Lesson 15: Explain Risk Management Processes Flashcards
1
Q
Define ‘risk management’
A
Identifying potential issues, assessing their potential impact on the organization, and implementing controls to mitigate them.
2
Q
What are key concepts of effective risk management?
A
Risk identification, risk assessment, mitigation, and monitoring.
3
Q
What is the purpose of audits?
A
To provide an independent and objective evaluation of processes, controls, and compliance, ensuring adherence to standards and identifying gaps that pose risks.
4
Q
What is the purpose of an assessment?
A
To evaluate the effectiveness of risk management strategies, identify potential vulnerabilities, and prioritize mitigation efforts.
5
Q
What is the importance of audits and assessments?
A
To understand risks, implement controls, and continuously monitor and adapt risk management strategies.
6
Q
Define ‘risk identification’
A
Process of listing sources of risk due to threats and vulnerabilities.
7
Q
What are common risk identification methods?
A
Vulnerability assessments, penetration testing, security audits, threat intelligence.
8
Q
Define a ‘risk assessment’
A
Process of identifying risks, analyzing them, developing a response strategy for them, and mitigating their future impact.
9
Q
What are the different risk assessment methods?
A
Ad hoc, recurring, one-time, or continuous.
10
Q
Define ‘risk analysis’ relative to risk assessment
A
The distinct process of identifying and evaluating potential risks and the nature and scope of risks by examining their causes, consequences, and concerns.
11
Q
Define ‘risk assessment’ relative to risk analysis
A
Risk assessment considers the likelihood of an event occurring and the severity of its consequences by interpreting data collected during risk analysis.
12
Q
Define ‘Quantitative risk analysis’
A
A numerical method that is used to assess the probability and impact of risk and measure the impact.
13
Q
Define ‘Single Loss Expectancy (SLE)’
A
The amount that would be lost in a single occurrence of a particular risk factor.
14
Q
Define an ‘exposure factor (EF)’
A
The percentage of an assets value that would be lost in an event.
15
Q
How is Single Loss Expectancy (SLE) calculated?
A
By multiplying the value of the asset by the exposure factor (EF).
16
Q
Define ‘Annualized Loss Expectancy (ALE)’
A
The total cost of a risk to an organization on an annual basis.
17
Q
Define an ‘annualized rate of occurrence (ARO)’
A
The number of times an event could occur in a year in terms of probability/likelihood.
18
Q
How is Annualized Loss Expectancy (ALE) calculated?
A
By multiplying the SLE by the annual rate of occurrence (ARO).
19
Q
Define ‘Qualitative risk analysis’
A
Assess risks based on subjective judgment and logic rather than precise numerical data.
20
Q
How is qualitative risk analysis performed?
A
Qualitative risk analysis frames risks by considering their causes, consequences, and potential interdependencies.
21
Q
Define ‘inherent risk’
A
Risk that an event will pose if no controls are put in place to mitigate it; The level of risk before any type of mitigation has been attempted.
22
Q
Is it possible to eliminate risk?
A
It is not possible to eliminate risk.
23
Q
What is the ultimate goal of risk management?
A
To mitigate risk factors to the point where the organization is exposed only to a level of risk that it can tolerate.
24
Q
What term is used to describe an organizations overall status of risk management?
A
Risk/security posture.
25
Define 'risk mitigation'
Overall process of reducing exposure to or the effects of risk factors.
26
Define 'risk deterrence/reduction'
The response to risk identification/analysis by deploying security controls to reduce the likelihood and/or impact of a threat scenario.
27
Define 'risk avoidance'
The practice of ceasing activity that presents risk.
28
Define 'risk transference/sharing'
Moving or sharing the responsibility of risk to another entity; typically cyber insurance.
29
Define 'risk acceptance'
Risk tolerance; Determining that a risk is within the organization's appetite and no countermeasures other than ongoing monitoring is needed.
30
Define 'risk exception'
Describes a situation where a risk cannot be mitigated using standard risk management practices or within a specified time frame due to financial, technical, or operational conditions.
31
Define 'risk exemption'
A condition where risk can remain without mitigation, usually due to a strategic business decision.
32
Define 'residual risk'
Risk that remains even after controls (mitigation/transference/exemption/exception) are put into place.
33
Define 'risk appetite'
How much risk and what types of risk an organization is willing to take to fulfill its organizational goals and objectives.
34
In order, list the 5 phases of risk management
1. Identify Mission Essential Functions
2. Identify Vulnerabilities
3. Identify Threats
4. Analyze Business Impacts
5. Identify Risk Response
35
What are the two main variables when calculating risk?
Likelihood and Impact.
36
Define 'risk likelihood'
Qualitative analysis used to describe the chance of a risk event happening; Low/Med/High or on some form of a numeric scale.
37
Define 'risk impact'
The severity of the risk if realized as a security incident.
38
Define 'risk probability'
Quantitative measure typically expressed as a numerical value to precisely measure the chance of a risk event occurring based on statistical methods.
39
What are NIST's Risk Management Framework (RMF) or ISO 31K?
They are enterprise risk management (ERM) policies and procedures.
40
Define a 'risk register'
A document showing the results of risk assessments that includes information regarding risks, their severity, the associated owner of the risk, and all identified mitigation strategies.
41
Define a 'risk threshold'
Determines risk acceptance; defines the limits or levels of acceptable risk an organization is willing to tolerate.
42
What are factors that define a risk threshold?
Regulatory requirements, organizational objectives, stakeholder expectations, and the organization's risk appetite.
43
Define 'Key Risk Indicators (KRIs)'
Metrics that provide an early indication of increasing risk exposures in different areas of the organization.
44
Define a 'risk owner'
An individual who is accountable for developing and implementing a risk response strategy for a risk documented in a risk register.
45
Define 'risk tolerance'
The maximum risk the organization is willing to take for a risk.
46
What is the difference between risk tolerance and risk appetite?
Risk appetite is what drives the willingness of the company to take risks. Risk tolerance then defines the boundaries and standards for assessing and responding to those risks.
47
What are the 3 levels of risk appetite?
1. Expansionary
2. Conservative
3. Neutral
48
Define an expansionary risk appetite
Willingness to take on higher levels of risk in the pursuit of high returns or aggressive growth.
49
Define a conservative risk appetite
Prioritizes risk avoidance.
50
Define a neutral risk appetite
Balances expansionary and conservative approaches and is willing to take on risks if they align with strategic objectives and can be managed effectively.
51
Define 'risk reporting'
A summarized overview of known risks, realized risks, and their impact on the organization.
52
What is the purpose of risk reporting?
Supports decision-making, highlights concerns, and ensures stakeholders understand the organization's risks.
53
When assessing mission critical functions, what is an important component of advancing operatoins?
By reducing the number of dependencies between components.
54
How are dependencies between mission critical functions identified?
By performing a business process analysis (BPA) for each function.
55
What are the 5 factors to identify when performing a business process analysis (BPA) for a function/process?
1. Inputs
2. Outputs
3. Process Flow
4. Hardware
5. Staff
56
What are business process inputs?
Sources of information for performing the function (including the impact if these are delayed or out of sequence).
57
What are business process outputs?
Data or resources produced by the function.
58
What are business process 'process flows'?
A step-by-step description of how the function is performed.
59
What defines business process hardware?
Server(s) or data center that performs the processing.
60
How does an organization's staff impact business processes
Needing sufficient staff and resources to support the function.
61
Define 'Business impact analysis (BIA)'
A process that helps businesses understand the potential effects of disruptions on their operations.
62
How is business impact analysis (BIA) performed?
Identifying and assessing the impact of various unplanned threat scenarios on the business, such as accidents, emergencies, and disasters.
63
What is the outcome of performing business impact analysis (BIA)?
To proactively create recovery strategies to minimize the impact of disruptions and ensure operational resilience.
64
What four metrics help determine mission critical functions?
1. Maximum tolerable downtime (MTD)
2. Recovery time objective (RTO)
3. Work Recovery Time (WRT)
4. Recovery point objective (RPO)
65
Define the 'Maximum tolerable downtime (MTD)' metric
The longest period that a process can be inoperable without causing irrevocable business failure; Max amount of recovery time that system and asset owners have to resume operations.
66
What is a typical maximum tolerable downtime (MTD) for a mission critical process?
Could be 24hrs or less.
67
Define the 'Recovery time objective (RTO)' metric
Represents the amount of time it takes to identify that there is a problem and then perform recovery (restore from backup or switch to an alternative system, for instance).
68
Define the 'Work Recovery Time (WRT)' metric
In disaster recovery, time additional to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event.
69
When considering the Recovery time objective (RTO) and the Work Recovery Time (WRT), what must be kept in mind determining Maximum tolerable downtime (MTD)?
RTO+WRT must not exceed MTD.
70
Define the 'Recovery point objective (RPO)' metric
The amount of data loss that a system can sustain, measured in time.
71
What does determining Recovery point objective (RPO) impact?
Impacts the frequency of data backups, data replication requirements, recovery site selection, and technologies that support failover and high availability.
72
How does Recovery point objective (RPO) impact data backups/replication or failover/high availability mechanisms?
The RPO can determines backup frequency or replication for applicaitons/services or a recovery sites/high availability based on RPO.
73
Define 'key performance indicators (KPIs)'
Metrics used to measure the reliability and efficiency of systems, processes, and equipment.
74
What are the two key performance indicators (KPIs)?
1. Mean time between failures (MTBF)
2. Mean time to repair (MTTR)
75
What do key performance indicators (KPIs) help make decisions in?
Risk management processes, providing measurable insights into potential risks and supporting risk mitigation strategies.
76
Define 'Mean time between failures (MTBF)'
Represents the expected lifetime of a device/component; Predicts the expected time between failures.
77
How is Mean time between failures (MTBF) calculated?
The number of devices/components multiplied by the lifetime of the device before failure, and the sum of that divided by the number of failures; (n*t)/f
78
Define 'Mean time to repair (MTTR)'
Represents the average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.
79
How is Mean time to repair (MTTR) calculated?
The total number of hours of unplanned maintenance divided by the number of failure incidents.
80
What does a low Mean time to repair (MTTR) indicate?
Indicates quicker restoration of functionality, reducing downtime and potential disruptions to operations.
81
What is the purpose of calculating Mean time between failures (MTBF)?
To identify the average time between system or equipment failures.
82
What does a high Mean time between failures (MTBF) indicate?
Suggests greater reliability and longer intervals between failures.
83
What metric(s) could be used to make a quantitative calculation of risk due to a specific threat to a specific function or asset?
Single Loss Expectancy (SLE) or Annual Loss Expectancy (ALE).
84
What are the components of '3rd party risk assesments'
Vendor due diligence, risk identification and assessment, ongoing monitoring, and incident response planning.
85
Define 'vendor due diligence'
Involves evaluating and selecting vendors based on their security practices, financial stability, regulatory compliance, and reputation.
86
Define a 'right-to-audit clause'
A contractual provision that grants an organization the authority to conduct audits or assessments of vendor operational practices, information systems, and security controls.
87
Define a 'Memorandum of Understanding (MOU)'
A preliminary, nonbinding agreement that outlines the intentions, shared goals, and general terms of cooperation between parties.
88
Define a 'Memorandum of Agreement (MOA)'
A formal, legally blinding, agreement that defines the parties' specific terms, conditions, and responsibilities.
89
Define a 'Business Partnership Agreement (BPA)'
Agreement by two companies to work together closely for governing collaborative and mutually beneficial relationships.
90
Define a 'Master Service Agreement (MSA)'
Outlines the overall terms and conditions of a specific contract.
91
Define a 'Statement of Work (SOW)/Work Order (WO)'
Details a vendor project or engagement's scope, deliverables, timelines, and responsibilities.
92
Define 'Rules of Engagement (RoE)'
Rules defining what vendors must adhere to.
93
What are important elements of a Rules of Engagement (RoE)?
Roles and Responsibilities; Security Requirements; Compliance Obligations; Reporting and Communication; Change Management; Contractual Provisions (liability, insurance, and termination).
94
Define an 'attestation'
Formal declaration that an organization's security controls and practices comply with specific standards, regulations, or best practices.
95
What is the purpose of an attestation?
Provides assurance to stakeholders that an organization's security measures are adequate.
96
What is the function of internal audits?
To enable continuous monitoring, early detection of issues, and timely remediation.
97
What is the function of external audits?
To validate the organization's controls, compliance, and risk mitigation efforts.
98
What are likely procedures in a pen test?
Verify a Threat Exists; Bypass Security Controls; Actively Test Security Controls; Exploit Vulnerabilities.
99
Define 'Active reconnaissance'
Penetration testing techniques involving actively probing and interacting with target systems and networks to gather information.
100
What are forms of active reconnaissance?
Port scanning; service enumeration; OS fingerprinting; DNS enumeration; Web application crawling.
101
Define 'Service enumeration'
Interacting with identified services to gather information about their versions, configurations, and potential vulnerabilities.
102
Define 'DNS enumeration'
Gathering information about the target's DNS infrastructure, such as domain names, subdomains, and IP addresses.
103
Define 'web application crawling'
Exploring web applications to identify pages, directories, and potential vulnerabilities.
104
Define 'passive reconnaissance'
Gathering information about target systems and networks without directly interacting with them by focusing on collecting publicly available data and passively observing network traffic.
105
What are forms of passive reconnaissance?
Open-Source Intelligence (OSINT) Gathering; Network Traffic Analysis; Social Engineering.
106
Define 'Open-Source Intelligence (OSINT) Gathering'
Collecting publicly available information from various sources like search engines, social media, public databases, and websites.
107
Define 'Offensive penetration testing/red team'
Identify vulnerabilities, weaknesses, and potential attack vectors that malicious actors could exploit.
108
Define 'Defensive penetration testing/blue team'
Evaluates an organization's defensive security measures, detection capabilities, incident response procedures, and overall resilience against cyber threats.
109
Define 'Physical penetration testing'
Assessments of an organization's physical security practices and controls by simulating real-world attack scenarios to identify vulnerabilities and weaknesses in physical security systems.
110
What is the point of the string "../../../../../../" used in an injection attack?
To use directory traversal to reach the root directory.
111
Injecting a web shell can be accomplished by taking advantage of what discovered vulnerability?
File upload.
