Information Security Risk Management Flashcards

1
Q

Risk management is the process that allows business managers to …

A

balance operational and economic costs of protective measures and achieve gains in mission capability by protecting business processes that support the business objectives or mission of the enterprise

2
Q

Risk assessment provides a …

A

process to systematically identify threats and then assign risk levels based on the specific organization conducting the assessment.

3
Q

What is the Risk Management goal?

A

to identify, control and minimize the impact of uncertain events.

4
Q

What is a Risk Analysis?

A

It is a technique to identify and assess factors that may jeopardize the success of a project or the achievement of a goal.

5
Q

What is a Risk Assessment?

A

It is the computation of risk. Risk is the potential for a threat to exploit a vulnerability and cause harm to an asset, often expressed conceptually as the product Asset × Threat × Vulnerability: if any factor is zero (no asset value, no credible threat, or no vulnerability) there is no risk.

6
Q

What is a Risk Mitigation?

A

It is the process in which an organization implements controls and safeguards to reduce the likelihood and impact of identified risks, while at the same time implementing a means of recovery should the risk become a reality in spite of all efforts.

7
Q

Risk management is made up of several distinct processes:

A

risk analysis, risk assessment, risk mitigation, vulnerability assessment, and controls evaluation.

8
Q

Risk Management Activities as per the SDLC - Analysis:

A

Identified risks are used to support the development of system requirements, including security needs.

9
Q

Risk Management Activities as per the SDLC - Design:

A

Security needs lead to architecture and design tradeoffs.

10
Q

Risk Management Activities as per the SDLC - Development:

A

The security controls and safeguards are created or implemented as part of the development process.

11
Q

Risk Management Activities as per the SDLC - Test:

A

Safeguards and controls are tested to verify that the identified risks have been reduced to acceptable levels before the system moves to production.

12
Q

Risk Management Activities as per the SDLC - Maintenance:

A

Controls and safeguards are re-examined when changes or updates occur or at regularly scheduled intervals.

13
Q

Risk analysis is a technique …

A

used to identify and assess factors that may jeopardize the success of a project or the achievement of a goal.

14
Q

When should a risk analysis be conducted?

A

Whenever money or resources are to be spent.

15
Q

Organizations use the risk assessment to determine …

A

what threats exist to a specific asset and the risk level associated with each threat, which allows the threats to be prioritized.

16
Q

What are the risk assessment steps?

A

1) Asset definition, 2) Threat identification, 3) Determine probability of occurrence, 4) Determine the impact of the Threat, 5) Controls recommended, 6) Documentation.

17
Q

What are the typical deliverables of a risk assessment?

A

Threats identified, risk levels established, possible controls identified.

18
Q

What is a threat source?

A

Any circumstance or event with the potential to cause harm to the asset under review.

19
Q

Typical categories of threat source are:

A

Natural threats, human threats, environmental threats.

20
Q

How can a complete list of threat sources be obtained?

A

A threat source checklist combined with historical data.

21
Q

What is the advantage of using a checklist to identify threat sources?

A

A checklist does not by itself provide an exhaustive list of threat sources; its value is as a cross-check, used to make sure that nothing obvious was missed or left unidentified.

22
Q

ARO

A

Annual Rate of Occurrence

23
Q

What does impact mean?

A

The measure of the magnitude of loss or harm to the value of an asset.

24
Q

What is the risk level process?

A

This is a process executed at Step 5 (Controls recommended) to determine the residual risk level (probability and impact) of a threat once the recommended control is in place.

25
Q

What is the Cost-benefit analysis process?

A

It determines if the control recommended is appropriate for the organization - the impact of implementing the new or enhanced control and the impact of not implementing the control.

26
Q

The cost-benefit analysis should consider the cost of implementation based on:

A

1) cost of implementation, including the initial outlay for hardware and software; 2) reduction in operational effectiveness; 3) implementation of additional policies and procedures to support the new controls; 4) cost of possibly hiring or training additional staff; 5) cost of educating support personnel to maintain the effectiveness of the control.

27
Q

What is the Risk mitigation process?

A

It is a systematic methodology used by senior management to reduce organizational risk.

28
Q

What is the Risk Assumption?

A

When examining the threats and determining the risk level, it is determined that the best decision is to accept the potential risk and continue operating.

29
Q

What is the Risk Alleviation?

A

When senior management approves the implementation of the controls recommended by the risk management team that will lower the risk to an acceptable level.

30
Q

What is the Risk Avoidance?

A

When it is decided to avoid the risk by eliminating the process or function that gives rise to it.

31
Q

What is the Risk Limitation?

A

This is the standard approach: limit the risk by implementing controls that minimize the adverse impact of a threat exercising a vulnerability.

32
Q

What is the Risk Planning?

A

When it is decided to manage the risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls.

33
Q

What is the Risk Transference?

A

When management transfers the risk by using other options, such as insurance, to compensate for a loss.

34
Q

Who must determine the value of a particular information resource?

A

The business manager who owns the resource (the information owner).

35
Q

A threat is associated with three elements:

A

agent, motive, and results.

36
Q

ALE

A

Annual Loss Exposure (also called Annualized Loss Expectancy).

37
Q

What is ALE (Annual Loss Exposure)?

A

The ALE takes the value of an asset (V) and multiplies it by the likelihood of the threat occurring in a year (L): V × L = ALE. In the equivalent SLE × ARO form, V is the single loss expectancy (asset value × the fraction of the asset lost per event) and L is the annual rate of occurrence.

38
Q

The control categories for both technical and nontechnical control methods can be further classified as:

A

avoidance, assurance, detection, and recovery.

39
Q

Avoidance controls are:

A

Avoidance controls are proactive safeguards that attempt to minimize the risk of accidental or intentional intrusions.

40
Q

Assurance controls are:

A

Assurance controls are tools and strategies employed to ensure the ongoing effectiveness of the existing controls and safeguards.

41
Q

Detection controls are:

A

Detection controls are techniques and programs used to ensure early detection of, interception of, and response to security breaches.

42
Q

Recovery controls are:

A

Recovery controls are planning and response services to rapidly restore a secure environment and investigate the source of the breaches.

43
Q

Which standard provides a good basis for establishing a set of controls?

A

Information Technology—Code of Practice for Information Security Management (ISO/IEC 17799, since renumbered as ISO/IEC 27002).

44
Q

What is the minimum content of a risk assessment report?

A

Assessment Team, Risk Assessment Scope Summary, Assessment Methodology Used, Assessment Findings and Action Plan, Full Findings Documentation, Conclusion.

45
Q

The risk assessment process has two key objectives:

A

to implement only those controls necessary, and to document management’s due diligence.

46
Q

The main advantage of the qualitative style of risk assessment is …

A

that it prioritizes the risks and identifies areas for immediate action and improvement.

47
Q

The main disadvantage of the qualitative style of risk assessment is …

A

that it does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-benefit analysis of recommended controls more difficult.

48
Q

The major advantage of quantitative risk assessment is …

A

that it provides a measurement of the impact’s magnitude, which can be used in the cost-benefit analysis of recommended controls.

49
Q

The major disadvantage of quantitative risk assessment is …

A

that depending on the numerical ranges used to express the measurement, the meaning of the quantitative risk assessment may be unclear, requiring the results to be interpreted in a qualitative manner.
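A worked example of the figures on the ALE card (37), the cost-benefit cards (25 and 26) and the quantitative-versus-qualitative cards (48 and 49), added here as illustration; it is not part of the original flashcard set. Every asset value, exposure factor, annual rate and control cost below is constructed, and the High/Medium/Low thresholds are assumptions that an organization would calibrate for itself.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: constructed figures, not data from the flashcards.


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pair from the risk assessment (steps 1-4 on card 16)."""
    name: str
    asset_value: float       # V: value of the asset, in currency units
    exposure_factor: float   # fraction of V lost in a single occurrence (0.0 - 1.0)
    aro: float               # L: Annual Rate of Occurrence, expected events per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence of the threat."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Exposure: V x L, with V taken as the per-event loss (SLE)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A recommended control (step 5 on card 16) and its effect on the scenario."""
    name: str
    annual_cost: float                  # hardware, software, staff, training, procedures, per year
    residual_aro: Optional[float] = None   # new ARO if the control lowers likelihood
    residual_ef: Optional[float] = None    # new exposure factor if the control lowers impact

    def apply(self, s: Scenario) -> Scenario:
        """Return the scenario as it looks with this control in place (the risk level process)."""
        return Scenario(
            s.name,
            s.asset_value,
            s.exposure_factor if self.residual_ef is None else self.residual_ef,
            s.aro if self.residual_aro is None else self.residual_aro,
        )


def safeguard_value(s: Scenario, c: Control) -> float:
    """Cost-benefit figure: ALE before - ALE after - annual cost of the control.

    Positive means the control saves more than it costs; negative means the
    organization is better off accepting the risk or finding a cheaper control.
    """
    return s.ale() - c.apply(s).ale() - c.annual_cost


def recommend(s: Scenario, candidates: List[Control]) -> List[Tuple[str, float]]:
    """Rank candidate controls by safeguard value, dropping those that cost more than they save."""
    scored = [(c.name, safeguard_value(s, c)) for c in candidates]
    return sorted([x for x in scored if x[1] > 0], key=lambda x: x[1], reverse=True)


def qualitative_level(aro: float, sle: float, severe_loss: float) -> str:
    """Fold the numbers back into High/Medium/Low, as card 49 says is often needed.

    'Likely' means expected at least once a year; 'severe' means a single loss at or
    above severe_loss. Both cut-offs are assumptions to be set per organization.
    """
    likely = aro >= 1.0
    severe = sle >= severe_loss
    if likely and severe:
        return "High"
    if likely or severe:
        return "Medium"
    return "Low"


# Constructed sample: a customer database worth 500,000, where a breach is assumed to
# destroy 40% of its value and to happen about once every five years.
CUSTOMER_DB = Scenario("customer database breach", asset_value=500_000, exposure_factor=0.4, aro=0.2)

CONTROLS = [
    Control("Offline encrypted backups", annual_cost=8_000, residual_ef=0.1),
    Control("MFA on DB admin access", annual_cost=5_000, residual_aro=0.05),
    Control("Dedicated 24x7 SOC", annual_cost=120_000, residual_aro=0.02),
]

if __name__ == "__main__":
    print(f"SLE = {CUSTOMER_DB.sle():,.0f}  ALE = {CUSTOMER_DB.ale():,.0f}")
    print("qualitative:", qualitative_level(CUSTOMER_DB.aro, CUSTOMER_DB.sle(), severe_loss=100_000))
    for name, value in recommend(CUSTOMER_DB, CONTROLS):
        print(f"{name}: safeguard value {value:,.0f} per year")
```

Running it shows the point of cards 48 and 49 together: the quantitative figures rank MFA (25,000 per year) just ahead of offline backups (22,000) and rule out the SOC, whose 120,000 annual cost exceeds the 40,000 ALE it is meant to reduce, yet the same scenario collapses to a single "Medium" once mapped to a qualitative scale, which is why the numeric ranges behind such a label must be stated in the report.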

50
Q

Gap analysis is used to …

A

assess generally accepted practices against current security conditions. Gap analysis measures the maturity level of the security program and it uses standards of good practice or accepted standards to set targets for future attainment.

51
Q

RTO

A

Recovery Time Objective.

52
Q

Who determines the RTO?

A

The security manager must know the recovery time objectives for their organization; the values themselves come from the business through the Business Impact Analysis.

53
Q

How to determine the RTO?

A

The organization must conduct a Business Impact Analysis (BIA) to address all potential disasters including sudden outages and rolling disasters.

54
Q

BIA

A

Business Impact Analysis.

55
Q

RPO

A

Recovery Point Objective.

56
Q

There are four essential aspects of information classification:

A

(1) information classification from a legal standpoint, (2) responsibility for care and control of information, (3) integrity of the information, and (4) the criticality of the information and systems processing the information.