Domain 2 Information Risk Management Flashcards

1
Q

Introduction

  • Risk
  • Exposure
  • Business Value
A

Introduction

  • Risk - combination of the probability/likelihood of an event and its consequences/impact
  • Exposure - aka attack surface; exposure is affected by the extent and effectiveness of controls and by where specific devices are located within the network (i.e. a device in the middle of the network has less exposure than one on the perimeter)
  • Business Value - classify assets by business value; business value is a combination of the sensitivity or criticality of the asset; develop a classification scheme to determine the potential impact to the organization if the asset is compromised
2
Q
  • Risk Management Overview
    • Controls
    • Countermeasures
    • Risk Communication Plan
A
  • Risk Management Overview - Risk Mgmt is achieving the optimal balance between realizing opportunities for gain and minimizing vulnerabilities for loss; ensuring there is an acceptable level of assurance and predictability in the desired outcomes; accomplished by ensuring that the impacts of threats exploiting vulnerabilities are within acceptable limits and costs, and by balancing risk exposure against appropriate controls and countermeasures; RISK IS INHERENT IN ALL ACTIVITIES; risk management provides the rationale and justification for virtually all security activities
  • Controls - part of the Risk Management Framework; incorporates policies, standards, procedures, etc; provides assurance that business objectives are achieved and that undesired events are prevented, detected, or addressed; the Framework includes people, process, and technology and takes into consideration strategic, tactical, administrative, and operational components to be effective
  • Countermeasures - a process that counters a specific threat, aka a targeted control
  • Risk Communication Plan - defines the frequency, types, and recipients of information about risk; reduces overload or 'risk noise' from non-relevant information
3
Q

Define Risk Assessment

Define Business Value

Four phases of Risk Assessment

A

Risk Assessment - coupled with a BIA or information asset classification process to determine the criticality and/or sensitivity of assets (business value); the basis for identifying appropriate and cost-effective controls or countermeasures to mitigate identified risk

  1. Risk IDENTIFICATION
  • A thorough assessment of the threat landscape, a vulnerability assessment, and consideration of exposures
  • Then, determine risk scenarios (ways compromise may occur) and possible outcomes
  2. Risk ANALYSIS
  • deep analysis of identified risk through various methods, usually performing BIAs to develop a clear understanding of potential impacts
  • combining vulnerability and threat information to determine risk in terms of likelihood and impact (i.e. VAR, ALE, ROSI, etc)
  3. Risk EVALUATION
  • uses the results of the analysis to determine whether the risk falls within acceptable limits or must be mitigated
  • compare results against established criteria for risk acceptance and determine whether any further treatment is needed
  4. Risk RESPONSE/TREATMENT
  • risk ACCEPTANCE, risk MITIGATION, risk TRANSFER, risk AVOIDANCE
4
Q
  • Risk Awareness Program
  • Who are the first to be aware of problems?
A
  • Risk Awareness Program - awareness creates culture, shapes ethics, and influences behavior; risk awareness acknowledges that risk is an integral part of business; citing attacks on other organizations helps build awareness; it is important to achieve a level of integration with other parts of the organization, which accomplishes one of the six governance outcomes (Assurance Process Integration); another governance outcome achieved is an Effective Risk Management Program
  • Who are the first to be aware of problems? - Staff and operational teams
5
Q

Developing a Risk Management Program

  1. Establish Context and Purpose
  2. Define Scope and Charter
  3. Define Authority, Structure, and Reporting
  4. Ensure Asset Identification, Classification, and Ownership
  5. Determine Objectives
  6. Determine Methodologies
  7. Designate Program Development Team (Implementation Team)
A

Developing a Risk Management Program

  1. Establish Context and Purpose
  • Establish the purpose for creating the Risk Mgmt Program
  • Identify desired outcomes and define objectives
  • If there are several Risk Mgmt functions within the org, determine how they will be integrated to maximize cost-effectiveness, reduce gaps in protection, and reduce cross-purposes
  • Context involves defining the internal and external environment, structure, authority, process, etc
  • Determine risk appetite and risk tolerance
  • More effective with a top-down approach
  • Decide whether the organization is risk-averse (cautious) or risk-aggressive (willing to take impacts)
  2. Define Scope and Charter
  • Since there are typically multiple units that manage risks, define the scope of responsibility and authority; this prevents gaps and duplicated effort and improves consistency (i.e. by creating a RACI chart)
  3. Define Authority, Structure, and Reporting
  • A lack of clear governance and integration of risk management activities will lead to dire consequences and confusion. There should be a clear structure on who has the authority to make decisions.
  4. Ensure Asset Identification, Classification, and Ownership
  • Important to have an accurate asset register; assets need to be classified by business value, sensitivity, and criticality; assets must have an owner, just as each risk must have an owner with defined responsibilities; this promotes accountability for policy compliance
  5. Determine Objectives
  • Clear objectives and priorities; some risks cannot be addressed and must be accepted, some can wait, some need to be addressed immediately; determine priority by doing risk analysis
  6. Determine Methodologies
  • Determine a standard approach for the organization to use
  7. Designate Program Development Team (Implementation Team)
  • Determine the team or individual that will be responsible for developing and implementing the risk management program
6
Q

The Risk Management Process

A

The Risk Management Process

  1. Establish Scope and Boundaries - scope of responsibility internally and externally
  2. Identify Information Assets and Valuations - determine the assets at risk and potential impacts of compromise
  3. Perform Risk Assessment - risk IDENTIFICATION (threats, vulnerabilities, exposures), risk ANALYSIS (level of risk and potential impact), risk EVALUATION (whether risk meets criteria for acceptance)
  4. Determine Risk Treatment/Response - selecting strategy to deal with risk exceeding acceptable risk level; (transfer (share), accept (retain), mitigate (reduce), avoid (terminate))
  5. Accept Residual Risk - management decision to accept remaining risk after treatment;
  6. Communicate About and Monitor Risk - communicate and monitor internally and externally to stakeholders
7
Q

Reference Model

A

A reference model will reflect the desired state; it is a snapshot of future state the organization would like their program to be at

8
Q

Defining a Risk Management FRAMEWORK

A
  1. Policy - policy needs to define risk management, objectives, commitment; should be relevant to business goals; management should ensure policy is understood and standards are developed and maintained at all levels
  2. Planning and Resourcing - identify resource requirements like trained personnel
  3. Implementation Program - define steps to implement effective risk management system
  4. Management Review - senior management conduct periodic review; retain records of review
  5. Risk Management Process
  6. Risk Management Documentation
9
Q
  • Defining the External Environment
  • Defining the Internal Environment
  • Gap Analysis within Risk Management
A
  • Defining the External Environment - specifying environment in which the organization operates including the local market, competition, social, cultural conditions, etc
  • Defining the Internal Environment - organization structure & culture, assets, goals, internal stakeholders, key business drivers
  • Gap Analysis within Risk Management - the gap between control effectiveness and the control objective; it is important to periodically test controls for effectiveness. An ineffective control fails to meet its control objective and to achieve acceptable risk, and therefore needs to be modified or supplemented
10
Q

Determining the Risk Management CONTEXT

A
  • Range of the organization and the processes to be assessed
  • Full scope of risk management activities
  • Roles and responsibilities of various parts of the organization participating in the risk management process
  • Organizational culture in terms of risk-averseness or aggressiveness
11
Q
  • Information Asset Identification and Valuation
    • Information Asset Valuation Strategies
A
  • Information Asset Identification and Valuation -This is the FIRST step in Risk Assessment; locate and inventory all assets and approximate their business value (i.e. sensitivity and/or criticality); Business value is part of risk determination; RISK = LIKELIHOOD x IMPACT; Business value helps classify assets and justify levels of protection (EXAMPLES: HW can be valued by replacement costs; value of information can be based on cost of recreating, restoring; value could be regulatory sanctions, theft losses, loss of share value, etc)
    • Information Asset Valuation Strategies - Asset valuation is not often done; having accurate inventory is rare; EFFECTIVE resource valuation does not have to be accurate, but there needs to be an approach. One approach could be a Matrix of Loss Scenarios and ranking impact of risk scenario;
12
Q

General Risk Assessment Steps (Explain risk level and cost-benefit priorities)

A
13
Q

NIST Risk Assessment Methodology

A
14
Q
  • Aggregated Risk
  • Cascading Risk
  • Systemic Risk
  • Contagious Risk
A
  • Aggregated Risk - multiple minor vulnerabilities that, when combined, can cause a significant impact
  • Cascading Risk - one failure leads to a chain reaction of failures
  • Systemic Risk - an incident occurs at a business partner and affects a large group within the area or industry
  • Contagious Risk - events that happen at several of the enterprise's business partners within a very short time
15
Q

Risk Assessment Methodology

  • Factor Analysis of Information Risk (FAIR)
A

Risk Assessment Methodology

  • Factor Analysis of Information Risk (FAIR) - primarily a complement to other assessment approaches, with the objective of increasing the accuracy of risk assessment
  • FAIR provides:
  1. A taxonomy - classification
  2. A method for measuring - metrics
  3. A computational engine - mathematically simulating the relationships among the metrics
  4. A simulation model - uses the above three to analyze risk scenarios of any size or complexity
  • 4 primary components of the risk taxonomy
  1. Frequency with which a threat comes into contact with assets
  2. Probability that the threat will actually act against the asset
  3. Probability that the threat succeeds in compromising the asset
  4. Probable impact to the assets
  • With FAIR, probabilistic risk assessment (PRA) is a popular analysis tool to evaluate risk at every SDLC step from initiation to disposal
16
Q

Techniques in Developing Risk Scenarios

A

Techniques in Developing Risk Scenarios

  • Stay current with risk scenarios (always changing threat landscape)
  • Use generic scenarios
  • Scenarios should be relevant, not too many
  • Ensure adequate personnel used to help
  • Consider systemic and cascading risk
  • Involve 1st line of defense; i.e. operations team will know a lot about current system vulnerabilities
  • Derive complex scenarios from simple ones
  • Look at historical information or similar organizations and their risk for reasonable predictions of risk
17
Q

Top Down and Bottom Up Risk Scenario Approach

A
18
Q

What makes a Risk Scenario

A
19
Q
  • Threats
    • Internal Threats
    • External Threats
A
  • Threats - events with the potential to cause harm to an information resource by exploiting vulnerabilities in the system; threats can be discovered through examining past failures, audit reports, media reports, N-CERTs, and communication with internal groups
    • Internal Threats - employees are the cause of significant impacts, intentional or unintentional; most employees have more access than their actual job requires; the solution is to grant access only on a need-to-know basis/least privilege, perform thorough BG checks, require an NDA at the time of hiring, and enforce RoB
    • External Threats - natural events (i.e. flood, earthquake); hackers; Advanced Persistent Threats (APTs); most breaches are the result of targets of opportunity, i.e. easy targets
20
Q
  • Advanced Persistent Threats (APTs)
    • Generic Lifecycle
    • Typical Sources
A

APTs - a highly skilled adversary that 1. pursues its objectives repeatedly over an extended period of time; 2. adapts to the organization's resistance; 3. maintains the level of interaction needed to execute its objectives

  1. Initial Compromise - attacker uses social engineering, spear phishing, zero-day malware
  2. Establish Foothold - attacker plants remote admin SW in the network or creates backdoors
  3. Establish Privileges - uses exploits or PW cracking
  4. Internal Reconnaissance - collects info
  5. Move Laterally - gains access to other workstations and collects data
  6. Maintain Presence - ensures continued control
  7. Complete Mission - takes data
21
Q
  • Vulnerabilities
A
  • Vulnerabilities - weaknesses; the extent of exposure must be considered to determine probability that vulnerability is exploited; find vulnerabilities before an attacker through vulnerability assessments and pen testing
22
Q
  • Risk, Likelihood, and Impact
    • Factors to consider Likelihood
    • Diminishing Returns
    • Organization Culture in regards to Risk - Risk-averse vs Risk-aggressive
A
  • Risk, Likelihood, and Impact - threats x vulnerabilities x consequences = risk;
  • Factors to consider Likelihood
  1. Volatility - when conditions vary, there may be times when the risk is greater than at other times, increasing unpredictability and therefore requiring a higher estimation of risk
  2. Velocity - the extent of prior warning of an event and the amount of time between the event occurring and its subsequent impact; if the amount of time is short, the risk is higher
  3. Proximity - the time between the event and its impact (the greater the velocity, the closer the proximity)
  4. Interdependency - a risk may affect several areas; never consider a risk in isolation, but instead concurrently or sequentially with related risks
  5. Motivation - the extent of an attacker's motive may determine which assets are attacked
  6. Skill - the level of skill can determine the type and value of assets attacked
  7. Visibility - high-visibility targets are more likely to be attacked
  • Diminishing Returns - it is important to analyze cost-benefit; there is a point of diminishing returns at which the cost of additional controls rises faster than the benefit
  • Organization Culture in regards to Risk; Risk-averse vs Risk-aggressive - risk-averse has lower risk acceptance, tighter security, higher control costs; risk-aggressive takes more chances, higher risk acceptance
23
Q
  • Risk Register
  • Risk Profile and what is included
A
  • Risk Register - central repository for identified risks including specific threats, vulnerabilities, exposures, and assets affected; should include asset owner, risk owner, other stakeholders; risk register should be filled out during assessment process; risk register serves as a reference point for all risk management activities
  • Risk Profile - overall identified risks within organization which includes:
  1. Risk Register (Risk scenarios and Risk Analysis)
  2. Risk Action Plan
  3. Loss Events (historical and current)
  4. Risk Factors
  5. Independent Assessment Findings
24
Q
  • Risk Analysis
  • What does risk analysis involve?
  • Techniques to estimate impact and likelihood
  • Risk analysis techniques
A
  • Risk Analysis - identified risk is assessed and the potential consequences determined; determines effectiveness of existing controls and the extent which the control mitigates the risk; Risk analysis involves
    • examination of risk sources (threats and vulnerabilities)
    • asset exposure
    • impact - may not be clear unless BIA has been performed
    • likelihood
    • assessment of existing controls
  • Techniques to estimate impact and likelihood - past experience, practices standards guidelines, research, specialist/expert, experiments
  • Risk analysis techniques - interviews, use of existing models, statistical analysis
25
Q
  • Qualitative Analysis -
  • Semiquantitative Analysis
  • Quantitative Analysis
  • Single Loss Expectancy (SLE)
    • Exposure Factor (EF)
  • Annual Loss Expectancy (ALE)
    • Annualized Rate of Occurrence (ARO)
  • Value At Risk (VAR)
A
  • Qualitative Analysis - typically used as an initial assessment of risk, where non-tangible assets exist, or where there is a lack of information or numerical data
  • Semiquantitative Analysis - assigning values to the scales used in a qualitative assessment (i.e. Impact 1-5, 1 being low; Likelihood 1-5, 1 being rare); typically inconsistent since the numbers are indicative rather than accurate representations; Risk = 2 (low) x 1 (rare) = 2
  • Quantitative Analysis - numerical values assigned to both impact and likelihood; accuracy depends on the assigned values; values can be determined by experiments or past data; can be expressed in monetary terms or by technical, operational, or human impact criteria
  • Single Loss Expectancy (SLE) - type of quantitative analysis; AV x EF = SLE
    • Exposure Factor (EF) - the probability that an event will occur and its likely impact, expressed as the % of asset value lost due to the threat
  • Annual Loss Expectancy (ALE) - type of quantitative analysis; annual expected financial loss from one threat; ARO x SLE = ALE
    • Annualized Rate of Occurrence (ARO) - # of times a threat against a single asset is estimated to occur per year (i.e. a fire likely to occur once in 25 years gives 1 / 25 = 0.04)
  • Value At Risk (VAR) - computation based on historical data of the probability distribution of loss for a given period of time at a certainty factor of 95% or 99%; uses Monte Carlo simulations with thousands of iterations with random variables
26
Q
  • OCTAVE
  • What are the 3 phases?
A
  • Operationally Critical Threat Asset Vulnerability Evaluation (OCTAVE) - approach to risk assessment and ranking; helps with all steps of risk management in identifying assets, then risks, then vulnerabilities, threats, action plan, etc; focuses on critical assets
  • Three Phases are:
  1. Build asset-based threat profiles (organizational evaluation) - determine critical assets and current protection measures; identify security requirements of critical assets; vulnerabilities and threat profile identified for each asset
  2. Identify infrastructure vulnerabilities (technological evaluation) - identify network paths and classes of IT components related to each critical asset; determine extent to which each class of component is resistant to network attacks
  3. Develop security strategy and mitigation plans (strategy and plan development) - establishes risk to the organization based on analysis; develops plan and ways to protect organization with senior mgmt approval
27
Q

Common risk analysis methods

  • Bayesian Analysis
  • Bow Tie Analysis
  • Delphi Method
  • Event Tree Analysis
  • Fault Tree Analysis
  • Markov Analysis
  • Monte Carlo Analysis
A

Common risk analysis methods

  • Bayesian Analysis - accuracy relies on prior distribution data to determine probability
  • Bow Tie Analysis - diagram for RAR; the cause of the event is in the middle (the "knot" of the bow tie) and the triggers, controls, mitigation strategies, and outcomes branch off the "knot"
  • Delphi Method - uses expert opinion; usually 2 or more rounds of questionnaires; results are summarized
  • Event Tree Analysis - bottom-up, forward-thinking approach that uses broad generalizations (inductive reasoning) from specific events to assess probability
  • Fault Tree Analysis - top-down approach; starts with the event and examines the possible means for the event to occur; uses a logical tree diagram
  • Markov Analysis - analyzes systems that can exist in multiple states; makes the assumption that future events are independent of past events
  • Monte Carlo Analysis - triangular or beta distributions are used; thousands of variations with random inputs based on historical information are run
28
Q
  • Evaluation of Risk
    • When is Risk transfer chosen
    • what must be considered if risk is mitigated through use of controls?
    • What are risk response decisions based on?
A
  • Evaluation of Risk - decisions on risk treatment are made in this phase after analysis; if the risk meets the acceptable risk criteria, it is most likely accepted; if it exceeds them and is not within the tolerance variance, it is mitigated; mitigation includes modification, transfer/sharing, adding controls, or business re-engineering of the process; if the cost is too high, mgmt may be forced to accept the risk
  • Risk transfer is typically selected for low-likelihood, high-impact events, i.e. floods
  • If risk is mitigated through controls, CONTROL RISK must be considered, which is the probability that the control will fail or be ineffective
  • Risk decisions are based on: level of risk, consequences (impacts), likelihood (probability), aggregated impact of a series of events, cascading risk (domino effect), and cost of treatment
29
Q
  • Risk Ranking
  • Risk Ownership and Accountability
A
  • Risk Ranking - combination of characteristics and capabilities of a threat, the severity of the vulnerability, the likelihood of attack being successful, the control risk, and the impact
    • Risk Ownership and Accountability - after risk assessment, owner needs to be identified; usually senior management; risk owner is ACCOUNTABLE for accepting risk based on risk appetite and selecting appropriate risk response and approving controls when mitigation is chosen; they are also accountable for ensuring monitoring of control effectiveness
30
Q
  • Risk Treatment (Response) Options
    • Ignoring Risk
    • Avoid Risk
    • Transfer Risk
    • Mitigate Risk
    • Accept Risk
  • Risk Acceptance Framework
A
  • Risk Treatment (Response) Options - 1. Avoid (terminate the activity giving rise to the risk) 2. Transfer (usually transfers the impact as well) 3. Mitigate (put controls in place) 4. Accept
    • Ignoring risk is also an option and should only be done when likelihood and impact are both very low, or when the impact is very high but the likelihood is extremely low (i.e. comet strike)
    • Avoid Risk - terminating the product or service
    • Transfer Risk - usually through insurance or outsourcing to a 3rd party; usually does not transfer the risk or the responsibility for a compromise, but can transfer the financial responsibility; risk transfer to insurance is typically for high-impact, low-likelihood events
    • Mitigate Risk - implement or improve controls and countermeasures, or modify or eliminate risky processes; may reduce exposure, may prevent the risk
    • Accept Risk - one condition is when the cost of mitigating is too high compared to the benefit or value of the asset, or the impact is too low
    • Risk Acceptance Framework - a useful tool for setting the criteria for the acceptance of risk and the level at which management acceptance is executed (i.e. Low - local mgmt can accept; Severe - the BoD must accept and risk reduction must occur)
31
Q
  • Inherent Risk
  • Residual Risk
    • Reducing risk leads to what?
    • Residual risk objective?
    • If risk is lower than acceptable risk, what are the next steps?
    • Final acceptance of residual risk takes into account what?
  • Risk Tolerance
A
  • Inherent Risk - the risk prior to mitigation
  • Residual Risk - the risk that remains after mitigation
    • Reducing risk inevitably introduces new risk
    • The objective is for residual risk to equal the criteria for acceptable risk and risk tolerance
    • Risk that is higher than acceptable risk should be treated; risk that is lower than acceptable risk should be re-evaluated to determine whether an excessive level of countermeasures or controls is in place, for cost savings
    • Final acceptance of residual risk takes into account: regulatory compliance, policy, sensitivity and criticality of the relevant assets, acceptable levels of potential impacts, and the cost and effectiveness of implementation
  • Risk Tolerance - allowable deviation from acceptable risk, usually as a % or range (i.e. + or - 10%)
32
Q
  • Impact
    • Impact calculations are either quantitative or qualitative; give examples
    • How are impacts determined?
A
  • Impact - all risk mgmt activities are designed to reduce impacts to an acceptable level to create or maintain the value of the organization; the result of any vulnerability exploited by a threat that causes a loss is an impact
    • Impact is generally quantified as direct financial loss in the short term and indirect financial loss in the long term (i.e. criminal liability, civil liability, loss of reputation, reduction of share value, breach of privacy)
      • Quantitative - range of financial impact; Qualitative - loss of reputation or market share
    • Impacts are determined by performing a BIA and subsequent analysis; the BIA determines the criticality and sensitivity of assets; it is the basis for setting access control authorizations, BCP, RTO, RPO, MTO, SDO, AIW; it prioritizes risk mgmt and asset valuations; it tells us the types of protection for assets and the justification for costly controls on critical assets
33
Q

Understanding Risk Assessments and Controls

A

For risk assessments to be effective and reasonably accurate, it is necessary to ensure that they are conducted from beginning to end; this allows for control minimization and eliminates duplication or redundancy; layered controls are effective, however multiple controls addressing the same risk are not

34
Q

Legal / Regulatory Requirements and Risk

A
  • Legal and regulatory requirements must be considered in terms of risk and impact. Senior mgmt must determine the level of compliance and its priority.
  • An evaluation must be done to determine whether the organization is already compliant. If not, the regulation must be evaluated to determine the level of risk
  • The organization must consider the level of enforcement and its position relative to its peers, because enforcement actions are usually against those that are least compliant
  • The potential impact of full, partial, or non-compliance must be considered in terms of financial or reputational impact
  • Senior mgmt may decide that risking sanctions is less costly than achieving compliance, or that because enforcement is limited or nonexistent, compliance is not warranted
35
Q
  • Costs and Benefits of Controls
  • TCO
A
  • If costs outweigh benefits, organization must accept risk rather than mitigate; this is the principle of GAISP
  • TCO - must consider full cycle of control or countermeasure from acquisitions costs, training, recurring maintenance, monitoring, decommissioning, etc
36
Q

Events Affecting Security Baselines

A
  • Baseline security is defined as the minimum security level across the enterprise; baselines can be different for different assets; the higher the classification, the more restrictive controls
  • Events such as control failure, vendor changes, protests, civil unrest, laws, regulations, changing threats can all be reasons for change in security baseline
37
Q

Information Asset Classification

  • Business Value
  • Business Dependency Assessment
    • Major Benefit of Asset Classification
  • Classification Steps
A

Information Asset Classification

  • Business Value - Criticality and Sensitivity of asset; provides the basis for protection efforts, BCP, and user access control; mandatory step for effective Risk Management Program
    • Criticality - how important is the asset? determined by impact on organization as a result of the loss of an asset
    • Sensitivity - determined by the potential damage to the organization as a results of unauthorized disclosure
  • If comprehensive classification is not possible, a less effective option is a business dependency assessment (used to provide basis for allocating protective activities)
  • Major Benefit of Asset Classification - reduced risk of under protection and reduced cost of overprotection by tying security to business objectives
  • Classification Steps
  1. Asset inventory is complete with location, data owners, data users, and data custodians (including external assets)
  2. The ISM works with business units to classify assets based on business value (criticality and sensitivity); ensure all IT stakeholders review and approve guidelines for access control levels; keep the number of levels to a minimum
38
Q

In a risk-averse organization, are users more likely to over classify or under classify assets?

A

Risk-averse organizations have low risk appetite and blame culture can exist; Overclassify because users worry they’ll be blamed if classification of assets is not done correctly

39
Q

Methods to determine Criticality of Assets and Impacts of Adverse Events

  • What is the common process to determine impact
  • What is the generally accepted practice when focusing on impact
  • what are the steps determining information asset importance
A

Methods to determine Criticality of Assets and Impacts of Adverse Events

  • BIA is the usual process to determine impact; COBIT,NIST,OCTAVE are resources;
  • Generally accepted practice is to focus on the impact of the loss of information assets rather than on the event that causes it. It is not practical or cost-effective to list every event
  • Steps in determining information asset importance
  1. Divide organizational structure into business units or departments and rank them by importance or value to the business; rating is done by senior management
  2. Identify critical functions to each department; these are tasks that help the unit in achieving its goals; rate these; this is the basic structure of the organization
  3. Identify and rank assets and resources to those critical functions
  4. Risks are listed; business owners are able to use this chart to identify which critical functions need risk responses first, the impacts, etc
40
Q
  • BIA
    • What is commonly wrong with these assessments?
    • Necessary information for impact analysis?
    • If a BIA has not been performed and cannot be performed, how can sensitivity and criticality be determined?
A

Impact Assessment and analysis

  • BIA - performed to determine the impact of losing the availability of any resource to the organization; establishes the escalation of that loss over time; identifies the minimum resources needed to recover; prioritizes the recovery of processes
    • Different types of assessments: BIA, mission impact assessment, asset criticality, and resource dependency assessment
      • Common for these assessments to determine only worst-case so they are often unrealistic; A more effective approach involves performing small set of scenario analyses
      • Necessary information for impact analysis - system mission, criticality (impact of loss/system’s value), sensitivity (impact of unintended disclosure)
  • If BIA cannot or has not been performed, determine system/data sensitivity based on the level of protection to maintain the CIA of the system/data
    • Loss of Confidentiality - protection against unauthorized disclosure; impact includes loss of public confidence, loss of customer base, legal action
    • Loss of Integrity - protection against improper modification; impact includes fraud, misinformed decisions; violation of integrity may be the first step in a successful attack against availability and confidentiality
    • Loss of Availability - mission-critical IT system or process is unavailable; impact includes loss of productive time, loss of system functionality, loss of operational effectiveness
41
Q

Advantages and Disadvantages of Qualitative Analysis and Quantitative Analysis

  • Advantage Qualitative Analysis
  • Disadvantage Qualitative Analysis
  • Advantage Quantitative Analysis
  • Disadvantage Quantitative Analysis
A
  • Advantages and Disadvantages of Qualitative Analysis and Quantitative Analysis
    • Advantage Qualitative Analysis - prioritizes risk and identifies areas for immediate improvement
    • Disadvantage Qualitative Analysis - cannot provide specific numerical values, therefore cost-benefit analysis is difficult
    • Advantage Quantitative Analysis - provides a numerical measurement of impact, therefore cost-benefit analysis is easy to do
    • Disadvantage Quantitative Analysis - using numerical values alone is not informative, additional information would be needed to accurately determine magnitude of impact (i.e. use qualitative analysis in combination)
42
Q

BIA Values

  • RTO
    • Things to help determine RTO
    • How are BIAs generally conducted
    • RTO and its relation to BCP and DRP
    • RPO
    • SDO
    • MTO
    • AIW
A

BIA values

  • RTO - the amount of time to recover to an acceptable level (SDO) of normal operations
    • the asset’s criticality, recovery priorities, interdependencies, costs, cyclical needs (time of day, week, month), customer needs, contractual obligations, SLAs, regulatory, all help determine the RTO
    • RTO can vary depending on time of month or year; RTO is determined by performing BIA with developing BCP; System interconnections will need a BIA
    • BIA is generally conducted by interviewing Information Owners and Senior Mgmt; IOs may have a different perspective than senior mgmt, as they work closely with the asset whereas senior mgmt may focus on other things such as cost or regulatory requirements; the ISM considers both perspectives and the result is factored into the BCP to determine the priority order for the recovery of assets
  • RTO and its relation to BCP and DRP - Once RTOs are known, the organization can identify and develop contingency strategies that will meet them; the RTOs drive the order of priority for restoration; SOs prefer shorter RTOs, but shorter RTOs are more costly; near-instant recovery options exist, such as mirroring
  • RPO - the acceptable data loss in case of disruption of operations; indicates the most recent point in time to which it is acceptable to recover the data (generally the last backup); depending on the volume of data, it is important to reduce the time between backups to prevent a situation where recovery within the RTO becomes impossible
  • SDO - defines the minimal level of service that must be restored after an event to meet business requirements until normal operations are resumed; affected by RTO and RPO
  • MTO - the maximum time an organization can operate in recovery mode; determined by various factors such as amount of fuel, accessibility of a site that may be located remotely, etc.; MTO affects RTO, which in turn affects RPO
  • AIW - typically as long as the MTO; the amount of time the organization can operate until its existence is threatened
43
Q
  • Due Care vs Due Diligence
A

Due Care - “looking before you leap”; ongoing maintenance to ensure compliance; being proactive (i.e. looking at legal, regulatory, contractual requirements to stay compliant instead of waiting to be hit with a fine); actually implementing stuff; opposite of Due care is Negligence

Due Diligence - Understanding the ins and outs of the organization policies and procedures; Opposite of Due Diligence is “not doing your homework”

Due Diligence comes before Due Care

44
Q

Third-Party Service Providers

  • Separation of responsibilities
  • What can management not outsource?
  • Example of outsource challenge and approaches to resolve
A

Third-Party Service Providers

  • It is important to have separation of responsibilities aka “disconnect of responsibilities”; i.e. Organization may be responsible for Risk Assessment and Control Definition whereas 3rd party is responsible for control implementation and control monitoring;
  • Although organizations can outsource Risk Management, they cannot outsource Responsibility;
  • Outsourcing challenge: external organizations are reluctant to share technical details of their protection mechanisms. Approaches to specify requirements or determine compliance:
    1. Specify levels of protection in the SLA and other outsourcing contracts
    2. SOC 2 report (control report); not sufficient on its own because the organization defines the criteria for the report
    3. ISO 27001:2013 certification (how to manage an ISMS)
    4. Periodic compliance assessments, directly or through a 3rd party
    5. Develop incident response plans and procedures
    6. Research the external organization's financial capabilities via US Securities and Exchange Commission (SEC) filings and annual reports
45
Q

Risk Mgmt Integration with SDLC

  • What is the importance of Change Management and Risk Management
  • per NIST 800-30, what are the two main reasons for implementing risk management program?
  • Risk Management and relation to SDLC
  • Characteristics of SDLC Phases
A

Risk Mgmt Integration with SDLC

  • Change Management is an important aspect to consider when implementing risk management process; ISM should be involved in Change Mgmt process and be aware of major changes that may have severe impacts and prompt risk assessments
  • Per NIST 800-30, the two main reasons for implementing a risk management program are to minimize impact and to provide proper reasoning for decision making
  • Risk Management is an iterative process that can be performed at each phase of the SDLC; SDLC phases may occur at the same time within a system; Risk Management should be thought of as a life cycle and performed continuously throughout the life of a system, which reduces costs and the need to perform annual risk assessments
  • Characteristics of SDLC Phases
46
Q
  • Baseline
  • Security Control Baseline
  • What must be done prior to determining security control baseline for system?
A
  • Baseline - an initial set of critical observations or data used for comparison
  • Security Control Baseline - A set of controls that collectively mitigate risk to acceptable levels; sets standard for organization and allows for point of reference to measure against for compliance
    • Implementing baselines for security sets the minimum security requirements throughout the organization to keep risk at acceptable levels; implementing a classification scheme prior to implementing the security control baseline is important to justify why some systems have more or fewer controls implemented; classifying assets avoids overprotection or underprotection of systems
47
Q

Good Metrics are:

A

SMART and MAC-RAP

Good Metrics help ensure controls are efficient and effective

48
Q
  • KRI
  • Criteria for Selecting Effective KRIs
  • Examples of KRIs
A
  • Key Risk Indicators (KRIs) - indicate when an enterprise is subject to risk that exceeds a defined risk level; provide early warnings
    • related to risk appetite and tolerance so trigger levels can be defined that will enable stakeholders to take appropriate action in a timely manner
    • HIGHLY relevant and HIGH probability of predicting or indicating significant change in risk
    • Criteria for Selecting Effective KRIs
      1. Impact - indicators of risk with high potential impact or most likely KRIs
      2. Effort to implement, measure, and report - KRIs that are easy to measure are preferred
      3. Reliability - indicator should possess high correlation to the risk and outcome measure
      4. Sensitivity - capable of accurately indicating variances in risk level

Examples might include:

  • Financial KRIs: economic downturn, regulatory changes.
  • People KRIs: high staff turnover, low staff satisfaction.
  • Operational KRIs: system failure, IT security breach.
49
Q
  • Risk management documentation (Overview)
  • Specific Documentation for Risk Management
A
  • Risk management documentation (Overview)
    1. Objectives
    2. Audience
    3. Resources
    4. Assumptions
    5. Decisions
  • Specific Documentation for Risk Management
    1. Risk Register (Source of Risk, Nature of Risk, Risk Owner, Risk Ranking, Risk Treatment, Existing Controls, Recommended Controls)
    2. Likelihood and Impact
    3. Initial Risk Rating
    4. Vulnerabilities
    5. Inventory of Assets
    6. Risk Treatment Plan
    7. Monitoring Plan and Audit Documents
50
Q
  • Intangible Asset
  • Patent
A
  • Intangible assets - assets that cannot be touched, e.g. trade secrets, brand reputation, customer loyalty and trust
  • Patent - an idea that is novel, useful, and non-obvious but publicly accessible once registered