Lesson 1: Risk Management Activities Flashcards

1
Q

What are the 5 Phases of risk management?

A

1) Identification of mission critical functions –> Know your critical functions to prioritize risk management.
2) Identification of known vulnerabilities –> List all known vulnerabilities to your functions.
3) Identification of potential threats –> For each function, identify the threat sources and actors that may exploit or accidentally expose vulnerabilities.
4) Analysis of business impact –> Use qualitative and quantitative methods to analyze likelihood and impact.
5) Identification of risk responses –> For each risk, identify possible countermeasures.

2
Q

What are the important variables considered when evaluating risk?

A

1) Likelihood –> This is the probability of the threat being realized.
2) Impact –> This is the severity of the risk if realized (e.g. value of the asset, financial impacts, etc.).

3
Q

What is quantitative risk analysis?

A

It involves the use of numbers (generally money) to evaluate impacts.

4
Q

List and explain the variables used in quantitative risk analysis

A

1- Single Loss Expectancy (SLE) –> The amount that would be lost in a single occurrence of the risk factor.

2- Annual Rate of Occurrence (ARO) –> The number of times in a year that the single loss occurs.

3- Annual Loss Expectancy (ALE) –> The amount that would be lost over the course of a year, or the sum total of all single loss events over the span of 12 months.

4- Asset Value (AV) –> The value of an asset.

5- Exposure Factor (EF) –> The percentage of the asset value that would be lost.

5
Q

What is the formula used in calculating the SLE?

A

SLE = AV x EF

6
Q

What is the formula used in calculating the ALE?

A

ALE = SLE x ARO

7
Q

What are the additional quantitative measures used within an organization?

A

1- Total Cost of Ownership (TCO) –> This includes all associated costs of an asset (acquisition, maintenance, operations, etc.).

2- Return on Investment (ROI) –> A performance measure that compares the cost of an item to the benefit it provides.

3- Mean Time To Recover (MTTR) –> This is a measure of downtime duration: the time elapsed between when a service or device fails and when its functionality is restored.

4- Mean Time Between Failures (MTBF) –> The amount of time a service can be expected to run before it experiences an outage.

5- Gap Analysis –> A gap analysis measures the difference between current state and desired state.

8
Q

What is qualitative risk analysis?

A

Qualitative risk analysis describes the evaluation of risk through the use of words.

9
Q

List and explain the 4 risk responses

A

1- Avoidance –> means that you stop doing the activity that is risk-bearing.

2- Acceptance –> means that an identified risk area has been evaluated and this resulted in an agreement to continue operating the system.

3- Mitigate –> is the overall process of reducing exposure to, or the effects of, risk factors.

4- Transfer –> means assigning risk to a third party, which is most typically exemplified through the purchase of an insurance policy.

10
Q

What is the difference between inherent risk and residual risk?

A

Inherent risk is the level of risk that exists before any type of mitigation has been implemented.
Residual risk is the likelihood and impact after specific mitigation, transference, or acceptance measures have been applied.

11
Q

What is risk appetite?

A

Risk appetite is a strategic assessment of what level of residual risk is tolerable for an organization.

12
Q

True or False
Residual and acceptable risk are always equivalent.

A

False
Certain identified risk areas cannot be mitigated to an acceptable level.

13
Q

What is risk management?

A

Risk management describes the set of policies and processes used by an organization to help it locate, describe, prioritize, and mitigate risks in a consistent and repeatable way.

14
Q

List 5 risk frameworks

A

NIST CSF –> National Institute of Standards and Technology Cybersecurity Framework
ISO 31000 –> International Organization for Standardization 31000
NIST RMF –> National Institute of Standards and Technology Risk Management Framework
COBIT –> Control Objectives for Information and Related Technologies
COSO –> Committee of Sponsoring Organizations of the Treadway Commission.

15
Q

What are the 5 core functions of NIST CSF?

A

Identify
Protect
Detect
Respond
Recover

16
Q

List the 7 risk management steps defined by NIST CSF

A

Prioritize and scope
Orient
Create a current profile
Conduct a risk assessment
Create a target profile
Determine, analyze, and prioritize gaps
Implement action plan

17
Q

List the 7 steps of NIST RMF

A

Prepare
Categorize
Select
Implement
Assess
Authorize
Monitor

18
Q

What is ISO 31000 all about?

A

ISO 31000 is a very comprehensive framework and considers risks outside of cybersecurity, including risks to financial, legal, competitive, and customer service functions.

19
Q

Which organization created COBIT?

A

ISACA –> Information Systems Audit and Controls Association

20
Q

What is COBIT all about?
What are the 5 components of COBIT?

A

COBIT: frames IT risk from the viewpoint of business leadership.

The 5 components of COBIT are:
Framework
Process descriptions
Control objectives
Management guidelines
Maturity models

20
Q

What is COSO?

A

COSO is an initiative of five private sector organizations collaborating on the development of risk management frameworks. The Enterprise Risk Management — Integrated Framework defines an approach to managing risk from a strategic leadership point of view.

21
Q

What are the 4 phases common to all risk management life cycles?

A

Identify –> This phase includes the identification of risk items.
Assess –> This phase analyzes identified risks to determine their associated level of risk.
Control –> This phase identifies effective means by which identified risks can be reduced.
Review –> Each risk item must be periodically re-evaluated to determine if the risk level has changed and/or if the identified controls are still effective.

22
Q

What are the 3 control categories?

A

People
Processes
Technology

23
Q

Explain the 5 capabilities outlined in NIST CSF

A

Identify –> This function involves the analysis and management of organizational risks. Risks can be realized in many areas, including people, data, systems and processes and this process works to help an organization locate, describe and analyze these risks in order to develop a prioritized approach to their management.

Protect –> This function describes the capabilities needed to ensure consistent operation of all critical business functions and limit the impacts of any adverse events.

Detect –> This function defines the capabilities needed for the timely discovery of security incidents.

Respond –> This function seeks to limit the impact of a cybersecurity incident by defining appropriate actions to be taken upon its discovery.

Recover –> This function defines the necessary activities for restoring any disrupted services to their original, or intended, state following a cybersecurity incident.

24
Q

What is a risk register?

A

A risk register provides an effective visualization of identified risks and includes descriptions and information about mitigating controls.

25
Q

What is a KPI?

A

A KPI is a formal mechanism designed to measure performance of a program against desired goals.

26
Q

What is a KRI?

A

A KRI is a metric that helps organizations identify and monitor potential risks that could negatively impact their operations, financial health, or overall performance.

27
Q

List 5 examples of KPIs

A

Patch status
Intrusion attempts
Unidentified devices
Security incidents
User awareness and training

28
Q

What is risk tolerance?

A

Risk tolerance defines the acceptable level of risk for individual risks within the broader risk appetite.

29
Q

What is tradeoff analysis?

A

It describes how decisions are made after reviewing risks and rewards, by comparing potential benefits to potential risks, and determining a course of action based on adjusting factors that contribute to each area.

30
Q

Which organization developed the Architecture Tradeoff Analysis Method (ATAM)?

A

The Software Engineering Institute (SEI) at the Carnegie Mellon University.

31
Q

What is ATAM used for?

A

ATAM allows formal evaluation of architectures based upon the analysis of risks and desired outcomes.

32
Q

True or False
Technology alone can guarantee a safe and secure environment.

A

False
Technology alone cannot guarantee a safe and secure environment, so it is absolutely essential for people to be trained in the safe and appropriate use of technology and that user activity within an information system can be reviewed for compliance and accountability.

33
Q

List and explain the strategies that can be used to reduce the likelihood of fraud and limit the impacts of insider threat

A

Separation of duties –> is a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. Duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.

Job rotation –> (or rotation of duties) means that no one person is permitted to remain in the same job for an extended period.

Mandatory vacation –> means that employees are forced to take their vacation time, during which someone else fulfills their duties. The typical mandatory vacation policy requires that employees take at least one vacation a year in a full-week increment so that they are away from work for at least five days in a row. During that time, the corporate audit and security employees have time to investigate and discover any discrepancies in employee activity.

Least privilege –> means that a user is granted sufficient rights to perform his or her job and no more. This mitigates risk if the account should be compromised and fall under the control of a threat actor.

34
Q

What are the 3 cloud service types?

A

Software as a Service (SaaS) –> represents the lowest amount of responsibility for the customer as the facilities, utilities, physical security, platform, and applications are the responsibility of the provider.

Platform as a Service (PaaS) –> provides a selection of operating systems that can be loaded and configured by the customer; the underlying infrastructure, facilities, utilities, and physical security are the responsibility of the provider.

Infrastructure as a Service (IaaS) –> provides hardware hosted at a provider facility using the provider’s physical security controls and utilities, such as power.

35
Q

What is vendor lock-in?

A

Describes when a customer is completely dependent on a vendor for products or services because switching is either impossible or would result in substantial complexity and costs.

36
Q

What is vendor lockout?

A

Describes when a vendor’s product is developed in a way that makes it unable to interoperate with other products; the ability to integrate it with other vendors’ products is either not a feasible option or does not exist.

37
Q

What is vendor viability?

A

It is an important measurement used to determine if a vendor will be in business on an ongoing basis.

38
Q

What is source code escrow?

A

Identifies that a copy of vendor-developed source code is provided to a trusted third party in case the vendor ceases to be in business.

39
Q

What is support availability?

A

Defines the steps taken to verify the type and level of support to be provided by the vendor in support of their product or service. It is common for support performance and maintenance fees to be defined via a service level agreement (SLA).

40
Q

What process does the following statement define?
This describes the formal measures taken to validate that the vendor’s delivered service or product offering aligns to established requirements.

A

Meeting client requirements

41
Q

List 2 ongoing vendor assessment tools

A

Vendor policies
Ongoing assessment and compliance

42
Q

What is supply chain visibility (SCV)?

A

It describes the capacity to understand how all vendor hardware, software, and services are produced and delivered as well as how they impact an organization’s operations or finished products.