IT Risk and Risk Assessment

Question 1

Confidentiality

Answer 1

Only authorized individuals, processes or systems should have access to information on a need to know basis

Question 2

Integrity

Answer 2

Information should be protected from intentional, unauthorized or accidental changes

Question 3

Availability

Answer 3

Information or service must be available when and where needed

Question 4

Accountability

Answer 4

All actions must be associated with a discrete entity performing said action

Question 5

Risk Responses (OMATA)

Answer 5

1. Ownership
2. Mitigation
3. Avoidance
   4, Transfer
4. Acceptance

Question 6

Ways to reduce workforce risks

Answer 6

1. Job Rotation
2. Separation of Duties
3. Least Privilege (need-to-know)
4. Mandatory Vacations
5. Employee Termination
6. Vendor, Consultant, and Contractor Controls

Question 7

Risk Assessment Process

Answer 7

1. Prepare
2. Conduct
3. Communicate
4. Maintain

Question 8

Annual Loss Expectancy (ALE)

Answer 8

Gives a measure of the expected annual loss due to a vulnerability
ALE = ARO * SLE

Question 9

Core Information Security Principles

Answer 9

1. Confidentiality
2. Integrity
3. Availability
4. Accountability

Question 10

Annual Rate of Occurrence (ARO)

Answer 10

Estimate of how often a threat will be successful in exploiting a vulnerability over a period of 1 year

Question 11

Single Loss Expectancy (SLE)

Answer 11

Difference between original value and remaining value of an asset after a single exploit
SLE = asset value ($) * exposure value (%)

Question 12

Responsibility of Data/Information/Business Owners

Answer 12

Responsible for information asset (assigns data classification, ensures protection of data with controls)

Question 13

Responsibility of Data Custodian

Answer 13

Individual or function taking care of the information on behalf of the data owner
Responsible for availability of data, backup, and recovery

Question 14

Risk Management Process

Answer 14

1. Framing
2. Assessing
3. Responding
4. Monitoring

Question 15

Risk Assessment

Answer 15

Process of identifying, estimating, and prioritizing information security risks
Can be qualitative or quantitative

Question 16

Risk Assessment Evaluation

Answer 16

1. Threats to assets
2. Vulnerabilities present
3. Likelihood that a threat will be realized by taking advantage of an exposure
4. Impact of the exposure on the organization
5. Countermeasures available
6. Residual risk

Question 17

Risk Assessment Methodology

Answer 17

1. Risk assessment process
2. Explicit risk model
3. Assessment approach
4. Analysis approach

Question 18

Risk Factors

Answer 18

1. Vulnerability - flaw or weakness in system security
2. Threat - potential for threat-source to exercise particular vulnerability
3. Likelihood of occurrence - weighted risk factor based on analysis of probability a given threat is capable of exploiting a given vulnerability
4. Level of impact - magnitude of harm that can be expected

Question 19

Qualitative Risk Assessments

Answer 19

Used to assess risks based on NON-NUMERICAL categories or levels (i.e., low, medium, high)
Supports communicating risk results to decision makers
Results are descriptive rather than measurable
Used when: 1) Quantitative assessment skills are lacking 2) Timeframe is short 3) Paucity of data that can be used for risk assessment

Question 20

Quantitative Risk Assessments

Answer 20

Used to assess risks based on the use of NUMBERS
Supports cost-benefit analyses or alternative risk responses or courses of action
Usually done in conjunction with qualitative analysis
Aims to see whether the cost of the risk outweighs the cost of the countermeasure

Question 21

Semi-Quantitative Assessments

Answer 21

Used to asses risks that use bins, scales, or representative numbers whose values and meanings are not maintained in other contexts (i.e., 1 (low) - 10 (high))

Question 22

Conducting Risk Assessment

Answer 22

1. Identify threat source
2. Identify threat events
3. Identify vulnerabilities
4. Determine likelihood that identified threat source would initiate specific threat events (and they be successful)
5. Determine adverse impacts to organization
6. Determine information security risks as combination of likelihood of threat exploitation of vulnerabilities and impact of such exploitation