Fundamentals

Question 1

What are four examples of intangible assets?

Answer 1

1) Data
2) Brand
3) Reputation
4) Intellectual Property

Question 2

What is Risk Tolerance/Acceptable Risk?

Answer 2

The level of risk and organization is willing to accept.

Question 3

What is a Risk Treatment/Control? What 3 methods are there? What should a control or treatment not do?

Answer 3

The method used to lower/eliminate a risk. Examples in include isolation of, insurance for, elimination of, sharing of risk. These methods could be administrative, technical, procedural, substitution measures. Ensure that a control/treatment does not introduce new risks or that the new risks are easier to address/less serious than the initial risk.

Question 4

What is a Risk Registry? What is it used for?

Answer 4

A list of identified risks and characteristics, severity and likelihood of the risks. The Registry is often used to compare risks from many different sources.

Question 5

What 3 elements should be included at a minimum to cost effectively manage risk?

Answer 5

1) Protecting the Organization and its value chain.
2) Responding to events
3) Continuing Operations while recovering from events.

Question 6

Define CCP.

Answer 6

Critical Control Point-A point, step, or process at which controls can be applied to modify risk.

Question 7

What is a management system?

Answer 7

A framework of policies, processes, and procedures used to ensure that an organization can fulfill all tasks required to achieve its objectives.

Question 8

What is a risk driver?

Answer 8

An event, individual, process or trend having impact on the objectives of the organization.

Question 9

What is risk?

Answer 9

The effect of uncertainty on the achievement of strategic, tactical, and operational objectives.

Question 10

What is the difference between Risk Appetite, Tolerance, and Aversion?

Answer 10

Appetite: The risk an entity is willing to pursue, retain, or take. (The general level of risk you accept)
Tolerance: The risk an entity is ready to bear after risk treatment. (The ability to bear a realized risk)
Aversion: The risk a company is not willing to undertake.

Question 11

What is Risk Management Context?

Answer 11

Describes the scope, as well as risk control parameters, methods and plans currently in place for the risk management activities.

Question 12

What is a Risk Portfolio?

Answer 12

A complete collection and range of uncertainties that affect an organization’s future. Sometimes called a Risk Universe.

Question 13

What are the 5 Avenues to avoid risk?

Answer 13

1) Risk Avoidance
2) Risk Transfer
3) Risk Spreading (spread valuables over multiple sites)
4) Risk Reduction
5) Risk Acceptance

Question 14

What is risk management?

Answer 14

The systematic approach that identifies risk, calculates risk impact, eliminates or minimizes risk to an acceptable level. Risk management includes risk assessment as a sub-component.

Question 15

What is the difference between observability and exploitablity?

Answer 15

Observablity is an adversary’s ability to see a vulnerability.
Exploitablity is an adversary’s ability to take advantage of a vulnerability.

Question 16

What does mitigation focus on?

Answer 16

Soley on reducing consequences.

Question 17

What two things is a threat a combination of?

Answer 17

1) Adversary capabilities, motivation, and intent
2) Likelihood of attack (measured in terms of probability, and frequency

Question 18

What is the Threat Spectrum?

Answer 18

A summary of the threat actors and their motivations, intents, tools, and capabilities that could attack a facility.

Question 19

What are the six steps for carrying out both qualitative and quantitative performance based analysis?

Answer 19

1) Create an adversary sequence diagram
2) Conduct a path analysis
3) Perform Scenario Analysis
4) Complete a neutralization analysis
5) Determine system effectiveness and risk
6) Develop and analyze system effectiveness upgrades if risk is not acceptable.

Question 20

What three tools are used by a security program use to execute its mission?

Answer 20

1) Systems
2) Personnel
3) Regulations

Question 21

What are the 5 options of Risk Mitigation?

Answer 21

1) Assumption
2) Avoidance
3) Limitation (control implementation)
4) Transference
5) Site hardening

Question 22

What are consequential event threats?

Answer 22

Occurs because of a relationship between an event and another party. ex. a data-breach at a provider affects all of the providers clients.

Question 23

What is the difference between a threat and a hazard?

Answer 23

A hazard is a source of potential danger or adverse conditions (commonly natural).
A threat is the intention to cause damage or injury and is associated with humans.

Question 24

What is a loss event profile?

Answer 24

A list of the kinds of threats affecting the assets to be safeguarded.

Question 25

What is Risk? What three components does it take into account?

Answer 25

The potential for loss of or damage to an asset.
1) Asset Value
2) Threats or Hazards
3) Vulnerability