Module 2: Risk Assessment Flashcards

1
Q

What is Risk

A

It is defined as the probability of the occurrence of an incident

2
Q

What is Risk Policy

A

A set of ideas that are to be implemented in order to minimize and mitigate risks faced by an organization

3
Q

Risk Policy defines these steps in managing the risks

A
  1. Establishing a Context
  2. Risk Identification
  3. Risk Analysis
  4. Risk Evaluation
  5. Treating the risks
  6. Monitor and Review
  7. Communication and Consultation
4
Q

What is Risk Assessment

A

A set of guidelines and procedures to identify and assess the risks that pose a threat to the business or project environment

5
Q

What is the NIST Risk Assessment Methodology

A
  1. System Characterization
  2. Threats Identification
  3. Identify Vulnerabilities
  4. Control Analysis
  5. Likelihood Determination
  6. Impact Analysis
  7. Risk Determination
  8. Control Recommendations
  9. Results Documentation
6
Q

What happens in Step 1 System Characterization

A

The limits of an IT system are determined in order to set the scope of risk assessment

7
Q

What happens in Step 2 Threats Identification

A

Different threats and threat sources are to be identified

8
Q

What are the two threat sources

A

Human and Technical Threats

9
Q

What are the common human threats

A
  • False data entry or deletion of data
  • Eavesdropping
  • Impersonation
  • Theft
  • Espionage
10
Q

What are the common technical threats

A
  • Breaking passwords for unauthorized access
  • Sniffing and scanning of network traffic
  • Malicious code infection
  • Spam and mail frauds
  • DDoS attacks
  • Session hijacking
11
Q

What is a threat source

A

It means any incident or occurrence with the potential to cause harm to the information system

12
Q

What happens in Step 3 Identify Vulnerabilities

A

To prepare a list of information system vulnerabilities that could be exploited by the probable threat-sources

13
Q

What is the best source for information gathering

A

Internet

14
Q

Vulnerability identification process methods

A
  • Vulnerability sources
  • System security testing
  • Development of security requirements checklist
15
Q

System Security testing methods

A
  • Automated vulnerability scanning tool
  • Security test and evaluation (ST&E)
  • Pen Test
16
Q

What happens in Step 4 Control Analysis

A

The controls that are planned or already implemented are analyzed by the organization in order to reduce the probability of a threat.

17
Q

What happens in Step 5 Likelihood Determination

A

This step determines the likelihood of occurrence of a threat.

18
Q

Factors for the overall likelihood

A
  • Motivation and capability of the threat-source
  • Nature of the vulnerability
  • Efficiency and existence of current controls
19
Q

What happens in Step 6 Impact Analysis

A

This step of the risk assessment methodology determines the adverse impact resulting from a successful threat exercising the vulnerability

20
Q

What happens in Step 7 Risk Determination

A

To determine the level of risk to different organizational processes and assets.

21
Q

Risk Determination involves what consideration

A
  • The probability of occurrence of an anticipated incident
  • The tangible and intangible impact of the incident on the organization's resources
  • The control measures to minimize the impact or totally avoid the incident
22
Q

What happens in Step 8 Control Recommendations

A

Risk assessment teams recommend the controls based on the likelihood, impact and criticality of risk for business operation

23
Q

What happens in Step 9 Results Documentation

A

An official, detailed, and clear risk assessment report helps senior management in making decisions on policy, procedural, system operational, and management changes.

24
Q

Steps involved in the risk assessment of the workplace

A
  • Identify hazards
  • Determine who will be harmed and how
  • Analyze risks and check for precautions
  • Implement results of risk assessment
  • Review risk assessment
25
Q

What is a hazard

A

A hazard is anything that may cause harm

26
Q

What is a plan of action

A

It is a document that contains the implementation method of the risk assessment results

27
Q

What is Risk Analysis

A

The process that defines and analyzes the dangers

28
Q

How do you find Risk Analysis

A

Risk Assessment + Risk Management + Risk Communication

29
Q

What is Risk Management

A

A structured approach to managing risks due to any incident affecting information systems and their security

30
Q

What is Risk Communication

A

The correspondence between the client and the manager

31
Q

Risk Analysis helps to analyze what five elements

A
  1. Assets
  2. Disruptive events
  3. Vulnerabilities
  4. Losses
  5. Safeguards
32
Q

What are the two approaches for Risk Analysis

A

Quantitative Risk Analysis (numbers, dollars) & Qualitative Risk Analysis (Best guess)

33
Q

What is Risk Mitigation

A

The process of minimizing the risk

34
Q

What Risk Mitigation Strategies are used

A
  • Risk Assumption
  • Risk Avoidance
  • Risk Limitation
  • Risk Planning
  • Research and Acknowledgement
  • Risk Transference
35
Q

What is Risk Assumption

A

Executes controls to bring risk factor to an acceptable level or accepts the potential risk

36
Q

What is Risk Avoidance

A

It refers to preventing the risks by curbing the cause of the risk and/or consequence

37
Q

What is Risk Limitation

A

This procedure implements controls to diminish the level of controls, which in turn condenses the impact of a threat's exercising a vulnerability

Example: Use of supporting, preventive, and detective controls

38
Q

What is Risk Planning

A

A risk mitigation plan is to be developed in order to prioritize, implement, and maintain the controls

39
Q

What is Research and Acknowledgment

A

Analyzing the vulnerability or flaw and determining what actions can be taken to lessen the risk

40
Q

What is Risk Transference

A

Transfer the risk with the help of other options.

41
Q

What is Cost-Benefit Analysis

A

The process of calculating return on investment

42
Q

What is NIST's approach for Control Implementation

A
  1. Prioritize actions
  2. Evaluate recommended control options
  3. Conduct cost-benefit analysis
  4. Select control
  5. Assign responsibility
  6. Develop a safeguard implementation plan
  7. Implement selected controls
43
Q

How do you prioritize actions

A

By using the risk levels in the risk assessment report

44
Q

What is residual risk

A

The amount of risk remaining after implementation of all the possible controls

45
Q

How do you calculate residual risk

A

Residual risk = Inherent Risk * Control risk

46
Q

How do you calculate inherent risk

A

Inherent risk = threats * vulnerability

47
Q

The numerical determination of the probability of an adverse event, and the extent of the losses due to the event, refers to which approach of risk determination

A

Quantitative risk analysis

48
Q

How many primary steps does NIST’s risk assessment methodology involve

A

Nine

49
Q

In which of the steps of NIST’s risk assessment methodology are the boundaries of the IT system, along with the resources and the information that constitute the system, identified?

A

System Characterization

50
Q

In a qualitative risk analysis, risk is calculated in terms of

A

(Attack Success + Criticality) - (Countermeasures) = Risk

51
Q

In a quantitative risk analysis, risk is calculated in terms of

A

Risk = Probability of Loss * Loss

52
Q

What is the Risk formula

A

Risk = (events) * (probability of occurrence) * (consequences)

53
Q

A measure of possible inability to achieve a goal, objective, or target within a defined security, cost, plan, and technical limitations that adversely affects the organization’s operations and revenues

A

Risk

54
Q

In step 4 Control Analysis of the NIST’s risk assessment methodology, technical and nontechnical control methods are classified into two categories. What are the two control categories

A

Preventive and Detective controls