Info RM and Compliance Flashcards
Can you decide on avoiding, transferring, mitigating, and accepting a risk without involving committee members?
No
In a merger, when should a comprehensive risk assessment be conducted?
ASAP
What requirements for information security are cited in GDPR?
Personal data shall be protected against loss, destruction, or damage
What are examples of risk acceptance?
Omitting something from a risk register or getting a system owner's approval on a risk
What is an example of risk transfer?
Moving source code from an off-premise repository to an IaaS repository
What reporting is required for companies that accept payment cards?
Annual self-assessment questionnaire (SAQ) and attestation of compliance (AOC)
How should assets be classified?
Value, criticality, and/or sensitivity to the organization
What are the 4 phases of risk management?
Reporting, assessing, evaluating, and monitoring
What is OCTAVE?
Operational Critical Threat Assessment and Vulnerability Evaluation. Framework with 8 (Octa) steps that helps identify, rank, and prioritize events for assessment.
- Establish criteria for measuring risks
- Create an information asset profile
- Identify information asset container
- Recognize areas for concern
- Identify threat actor and scenarios
- Identify risks
- Analyze risks
- Choose countermeasures and control
What is the Bowtie method?
Diagrams link between cause, control, and consequence
What is the Delphi Method?
Expert judgement through 2 or more rounds of questionnaires
What is a Fault Tree Analysis?
Top-down diagrammed analysis of single events
What is the ETA method?
Event Tree Analysis. Derived from fault tree analysis, a logic-model technique that is forward-looking and bottom-up
What is Markov Analysis?
Analysis of systems in various states
What is the Open FAIR concept?
Statistical inference based on prior distribution data to determine probabilities
What are Monte Carlo Simulations?
Establishes aggregate variations for a large number of inputs
What does NIST publish?
Framework for improving critical infrastructure cybersecurity
What does US-CERT publish?
US Computer Emergency Readiness Team produces threat warning information
What does ISACA publish?
RiskIT Framework
What does the Computer Security Resource Center publish?
National Vulnerability Database (NVD)
What does Verizon publish?
The Annual Data Breach Investigation Report
What is the Risk Acceptance Framework?
Low: Risk accepted by local supervisors
Medium: Risk accepted by CIO
High: Risk accepted by CIO, CISO, or other directors based on probable impact
Severe: Risk accepted only by BoD with management notification
What is the threat lifecycle?
Agent actor > attack > vulnerability > impact
What is RTO?
Recovery Time Objective: A period of time from the onset of an outage until the resumption of service
What is RPO?
Recovery Point Objective: The period of acceptable data loss due to an incident or a disaster
What is RCapO?
Recovery Capacity Objective: The capacity of a temporary or recovery process, as compared to the normal process
What is SDO?
Service Delivery Objective: Level of quality of service that is required after an incident, as compared to business normal operations
What is MTD?
Maximum Tolerable Downtime: Theoretical time period, measured from the onset of a disaster, after which the organization’s ongoing viability would be at risk
What is MTO/MAO?
Maximum Tolerable Outage, aka Maximum Acceptable Outage (MAO): The maximum period of time that an organization can tolerate operating in recovery