Information Security Flashcards

1
Q

Risk Appetite

A

Before the organization can or should proceed, it needs to understand whether the current level of controls identified at the end of the risk assessment process results in a level of risk management it can accept.

2
Q

risk tolerance

A

The risk tolerance (or risk threshold) works hand in glove with risk appetite, as it more clearly defines the range of acceptable risk for each initiative, plan, or activity.

3
Q

Residual Risk

A

The residual risk is the amount of risk or danger associated with an action or event remaining after natural or inherent risks have been reduced by risk controls.

4
Q

Risk Treatment/Response Options

A
  1. Mitigation: involves the implementation of some solution that will reduce an identified risk.
  2. Transfer: shift the risk to another entity (some or all of the risk is transferred to an external entity).
  3. Avoidance: the organization abandons the risk-inducing activity altogether, effectively taking the asset out of service or discontinuing the activity so the risk is no longer present.
  4. Acceptance: management may be willing to accept an identified risk as is, with no effort to reduce it.
5
Q

Other Factors Impacting Response

A

Balancing Risk and Reward to maximize profits
Organizational Design
Organizational Culture
Residual Risk
Legal and Regulatory

6
Q

Feasibility and Cost Benefit Analysis

A

Before deciding on the strategy for a specific asset-vulnerability-threat combination, all readily accessible information about the consequences of the vulnerability must be explored.

7
Q

Cost Benefit Analysis (CBA)

A

The criterion most commonly used when evaluating a project that implements InfoSec controls and safeguards is economic feasibility.
Organizations can begin this type of economic feasibility analysis by valuing the information assets and determining the loss in value if those information assets became compromised.

8
Q

Cost and Benefit Analysis (CBA)

A

Cost: just as it is difficult to determine the value of information, it is difficult to determine the cost of safeguarding it.
Benefit: the value to the organization of using controls to prevent losses associated with a specific vulnerability.

9
Q

Other Methods of Establishing Feasibility

A

Organizational feasibility
Operational feasibility
Technical feasibility
Political feasibility

10
Q

Importance of Risk and Control Ownership

A

Ongoing activities, including control effectiveness assessments and risk assessments, are used to observe changes in risk. Security managers perform risk monitoring to report risk levels to executive management and to identify unexpected changes in risk levels.
Key Risk Indicators
Training and Awareness
Risk Documentation

11
Q

Knowing yourself and knowing your enemy

A

If you know your enemy and yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat (failure). If you know neither the enemy nor yourself, you will succumb (surrender) in every battle.

12
Q

Asset Identification

A

Information system components: people, procedures, data, software, hardware, networking.

13
Q

Identifying Hardware, Software, and Network Assets

A

Many organizations use asset inventory systems to keep track of their hardware, network, and software components.
Determine which attributes of each of these information assets should be tracked.

14
Q

Identifying People, Procedures and Data Assets

A

Responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the necessary knowledge, experience, and judgment.

15
Q

Assessing Values for Information Assets

A

As each information asset is identified, categorized, and classified, a relative value must be assigned.
Relative values are comparative judgments made to ensure that the most valuable information assets are given the highest priority.

16
Q

Threat Assessment

A

Armed with a properly classified inventory, you can assess potential weaknesses in each information asset—a process known as threat assessment

17
Q

Identifying Threats

A

Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent’s attack strategy

18
Q

Prioritizing Threats

A

Just as it did with information assets, the organization should conduct a weighted table analysis with threats
The organization should list the categories of threats it faces, and then select categories that correspond to the questions of interest

19
Q

Vulnerability Assessment

A

Once the organization has identified and prioritized both its information assets and the threats facing those assets, it can begin to compare information assets to threats.
Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset.

20
Q

Different Forms of Vulnerabilities

A

forces of nature
human error or failure
software attacks
technical hardware failures or errors
theft

21
Q

Detection Techniques

A

Network device: vulnerability scanning, pen testing, network architecture review
Software application: vulnerability scanning
Business processes: process review, internal audit (inspection)
Operating system: vulnerability scanning

22
Q

Risk Assessment

A

Assessing the relative risk for each vulnerability is accomplished via a process called risk assessment
Risk assessment assigns a risk rating or score to each specific vulnerability
While this number does not mean anything in absolute terms, it enables you to gauge the relative risk associated with each vulnerable information asset, and it facilitates the creation of comparative ratings later in the risk control process

23
Q

calculating quantified risk

A

Asset value (AV): an asset is anything of value to an organization.
Exposure factor (EF): the percentage of the asset value that will be lost if an incident were to occur.
SLE (Single Loss Expectancy): the financial loss when a threat scenario occurs one time. AV × EF = SLE
ARO (Annual Rate of Occurrence): the number of times this will occur in a year. ARO = number of incidents per year
ALE (Annual Loss Expectancy): the annualized loss of asset value due to threat realization. SLE × ARO = ALE

24
Q

Qualitative Risk Analysis

A

Probability or likelihood
Impact: the Australian and New Zealand Risk Management Standard 4360 uses qualitative methods of determining risk based on a threat's probability of occurrence and the expected results of a successful attack.

25
Q

What are we trying to protect?

A

We are trying to protect items such as:
Customer data: customer-specific information such as SSN, name, and address
Financial data: clients' bank account, credit card, and debit card information
Service availability and productivity: continuous access to resources for legitimate users
Reputation and brand image
