Information Risk Management

Question 1

What is Risk ?

Answer 1

Risk = Threat * Vulnerability

Question 2

Risk Management Lifecycle is

Answer 2

iterative

Question 3

What is the Lifecycle phases?

Answer 3

IT Risk Identification
IT Risk Assessment
Risk Response And Mitigation
Risk and Control Monitoring and Reporting

Question 4

What are the steps to do Risk Managing as in program management

Answer 4

Identify our Risk Management team
What is in and what is out of scope?
Which methods are we using?
Which tools are we using?
What are the acceptable risk levels, which type of risk appetite do we have in our enterprise?
Identify our assets: Tangible and Intangible

Question 5

What are the steps of Risk Assessment?

Answer 5

Quantitative and Qualitative Risk Analysis
Uncertainty analysis
Everything is done on a cost-benefit analysis
Risk Mitigation/Risk Transference/ Risk Acceptance/ Risk Avoidance
Risk Rejection is NEVER acceptable
We assess the current countermeasures: Are they god enough? Do we need to improve on them? Do we need to implement entirely new countermeasures?

Question 6

Describe Qualitative Risk Analysis

Answer 6

How likely is it to happen and how bad is it if it happens?
This is a vague guess or a feeling, and relatively quick to do. Most often done to know where to focus the Quantitative Risk Analysis

Question 7

Describe Quantitative Risk Analysis

Answer 7

What will actually cost in $? This is fact based analysis, Total $ value of asset, math is involved

Question 8

What is a Threat?

Answer 8

A potentially harmful incident (Tsunami, earthquake, tornado…)

Question 9

What is vulnerability?

Answer 9

A weakness that can allow the threat to do harm. having a data center in the tsunami flood area, not earthquake resistant, not applying patches and antivirus,..

Question 10

How do you describe the Impact?

Answer 10

Can at times be added to give a more full picture. Risk= ThreatVulnerabilityImpact (How bad is it?)

Question 11

What is Total risk defined?

Answer 11

TR= Threat * Vulnerability * Asset Value

Question 12

What is Residual Risk?

Answer 12

Total Risk - Countermeasures

Question 13

What tool is usually used to make a qualitative risk analysis?

Answer 13

A Risk Analysis Matrix usually 6 by 6 where the columns can starts from (left to right) insignificant, Minor, Moderate, Major, and Catastrophic; and the Rows start (top left to bottom left) with Almost Certain, Likely, Possible, unlikely, and Rare

Question 14

How would you rate the loss of a laptop?

Answer 14

How likely is one get stolen or left somewhere? (Possible or Likely) and the risk could be L= Low; M = Medium; H = High; E= Extreme)
How bad if it happens? it would depend if the laptop is encrypted or has PII/PHI content

Question 15

What other tool is also used for qualitative analysis?

Answer 15

Risk Registers: a spreadsheet with the following columns: Category, Name, Risk #, Probability, Impact, Mitigation, Contingency, Risk Score after Mitigation, Action By, and Action When

Question 16

Describe Quantitative Analysis

Answer 16

Is when we want exactly enough security for our needs: This is where we put a number on that. We find the asset’s value : How much of it is compromised, how much one incident will cost, how often the incident occurs and how much that is per year.

Question 17

What is AV?

Answer 17

Asset value - How much is the asset worth?

Question 18

What is EF?

Answer 18

Exposure Factor - Percentage of Asset Value Lost?

Question 19

What is SLE - (AV*EF) ?

Answer 19

What does it cost if it happens once?

Question 20

Annual Rate of Occurrence (ARO)

Answer 20

How often will this happen each year?