Lesson 19 Risk Management

Question 1

Phases of Risk Management

Answer 1

Identify:
1. Mission essential functions

2. Vulnerabilities and Weakness for each function or workflow
3. Threats for each function or workflow which attackers may exploit
4. Analyze business impacts of vulnerability being activated
5. Risk response, countermeasures, and cost for mitigation of the risk
   - Safety is number one
   - cost/money is second

Question 2

Likelihood of occurrence

Answer 2

The probability of the threat being realized

Question 3

Impact of realized security incident

Answer 3

Impact is the severity of the risk

Question 4

MTBF - Mean Time Between Failures

Answer 4

Mean Time Between Failures (MTBF)

How often failures are expected to happen

total time / number of failures

Calculation:
( 10 devices)(50 hours)/(2 failures) = 250 hours/failure

Question 5

MTTR - Mean Time To Repair/Replace/Recover

Answer 5

Mean Time to Repair (MTTR)
the average amount of time to repair/replace/recover the product or to correct a fault

important for determining RTO

Question 6

SPoF - Single Point of Failure

Answer 6

Single Point of Failure (SPoF)
a component or system that would cause a complete interruption of a service if it failed

Mitigate by provisioning redundant components

Question 7

RTO - recovery Time Objective

Answer 7

Recovery Time to Objective (RTO)

Time taken to get system up again
or
The planned max amount of recovery and restoration time

RTO+WRT must not exceed MTD

Question 8

WRT - work recovery time

Answer 8

Work Recovery Time
Following system recovery, how long to get system working again

RTO+WRT must not exceed MTD

Question 9

RPO - Recovery Point Objective

Answer 9

Recovery Point Objective (RPO)

maximum time an organization can tolerate lost data being unrecoverable
aka which backups to use during recovery

Question 10

MEF - Mission Essential Function

Answer 10

Mission Essential Function

a critical function of the mission which cannot be deferred for more than a few hours, if at all

Question 11

MTD - Maximum Tolerable Downtime

Answer 11

Maximum Tolerable Downtime (MTD)

longest period of time a business can be inoperable without causing irrecoverable business failure

RTO+WRT must not exceed MTD

Question 12

Risk Register

Answer 12

a document showing the results of a risk assessment in an easy to read format

Should be shared amongst all shareholders to help them understand the risk associated with the workflows they manage

Identify potential risks and their impact/likelihood
Display the company’s mitigation plan for each risk
Assign responsibility for the execution of those plans
Track the status of each plan (complete, in-progress, not started, etc)

Question 13

Quantitative Risk Analysis
Annualized Loss Expectancy calculations
know for test

Answer 13

SLE - Single Loss Expectancy
ARO - Annualized Rate of Occurrence
ALE - Annualized Loss Expectancy

SLE * ARO = ALE

know for test: ‘the incident costs X’ is the SLE

Question 14

SLE

Answer 14

Single Loss Expectancy

the amount which would be lost in a single occurrence of the risk factor

determine by Exposure Factor EF and Asset Value

SLE = EF * AV

Question 15

ARO

Answer 15

Annualized Rate of Occurrence

Question 16

ALE

know how to calculate this

Answer 16

Annualized Loss Expectancy

The amount which would be lost over the course of a year

ALE = SLE * ARO

Question 17

DRP - Disaster Recovery Plan

Answer 17

Disaster Recover Plan

a plan of how to recover the system or site to a working state following a disaster level event

Identify
- scenarios
- tasks
- resources
- responsibilities
Train staff

Question 18

FRP - functional recovery plans

Answer 18

Functional Recovery Plans

Due to rare occurrence of disasters, functional recovery plans determine how effective the recovery plan is
Perform:
- Training though walkthroughs workshops and seminars
- Tabletop exercises
- Functional exercises
- Full-scale exercises

Question 19

Risk types

Answer 19

External
Internal
Multiparty - arrises from supplier relationships
Intellectual Property Theft
SW Compliance/Licensing
Legacy Systems - not as secure due to lack of patching

Question 20

Risk Mitigation or remediation

Answer 20

process of reducing exposure to or the effects of risk factors
Risk Deterrence
Risk Reduction
Risk Avoidance
Risk Transference

Question 21

Risk Deterrence vs Risk Reduction

Answer 21

Risk deterrence is deploying a countermeasure to reduce exposure to a threat or vulnerability

Risk reduction are controls which make a risk incident less likely or less costly or both

Question 22

Risk Avoidance

Answer 22

means to stop doing the activity which is risk bearing

Question 23

Risk Transference

Answer 23

Assigning risk to a third party

Question 24

Inherent Risk

Answer 24

Risk before being mitigated

Question 25

Residual Risk

Answer 25

likelihood and impact after mitigation, transference, or acceptance measures have been applied

Question 26

Control Risk

Answer 26

risk that arises when a control does not provide the level of mitigation that was expected

could be a security control which was never effective in mitigating inherent risk