Domain 2 Information Risk Management Flashcards

Question

* Qualitative Analysis - * Semiquantitative Analysis * Quantitative Analysis * Single Loss Expectancy (ALE) * Exposure Factor (EF) * Annual Loss Expectancy (ALE) * Annualized Rate of Occurrence (ARO) * Value At Risk (VAR)

Answer 1

* **Qualitative Analysis** - typically used as an initial assessment of risk, where non tangible assets exist, where there is lack of information or numerical data * **Semiquantitative Analysis** - assigning values to scales used in qualitative assessment (i.e. Impact 1-5, 1 being low; likelihood 1-5, 1 being rare); typically inconsistent since #s are not accurate representation, #s are indicative and not real; Risk = 2 (low) x 1 (rare) = 2 * **Quantitative Analysis** - numerical values assigned to both impact and likelihood; accuracy is based on the assigned values; values can be determined by experiments or past data; can be expressed in monetary terms, technical, operational, human impact criteria * **Single Loss Expectancy (ALE)** - type of quantitative analysis; AV x EF = SLE * **Exposure Factor (EF)** - probability that an event will occur and its likely impact, equals % of asset loss caused by the threat * **Annual Loss Expectancy** **(ALE)** - type of quantitative analysis; annual expected financial loss from one threat; ARO x SLE = ALE * **Annualized Rate of Occurrence (ARO)** - # of times a threat on a single asset is estimated to occur (i.e. fire likely to occur once in 25 years, so 1 / 25 = 0.04 * **Value At Risk (VAR)** - computation based on historical data of the probability distribution of loss for a given period of time at a certainty factor of 95% or 99%; uses Monte Carlo simulations with thousands of iterations with random variables

Answer 2

* **Operationally Critical Threat Asset Vulnerability Evaluation (OCTAVE)** - approach to risk assessment and ranking; helps with all steps of risk management in identifying assets, then risks, then vulnerabilities, threats, action plan, etc; focuses on critical assets * Three Phases are: 1. **Build asset-based threat profiles (organizational evaluation)** - determine critical assets and current protection measures; identify security requirements of critical assets; vulnerabilities and threat profile identified for each asset 2. **Identify infrastructure vulnerabilities (technological evaluation)** - identify network paths and classes of IT components related to each critical asset; determine extent to which each class of component is resistant to network attacks 3. **Develop security strategy and mitigation plans (strategy and plan development)** - establishes risk to the organization based on analysis; develops plan and ways to protect organization with senior mgmt approval

Answer 3

Common risk analysis methods * **Bayesian Analysis** - accuracy relies on prior distribution data to determine probability * **Bow Tie Analysis** - diagram for RAR; The cause of the event is in the middle ("knot" of bow tie) and the triggers, controls, mitigation strategies, outcomes branch off the “knot” * **Delphi Method** - uses _expert_ opinion; usually 2 or more rounds of questionnaires; results summarized * **Event Tree Analysis** - bottom up approach, forward thinking uses broad generalizations (inductive reasoning) of specific events to assess probability * **Fault Tree Analysis** - top down approach; starts with the event and examines possible means for the event to occur; uses logical tree diagram * **Markov Analysis** - analyzes systems that can exist in multiple states; makes the assumption that future events are independent of past events * **Monte Carlo Analysis** - triangular or beta distributions are used; thousand of variations with random inputs based on historical information is used

Answer 4

* **Evaluation of Risk** - decisions are made in this phase on risk treatment after analysis; if risk meets acceptable risk criteria, its most likely accepted; if it exceeds and not within tolerance variance, mitigation; mitigation includes modification, transfer/sharing, or add controls or business reengineering of process; if cost is too high, mgmt may be forced to accept; * Risk transfer is typically selected for low likelihood high impact i.e. Floods * CONTROL RISK which is the probability the control will fail or be ineffective * Risk decisions are based on: level of risk, consequences (impacts), likelihood (probability), aggregated impact of a series of events; cascading risk (domino effect); cost of treatment;

Answer 5

* **Risk Ranking** - combination of characteristics and capabilities of a threat, the severity of the vulnerability, the likelihood of attack being successful, the control risk, and the impact * **Risk Ownership and Accountability** - after risk assessment, owner needs to be identified; usually senior management; risk owner is ACCOUNTABLE for accepting risk based on risk appetite and selecting appropriate risk response and approving controls when mitigation is chosen; they are also accountable for ensuring monitoring of control effectiveness

Answer 6

* **Risk Treatment (Response) Options** - 1. Avoid (terminate activity giving rise to risk) 2. Transfer (usually transfers impact as well) 3. Mitigate (controls in place) 4. Accept * **Ignoring risk** is also an option and should only be done with likelihood and impact is so low or impact is so high and likelihood is so low (i.e. comet strike) * **Avoid Risk** - terminating continuation of product or service * **Transfer Risk** - usually through insurance or outsource to 3rd party; usually does not transfer risk or responsibility of compromise, but can transfer financial responsibility; risk transfer to insurance typically for high impact low likelihood events; * **Mitigate Risk** - implement or improve controls, countermeasures, modifying or eliminating risky processes; may reduce exposure, may prevent risk; * **Accept Risk** - one condition is if cost of mitigating is too high compared to the benefit or value of the asset or impact is too low; * **Risk Acceptance Framework** - useful tool used to set the criteria for the acceptance of risk and the level at which management acceptance is executed (i.e. Low - local mgmt can accept, Severe - BoD must accept and risk reduction must occur)

Answer 7

* **Inherent Risk** - the risk prior to mitigation * **Residual Risk** - the risk that remains after mitigation * **Reducing risk** inevitably introduces new risk * **objective** is for residual risk to equal criteria for acceptable risk and risk tolerance * risk that is higher then acceptable risk should be treated, **risk that is lower** then acceptable risk should be re-evaluated to determine whether excessive level of countermeasures or controls are in place for cost savings * **Final acceptance** of residual risk takes into account: Regulatory compliance, policy, sensitivity and criticality of relevant assets, acceptable levels of potential impacts, cost and effectiveness of implementation * **Risk Tolerance** - allowable deviation from acceptable risk usually as % or range (i.e. + or - 10%)

Answer 8

* **Impact** - all risk mgmt activities are designed to reduce impacts to an acceptable level to create or maintain value of organization; The result of any vulnerabilities exploited by a threat that causes a loss is an impact * Impact generally quantified as direct financial loss in short term and indirect financial loss in long term; (i.e. criminal liability, civil, loss of reputation, reduction of share value, breach of privacy) * Quantitative - range of financial impact; Qualitative - loss of reputation or market share; * Impacts are determined by performing **BIA** and subsequent analysis; BIA determines **criticality and sensitivity** of assets; basis for setting **access control** **authorizations**, **BCP, RTO,RPO, MTO, SDO, AIW**; prioritizes **risk mgmt and asset valuations;** tell us **types of protections** for assets and **justification for costly controls** for critical assets

Answer 9

For Risk Assessments to be effective and reasonably accurate, it is necessary to ensure that they are conducted from beginning to end; This will allow for control minimization, eliminate duplication or redundancy; layered controls are effective however controls addressing the same risk are not

Answer 10

* Legal and Regulatory requirements must be considered in terms of **risk and impact**. Senior mgmt must determine level of compliance and priority. * Evaluation must be done to determine if already compliant. If not, regulation must be evaluated to determine level of risk; * Organization must consider **level of enforcement and its relative position to its peers** bc enforcement actions are usually against those that are least compliant; * The **potential impact** of full compliance, partial, or non, must be considered in financial or reputational impact; * senior mgmt may decide risking sanctions is less costly than achieving compliance; or bc enforcement is limited or nonexistent compliance is not warranted;

Answer 11

* If **costs** outweigh **benefits**, organization must accept risk rather than mitigate; this is the principle of GAISP * **TCO** - must consider full cycle of control or countermeasure from acquisitions costs, training, recurring maintenance, monitoring, decommissioning, etc

Answer 12

* Baseline security is defined as the minimum security level across the enterprise; baselines can be different for different assets; the higher the classification, the more restrictive controls * Events such as control failure, vendor changes, protests, civil unrest, laws, regulations, changing threats can all be reasons for change in security baseline

Answer 13

Information Asset Classification * **Business Value** - Criticality and Sensitivity of asset; provides the basis for protection efforts, BCP, and user access control; mandatory step for effective Risk Management Program * **Criticality** - how important is the asset? determined by _impact_ on organization as a result of the _loss of an asset_ * **Sensitivity** - determined by the _potential damage_ to the organization as a results of _unauthorized disclosure_ * If comprehensive classification is not possible, a less effective option is a **business dependency assessment** (used to provide basis for allocating protective activities) * **Major Benefit of Asset Classification** - reduced risk of under protection and reduced cost of overprotection by tying security to business objectives * **Classification Steps** 1. Asset inventory is complete with location, data owners, data users ,data custodians (including external assets) 2. ISM works with business units to classify assets based on business value (criticality and sensitivity); ensure all IT stakeholders review and approve guidelines for access control levels; keep levels to a minimum

Answer 14

Risk-averse organizations have low risk appetite and blame culture can exist; Overclassify because users worry they'll be blamed if classification of assets is not done correctly

Answer 15

Methods to determine Criticality of Assets and Impacts of Adverse Events * BIA is the usual **process** to determine impact; COBIT,NIST,OCTAVE are resources; * **Generally accepted practice to** focus on the impact of loss information assets rather than the event that causes them. It is not practical or cost-effective to list every event * **Steps** in determining information asset importance 1. Divide organizational structure into business units or departments and rank them by importance or value to the business; rating is done by senior management 2. Identify critical functions to each department; these are tasks that help the unit in achieving its goals; rate these; this is the basic structure of the organization 3. Identify and rank assets and resources to those critical functions 4. Risks are listed; business owners are able to use this chart to identify which critical functions need risk responses first, the impacts, etc

Answer 16

Impact Assessment and analysis * **BIA** - performed to determine impact of losing availability of any resources to any organization; establishes the escalation of that loss over time; identifies minimum resources needed to recover; prioritizes recovery of processes; * Different types of assessments: BIA, mission impact assessment, asset criticality, and resource dependency assessment * **Common** for these assessments to determine only worst-case so they are often unrealistic; A more effective approach involves performing small set of scenario analyses * **Necessary information for impact analysis** - system mission, criticality (impact of loss/system's value), sensitivity (impact of unintended disclosure) * **If BIA cannot or has not been performed**, determine system/data sensitivity based on the level of protection to maintain the CIA of the system/data * **Loss of Confidentiality** - protection against unauthorized disclosure; impact includes loss of public confidence, loss of customer base, legal action * **Loss of Integrity** - protection against improper modification; impact includes fraud, misinformed decisions; violation of integrity may be the first step in a successful attack against availability and confidentiality * **Loss of Availability** - mission-critical IT system or process is unavailable; impact includes loss of productive time, loss of system functionality, loss of operational effectiveness

Answer 17

* Advantages and Disadvantages of Qualitative Analysis and Quantitative Analysis * **Advantage Qualitative Analysis** - prioritizes risk and identifies areas for immediate improvement * **Disadvantage Qualitative Analysis** - can not provide specific numerical values, therefore cost-benefit analysis is difficult * **Advantage Quantitative Analysis** - provides measurement of impact numerically and therefore cost-benefit analysis easy to do * **Disadvantage Quantitative Analysis** - using numerical values alone is not informative, additional information would be needed to accurately determine magnitude of impact (i.e. use qualitative analysis in combination)

Answer 18

BIA values * **RTO** - the *_amount of time*_ to _*recover to an acceptable level_* (SDO) of normal operations; * the asset's criticality, recovery priorities, interdependencies, costs, cyclical needs (time of day, week, month), customer needs, contractual obligations, SLAs, regulatory, all **help determine the RTO** * RTO can vary depending on time of month or year; RTO is determined by performing BIA with developing BCP; System interconnections will need a BIA * **BIA is generally conducted** by interviewing Information Owners and Senior Mgmt; IO's may have diff perspective then Senior mgmt as they work closely whereas senior mgmt may focus on other things such as cost or regulatory requirements; ISM considers both perspectives and the result will be factored into BCP to determine priority order for the recovery of assets * **RTO and its relation to BCP and DRP** - Once RTO is known, organization can identify and develop contingency strategies that will meet the RTOs; The RTOs drive the order of priority for restoration; SOs prefer shorter RTOs, but it's too costly; Near-instant recovery exists such as mirroring; * **RPO** - the *_acceptable data loss_* in case of disruption of operations; indicates the most recent point in time to which is it acceptable to recover the data (generally the last backup); Depending on volume of data, important to reduce time between backups to prevent situation where recovery becomes impossible to achieve the RTO * **SDO** - defines the *_minimal level of service_* that must be restored after an event to meet business requirements until normal operations are resumed; effected by RTO and RPO * **MTO** - the *_maximum time*_ an organization can operate in _*recovery mode_*. various factors such as amount of fuel, accessibility to site that may be located remotely, etc; MTO effects RTO which then effects RPO * **AIW** - typically as long as the MTO; the *_amount of time*_ the organization can operate until _*existence is threatened_*

Answer 19

Due Care - “looking before you leap”; ongoing maintenance to ensure compliance; being proactive (i.e. looking at legal, regulatory, contractual requirements to stay compliant instead of waiting to be hit with a fine); actually implementing stuff; opposite of Due care is Negligence Due Diligence - Understanding the ins and outs of the organization policies and procedures; Opposite of Due Diligence is “not doing your homework” Due Diligence comes before Due Care

Answer 20

Third-Party Service Providers * It is important to have **separation of responsibilities** aka “disconnect of responsibilities”; i.e. Organization may be responsible for Risk Assessment and Control Definition whereas 3rd party is responsible for control implementation and control monitoring; * Although organizations can outsource Risk Management, they **cannot outsource Responsibility**; * **Outsourcing Challenges** due to external organizations reluctancy to share technical details on their protection mechanism. **Approaches** to specify requirements or determine compliance: 1. specify levels of protection in **SLA** and other outsourcing conracts 2. **SOC 2** report (control report) (Not sufficient on its own bc organizations define criteria for report) 3. ISO 27001:2013 **Certification** (how to manage ISMS) 4. **Periodic compliance assessments** directly or through 3rd party 5. Develop **incident response plans and procedures** 6. Research the external organizations **Financial Capabilities** via US Securities and Exchange reports and annual reports

Answer 21

Risk Mgmt Integration with SDLC * **Change Management** is an important aspect to consider when implementing risk management process; ISM should be involved in Change Mgmt process and be aware of major changes that may have severe impacts and prompt risk assessments * Per **NIST 800-30** the two main reasons for implementing a risk management program is to *minimize impact* and to provide *proper reasoning for decision making* * Risk Management is an _iterative_ process that can be performed at each phase of the SDLC; SDLC phases may occur at the same time within a system; Risk Management should be thought of a life cycle and performed continuously through of the life of a system which will reduce costs and the need to perform annual risk assessments; * Characteristics of SDLC Phases

Answer 22

* **Baseline** - an initial set of critical observations or data used for comparison * **Security Control Baseline** - A set of controls that collectively mitigate risk to acceptable levels; sets standard for organization and allows for point of reference to measure against for compliance * Implementing baselines for security sets the minimum security requirements throughout the organization to keep risk at acceptable levels; **implementing a classification scheme** prior to implementing security control baseline is important to justify why systems may have more or less controls implemented; it is important to avoid overprotection or underproduction of systems by classifying assets;

Answer 23

SMART and MAC-RAP Good Metrics help ensure controls are efficient and effective

Answer 24

* **Key Risk Indicators (KRIs)** - when an enterprise is subject to risk that exceeds a defined risk level; provides early warnings * related to risk appetite and tolerance so trigger levels can be defined that will enable stakeholders to take appropriate action in a timely manner * HIGHLY relevant and HIGH probability of predicting or indicating significant change in risk * **Criteria for Selecting Effective KRIs** 1. _Impact_ - indicators of risk with *high potential impact* or most likely KRIs 2. _Effort to implement, measure, and report_ - KRIs that are *easy* to measure are preferred 3. _Reliability_ - indicator should possess *high correlation* to the risk and outcome measure 4. _Sensitivity_ - capable of accurately indicating *variances* in risk level **Examples might include:** * Financial KRIs: economic downturn, regulatory changes. * People KPIs: high staff turnover, low staff satisfaction. * Operational KPIs: system failure, IT security breach.

Answer 25

* **Risk management documentation (Overview)** 1. Objectives 2. Audience 3. Resources 4. Assumptions 5. Decisions * **Specific Documentation for Risk Management** 1. Risk Register (Source of Risk, Nature of Risk, Risk Owner, Risk Ranking, Risk Treatment, Existing Controls, Recommended Controls) 2. Likelihood and Impact 3. Initial Risk Rating 4. Vulnerabilities 5. Inventory of Assets 6. Risk Treatment Plan 7. Monitoring Plan and Audit Documents

Answer 26

* Intangible assets - assets that _cannot be touched_. i.e. trade secret, brand reputation, customer loyalty and trust * Patent - an idea that is novel, useful, and non-obvious but publicly accessible once registered