Information Security Risk Management

Question 1

Risk management is the process that allows business managers to …

Answer 1

balance operational and economic costs of protective measures and achieve gains in mission capability by protecting business processes that support the business objectives or mission of the enterprise

Question 2

Risk assessment provides a …

Answer 2

process to systematically identify threats and then assign risk levels based on the specific organization conducting the assessment.

Question 3

What is the Risk Management goal?

Answer 3

to identify, control and minimize the impact of

uncertain events.

Question 4

What is a Risk Analysis?

Answer 4

It is a technique to identify and assess factors that may jeopardize the success of a project or achieve a
goal.

Question 5

What is a Risk Assessment?

Answer 5

It is the computation of risk. Risk is a threat that exploits some vulnerability that could cause harm to an asset (Asset * Threat * Vulnerability).

Question 6

What is a Risk Mitigation?

Answer 6

It is the process in which an organization implements controls and safeguards to prevent identified risks from ever occurring, while at the same time implementing a means of recovery should the risk become a reality in spite of all efforts.

Question 7

Risk management is made up of several distinct processes:

Answer 7

risk analysis, risk assessment, risk mitigation, vulnerability assessment, and controls evaluation.

Question 8

Risk Management Activities as per the SDLC - Analysis:

Answer 8

identified risks are used to support the development of system requirements, including security needs.

Question 9

Risk Management Activities as per the SDLC - Design:

Answer 9

Security needs lead to architecture and design tradeoffs.

Question 10

Risk Management Activities as per the SDLC - Development:

Answer 10

The security controls and safeguards are created or implemented as part of the development process.

Question 11

Risk Management Activities as per the SDLC - Test:

Answer 11

Safeguards and controls are tested to ensure that decisions regarding risks identified are reduced to acceptable levels prior to moving to production.

Question 12

Risk Management Activities as per the SDLC - Maintenance:

Answer 12

Controls and safeguards are re-examined when changes or updates occur or at regularly scheduled intervals.

Question 13

Risk analysis is a technique …

Answer 13

used to identify and assess factors that may jeopardize the success of a project or achieving a goal.

Question 14

When risk analysis should be conducted?

Answer 14

Whenever money or resources are to be spent.

Question 15

Organizations use the risk assessment to determine …

Answer 15

what threats exists to a specific asset and the associated risk level of that threat which allows threat prioritization.

Question 16

What are the risk assessment steps?

Answer 16

1) Asset definition, 2) Threat identification, 3) Determine probability of occurrence, 4) Determine the impact of the Threat, 5) Controls recommended, 6) Documentation.

Question 17

What are the typical deliverable of a risk assessment?

Answer 17

Threat identified, risk levels established, possible controls identified.

Question 18

What is a threat source?

Answer 18

Any circumstance or event with the potential to cause harm to the asset under review.

Question 19

Typical categories of threat source are:

Answer 19

Natural threats, human threats, environmental threats.

Question 20

How to obtain a complete list of threat sources?

Answer 20

Threat source checklist, and historical data.

Question 21

What is the advantage of use a checklist to identify the threat source?

Answer 21

Checklist does not provide an exhaustive list of threat sources. Checklist should be used to make sure that everything was covered or identified.

Question 22

ARO

Answer 22

Annual Rate of Occurrence

Question 23

What does impact means?

Answer 23

The measure of the magnitude of loss or harm to the value of an asset.

Question 24

What is the risk level process?

Answer 24

This is a process executed at Step 5 (Controls recommended) to determine the relative effectiveness (probability and impact) of a threat with the control in place.

Question 25

What is the Cost-benefit analysis process?

Answer 25

It determines if the control recommended is appropriate for the organization - the impact of implementing the new or enhanced control and the impact of not implementing the control.

Question 26

The cost-benefit analysis should consider the cost of implementation based on:

Answer 26

1) cost of implementing including initial outlay for hardware and software; 2) reduction in operational effectiveness; 3) Implementation of additional policies and procedures to support the news controls; 4) cost of possibly hiring/training additional staff; 5) the cost of education support personnel to maintain the effectiveness of the control.

Question 27

What is the Risk mitigation process?

Answer 27

It is a systematic methodology used by senior management to reduce organizational risk.

Question 28

What is the Risk Assumption?

Answer 28

When examining the threats and determining the risk level, it is determined that the best decision is to accept the potential risk and continue operating.

Question 29

What is the Risk Alleviation?

Answer 29

When senior management approves the implementation of the controls recommended by the risk management team that will lower the risk to an acceptable level.

Question 30

What is the Risk Avoidance?

Answer 30

When it is decided to avoid the risks by eliminating the process that could cause the risks.

Question 31

What is the Risk Limitation?

Answer 31

This is the standard process to limit the risk by implementing controls that minimize the adverse impact of a threat that would exercise a threat.

Question 32

What is the Risk Planning?

Answer 32

When it is decided to manage the risk by developing an architecture that prioritizes, implements, and maintain controls.

Question 33

What is the Risk Transference?

Answer 33

When management transfer the risk by using other options to compensate for a loss.

Question 34

Who must determine the value of a particular information resource?

Answer 34

Business manager owner.

Question 35

A threat is associated with three elements:

Answer 35

agent, motive, and results.

Question 36

ALE

Answer 36

Annual Loss Exposure.

Question 37

What is ALE (Annual Loss Exposure)?

Answer 37

The ALE takes the value of an asset and then uses the likelihood of a threat occurrence in a formula to calculate the ALE - (V × L = ALE).

Question 38

The control categories for both technical and nontechnical control methods can be further classified as:

Answer 38

avoidance, assurance, detection, and

recovery.

Question 39

Avoidance controls are:

Answer 39

Avoidance controls are proactive safeguards that attempt to minimize the risk of accidental or intentional intrusions.

Question 40

Assurance controls are:

Answer 40

Assurance controls are tools and strategies employed to ensure the ongoing effectiveness of the existing controls and safeguards.

Question 41

Detection controls are:

Answer 41

Detection controls are techniques and programs used to ensure early detection, interception, and response for security breaches.

Question 42

Recovery controls are:

Answer 42

Recovery controls are planning and response services to rapidly restore a secure environment and investigate the source of the breaches.

Question 43

Which standard provides a good basis for establishing a set of controls?

Answer 43

Information Technology—Code of Practice for Information Security Management (ISO/IEC 17799).

Question 44

What is the minimum content of a risk assessment report?

Answer 44

Assessment Team, Risk Assessment Scope Summary, Assessment Methodology Used, Assessment Findings and Action Plan, Full Findings Documentation, Conclusion.

Question 45

The risk assessment process has two key objectives:

Answer 45

to implement only those controls necessary, and to document management’s due diligence.

Question 46

The main advantage of the qualitative style of risk assessment is …

Answer 46

that it prioritizes the risks and identifies areas for immediate action and improvement.

Question 47

The main disadvantage of the qualitative style of risk assessment is …

Answer 47

that it does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-benefit analysis of recommended controls more difficult.

Question 48

The major advantage of quantitative risk assessment is …

Answer 48

that it provides a measurement of the impact’s magnitude, which can be used in the cost-benefit analysis of recommended controls.

Question 49

The major disadvantage of quantitative risk assessment is …

Answer 49

that depending on the numerical ranges used to express the measurement, the meaning of the quantitative risk assessment may be unclear, requiring the results to be interpreted in a qualitative manner.

Question 50

Gap analysis is used to …

Answer 50

assess generally accepted practices against current security conditions. Gap analysis measures the maturity level of the security program and it uses standards of good practice or accepted standards to set targets for future attainment.

Question 51

RTO

Answer 51

Recovery Time Objectives.

Question 52

Who determines the RTO?

Answer 52

The security manager should have knowledge of recovery time objectives for their organization.

Question 53

How to determine the RTO?

Answer 53

The organization must conduct a Business Impact Analysis (BIA) to address all potential disasters including sudden outages and rolling disasters.

Question 54

BIA

Answer 54

Business Impact Analysis.

Question 55

RPO

Answer 55

Recovery Point Objectives.

Question 56

There are four essential aspects of information classification:

Answer 56

(1) information classification from a legal standpoint, (2) responsibility for care and control of information, (3) integrity of the information, and (4) the criticality of the information and systems processing the information.