Module 4 - Risk Management

Question 1

The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.

Answer 1

Risk management

Question 2

The recognition, enumeration, and documentation of risks to an organization’s information assets

Answer 2

Risk identification

Question 3

A determination of the extent to which an organization’s information assets are exposed to risk.

Answer 3

Risk assessment

Question 4

The application of safeguards or controls that reduce the risks to an organization’s information assets to an acceptable level.

Answer 4

Risk treatment (risk control)

Question 5

The overall structure of the strategic planning and design for the entirety of the organization’s RM efforts.

Answer 5

The RM framework

Question 6

The implementation of risk management, as specified in the framework

Answer 6

The RM process

Question 7

The RM framework consists of five key stages:

Answer 7

1. Executive governance and support
2. Framework design
3. Framework implementation
4. Framework monitoring and review
5. Continuous improvement

Question 8

Risk Management Policy

Answer 8

This policy converts the instructions and perspectives provided to the RM framework team by the governance group into cohesive guidance that structures and directs all subsequent risk management efforts within the organization.

Question 9

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility

Answer 9

Risk appetite

Question 10

The risk to information assets that remains even after current controls have been applied

Answer 10

Residual risk

Question 11

The assessment of the amount of risk an organization is willing to accept for a particular information asset.

Answer 11

Risk tolerance (risk threshold)

Question 12

Prepare for the risk process by performing the following tasks (5):

Answer 12

1. Identify the purpose of the assessment;
2. Identify the scope of the assessment;
3. Identify the assumptions and constraints associated with the assessment;
4. Identify the sources of information to be used as inputs to the assessment;
5. Identify the risk model and analytic approaches.

Question 13

The final step in the risk identification process is to:

Answer 13

prioritize, or rank-order, the assets.

Question 14

During the identification of risk, managers must(4):

Answer 14

1. Identify the organization’s information assets
2. Classify them
3. Categorize them into useful groups
4. Prioritize them by overall importance

Question 15

If a vulnerability is fully managed by an existing control:

Answer 15

it can be set aside

Question 16

Assesses the relative risk for each vulnerability and assigns a risk rating or score to each information asset.

Answer 16

Risk analysis

Question 17

The overall rating—a numerical value on a defined scale—of the probability that a specific vulnerability will be exploited or attacked, commonly referred to as a threat event.

Answer 17

Likelihood

Question 18

The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability

Answer 18

The level of impact from a threat event

Question 19

likelihood of threat event (attack) x impact (or consequence), plus or minus an element of uncertainty

Answer 19

risk

Question 20

If residual risk is greater than risk, look for:

Answer 20

treatment strategies to further reduce the risk.

Question 21

Four basic risk treatment strategies:

Answer 21

1. Mitigation
2. Transference
3. Acceptance
4. Termination

Question 22

Attempts to prevent the exploitation of the vulnerability.

Answer 22

Risk mitigation

Question 23

Attempts to shift risk to another entity

Answer 23

Transference risk treatment strategy, AKA risk sharing or risk transfer

Question 24

The key to an effective transference risk treatment strategy is the implementation of an effective:

Answer 24

service level agreement (SLA)

Question 25

Risk acceptance

Answer 25

The decision to do nothing beyond the current level of protection to shield an information asset from risk and to accept the outcome from any resulting exploitation

Question 26

Based on the organization’s intentional choice not to protect an asset.

Answer 26

Risk avoidance or risk termination

Question 27

Involve requesting and providing information as direct feedback about issues that arise in the implementation and operation of each stage of the process

Answer 27

Process communications

Question 28

Involves establishing and collecting formal performance measures and assessment methods to determine the relative success of the RM program.

Answer 28

Process monitoring and review

Question 29

Expected loss per risk formulas:

Answer 29

Annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized rate of occurrence (ARO)‏

SLE = asset value × exposure factor (EF)‏

Question 30

Determines if an alternative being evaluated is worth the cost incurred to control the vulnerability

Answer 30

Cost benefit Analysis

Question 31

The two ISOs that focus on Risk management

Answer 31

ISO 27005 information technology — security techniques — information security risk management

ISO 31000 risk management – guidelines

Question 32

Two documents that describe the NIST RMF

Answer 32

SP 800-37, Rev. 2 Risk Management Framework for Information Systems and Organizations

SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View