IT risk assessment Flashcards

1
Q

what is risk assessment?

A

process used to identify and evaluate risk and its potential effects, which includes evaluation of the

  • critical functions necessary for an enterprise to continue business operations
  • risk associated with each of the critical functions
  • controls in place to reduce exposure and their cost
  • prioritization of the risk on the basis of their likelihood and potential impact
  • relationship between the risk and the enterprise risk appetite and tolerance
2
Q

what is a Bayesian analysis?

A

method of statistical inference that uses prior distribution data to determine the probability of a result

3
Q

what is business impact analysis?

A

process to determine the impact of losing the support of any resource. in addition to identifying initial impact, a comprehensive BIA seeks to establish the escalation of loss over time. the goal of a BIA is to provide reliable data on the basis of which senior management can make the appropriate decision

4
Q

what is a fault tree analysis?

A

starts with an event and examines possible means for the event to occur (top-down) and displays these results in a logical tree diagram.

5
Q

what is an event tree analysis?

A

forward-looking, bottom-up model that uses inductive reasoning to assess the probability of different events resulting in possible outcomes.

6
Q

what is a cause and consequence analysis?

A

combines techniques of a fault tree analysis and an event tree analysis and allows for time delays to be considered

7
Q

what is a cause and effect analysis?

A

looks at factors that contributed to a certain effect and groups the causes into categories (using brainstorming), which are then displayed using a diagram, typically a tree structure or a fishbone

8
Q

what is a hazard analysis and critical control points?

A

originally designed for the food safety industry, this system proactively prevents risk and assures quality, reliability and safety of processes.

9
Q

what is HAZOP?

A

structured means of identifying and evaluating potential risk by looking at possible deviations from existing processes

10
Q

what is human reliability analysis?

A

HRA examines the effect of human error on systems and their performance

11
Q

what is layers of protection analysis?

A

LOPA is a semi-quantitative risk analysis technique that uses aspects of HAZOP data to determine risk associated with risk events. it also looks at controls and their effectiveness.

12
Q

what is a Markov analysis?

A

Markov analysis is used to analyze systems that can exist in multiple states

13
Q

what is a preliminary hazard analysis?

A

looks at what threats or hazards may harm an organization’s activities, facilities or systems. the result is a list of potential risk

14
Q

what is reliability centered maintenance?

A

analyzes the functions and potential failures of a specific asset, particularly a physical asset such as equipment

15
Q

what is sneak circuit analysis?

A

used to identify design errors or sneak conditions such as latent hardware, software or integrated conditions that are often undetected by system tests and may result in improper operations, loss of availability, program delays or injury to personnel.

16
Q

what are policies?

A

policies provide direction regarding acceptable and unacceptable behaviors and actions to the organization. standards and procedures support the requirements defined in the policies set by the organization.

17
Q

what are the different levels of policies?

A

High level policy: issued as a way to address the objectives of the organization's mission and vision statement. this policy does not have a technical focus in order to prevent it from becoming outdated when technology changes

technical and functional policy: include specifics regarding technology use. these policies are subject to change as technology changes and new systems are developed

18
Q

what are some considerations that affect risk assessment related to technology?

A
  • age of equipment
  • expertise available for maintenance
  • variety of vendors/suppliers
  • documentation of systems
  • availability of replacement parts
  • ability to test systems or equipment
  • operating environment and user expertise
  • ability to patch/mitigate vulnerabilities
19
Q

why is it important to have an enterprise approach to architecture?

A

the lack of an enterprise architecture results in ownership gaps between systems and unclear areas of responsibility for incident or configuration management.

20
Q

List the control categories

A

o Preventative controls: inhibit attempts to violate security policy. E.g. encryption, user authentication and vault construction doors
o Deterrent: provide warnings that may dissuade threat agents from attempting compromise. E.g. warning banners on login screen and rewards for the arrest of hackers
o Directive: mandate behavior by specifying what actions are and are not permitted. E.g. a policy
o Detective: provide warning of violations or attempted violations of security policy. E.g. audit trails, intrusion detection systems and checksums
o Corrective: remediate errors, omissions, unauthorized uses and intrusions when detected. E.g. data backups, error correction and automated failover
o Compensating: an alternate form of a control that corrects a deficiency or weakness in the control structure of the enterprise. This may be considered when an entity cannot meet a stated requirement due to legitimate technical or business constraints but can create a comparably accepted level of risk by other means. E.g. placing unsecured systems on isolated network segments with strong perimeter security and adding third-party challenge-response mechanisms to devices that do not support individual login accounts.

21
Q

with respect to the control environment, list the cases where risk is serious

A

o Controls are inadequate,
o the wrong controls are being used,
o controls are ignored or bypassed,
o controls are poorly maintained,
o logs or control data are not reviewed,
o controls are not tested,
o changes to the configuration of controls are not managed,
o controls can be physically accessed and altered,
o duties are inadequately segregated: individuals are able to perform two or more of the following: approve changes, make changes, monitor changes, analyze changes, report on changes.

22
Q

what is a control current state assessment?

A

refers to the condition of the program at a point in time.

23
Q

what are some tools used to determine the current state of IT risks?

A
  • Audits
  • business continuity plans
  • capability maturity model
  • control tests
  • incident reports
  • IT operations and management evaluation
  • enterprise architecture assessment
  • logs
  • media reports of new threats and vulnerabilities
  • observation
  • self assessment
  • third party assurance
  • user feedback
  • vendor reports
  • vulnerability assessment and penetration tests
24
Q

what is the purpose of a business continuity plan?

what is the goal of bcp?

A

enable a business to continue critical services in the event of a disruption, up to and including the ability to survive a disastrous interruption.

the goal of a bcp is to provide a reduced but sufficient level of functionality in the business operations immediately after encountering an interruption and while recovery is taking place.

25
Q

what is the first step for a new BCP?

A

identify the business processes of strategic importance, meaning those key processes that are responsible for both the permanent growth of the business and for the fulfillment of the business goals.

26
Q

what is the core source of data used in the bcp planning?

A

Business impact analysis, which identifies the critical time lines for services and products associated with value creation.

27
Q

what is an RPO and RTO?

A

Recovery point objective: defines how much data can be lost in recovery.

Recovery time objective: defines how quickly recovery must be accomplished.

28
Q

what is disaster recovery?

A

refers to the reestablishment of business and IT services following a disaster or incident within a predefined schedule and budget. a comprehensive DRP includes specific information on hardware and software requirements for restoration, which systems and applications should be restored in what order, how to accomplish the restorations under multiple scenarios, and how many user logons are required in what time frames.

29
Q

what is the function of a capability maturity model?

A

used to compare the state of the organization’s risk management program to an established model of capability maturity, which captures the essential elements of effective processes for one or more disciplines.

30
Q

what is incident management?

A

incident management starts with the preparation and planning that builds an incident response plan. The organization should prevent incidents where possible but also have the controls in place to detect and respond to an incident when it occurs.

31
Q

what is the primary focus of incident management?

A

to get the organization’s affected systems and operations back into normal service as quickly as possible.

  • help with information gathering for evidence collection
  • each incident can be examined to extract lessons learned to improve prevention, detection and recovery from future incidents of a similar nature.
32
Q

what is enterprise architecture?

A

focuses on producing a view of the current state of IT, establishing a vision for a future state and generating a strategy to get there. this view should demonstrate links between IT and organizational objectives and produce a view of current risk and controls.

33
Q

why are log reviews important?

A

log reviews can identify risk-relevant events such as compliance violations, suspicious behavior, errors, probes or scans and abnormal activity.

34
Q

what are NDAs?

A

they are necessary to protect the IP of the organization from being disclosed to unauthorized personnel

35
Q

list and describe the phases in SDLC

A
  1. Initiation: the need for an IT system is expressed and the purpose and scope of the IT system is documented.
  2. development and acquisition: the IT system is designed, purchased, programmed, developed or otherwise constructed
  3. implementation: the system security features should be configured, enabled, tested and verified
  4. operation and maintenance: the system performs its functions. typically the system will undergo updates or changes to hardware and software and may be altered due to changes to organizational processes, policies and procedures.
  5. disposal: disposition of information, hardware and software. activities may include moving, archiving, discarding or destroying information and sanitizing the hardware and software.
36
Q

describe how risk is embedded in the SDLC

A
  1. initiation: identified risk is used to support the development of the system requirements, including security requirements and a security concept of operations (strategy)
  2. development and acquisition: risk identified during this phase can be used to support security analyses of the IT system that may lead to architecture and design trade-offs during system development.
  3. implementation: decisions made regarding risk must be made prior to system operations
  4. operation and maintenance: risk management activities are performed for periodic system reauthorization or reaccreditation or whenever major changes are made to the IT system.
  5. disposal: risk management activities are performed for system components that will be disposed and ensure that residual data are appropriately handled and that system migration is conducted in a secure and systematic manner.
37
Q

what are key tasks to perform during the SDLC to expressly document the risk associated with the development of a new program?

A
  1. security categorization of the proposed system; CIA requirements.
  2. BIA; what impact would an outage have on critical business processes?
  3. PIA: what laws or regulations apply? what sensitive data are processed, stored or transmitted by the system?
  4. training for staff and a secure environment? good code practices
  5. awareness of vulnerabilities with selected technology or operational environment
38
Q

what is a sensitivity analysis?

A

a quantitative risk analysis technique that

  • helps determine which risk factors potentially have the most impact
  • examines the extent to which the uncertainty of each element affects the target object when all other uncertain elements are held at their baseline values.
39
Q

what is threat modelling?

A

examines the nature of the threat and potential threat scenarios. it is done by mapping potential methods, approaches, steps and techniques used by an adversary to perpetrate an attack.

helps build systems with attention to defensive controls, built in security features and proper placement within a strategy of overlapping defenses.

40
Q

what is use case modelling?

A

examines how a system will function to deliver value to its users. looks at all the possible errors, mistakes, and intentional deviations from expected user behavior that a system could endure.

helps ensure that a system is built with resiliency and ability to handle errors and misuse

41
Q

what is a gap analysis?

A

a process of documenting the desired state or condition of risk that management wants to reach and then carefully analyzing and evaluating the current conditions of the organization. from this comparison, the risk practitioner can identify the existence of a risk gap and the scope of actions that may be needed to close the gap

current state = KPI or KGI
desired state = KRI

42
Q

what is a threat based scenario and when is it commonly used?

A

Threat based scenario examines a risk event on the basis of threat agents and seeks to identify potential methods of attack. this method is especially beneficial when examining the emergence of new threats and determining the risk related to APTs

43
Q

what is a vulnerability based approach?

A

examines the organization's known vulnerabilities and then attempts to anticipate threats that could exploit those vulnerabilities, projecting from those the consequence and magnitude of impact

44
Q

what is an asset/impact approach?

A

based on the identification of critical and sensitive assets and the potential ways that these could be damaged

45
Q

what is risk ranking?

A

using the results of an assessment to place risk in an order that can be used to direct the risk response effort

46
Q

what is OCTAVE?

A

OCTAVE focuses on critical assets and the risk to those assets using a comprehensive, systematic, context-driven and self-directed evaluation approach.

  • phase 1: build asset-based threat profiles (org evaluation)
  • phase 2: identify infrastructure vulnerabilities (tech evaluation)
  • phase 3: develop security strategy and mitigation plans (strategy and plan development)
47
Q

describe risk appetite bands

A
  • risk within the risk appetite = acceptable
  • risk outside the appetite but within tolerance = unacceptable
  • risk that is outside tolerance = really unacceptable
48
Q

describe the IT assessment report

A

indicates any gaps between the current risk environment and the desired state of IT risk, advises whether these gaps are within acceptable levels, and provides some basis on which to judge the severity of the identified issues. the report should also judge the process used as well as the result of the risk assessment.

49
Q

when would an enterprise project management department primarily use risk analysis?

A
  • during go/no-go decisions
50
Q

the most effective method to conduct a risk assessment on an internal system in an organization is to start by understanding the

A

system and its subsystems

51
Q

what is reasonableness?

A

considers reliability, validity and duplicate transactions. it identifies values that are substantially different from the norm, and routes them for additional scrutiny