Domain Five: Risk Management

Question 1

Define the Business Impact document ?

Answer 1

The business impact analysis is often seen as being a document but it is also a set of processes comprising of several different functions and roles within the organisation identifying key business functions or processes that will be impacted during a disruption.

Question 2

What are the two key metrics used in the BIA ?

Answer 2

Mean Time Between Failure
Mean Time to Repair

Question 3

What is the first stage in the BIA process or document ?

Answer 3

We need to firstly identify critical functions and then associate the systems that aid those functions. We need to be able to answer the following questions

Do we know what services our customers always expect to be available ?
Do we know what service our employees need available at all times ?

This stage needs SMEs from all the functional areas to help identify this.

Question 4

What are the five impct areas a BIA document or process should consider ?

Answer 4

Life
Property
Safety
Financial
Reputation

Question 5

What is a privacy threshold assement ?

Answer 5

A privacy threshold assessment is conducted to determine what levels of information a system is collecting to determine a privacy impact assessment is required.

Question 6

What is a privacy impact assessment ?

Answer 6

A privacy impact assessment determines the impact on PII contained within that system if it is compromised.

Question 7

What is the RPO ?

Answer 7

RPO is the maximum allowable time between backups

Question 8

What is the RTo ?

Answer 8

RTO is the maximum time allowed to restore backups. It designates the amount of real time that can pass before the disruption begins to seriously and unacceptable impede the flow of normal business operations

Question 9

Describe the four common data sensitivity types ?

Answer 9

Public - Free to all
Proprietary - This is information peculiar to that organisation and can include such things as trade secrets
Confidential Information - Requires restrictive access through such mechanisms as NDA
Private Information - This information sensitivity includes PII and PHI and should be protected extensively

Question 10

Describe the role of the privacy officer ?

Answer 10

Is responsible for the organisations data privacy. They implement policies and procedures to help carry out privacy controls.

Question 11

Describe the role of the data steward ?

Answer 11

Manages the day to day control and protection of data for the organisation responsible for compliancy and regulatory understanding

Question 12

Describe the role of the data owner ?

Answer 12

Responsible for specific data sets but delegates the day to day procedures around data

Question 13

What are the three reasons for having a data retention policy ?

Answer 13

Version Control - Returning to a last know state
Recovery from Cyber attacks - Especially as attacks are not always discovered immediately
Legal/Regulatory compliance

Question 14

Name some of the techniques for data sanitisation ?

Answer 14

Burning
Shredding
Pulping
Pulverising
Degaussing
Purging
Wiping

Question 15

What in digital forensics is the order of volatility ?

Answer 15

Data for investigations should be collected in an order to make sure that most volatile sources prone to destruction as harvested first.

CPU Cache and Registers
Remaining data stored in RAM
Temporary File Systems
Files Written to Disk
Remote monitoring data for the system
Archived Data

Question 16

What is chain of custody ?

Answer 16

As evidence is collected, we need to ensure that we maintain the integrity of the evidence collected. Everyone that comes into contact with the evidence must be documented and the chain of custody document should show how the evidence was stored.

Question 17

Name some of the sources we can use for evidence ?

Answer 17

There are several sources of information. We should also capture hashes of the system to be able to prove that it has remained unaltered during the investigation.

Capturing System Images
Network Traffic and Logs
Capturing Video
Screenshots
Witness Interviews

Question 18

What is legal hold ?

Answer 18

Legal hold refers to special procedures put in place to aid any court proceedings.

Question 19

What does the term preservation mean ?

Answer 19

Preservation procedures should be put in place to maintain the integrity of the evidence

Question 20

What are the three areas to consider with recovery ?

Answer 20

Active Logging, Strategic Intelligence, Counterintelligence gathering

Question 21

What are the different types of backup ?

Answer 21

Full - Backup of whole drive irrespective of whats changed
Incremental/Differential - Backup of whats changed between full backups
Snapshots - VM backups used to spin up new backups

Question 22

Define continuity of operations ?

Answer 22

Usually attributed to the US Federal Government helps to ensure operations through unanticipated events. The US Government mandates that agencies need to continue to provide services even during times of crisis.

Question 23

What is continuity planning ?

Answer 23

Usually attributed to the US Federal Government helps to ensure operations through unanticipated events. The US Government mandates that agencies need to continue to provide services even during times of crisis.

Question 24

What are the five control of disaster recovery controls ?

Answer 24

Deterrant - Those controls that deter but do not prevent, Preventative - Those controls that prevent something from occurring.
Compensatory - Are those mechanisms that are put in place to satisfy requirements for a security measure when management has deemed it to impractical to implement the actual fix.
Corrective - Remediate a risk after being discovered
Detective - Detects events after they have been discovered
Directive controls - Direct on how to achieve security compliancy such as policies

Question 25

What are the three disaster recovery control types ?

Answer 25

Administrative, Technical, Physical, Operational

Question 26

Give an example of a administrative technical control type ?

Answer 26

Acceptable Use Policy

Question 27

Give an example of a physical control type ?

Answer 27

Crash Barrier

Question 28

Give an example of a technical control type ?

Answer 28

IPS

Question 29

What are the Geographic consideration for disaster recovery and planning

Answer 29

Locations Selection
Legal Considerations
Off Site storage
Distance
Data Sovereignty

Question 30

What are the three categories for recovery sites ?

Answer 30

Hot - Like for like replacement always on including software and data
Warm - Infrastructure in place but software and backups may need to be restored
Cold - Site is available but infrastructure and everything else needs to be put in place

Question 31

What is incident response ?

Answer 31

This is how we recover minimising downtime and reducing damage when an incident occurs.

Question 32

What are the six stages of incident response ?

Answer 32

Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned

Question 33

What are the main categories of incident response ?

Answer 33

External/Removable Media
Attrition
Web
Email
Improper Usage
Loss or Theft of Equipment
Other

Question 34

What is the role of security management in incident response ?

Answer 34

Responsible for leading the response team during planning and carrying out IR procedures. They also offer corporate support for the IR team.

Question 35

What is the role of the compliance officer in incident response ?

Answer 35

They help to advise what steps need to be taken to maintain compliance with various rules and procedures.

Question 36

What is the role of the incident response team ?

Answer 36

This team is a specialised group, they train and are tested for incident response. These individuals walk through exercises to determine when, why and who to engage during particular incidents.

Question 37

What is the role of supplementary technical staff in incident response ?

Answer 37

Used to provide technical help over and above that in the IR team.

Question 38

What is the role of the Cyber Incident Response team ?

Answer 38

Responsible for providing detailed Cybersecurity knowledge.

Question 39

What are the personnel functions in Organisational Security?

Answer 39

Policies, Background checks,and JMl

Question 40

What is the purpose of the exit interview ?

Answer 40

Determines the morale and culture of the team as well as a chance to gain an understanding of where things have gone wrong and can be improved.

Question 41

What is a acceptable use policy ?

Answer 41

Also known as Rules of Behaviour - May include security policies such as the restriction of social media or personal email.

Question 42

What are adverse actions ?

Answer 42

Describes the steps taken when abuse has taken place

Question 43

Name the six agreement types ?

Answer 43

SLA, Memorandum of Understanding, Standard Operating Procedures, Business Partner Agreement, Interconnection security agreement, Memorandum of agreement

Question 44

What is a clean desk policy

Answer 44

Removal each day of documents and printouts that could compromise security.

Question 45

How often do we embark on a continuous education program ?

Answer 45

Annually

Question 46

Why should we have mandatory job holidays and rotation ?

Answer 46

Besides cross training and other issues it also helps prevent users being involved in malicious actions as well as highlighting improvements required in processes and job functions.

Question 47

What is the thinking behind separation of duties ?

Answer 47

Also for security purposes as it avoids a single person being compromised due to have complete access and knowledge of a system.

Question 48

What is single loss expectance (SLE) ?

Answer 48

This is the monetary cost of an event to an organisation

Question 49

What is the annual rate of occurrence (ARO) ?

Answer 49

This is the number of times a year an event occurs

Question 50

What is annual loss expectancy (ALE) ?

Answer 50

SLE * ARO

This represents the actual cost to the company and can be used to determine if a compensating control is worth it.

Question 51

What are the four main risk response techniques ?

Answer 51

Risk Acceptance, Risk Avoidance, Risk Transferrance, Risk Mitigation

Question 52

What are the two main sources of threats ?

Answer 52

Environmental and Man Made

Question 53

Describe the relationships betwee control categories and types

Answer 53

Categories contain types.

Question 54

Describe the detective control category ?

Answer 54

Controls that detect activity after the event has taken place

Question 55

What type of control is a threat assessment ?

Answer 55

Managerial

Question 56

What type of control is a sign warning you of a guard dog ?

Answer 56

Deterrent - Its tempting to say physical but the sign does not physically prevent someone from doing something.

Question 57

What is the most common way to ensure that companies destroy data ?

Answer 57

Signing of a contract that mandates this and that the third party has certification standards around this area.

Question 58

Describe the role of the CEO in an organisation ?

Answer 58

The chief executive officer manages the companies operations. The CEO is hired by the board and is dismissed by the board and has their performance reviews and compensations determined by the board.

Question 59

What are the three areas covered by a GRC program ?

Answer 59

Governance, Risk and Compliance

Question 60

What are the two types of governance models ?

Answer 60

Centralised and Decentralised

Question 61

What is a centralised governance model ?

Answer 61

Top Down - Central Authority creates policies and standards

Question 62

What is a decentralised governance model ?

Answer 62

Bottom Up - Individual teams responsible for governance

Question 63

What is a definition of a policy ?

Answer 63

High level statement of management intent.

Question 64

What are some typical points covered in a policy ?

Answer 64

A statement of the importance of cybersecurity to the organisation
A requirement that staff and contractors maintain CIA principles and guidelines
A statement on the ownership and creation of information created or processed by the organisation
Designation of the CISO or other individual as the executive responsible for Cybersecurity issues
Delegation of authority to CISO the ability to create standards, procedures and guidelines and to implement them

Question 65

What is a business continuity policy document ?

Answer 65

Describes steps to protect and recover critical business systems in response to unforseen outage and that the data assets are recovered and protected.

Question 66

What is a change management policy ?

Answer 66

Describe how the organisation will review, approve and implement proposed changes to information systems

Question 67

What is an incident response policy ?

Answer 67

Describes how an organisation will respond to security incidents

Question 68

Describe an acceptable use policy ?

Answer 68

Also known as Rules of Behaviour - May include security policies such as the restriction of social media or personal email.

Question 69

Describe and information security policy ?

Answer 69

Provides high level authority and guidance for security program

Question 70

What is a standard ?

Answer 70

Provide mandatory requirements describing how an organisation will carry out its information security policies. These may include specific configuration settings used for common operating systems, the controls that have to be in place for sensitive information. Standards are approved at a lower level than policies and therefore can change more frequently.

Question 71

What is a guideline ?

Answer 71

Guidelines provide best practices and recommendations. Compliance is not mandatory and guidelines are offered in the spirit or providing helpful advice.

Question 72

What two ways can policy effectiveness be measured ?

Answer 72

This can be a combination of tool based (SIEM) and human based (Feedback, Exit Interviews)

Question 73

What is the primary goal of change management ?

Answer 73

The primary goal of change management is to ensure that changes do not cause outages. Change management processes ensure that appropriate personnel review and approval of changes takes place before implementation and also ensure testing and documentation have taken place.

Question 74

What are the six steps in a typical change request proces ?

Answer 74

Request, Review, Accept or Request, Test, Schedule, Document

Question 75

What is a NDA ?

Answer 75

Non Disclosure Agreements often require that employees protect any confidential information that they gain access to in the course of their employment. Usually signed on hire and reminded about on exit.

Question 76

What are the two main consideration during the vendor selection process ?

Answer 76

There are two aspects of vendor selection that should be considered

Due Diligence and Conflict of Interests

Question 77

What three ways can we use to assess a vendor ?

Answer 77

Penetration Testing
Questionnaire
Supply Chain Analysis

Question 78

What is a master service agreement ?

Answer 78

Provide an umbrella contract for the work that a vendor does with an organisation over an extended period of time. Typically cover privacy and security agreements and then can be referenced in statement of work and work orders.

Question 79

What are the three consideration around vendor monitoring ?

Answer 79

The rules of engagement agreement should specify monitoring requirements.
KPI metrics should also be established
Compliance Monitoring is also fundamental

Question 80

What is HIPPA ?

Answer 80

Includes security and privacy rules that affect health care providers, health insurers, and health information clearing houses in the United States.

Question 81

What is PCIDSS ?

Answer 81

Provides detailed rules about the storage, processing, and transmission of credit card and debit card information. PCIDSS is not law but rather a contractual obligation that applies to credit card merchants and service providers worldwide.

Question 82

What is the Gramm Leach Bliley act ?

Answer 82

Covers US Financial services. Requires that there is a distinct security program with an individual responsible for it.

Question 83

What is the Sarbanes Oxley Act ?

Answer 83

Act applies to the financial records of US publicly traded companies and requires that those companies have a strong degree of assurance for the IT systems that store and process those records.

Question 84

What is the Family and Educational Rights Privacy Act (FERPA)

Answer 84

Covers student records and requires US educational institutions implement security and privacy controls for student educational records.

Question 85

Whats involved with internal compliance reporting ?

Answer 85

Internal Reporting typically involves regular reports to management or the board highlighting the state of compliance, identifying the gaps and what is required to improve.

Question 86

What is external compliance reporting ?

Answer 86

This is mandated by external regulatory bodies or as part of contractual obligations. It involves providing the necessary documentation and evidence to external entities to demonstrate that the organisation is in compliance with the relevant laws and regulations.

Question 87

What does the term due care mean in compliance monitoring ?

Answer 87

Refers to the ongoing efforts to ensure that the implemented policies and controls are effectively and continuously maintained throw a process of regular review, updates to policies and proactive steps.

Question 88

What is meant by acknowledgement in the due care process of compliance monitoring ?

Answer 88

Part of the due care process it means ensuring that employees and business partners state that they are aware of the compliance requirements.

Question 89

What does attestation mean in the compliance monitoring process ?

Answer 89

Is the step where employees and business partners state they are aware of these compliance requirements and have also confirmed that they have adhered to these standards.

Question 90

Whats the difference between an incremental and a differential backup ?

Answer 90

An incremental back up just backsup changes since the last backup. Differential backsup all the changes since last fullbackup so it gets progressively large until reset at next full backup.

Question 91

What is the NIST Core detailing ?

Answer 91

Covers the five functions of

Identify
Protect
Detect
Recover
Respond

Which is then further subdivided into further sub categories

Question 92

What is a framework tier in NIST CF ?

Answer 92

Assessment of ready your organisation is to implement cybersecurity objectives. It is an example of a maturity model.

Question 93

What is a profile in NIST CF ?

Answer 93

Describes how an organisation might use the framework to describe its current state and then a separate profile to describe its future state.

Question 94

Is Risk Acceptance the same as doing nothing ?

Answer 94

This occurs when it is not financially viable to tackle the risk - This is usually when the control is more expensive than the actual risk. It is not to be viewed as deliberately not taking action.

Often their are exceptions where the risk is acknowledged and is accepted as an exception. An exemption is like an exception but will need a more formal sign off.

Question 95

What is inherent risk ?

Answer 95

The inherent risk facing an organisation is the original level of risk that exists before implementing any controls.

Question 96

What is residual risk ?

Answer 96

Is the risk left after controls have been implemented

Question 97

What is risk appetite ?

Answer 97

Is the level of risk that is willing to be accepted as the cost of doing business

Question 98

What is risk threshold ?

Answer 98

It is the level at which a risk becomes unacceptable

Question 99

What is risk tolerance ?

Answer 99

The ability to withstand risk and maintain operations.

Question 100

What are key risk indicators ?

Answer 100

Metrics to measure and provide early warning for increasing levels of risk.

Question 101

What three stances come under risk appetite ?

Answer 101

Expansionary, Conservative, Neutral

Question 102

Name three common items on a risk register ?

Answer 102

Risk Owner
Risk Threshold Information
Key Risk Indicators

Question 103

What are the four ways of risk reporting ?

Answer 103

Adhoc reports, Regular Updates, Dashboard, Risk Trend Analysis

Question 104

What is the Mean Time Between Failure (MTBF) ?

Answer 104

BIA metric about the reliability of a system. It is the expected amount of time between failures.

Question 105

What is the Mean Time To Repair (MTTR) ?

Answer 105

BIA metric is the average amount of time to restore the system to its normal operating state after failure

Question 106

In a data inventory should only human readable files be included ?

Answer 106

No - It is important that the data inventory should contain all types of information that may contain sensitive information even non human readable binary files should be included if they contain sensitive information.

Question 107

What items are typically part of a data inventory ?

Answer 107

PII, Legal, Financial, Regulatory, Intellectual Property, PHI

Question 108

What is a data subject ?

Answer 108

Individuals whose data is being processed

Question 109

What should be the response when a data breach occurs ?

Answer 109

Implement Response plan. Some regulations such as GDPR mandate that the breech is publically notified.

Question 110

I want to encrypt data at rest on my disk what options do I have ?

Answer 110

FDE, File, Volume, Partition

Question 111

I want to encrypt a large amount of data on disk but I dont want to encrypt the whole drive what is my next best option ?

Answer 111

Volume

Question 112

What three options do I have to encrypt data at rest in a database ?

Answer 112

Transparent Level Encryption (Whole database), Record, Column

Question 113

What is the process of tracking user activity for cost, billing and audit purposes ?

Answer 113

Accounting

Question 113

What is certificate verification ?

Answer 113

When you receive the certificate you should verify it by

Checking it is not on the Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP)
Digital Signature is Authentic
Certificate contains data you are trusting

Question 114

What is certificate pinning ?

Answer 114

Certificate pinning is where we specify the exact certificate we trust so for example only accept the certificates from one particular CA.

Question 115

What is OCSP ?

Answer 115

This eliminates the latency of CRL it is a process where the browser in real time can determine the status of a certificate by issuing a OCSP request to CA OCSP server and it will receive a status of Good, Revoked or Unknown

Question 116

What are CRL and the issues with them ?

Answer 116

A list of revoked certificates and when they are revoked. They are maintained by multiple CAs.
The main issue is that the list has to be downloaded to be used by browser so there can be a lag from when the certifcate was revoked and when the browser notices.

Question 117

What is certificate stapling ?

Answer 117

It is costly having the browser send OCSP request every time on the CAs servers so instead of having individual clients contact the OCSP server it is usual for the web server to do this every twenty four hours and staple the response to the certificate. The browser then verifies both the certificate and the OCSP response.

Question 118

When is a certificate revoked ?

Answer 118

Certificate has been compromised
Certificate has been erroneously issued
Details have changed
Security Association has changed

Question 119

What are the binary formats for certificates ?

Answer 119

PFX and DER

Question 120

What formats are PEM and PB7

Answer 120

Text

Question 121

The .crt extension covers which formats ?

Answer 121

PEM and DER

Question 122

What typically takes place in the preparation phase in the incident response process ?

Answer 122

Defining roles and responsibilities and conducting regular training drills

Question 123

Whats the difference between TCO and ROI ?

Answer 123

TCO covers the whole lifetime of the asset whereas ROI doesnt.

Question 124

Who determines the means of processing data, the Data Owner or the Data Controller ?

Answer 124

Data Controller

Question 125

What is more secure cellular, wifi or bluetooth ?

Answer 125

Cellular

Question 126

What is a horizontal password attack ?

Answer 126

Using the same user password combo to attack multiple accounts

Question 127

Does a shadow IT actor have malicious intent ?

Answer 127

No

Question 128

What is a feature of SCAP ?

Answer 128

All data is encrypted before it is stored

Question 129

Why is deguassing not as effective as pulverising ?

Answer 129

Doesnt work on all types of disks

Question 130

What is a conservative approach to risk ?

Answer 130

Avoiding risk as much as possible

Question 131

What is a exapansionary approach to risk ?

Answer 131

Willing to take on higher levels of risk for greater rewards

Question 132

What is a neutral approach to risk ?

Answer 132

Balanced approach

Question 133

What is a tabletop exercise ?

Answer 133

Used to talk through processes. Team members are given scenarios and are asked questions on how they would respond, what issues may arise and what they would need to do to accomplish tasks and then document improvements to IR plane. Can resemble a brainstorming session.

Question 134

What is a simulation ?

Answer 134

Can be a wide variety of events and simulate individual functions or elements of a plan. They can also be done at full scale or organisation wide.

Question 135

What is the major differences between DKIM, SPA and DMARC ?

Answer 135

DKIM - Tags in DKIM Signature Header SPA - List of authentic Email servers as DNS Recors and DMARC uses both to determine whether you should accept a email as being from sender by rejecting or quarantining

Question 136

What is the CVSS category 0

Answer 136

None

Question 137

What is the CVSS category 0.1 - 3.9

Answer 137

Low

Question 138

What is the CVSS category 4.0 - 6.9

Answer 138

Medium

Question 139

What is the CVSS category 7.0 - 8.9

Answer 139

Hiigh

Question 140

What is the CVSS category 9.0 - 10.00

Answer 140

Critical

Question 141

What other data sources should be taken into account alongside CVE scores ?

Answer 141

Log Reviews
SIEM
Configuration Management System

Question 142

What are the four categories of pen test

Answer 142

Physical, Offensive, Defensive and Integrated

Question 143

What should a behaviours section in a pentest rules of engagement cover ?

Answer 143

Determines which behaviours are in scope. Common behaviours are shunning, deny listing or other active testing which may be usefull if a full simulation but need to be removed if we are looking at for examples a response to a breach.

Question 144

Which legislation mandates the implementation of risk assessments, internal controls, and audit procedures for ensuring transparency and accountability in financial reporting in the US?

Answer 144

SOX

Question 145

What is FISMA ?

Answer 145

FISMA (Federal Information Security Management Act) aims to govern the security of data processed by federal government agencies, but it doesn’t specifically focus on financial transparency and accountability.

Question 146

What is operational security ?

Answer 146

Operational security is a risk management process that encourages managers to view information protection from an adversary’s perspective. Data loss prevention is a set of tools and processes designed to detect a potential data breach and prevent them by monitoring and controlling data transfers.

Question 147

What is a strong indicator of compromise pertaining to logs ?

Answer 147

A missing log is a strong sign of an attacker’s presence since they often remove or alter logs to hide their actions.