Midterm Flashcards

1
Q

What is RPO?

A

Recovery Point Objective

2
Q

What is RTO?

A

Recovery Time Objective

3
Q

What is MTD?

A

Maximum Tolerable Downtime

4
Q

What are the three types of Control?

A
  • Technical Control
  • Administrative Control
  • Physical Control
5
Q

What is a Risk Appetite?

A

The amount of risk a company is willing to accept in pursuit of a given objective

EXAMPLE
An organization might state that it has a “moderate” appetite for market expansion risks but a “low” appetite for compliance risks.
A tech company may have a high risk appetite for innovation and R&D investments but a low risk appetite for cybersecurity breaches.

6
Q

What is a Risk Tolerance?

A

The specific, measurable amount of deviation from the risk appetite that the organization will accept for a given objective; it turns the broad appetite statement into concrete thresholds.

Example
Financial Risk: “We will not tolerate quarterly losses exceeding $500,000.”
Operational Risk: “We will accept a system downtime of up to 2 hours per month.”
Compliance Risk: “We have zero tolerance for regulatory non-compliance.”

7
Q

What is CVSS?

A

Common Vulnerability Scoring System - a standard for rating the severity of a vulnerability on a 0.0-10.0 scale. Qualitative severity ratings (CVSS v3.x):

  • None (0.0)
  • Low (0.1-3.9)
  • Medium (4.0-6.9)
  • High (7.0-8.9)
  • Critical (9.0-10.0)
8
Q

What is CER?

A

Crossover Error Rate - the point at which a biometric system's false acceptance rate (FAR) equals its false rejection rate (FRR); a lower CER indicates a more accurate system

10
Q

What is IT Risk?

A

The potential for loss arising from the use of information technology, e.g. cybersecurity threats, data breaches, system failures, etc.

11
Q

How can IT risk be measured?

A

Quantitative Metrics, Qualitative Assessments, Risk Scores and Continuous monitoring

12
Q

What are quantitative metrics?

A

Number of incidents, financial losses from breaches, downtime duration

13
Q

What are risk scores?

A

Combining qualitative and quantitative data into a single score so that risks can be ranked and compared

14
Q

What is the FORMAL definition of risk?

A

Risk ($/year) = potential impact of an event on the business ($ amount of lost revenue) × estimated frequency of such events (# of events per year)

ALE (Annual Loss Expectancy) = SLE (Single Loss Expectancy) * ARO (Annualized Rate of Occurrence)

15
Q

What is SLE?

A

Single Loss Expectancy - the dollar amount assigned to a single event, representing the company's potential loss if a specific threat were to occur once. SLE = Asset Value (AV) × Exposure Factor (EF), where EF is the fraction of the asset's value lost in one incident.

16
Q

What is ARO?

A

Annualized Rate of Occurrence - a value representing the estimated frequency of a specific threat occurring within a 12-month period. For example, ARO = 2 means the event is expected twice a year; ARO = 0.5 means once every two years; ARO = 0 means the event is not expected to happen at all.
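The SLE/ARO/ALE formulas from the last three cards, carried through on constructed figures. This is an added worked example, not part of the original flashcards: the asset values, exposure factors, rates and the $20,000 control cost are assumed for illustration, and SLE is expanded as AV × EF (the standard expansion, not stated on the cards). The safeguard_value function goes one step beyond the cards by using ALE to decide whether a control is worth its annual cost.

```python
"""Worked example of the risk formulas on the cards above.

Added illustration; all dollar amounts, exposure factors and ARO values
below are constructed for the example, not taken from the cards.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat scenario against one asset (all money in dollars)."""
    name: str
    asset_value: float       # AV: what the asset is worth to the business
    exposure_factor: float   # EF: fraction of AV lost per incident, 0.0-1.0
    aro: float               # ARO: expected incidents per 12-month period

    def sle(self) -> float:
        """Single Loss Expectancy: dollar loss from one occurrence (AV * EF)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: SLE * ARO (dollars per year)."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus the control's cost.

    Positive means the control pays for itself; negative means the company
    would spend more on the safeguard than it expects to lose without it.
    """
    return before.ale() - after.ale() - annual_cost


def report(scenarios):
    """Return (name, SLE, ALE) per scenario, highest ALE first."""
    rows = [(s.name, s.sle(), s.ale()) for s in scenarios]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed scenarios (assumed figures).
# Ransomware on a file server: the whole asset is lost per event, expected
# once every two years (ARO = 0.5, as on the ARO card).
ransomware = Scenario("ransomware on file server", asset_value=200_000,
                      exposure_factor=1.0, aro=0.5)

# Same threat after adding tested offline backups: only a quarter of the
# value is lost per event (restore time, partial data loss); ARO unchanged.
ransomware_with_backups = Scenario("ransomware, with offline backups",
                                   asset_value=200_000,
                                   exposure_factor=0.25, aro=0.5)

# Lost or stolen laptop: a quarter of the data's value exposed, twice a year
# (ARO = 2, as on the ARO card).
laptop_theft = Scenario("lost/stolen laptop", asset_value=40_000,
                        exposure_factor=0.25, aro=2.0)


if __name__ == "__main__":
    for name, sle, ale in report([ransomware, laptop_theft]):
        print(f"{name:30s} SLE=${sle:>10,.0f} ALE=${ale:>10,.0f}/yr")
    net = safeguard_value(ransomware, ransomware_with_backups, annual_cost=20_000)
    print(f"offline backups, net value: ${net:,.0f}/yr")
```

With these figures the ransomware scenario has SLE $200,000 and ALE $100,000/yr; offline backups cut ALE to $25,000/yr, so a control costing $20,000/yr nets $55,000/yr and is justified. The laptop scenario shows the trap of looking at SLE alone: a $10,000 SLE with ARO = 2 is a $20,000/yr exposure, more than many single large-but-rare events.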

17
Q

What is ERM (Enterprise Risk Management)?

A
  • Process effected by an entity's board of directors, management and other personnel
  • Risk appetite is defined by COSO as “the amount of risk, on a broad level, that an organization is willing to accept in pursuit of its business objectives.”
18
Q

What are the key benefits of following a common framework for managing enterprise risks?

A
  1. Adopt a common risk language
  2. Conduct an enterprise risk assessment to identify and prioritize the organization's critical risks
  3. Perform a gap analysis of the current and target capabilities around managing the critical risks
  4. Make informed business decisions at all levels of an organization using a repeatable process
  5. Align risk management effort with company’s vision, goals and objectives
19
Q

What are the KEY elements of an ERM (Enterprise Risk Management) framework?

A

Business Strategy <-> Risk Culture -> Risk Governance, Risk Universe, Risk Management Policies, Risk Appetite -> Identify, Measure, Manage, Monitor, Report

20
Q

What is a KRI?

A

Key Risk indicators - a metric used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise

21
Q

Leading indicators VS lagging indicators

A

Leading indicators (PROACTIVE) - identify emerging trends for risks and enable management to take proactive steps to prevent events from occurring

Lagging indicators (DETECTIVE) - Lagging indicators may be considered “detective” in nature and provide information about events that have occurred in the past

22
Q

What are the 3 LOD (Lines of Defence) used to manage IT risks?

A

1st Line of defence - business and IT functions
2nd Line of defence - Information and technology risk management functions
3rd Line of defence - Internal Audit

23
Q

What are some key challenges for the 3 lines of defense model?

A
  1. May require changes to existing business processes
  2. Lack of awareness or education for the first line staff
  3. Can be expensive to operate
24
Q

What can be considered when tasked with designing an IT risk management framework from scratch?

A
  1. Company's existing framework or processes for risk management
  2. Level of maturity of risk management and the company's overall awareness of risk management
  3. Competitive landscape of the industry in which the company operates