Informationn Security And Risk Management

Question 1

Risk management

Answer 1

The process of minimising potential losses.

In the case a loss occurs, risk management practices determine how to reduce the costs.

Question 2

Risk assessment techniques

Answer 2

Risk assessment techniques determine the level of risk and determine if the level of risk exceeds an organisation’s risk tolerance.

Question 3

NIST

Answer 3

National Institute of Standards and Technology

Question 4

4 Risk management processes

Answer 4

• framing
• assessing
• monitoring
• responding

Question 5

Risk assessment

Answer 5

Activities that are carried out to discover, describe, analyse and evaluate risks. They can be quantitative, quantitative or both

Question 6

Qualitative risk assessment

Answer 6

Collects descriptive information, including information that cannot be reduced to measurable values.

It will typically identify a number is characteristics about an asset or activity, including:
- classification
- vulnerabilities
- threats
- threat probability
- impact
- countermeasures

Question 7

Classification

Answer 7

Assets may be classified according to risk level, business function of the sensitivity or criticality of data stored or processed by the asset.

Question 8

Vulnerabilities

Answer 8

These are weaknesses in design, configuration, documentation, procedure or implementation

Question 9

Threats

Answer 9

Potential activities that would exploit specific vulnerabilities and result in a security incident.

Question 10

Threat probability

Answer 10

An expression of the likelihood that a specific threat will be carried out, usually expressed in Low/Medium/High or simple numeric scale.

Question 11

Impact

Answer 11

An expression of the influence upon the organisation if a threat was carried out.

Question 12

Countermeasures

Answer 12

These are actual or proposed measures that reduce the risk associated with vulnerabilities or threats.

Question 13

Quantitative Risk Assessment

Answer 13

Quantitative assessments tata assessing and evaluating risks as discrete mathematical valuations.

It can be thought as an extension of qualitative risk assessment.

Question 14

Asset value

Answer 14

This is a dollar figure that may represent the replacement cost of an asset but it could also represent income derived from the use of that asset.

Question 15

Exposure Factor

Answer 15

The proportion of an asset’s value that is likely to be lost through a particular threat, usually expressed as a percentage.

Question 16

Single Loss Expectancy

Answer 16

SLE is the cost of a single Loss through the single event relisation of a particular threat. This is the result of the calculation:

SLE = asset value ($) x exposure Factor (%)

Question 17

ARO

Answer 17

Annualized Rate of Occurance

The probability that a loss will occur in a year’s time.

Question 18

ALE

Answer 18

Annual Loss Expectancy

The yearly estimate of a loss of an asset, calculated as follows:

ALE = ARO X SLE

Question 19

Costs of Countermeasures

Answer 19

Each countermeasure had a specific cost associated with it. This may be the first of additional protective equipment, software or Labour.

Question 20

Changes in exposure Factor

Answer 20

A specific countermeasure may have an impact on a specific threat.

Question 21

Changes in single Loss Expectancy

Answer 21

Specific countermeasures may influence the influence the probability that a loss will occur.

Question 22

Risk Assessment Methodologies

Answer 22

OCTAVE
FRAP
Spanning Tree Analysis
NIST 800-30

Question 23

Risk Treatment

Answer 23

Once a risk assessment is performed an organisation’s management can begin the process of determining what steps can be taken to manage the risk identified.

The fire general Autriche to risk management are:

• Risk acceptance
• Risk avoidance
• Risk mitigation
• Risk transfer

Question 24

Risk Avoidance

Answer 24

The associated activity that introduced the risk is discontinued.

Question 25

Risk Mitigation

Answer 25

This involves the use of countermeasure to reduce the risks initially identified in the risk analysis.

Question 26

Risk Acceptance

Answer 26

The act of foregoing mitigation of low impact risks. Accepting the risks.

Question 27

Risk transfer

Answer 27

Typically involves the use of insurance as a mean of mitigating risks.

Question 28

Residual risk

Answer 28

In a given risk situation, generally only some of the risk can be avoided, reduced or transferred. They is always some remaining risk, called residual risk.

Question 29

Security Management Concepts

Answer 29

Security control CIA Triad Defense in Depth Single points of failure Fail Open, Fail Closed, Fail Soft privacy

Question 30

ISO 27001 Standard

Answer 30

Is a top down process approach to security Management that requires continuous improvement in an organisation security Management system

Question 31

Security Controls

Answer 31

The measures that are taken to reduce risks through the origination and enforcement of security policies. The types of controls used are: - Detective - Deterrent - Preventive - Corrective - Recovery - Compensating

Question 32

CIA Triad

Answer 32

The core principles of information security are: - Confidentiality - Integrity - Availability

Question 33

Confidentiality

Answer 33

The principle of Confidentiality asserts that only properly authorized parties can access information and functions.

Question 34

Integrity

Answer 34

The principle of Integrity asserts that information and functions can be added, altered or removed only by authorized persons and means.

Question 35

Availability

Answer 35

The principle of Availability asserts that systems, functions and data must be available when an authorized user needs to access them. Different levels of Availability exist based upon predefined parameters regarding levels and types of service

Question 36

Defense in Depth

Answer 36

Defense in Depth implies a layered defense consisting of two or more protective methods that protect some asset. It defines a process balancing protection capability, cost, performance and operations considerations. Some characteristics of defense in Depth: - heterogeneity - holistic/comprehensive protection The objectives of defense in Depth is to reduce the probability that a threat can act upon an asset. This occurs in three ways: - single vulnerability - single malfunction - Fail open

Question 37

Heterogeneity in defense in Depth

Answer 37

A good defense in Depth mechanism may contain different types of protective mechanisms

Question 38

Comprehensive protection in defense in Depth

Answer 38

Each later of the defense fully protects an asset against the type of threat that the defense is designed to block

Question 39

Single vulnerability

Answer 39

If one of the components of a Defense in Depth had an exploitable vulnerability, chances are that another layer in the defense still not have the same vulnerability.

Question 40

Single malfunction

Answer 40

If one of the components of a Defense in Depth malfunctions, chances are that another layer in the defense will not malfunction.

Question 41

Fail Open in Defense in Depth

Answer 41

If one of the components in a defense in depth fails open, the other components will continue to operate and protect the asset