Lesson 15: Explain Risk Management Processes Flashcards
What are the methods used for risk identification and assessment?
Recognize threats like malware, insider risks, equipment failures, and inadequate policies using vulnerability assessments, penetration testing, and audits.
How does risk analysis differ from risk assessment?
Risk Analysis: Identifies risks.
Risk Assessment: Evaluates likelihood and impact to prioritize management strategies.
What metrics are used in quantitative risk analysis?
Uses metrics like Single Loss Expectancy (SLE), Annualized Loss Expectancy (ALE), and Exposure Factor (EF) to assign monetary values to risk.
What is qualitative risk analysis, and what does it focus on?
Frames risks using subjective judgments, focusing on causes and interdependencies.
How are heat maps and FIPS 199 categorizations used in risk management?
They visualize risks using severity levels like low, moderate, and high as the categories.
What are the primary risk management strategies?
Mitigation, Avoidance, Acceptance, and Transference (e.g., cybersecurity insurance).
What are residual risk and risk appetite?
Residual Risk is the remaining risk after mitigation.
Risk Appetite defines tolerance levels across the organization.
What are the phases of the risk management process?
Identify mission essential functions.
Recognize vulnerabilities.
Identify threats.
Assess business impacts.
Define appropriate risk responses.
What factors are considered in vendor due diligence and assessment?
Evaluate vendors based on financial stability, regulatory compliance, and security practices.
What are conflict-of-interest risks in vendor relationships?
Financial, personal, or competitive relationships that could affect integrity.
What techniques are used to evaluate the vendor?
Penetration Testing: Evaluate the vendor’s security resilience.
Right-to-Audit Clauses & Internal Audits: Ensure adherence to security and compliance measures.
Supply Chain Analysis: Assess risks across interconnected vendor networks.
What legal agreements manage vendor relationships?
MOUs (Memorandums of Understanding): Set preliminary intentions.
NDAs (Nondisclosure Agreements): Secure sensitive information.
SLAs (Service Level Agreements): Define performance metrics.
SOWs (Statements of Work): Detail deliverables, timelines, and scope.
How is ongoing vendor performance monitored?
Through performance reviews and risk evaluations.
What are the purposes of internal audits, external assessments, and self-assessments?
Internal Audits: Evaluate compliance and facilitate continuous improvement.
External Assessments: Provide independent, objective reviews.
Self-Assessments: Help individuals and teams proactively identify strengths and weaknesses.
What are the methods used during reconnaissance in penetration testing?
Active Methods: Port scanning.
Passive Methods: OSINT gathering.
What are the three penetration testing methods?
Known, Partially Known, and Unknown Testing Methods.
The penetration tester tailors tests based on prior knowledge of the environment.
What distinguishes known, partially known, and unknown penetration testing methods?
Known Testing: Full knowledge of the environment is provided to testers.
Partially Known Testing: Limited information is given.
Unknown Testing: Testers have no prior knowledge of the environment.
What is offensive (Red Teaming) and defensive (Blue Teaming) testing?
Red Teaming: Simulates real-world attacks to identify vulnerabilities.
Blue Teaming: Evaluates detection and response capabilities.
What is Physical Penetration Testing?
Simulates real-world attacks to assess the effectiveness of an organization’s physical security measures, evaluating vulnerabilities like access control, perimeter security, and employee awareness.
What is integrated penetration testing?
It combines offensive, defensive, and physical testing for a holistic security evaluation.