Lecture 4

Question 1

?

process of identifying and controlling risks facing an organization

Risk Management

Answer 1

Risk Management

Question 2

?

process of examining an organization’s current information technology security situation

Risk Management

Answer 2

Risk Identification

Question 3

?

applying controls to reduce risks to an organizations data and information systems

Risk Management

Answer 3

Risk Control

Question 4

?

Began as a advantage

Competitiveness

Risk Management

Answer 4

Information Technology Role

Question 5

?

Now falling behind is a disadvantage

Competitiveness

Risk Management

Answer 5

Information Technology Role

Question 6

?

is a necessity

Competitiveness

Risk Management

Answer 6

Availability

Question 7

?

Understand the technology and systems in your organization

An Overview of Risk Management

Risk Management

Answer 7

Know yourself

Question 8

?

Identify, examine, understand threats

An Overview of Risk Management

Risk Management

Answer 8

Know the enemy

Question 9

(3) Role of Communities of Interest

An Overview of Risk Management | Enumerate

Risk Management

Answer 9

• Information Security
• Management and Users
• Information Technology

Question 10

Verify ? of asset inventory

The Roles of Communities of Interest - Management Review

Risk Management

Answer 10

completeness/accuracy

Question 11

Review and verify threats as well as ? strategies

The Roles of Communities of Interest - Management Review

Risk Management

Answer 11

controls and mitigation

Question 12

Review ? of each control

The Roles of Communities of Interest - Management Review

Risk Management

Answer 12

cost effectiveness

Question 13

? of controls deployed

The Roles of Communities of Interest - Management Review

Risk Management

Answer 13

Verify effectiveness

Question 14

Risk management involves identifying ? and identifying ??

Risk Identification

Risk Management

Answer 14

• organization’s assets
• threats/vulnerabilities

Question 15

?

begins with identification of assets, including all elements of an organization’s system (people, procedures, data and information, software, hardware, networking)

Asset Identification and Valuation

Risk Management

Answer 15

Iterative Process

Question 16

?

are then classified and categorized

Asset Identification and Valuation

Risk Management

Answer 16

Assets

Question 17

Human resources, documentation, and data information assets are more difficult to ?

People, Procedures, and Data Asset Identification

Risk Management

Answer 17

identify

Question 18

People with knowledge, experience, and good judgment should be assigned this ?

People, Procedures, and Data Asset Identification

Risk Management

Answer 18

task

Question 19

These assets should be recorded using reliable ? process

People, Procedures, and Data Asset Identification

Risk Management

Answer 19

data-handling

Question 20

Asset attributes for ?: position name/number/ID; supervisor; security clearance level; special skills
* Try to avoid names

People, Procedures, and Data Asset Identification

Risk Management

Answer 20

people

Question 21

Asset attributes for ?
* Intended purpose
* Relationship to software, hardware, network elements
* Storage location

People, Procedures, and Data Asset Identification

Risk Management

Answer 21

procedures

Question 22

Asset attributes for ?
* classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed

People, Procedures, and Data Asset Identification

Risk Management

Answer 22

data

Question 23

(4) Asset attributes to be considered are:

Hardware, Software, and Network Asset Identification

Risk Management

Answer 23

• Name (device or program name)
• IP address
• Media access control (MAC) address
• Element type – server, desktop, etc. Device Class, Device OS, Device Capacity

Question 24

Where on network

Hardware, Software, and Network Asset Identification

Risk Management

Answer 24

Logical Location

Question 25

Organization unit to which it belongs

Hardware, Software, and Network Asset Identification

Risk Management

Answer 25

Controlling entity

Question 26

Many organizations have ? schemes (e.g., confidential, internal, public data)

Information Asset Classification

Risk Management

Answer 26

data classification

Question 27

?

must be specific enough to allow determination
of priority

Information Asset Classification

Risk Management

Answer 27

Classification

Question 28

?

all info fits in list somewhere

Information Asset Classification

Risk Management

Answer 28

Comprehensive

Question 29

?

fits in one place

Information Asset Classification

Risk Management

Answer 29

Mutually exclusive

Question 30

?

help develop criteria for asset valuation: which information asset

Information Asset Valuation

Risk Management

Answer 30

Questions

Question 31

?

(4) Questions help develop criteria for asset valuation: which information asset

Information Asset Valuation | Enumerate Example

Risk Management

Answer 31

• is most critical to organization’s success?
• generates the most revenue?
• generates the most profit?
• would be most expensive to replace?

Question 32

?

help develop criteria for asset valuation: which information asset

Information Asset Valuation

Risk Management

Answer 32

Questions

Question 33

?

(2) Questions help develop criteria for asset valuation: which information asset

Information Asset Valuation | Enumerate Example

Risk Management

Answer 33

• would be most expensive to protect?
• would be most embarrassing or cause the greatest liability is revealed?

Question 34

?

Calculate the relative importance of each asset

Listing Assets in Order of Importance

Risk Management

Answer 34

Weighted factor analysis

Question 35

(3) Each info asset assigned score for each critical factor (0.1 to
1.0)

Listing Assets in Order of Importance | Enumerate

Risk Management

Answer 35

• Impact to revenue
• Impact to profitability
• Impact to public image

Question 36

Each critical factor is assigned a weight ?

Listing Assets in Order of Importance | Enumerate

Risk Management

Answer 36

(1-100)

Question 37

(2) Variety of classification schemes used by corporate and military organizations

Data Classification and Management | Enumerate

Risk Management

Answer 37

• Georgia-Pacific Corporation (G-P) scheme
• U.S. military classification scheme

Question 38

?

Confidential, sensitive or proprietary

Data Classification and Management

Risk Management

Answer 38

Georgia-Pacific Corporation (G-P) scheme

Question 39

?

Internal, G-P employee, authorized contractors

Data Classification and Management

Risk Management

Answer 39

Georgia-Pacific Corporation (G-P) scheme

Question 40

?

External, public

Data Classification and Management

Risk Management

Answer 40

Georgia-Pacific Corporation (G-P) scheme

Question 41

(5) U.S. military classification scheme

Data Classification and Management | Enumerate Example

Risk Management

Answer 41

• Unclassified Data
• Sensitive by unclassified data
• Confidential data
• Secret data
• Top secret data

Question 42

?

responsible for classifying their information assets

Data Classification and Management

Risk Management

Answer 42

Information owners

Question 43

?

must be reviewed periodically

Data Classification and Management

Risk Management

Answer 43

Information classifications

Question 44

Most organizations do not need detailed level of classification used by ? or ?? agencies.

Data Classification and Management

Risk Management

Answer 44

• military
• federal

Question 45

(4) Organizations may need to classify data to provide protection

Data Classification and Management | Enumerate

Risk Management

Answer 45

• Public
• For official use only
• Sensitive
• classified

Question 46

Assign classification to all ?

Data Classification and Management

Risk Management

Answer 46

data

Question 47

Grant access to data based on ?

Data Classification and Management

Risk Management

Answer 47

classification and need

Question 48

Devise some method of managing data relative to ?

Data Classification and Management

Risk Management

Answer 48

classification

Question 49

?

: each data user assigned a single level of authorization indicating classification level

Security Clearances

Risk Management

Answer 49

Security clearance structure

Question 50

Before accessing specific set of data, employee must meet ? requirement

Security Clearances

Risk Management

Answer 50

need-to-know

Question 51

Extra level of protection ensures information confidentiality is ?

Security Clearances

Risk Management

Answer 51

maintained

Question 52

Storage, distribution, portability, and destruction of ?

Management of Classified Data

Risk Management

Answer 52

classified data

Question 53

Information not unclassified or public must be clearly ? as such

Management of Classified Data

Risk Management

Answer 53

marked

Question 54

?

requires all information be stored in appropriate storage container daily; unneeded copies of classified information are destroyed

Management of Classified Data

Risk Management

Answer 54

Clean desk policy

Question 55

?

can compromise information security

Management of Classified Data

Risk Management

Answer 55

Dumpster diving

Question 56

?

need investigation; unimportant threats are set aside

Threat Assessment

Risk Management

Answer 56

Realistic threats

Question 57

Each of the treats must be ? to assess potential
damage

Threat Assessment

Risk Management

Answer 57

examined

Question 58

(4) (Questions)

Threat Assessment

Risk Management

Answer 58

• Which threats present a danger to an organization’s assets?
• Which threats represent the most danger -probability of attack
• How much would it cost to recover
• Which treat requires the greatest expenditure to prevent?

Question 59

Identify each ? and each ?? it faces

Vulnerability Identification

Risk Management

Answer 59

• asset
• threat

Question 60

Create a list of ?

Vulnerability Identification

Risk Management

Answer 60

vulnerabilities

Question 61

Examine how each of the threats are likely to be ?

Vulnerability Identification

Risk Management

Answer 61

perpetrated

Question 62

? evaluates the relative risk for each vulnerability

Risk Assessment

Risk Management

Answer 62

Risk assessment

Question 63

Assigns a ? to each ??

Risk Assessment

Risk Management

Answer 63

• risk rating or score
• information asset

Question 64

Final summary comprised in ?

Documenting Results of Risk Assessment

Risk Management

Answer 64

ranked vulnerability risk worksheet

Question 65

(5) Worksheet details ?, ??, ???, ????, and ?????.

Documenting Results of Risk Assessment | Enumerate

Risk Management

Answer 65

• asset
• asset impact
• vulnerability
• vulnerability likelihood
• risk-rating factor

Question 66

Order by ? factor

Documenting Results of Risk Assessment

Risk Management

Answer 66

risk-rating

Question 67

?

is initial working document for next step in risk management process: assessing and controlling risk

Documenting Results of Risk Assessment

Risk Management

Answer 67

Ranked vulnerability risk worksheet

Question 68

Once ranked vulnerability risk worksheet complete, must choose one of four strategies to control each risk:

Risk Control Strategies | Enumerate

Risk Management

Answer 68

• avoidance
• transference
• mitigation
• acceptance

Question 69

Apply safeguards that eliminate or reduce residual risks (?)

Risk Control Strategies - 4 Strategies

Risk Management

Answer 69

avoidance

Question 70

Transfer the risk to other areas or outside entities (?)

Risk Control Strategies - 4 Strategies

Risk Management

Answer 70

transference

Question 71

Reduce the impact should the vulnerability be exploited (?)

Risk Control Strategies - 4 Strategies

Risk Management

Answer 71

mitigation

Question 72

Understand the consequences and accept the risk without control or mitigation (?)

Risk Control Strategies - 4 Strategies

Risk Management

Answer 72

acceptance

Question 73

?

Attempts to prevent exploitation of the vulnerability

Risk Management

Answer 73

Avoidance

Question 74

?

accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards

Avoidance

Risk Management

Answer 74

Preferred approach

Question 75

(3) Three common methods of risk avoidance:

Avoidance | Enumerate

Risk Management

Answer 75

• Application of policy
• Training and education
• Applying technology

Question 76

?

Control approach that attempts to shift risk to other assets, processes, or organizations

Risk Management

Answer 76

Transference

Question 77

(5) Examples (of Transference I think)

Transference | Enumerate Example

Risk Management

Answer 77

• Rethinking how services are offered
• Revising deployment models
• Outsourcing
• Purchasing insurance
• Implementing service contracts

Question 78

?

Concentrate on what you do best

Transference

Risk Management

Answer 78

In Search of Excellence

Question 79

?

Attempts to reduce impact of vulnerability exploitation through planning and preparation

Risk Management

Answer 79

Mitigation

Question 80

Approach includes three types of plans:

Mitigation | Enumerate

Risk Management

Answer 80

• Incident response plan (IRP)
• Disaster recovery plan (DRP)
• Business continuity plan (BCP)

Question 81

?

is most common mitigation procedure

Mitigation | 3 types of plans

Risk Management

Answer 81

Disaster recovery plan (DRP)

Question 82

The actions to take while incident is in progress is defined in ?

Mitigation | 3 types of plans

Risk Management

Answer 82

Incident response plan (IRP)

Question 83

?

encompasses continuation of business activities if catastrophic event occurs

Mitigation | 3 types of plans

Risk Management

Answer 83

Business continuity plan (BCP)

Question 84

?

Doing nothing to protect a vulnerability and accepting the outcome of its exploitation

Risk Management

Answer 84

Acceptance

Question 85

?

Valid only when the particular function, service, information, or asset does not justify cost of protection

Risk Management

Answer 85

Acceptance

Question 86

?

describes the degree to which organization is willing to accept risk as trade-off to the expense of applying controls

Acceptance

Risk Management

Answer 86

Risk appetite

Question 87

Level of threat and value of asset play major role in ?

Selecting a Risk Control Strategy

Risk Management

Answer 87

selection of strategy

Question 88

?

implement security control to reduce likelihood

Selecting a Risk Control Strategy

Risk Management

Answer 88

When a vulnerability exists

Question 89

?

apply layered protections, architectural designs, and administrative controls

Selecting a Risk Control Strategy

Risk Management

Answer 89

When a vulnerability can be exploited

Question 90

?

apply protection to increase attackers costs

Selecting a Risk Control Strategy

Risk Management

Answer 90

When attacker’s cost is less than potential gain

Question 91

?

redesign, new architecture, controls

Selecting a Risk Control Strategy

Risk Management

Answer 91

When potential loss is substantial

Question 92

(4) Categories of Controls

Categories of Controls | Enumerate

Risk Management

Answer 92

• Control Function
• Architectural Layer
• Strategy Layer
• Information Security Principle

Question 93

?

Preventive & detective

Categories of Controls

Risk Management

Answer 93

Control Function

Question 94

?

Organizational policy, external networks, intranets, network devices, systems

Categories of Controls

Risk Management

Answer 94

Architectural layer

Question 95

?

Avoidance, mitigation, or transference

Categories of Controls

Risk Management

Answer 95

Strategy layer

Question 96

?

Classified by characteristics: Confidentiality, integrity, availability, authentication, authorization, accountability, privacy

Categories of Controls

Risk Management

Answer 96

Information security principle

Question 97

?

Compare cost to potential loss

Risk Management

Answer 97

Feasibility Studies

Question 98

?

is the process of avoiding the financial impact of an incident

Feasibility Studies

Risk Management

Answer 98

Cost avoidance

Question 99

?

Evaluate worth of asset

Risk Management

Answer 99

Cost Benefit Analysis

Question 100

Loss of value if asset ?

Cost Benefit Analysis

Risk Management

Answer 100

compromised

Question 101

(4) Items affecting cost of control

Cost Benefit Analysis | Enumerate Example

Risk Management

Answer 101

• Cost of development or acquisition
• Cost of implementation
• Services costs
• Cost of maintenance

Question 102

?

value gained by using controls

Cost Benefit Analysis

Risk Management

Answer 102

Benefits

Question 103

Calculate the single loss expectance
* ? = asset value * exposure factor
* ?? = % loss from exploitation

Cost Benefit Analysis - Assess worth of asset

Risk Management

Answer 103

• SLE
• Exposure factor

Question 104

Calculate Annualized loss expectancy
* ? = SLE * ARO (annualized rate of occurrence)

Cost Benefit Analysis - Assess worth of asset

Risk Management

Answer 104

ALE

Question 105

?

determines whether or not control alternative being evaluated is worth cost incurred to control vulnerability

Cost Benefit Analysis Formula

Risk Management

Answer 105

ALE

Question 106

? = ALE (prior) – ALE (post) – ACS

Cost Benefit Analysis Formula

Risk Management

Answer 106

CBA

Question 107

?

is annualized loss expectancy of risk before implementation of control

Cost Benefit Analysis Formula

Risk Management

Answer 107

ALE(prior)

Question 108

?

is estimated ALE based on control being in place for a period of time

Cost Benefit Analysis Formula

Risk Management

Answer 108

ALE(post)

Question 109

?

is the annualized cost of the safeguard

Cost Benefit Analysis Formula

Risk Management

Answer 109

ACS

Question 110

?

An alternative approach to risk management

Risk Management

Answer 110

Benchmarking

Question 111

?

is process of seeking out and studying practices in other organizations that one’s own organization desires to duplicate

Risk Management

Answer 111

Benchmarking

Question 112

(2) One of two measures typically used to compare practices:

Benchmarking

Risk Management

Answer 112

• Metrics-based measures
• Process-based measures

Question 113

(6) Metrics-based measures are comparisons based on numerical standards:

Benchmarking –Metrics-based measures

Risk Management

Answer 113

• Number of successful attacks,
• staff-hours spent of systems protection,
• dollars spent on protection,
• number of security personnel,
• estimated value of info lost in attacks,
• loss in productivity hours

Question 114

?

Less focus on numbers

Risk Management

Answer 114

Benchmarking – Process-based measures

Question 115

More strategic than ?

Benchmarking – Process-based measures

Risk Management

Answer 115

metrics-based measures

Question 116

Examine ? an individual company performs

Benchmarking – Process-based measures

Risk Management

Answer 116

activities

Question 117

?

when adopting levels of security for a legal defense, organization shows it has done what any prudent organization would do in similar circumstances

Benchmarking

Risk Management

Answer 117

Standard of due care

Question 118

?

demonstration that organization is diligent in ensuring that implemented standards continue to provide required level of protection

Benchmarking

Risk Management

Answer 118

Due diligence

Question 119

Failure to support standard of due care or due diligence can leave organization open to ?

Benchmarking

Risk Management

Answer 119

legal liability

Question 120

security efforts that provide a superior level protection of information

Benchmarking – Best Practices

Risk Management

Answer 120

Best business practices

Question 121

Organizations don’t talk to each other (?)

Problems with Applying Benchmarking and Best Practices

Risk Management

Answer 121

biggest problem

Question 122

No two organizations are ?

Problems with Applying Benchmarking and Best Practices

Risk Management

Answer 122

identical

Question 123

Knowing what was going on in information security industry in recent years through ? doesn’t necessarily prepare for what’s next

Problems with Applying Benchmarking and Best Practices

Risk Management

Answer 123

benchmarking

Question 124

Analysis of measures against established standards

Risk Management

Answer 124

Baselining

Question 125

In information security, ? is comparison of security activities and events against an organization’s future performance.

Risk Management

Answer 125

baselining

Question 126

The information gathered for an organization’s ? becomes the baseline for future comparison.

Baselining

Risk Management

Answer 126

first risk assessment

Question 127

“the goal of information security is not to bring ? to zero; it is to bring
residual risk into line with an organization’s comfort zone or ??

KEY

Risk Management

Answer 127

• residual risk
• risk appetite

Question 128

At minimum, each information ? should have documented control strategy clearly identifying any remaining residual risk, and feasibility studies to justify the findings.

Documenting Results

Risk Management

Answer 128

asset-threat pair

Question 130

?

document outcome of control strategy for each information asset-vulnerability pair as an action plan

Documenting Results

Risk Management

Answer 130

Another option