancy (SLE)
Assess the annualized rate of occurrence (ARO)
Derive the annualized loss expectancy (ALE)
Perform cost/benefit analysis of countermeasures

Question 27

What is Exposure Factor (EF)?

Answer 27

The percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

Question 28

What is a Single Loss Expectancy (SLE)?

Answer 28

The potential loss associated with a single realized threat against a specific asset.

SLE = asset value (AV) * exposure factor (EF)

Question 29

What is a Single Loss Expectancy (SLE)?

Answer 29

The potential loss associated with a single realized threat against a specific asset.

SLE = asset value (AV) * exposure factor (EF)
SLE = AV * EF

Question 30

Annualized Rate of Occurence

Answer 30

The expected frequency with which a specific threat or risk will occur within a SINGLE YEAR.

Question 31

Annualized loss Expectancy

Answer 31

The possible yearly loss of all instances of a specific realize threat against a specific asset.

ALE = single loss expectancy (SLE) * annualized rate of occurrence 
ALE = SLE * ARO

Question 32

What is risk appetitie?

Answer 32

The total amount of risk that an organization willing to shoulder in aggregate across all assets.

Question 33

What is risk capacity?

Answer 33

The level of risk an organization is able to shoulder.

Question 34

What is risk tolerance?

Answer 34

The amount or the level of risk an organization will accept per individual asset-threat pair.

Question 35

What is risk limit?

Answer 35

The maximum level of risk above the risk target that will be tolerated before further risk management actions are taken.

Question 36

Risk responses?

Answer 36

Risk Mitigation
Risk Assignment
Risk Deterrence 
Risk Avoidance 
Risk Acceptance
Risk Rejection

Question 37

Risk mitigation

Answer 37

Implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats.

Encryption; firewalls;

Question 38

Risk Assignment

Answer 38

The placement of the responsibility of loss due to a risk onto another entity or organization.

Question 39

Risk Detterence

Answer 39

The process of implementing deterrents to would-be violators or security and policy.

Question 40

Risk Avoidance

Answer 40

The process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option.

Question 41

Risk Acceptance

Answer 41

The result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk. Management has agreed to accept the consequences and the loss if the risk is realized.

Question 42

Risk Rejection

Answer 42

Ignoring a risk can be considered negligence in court

Question 43

What are inherent risks?

Answer 43

Initial risk

Question 44

What are residual risks?

Answer 44

The risk that management has chose to accept rather than mitigate.

Question 45

What are total risk(s)?

Answer 45

The amount of risk an organization would face if no safeguards were implemented.

Total risk = threats * vulnerabilities * asset value

Question 46

What is the control gap?

Answer 46

The difference between total risk and residual risk; the amount of risk that is reduced by implementing safeguards.

Total risk - controls gap = residual risk

Question 47

What is ACS?

Answer 47

Annualized Cost of the Safeguard

Question 48

What is the cost/benefit calculation?

Answer 48

ALE pre-safeguard - ALE post safe-guard - annual cost of safeguard = value of the safeguard for the company.

(ALE1 - ALE2) - ACS

If the result is negative, the safeguard is not a financially responsible choice.

Question 49

Are policies and procedures defined by an organization’s security policy and other regulations or requirements….

Answer 49

Administrative controls

Question 50

The hardware or software mechanisms used to manage access and provide protection for IT resources and systems.

Answer 50

Technical/logical controls

Question 51

Protection to the facility and real-world objects.

Answer 51

Physical controls

Question 52

What are preventative controls?

Answer 52

Controls deployed to thwart or stop unwanted or unauthorized activity from occurring.
fence, locks, authentication, access control vestibules, alarm systems, encryption, auditing

Question 53

What are deterrent controls?

Answer 53

Deployed to discourage security policy violations.

policies, security awareness training, badges,

Question 54

What are detective controls?

Answer 54

Deployed to discover or detect unwanted or unauthorized activity.
security guards, CCTV, motion detectors, audit trails, IDS’s

Question 55

What are compensating controls?

Answer 55

Deployed to provide various options to other existing controls to aid in enforcement and support of security policies.

Question 56

What are corrective controls?

Answer 56

Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occured

Question 57

What are recovery controls?

Answer 57

An extension of corrective controls but have more advanced or complex abilities. Attempts to repair or restore resources, functions, and capabilities after a security policy violation.

Question 58

What are directive controls?

Answer 58

Deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.

Question 59

What is a SCA?

Answer 59

Security Control Assessment

Question 60

What is a Security Control Assessment (SCA)?

Answer 60

The formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectation.

Question 61

Goals of a SCA?

Answer 61

To ensure the effectiveness of the security mechanisms, evaluate the quality and thoroughness of the risk management processes of the organization, and produce a report of the relative strengths and weaknesses of the deployed security infrastructure.

Question 62

Security controls should provide benefits that can be ______and _____.

Answer 62

monitored; measured

Question 63

What is risk reporting?

Answer 63

A key task to perform at the conclusion of a risk analysis.

Question 64

What is a risk register/risk log?

Answer 64

A document that inventories all the identified risk to an organization or system or within an individual projects.

Question 65

What is an ERM?

Answer 65

Enterprise Risk Management program

An ERM assesses the key indicators and activities of a mature, sustainable, and repeatable risk management process.

Question 66

____ established the Risk Management Framework and the Cybersecurity Framework

Answer 66

NIST

Question 67

What is a risk framework?

Answer 67

A guideline for how risk is to be assessed, resolved, and monitored.

Question 68

Cybersecurity Framework is designed for ______?

Answer 68

Critical infrastructure and Commercial organizations

Question 69

CSF is based on framework core that consists of what five functions?

Answer 69

Identify
Protect
Detect
Respond
Recover

Question 70

Risk Management Framework is designed for ____ ?

Answer 70

Federal Agencies

Question 71

List the six (seven) cyclical RMF phases?

Answer 71

Prepare - 
Categorize
Implement
Assess
Authorize
Authorize
Monitor

Question 72

List social engineering types?

Answer 72

Authority 
Intimidation 
Consensus
Scarcity
Familiarity
Trust 
Urgency

Question 73

What is whaling?

Answer 73

A form of spear phishing that targets specific high-value individuals (by title, by industry, from media coverage…) C-level executives

Question 74

What is smishing?

Answer 74

Spam over instant messaging

Question 75

What is vishing?

Answer 75

Voice-based phishing

Question 76

What is typo-squatting?

Answer 76

The practice of traffic redirected to a alternate website based on a mistyped character e.g. Googlee

Question 77

What is the Delphi technique?

Answer 77

An anonymous feedback and response process used to arrive at a consensus.

Question 78

NIST SP 800-37 Rev 2

Answer 78

RMF

Question 79

What is RMM?

Answer 79

Risk Maturity Model
A means to assess the key indicators and activities of a mature, sustainable, and repeatable risk management process.

Ad hoc - Chaotic starting point

Preliminary - Loose attempts at following risk management processes, but each dept may perform risk assessment uniquely

Defined - A common or standardized risk framework is adopted organization-wide

Integrated - Risk management operation are integrated into business processes, metrics are used to gather effectiveness data, and risk is considered an element in business strategy decisions.

Optimized - Focuses on achieving objectives rather than reacting