Domain 2 - Risk Management

Question 1

what is an asset

Answer 1

something of tangible or intangible value worth protecting

Question 2

what is a vulnerability

Answer 2

weakness in the design, implementation, operation, or internal control process that could expose a system to adverse threats - lack of adequate controls

Question 3

what is a threat

Answer 3

something that could pose loss to all or part of an asset

Question 4

what is probability

Answer 4

the likelihood the risk will occur

Question 5

what is impact

Answer 5

damage caused if the risk event occurs. refereed to as severity

Question 6

what is a threat agent

Answer 6

what carries out the attack

Question 7

what is an exploit

Answer 7

an instance of compromise

Question 8

what is needed for something to be considered a risk

Answer 8

1. asset
2. vulnerability
3. threat

Question 9

what are the two things the gives a risk value

Answer 9

1. probability
2. impact

Question 10

what is risk called in the future and onces its happened

Answer 10

1. future risk is a risk
2. once a risk has occured its called an incident

Question 11

what is inherent risk

Answer 11

with all businiess endeavors there is some degree of risk

Question 12

what is residual risk

Answer 12

risk that remains after a cotnrol has been implemented

Question 13

how much mitigation should be applied to a risk

Answer 13

until the residual risk is withing the level that management is willing to accept (management risk tolerance)

Question 14

what is secondary risk

Answer 14

one risk may cause a second risk or the risk created after applying a control

Question 15

what is risk appetite

s

Answer 15

senior management approach to risk - what they are willing to accept
* risk seeking
* risk neutral
* risk adverse

Question 16

what is risk tolerance

Answer 16

acceptable level of varation that management is willing to allow for any particular risk

Question 17

what is risk profile

Answer 17

an organizations current exposure to risk

Question 18

what is risk threshold

Answer 18

a quantified lit beyond which your organziation is not willing to go

Question 19

what is risk capacity

Answer 19

amount of risk an organization can absorb without threanening is viability

Question 20

what is risk utility

Answer 20

the positive outcome desired from taking a risk

Question 21

controls

Answer 21

proactive and reactive mechanisms put in place to manage risks

Question 22

what is systemic risk

Answer 22

catory of risk that describes threats to system, market or econimic segment

Question 23

contagious risk

Answer 23

events that impact multiple organaizations in a short time
* dyn DDOS to many orgs - amazon, twitter, google etc.
* loss of trust and confidents in the payment and settlement systems

Question 24

what is obsure risk

Answer 24

risk that has not yet occrurred and is unlikely or difficult to fathom (black swan event)

Question 25

what are the steps to creating a risk management program

Answer 25

1. establish context and purpose * frame out environment what is the purpse of the program 2. define scope and charter * authority of project manager is defined (who takes the lead) * who has ultimate accountability * who are the owners of data 3. define authority, structure and reporting 4. ensure asset identification, classification and ownership 5. determine objectives 6. determine methodologies 7. designate program development team * we want a cross functional team with a wide varieity of exposure to risk and knowledge not just yes people

Question 26

what 4 things do data owners do

Answer 26

1. involved in day-to-day risk management 2. follow risk process 3. apply internal controls and risk responses 4. responsible for making decisions about their data

Question 27

governance does what 3 things

Answer 27

1. oversee and challenge risk management 2. provide guidance and direction 3. develp risk management framework

Question 28

per NIST 800-30 what are the 4 steps to a risk management process

Answer 28

1. address how your organization frame risk or establish risk context * describe th eenvironment in which risk-based decisions are made. the framing component is to produce a risk management strategy * this addresses how the ogranization assess risk, respond to risk and monitor risk 2. addresses how organizations assess risk * the purpose of risk assessment is to identify threats to the organization (i.e., operations, assets and individuals) or threats directed through oganizations agains other oganizations or the nation * vulnerabilities internal and external to organizations * the harm (i.e.,adverse imact) that may occur given the potential for threats exploiting vulnerabilites * the likelihood that harm will occur * typically a function of the degreeo fharm and lielihood of harm to occur 3. how organizations respond to risk. The purpose of risk response is to provide a consistant, organizational-wide response to risk in accordance with the organizational risk frame * developing alternative courses of action * evaluate alternative courses of action * determine appropriate courses of action consistent with the organizational risk tolerance * implementing risk responses based on selected courses of action 4. how organizations monitor risk over time * determine ongoing effectiveness of risk responses (consistent with the organization risk frame) * identify risk-impacting changes to informational systems and the environment * verify that planned risk responses are implemented

Question 29

do we focus on IT risk just because they are IT risk

Answer 29

no, we only focus on business impacting risks

Question 30

3 assessment approaches

Answer 30

1. threat orientation - starts with identification of threat sources and events; focuses on threat scenario development 2. ***asset/impact-oriented - starts with the identification of impacts or consequences of concnern and critical assets, possibly using the results of business impact analyses*** 3. vulnerability-oriented - starts with a set of predisposing conditions or exploitable weaknesses/deficiences in the oganizational information systems or environment; identifites threat events that could exploit those vulnerabilites