Módulo 12 - Risk Management Processes

Question 1

What is the primary goal of risk management?

Answer 1

To identify, assess, and mitigate vulnerabilities and threats to mission essential functions while minimizing risk and disruption.

Question 2

What are the five phases of risk management?

Answer 2

1. Identify mission essential functions
2. Identify vulnerabilities
3. Identify threats
4. Analyze business impacts
5. Identify risk responses.

Question 3

What is Maximum Tolerable Downtime (MTD)?

Answer 3

The longest period a business function can be offline without causing irrecoverable failure.

Question 4

What is the formula for Recovery Time Objective (RTO) and Work Recovery Time (WRT)?

Answer 4

RTO + WRT must not exceed MTD.

Question 5

What is Recovery Point Objective (RPO)?

Answer 5

The maximum acceptable amount of data loss, measured in time, that a system can tolerate.

Question 6

What is Mean Time Between Failures (MTBF)?

Answer 6

The average operational time between system or equipment failures.

Question 7

What is Mean Time to Repair (MTTR)?

Answer 7

The average time required to repair and restore a system to full operation.

Question 8

What are the four risk response strategies?

Answer 8

1. Mitigate
2. Avoid
3. Transfer
4. Accept.

Question 9

What is risk transference?

Answer 9

Assigning risk to a third party, such as an insurance provider.

Question 10

What is risk acceptance?

Answer 10

Choosing not to implement countermeasures because the risk level is deemed acceptable.

Question 11

What is the difference between a risk exception and a risk exemption?

Answer 11

A risk exception is temporary and must be reviewed periodically.
A risk exemption is a strategic decision to allow risk to remain without mitigation.

Question 12

What is a Mission Essential Function (MEF)?

Answer 12

A function that cannot be deferred and must be performed continuously or restored first after a disruption.

Question 13

What is the purpose of a Business Process Analysis (BPA)?

Answer 13

To identify inputs, hardware, staff, outputs, and process flow for critical systems supporting mission essential functions.

Question 14

What is Business Impact Analysis (BIA)?

Answer 14

A process that assesses the effects of disruptions on operations and quantifies potential losses.

Question 15

What are common methods for identifying risks?

Answer 15

1. Vulnerability assessments
2. Penetration testing
3. Security audits
4. Threat intelligence.

Question 16

What is residual risk?

Answer 16

The remaining risk after applying mitigation, transference, or acceptance measures.

Question 17

What is risk appetite?

Answer 17

The organization-wide level of residual risk deemed acceptable based on strategic goals and compliance.

Question 18

Give an example of risk mitigation.

Answer 18

Implementing a sprinkler system to reduce the impact of a fire.

Question 19

Provide an example of risk avoidance.

Answer 19

Discontinuing a high-risk software project due to its vulnerabilities.

Question 20

Describe an example of risk transference.

Answer 20

Purchasing cybersecurity insurance to cover potential data breach liabilities.

Question 21

What are the two main variables used in risk assessment?

Answer 21

Likelihood and impact.

Question 22

How is likelihood expressed in qualitative and quantitative analysis?

Answer 22

Qualitative: ‘Low,’ ‘Medium,’ ‘High’ or 1-5 scale.
Quantitative: Numerical value (0-1) or percentage.

Question 23

What is impact in risk assessment?

Answer 23

The severity of a risk event if realized, determined by asset value and cost of disruption.

Question 24

What is an RCSA?

Answer 24

Risk and Control Self-Assessment—a process for identifying risks and evaluating control effectiveness.

Question 25

What is a risk register?

Answer 25

A document summarizing risks, their impact, likelihood, owners, and mitigation strategies.

Question 26

What is the purpose of a heat map in risk assessment?

Answer 26

To visually represent risk severity, likelihood, and priorities using a traffic light system.

Question 27

What are the four types of risk assessments?

Answer 27

1. Ad hoc
2. Recurring
3. One-time
4. Continuous.

Question 28

Define quantitative risk assessment.

Answer 28

A method assigning concrete values to risks using metrics like Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE).

Question 29

What is qualitative risk analysis?

Answer 29

A method using subjective judgment and qualitative factors to assess risks without numerical data.

Question 30

What is Single Loss Expectancy (SLE)?

Answer 30

The monetary loss from a single risk event, calculated as Asset Value × Exposure Factor.

Question 31

What is Annualized Loss Expectancy (ALE)?

Answer 31

The annual financial loss from a risk, calculated as SLE × Annualized Rate of Occurrence (ARO).

Question 32

How is exposure factor (EF) used in SLE calculation?

Answer 32

EF represents the percentage of the asset value lost during a risk event.

Question 33

What is inherent risk?

Answer 33

The risk level before applying any mitigation measures.

Question 34

What is residual risk?

Answer 34

The risk level remaining after implementing mitigation measures.

Question 35

How does risk posture differ from risk appetite?

Answer 35

Risk posture reflects the overall state of risk management, while risk appetite defines acceptable levels of risk.

Question 36

What are Key Risk Indicators (KRIs)?

Answer 36

Predictive metrics used to monitor and assess potential risks.

Question 37

What is the role of a risk owner?

Answer 37

To manage, monitor, and implement mitigation measures for a specific risk.

Question 38

What are the four risk response strategies?

Answer 38

1. Mitigate
2. Avoid
3. Transfer
4. Accept.

Question 39

What is risk transference?

Answer 39

Assigning risk to a third party, such as through insurance.

Question 40

What is risk acceptance?

Answer 40

Choosing not to mitigate a risk due to low likelihood or impact.

Question 41

What is the difference between MTBF and MTTR?

Answer 41

MTBF: Mean Time Between Failures (average operational time).
MTTR: Mean Time to Repair (average time to restore functionality).

Question 42

What are the levels of risk appetite?

Answer 42

1. Expansionary
2. Conservative
3. Neutral.

Question 43

What is risk reporting?

Answer 43

The communication of an organization’s risk profile and risk management effectiveness to stakeholders.

Question 44

What is the primary purpose of a Business Continuity Plan (BCP)?

Answer 44

To ensure critical business functions (CBFs) continue during disruptions and restore normal operations.

Question 45

What are the key phases of a BCP during a disaster?

Answer 45

1. Identify the disaster and ensure safety.
2. Implement short-term recovery.
3. Stabilize operations.
4. Restore all functions to normal.

Question 46

What is the role of succession planning in BCP?

Answer 46

To identify and develop internal candidates for future key roles, ensuring smooth leadership transitions.

Question 47

What is COOP, and how does it differ from BCP?

Answer 47

COOP ensures critical functions continue during a crisis, focusing on immediate response, while BCP covers broader organizational recovery.

Question 48

What are some COOP strategies for IT systems?

Answer 48

Redundant IT systems, off-site backups, failover systems, and alternative work arrangements.

Question 49

Why is regular COOP testing important?

Answer 49

To verify effectiveness, identify gaps, and ensure readiness for various disruptions.

Question 50

Why are backups critical in COOP?

Answer 50

They safeguard data, ensure recoverability, and minimize downtime during disruptions.

Question 51

What is the importance of testing backups?

Answer 51

To validate data integrity, recovery speed, and compliance with regulatory requirements.

Question 52

What is capacity planning?

Answer 52

A process to forecast and allocate resources (people, technology, infrastructure) for current and future needs.

Question 53

What are the methods of capacity planning?

Answer 53

Trend analysis, simulation modeling, and benchmarking.

Question 54

What risks can poor capacity planning introduce?

Answer 54

Overloaded systems, insufficient security, and resource underutilization.

Question 55

What are the three types of recovery sites?

Answer 55

1. Hot site: Immediate failover, fully operational.
2. Warm site: Requires data loading before use.
3. Cold site: Empty, requires setup.

Question 56

What is geographic dispersion in disaster recovery?

Answer 56

Distributing recovery sites across regions to mitigate the impact of localized disasters.

Question 57

What is failover, and why is it important?

Answer 57

Failover ensures seamless transfer of operations to redundant systems during a failure.

Question 58

What are the advantages of using cloud services for DR?

Answer 58

Cost efficiency, scalability, geographic diversity, fast deployment, and simplified management.

Question 59

What are the types of resiliency tests?

Answer 59

1. Tabletop exercises
2. Failover tests
3. Simulations
4. Parallel processing tests.

Question 60

Why is regular testing of resiliency plans critical?

Answer 60

To identify vulnerabilities, refine strategies, and improve preparedness.

Question 61

What are key components of continuity documentation?

Answer 61

Test plans, test scripts, results, and communication reports.

Question 62

What are examples of third-party assessments for BCP testing?

Answer 62

ISO 22301, PCI DSS, and SOC 2 evaluations.

Question 63

Why is destroying outdated BCP versions important?

Answer 63

To avoid confusion and ensure only current procedures are followed during crises.

Question 64

What are people risks in capacity planning?

Answer 64

Insufficient staffing, skill gaps, and reliance on specific individuals.

Question 65

How can cross-training help mitigate workforce risks?

Answer 65

By ensuring multiple employees can perform critical tasks, reducing dependency on single individuals.

Question 66

What technologies support remote work continuity?

Answer 66

VPNs, remote desktop software, cloud-based tools, video conferencing, and project management platforms

Question 67

What are the main components of third-party risk management processes?

Answer 67

Vendor due diligence, risk identification and assessment, ongoing monitoring, and incident response planning.

Question 68

Why is third-party vendor assessment critical?

Answer 68

To ensure vendors adhere to security standards, comply with regulations, and mitigate risks to the organization.

Question 69

What is vendor monitoring?

Answer 69

The continuous evaluation of vendors to ensure adherence to security standards, compliance, and contractual obligations.

Question 70

What factors are considered during vendor selection?

Answer 70

Security practices, financial stability, regulatory compliance, reputation, and risk profile.

Question 71

Name three types of third-party relationships in business

Answer 71

Vendor, supply chain partner, and business partner.

Question 72

How does vendor diversity benefit an organization?

Answer 72

It reduces cybersecurity risks, promotes resilience, fosters innovation, and mitigates vendor lock-in.

Question 73

What is the purpose of due diligence in vendor assessment?

Answer 73

To evaluate a vendor’s suitability, reliability, and risk profile based on predefined criteria.

Question 74

Name and describe a key contractual provision used in vendor assessments.

Answer 74

The right-to-audit clause: Allows organizations to audit vendor practices to ensure compliance and security.

Question 75

What is supply chain analysis in vendor risk management?

Answer 75

Evaluating risks and vulnerabilities in the supply chain to identify weak links and mitigate potential issues.

Question 76

What tools are used to gather vendor risk information?

Answer 76

Questionnaires, site visits, audits, and penetration testing.

Question 77

How do organizations validate responses to vendor questionnaires?

Answer 77

By requesting documentation, conducting audits, and using third-party verification services.

Question 78

What is a conflict of interest in vendor assessments?

Answer 78

A situation where competing interests may compromise the vendor’s ability to act impartially

Question 79

Name an example of a potential conflict of interest.

Answer 79

Financial incentives from partnerships that bias a vendor’s recommendations.

Question 80

What is the purpose of Rules of Engagement (RoE) with vendors?

Answer 80

To define responsibilities, security requirements, and communication protocols in vendor relationships.

Question 81

List three key elements in Rules of Engagement.

Answer 81

Roles and responsibilities, security requirements, and compliance obligations

Question 82

What is a Non-Disclosure Agreement (NDA)?

Answer 82

A binding agreement ensuring confidentiality of shared sensitive information.

Question 83

What is the difference between an MOU and an MOA?

Answer 83

An MOU is nonbinding and outlines intentions, while an MOA is binding and defines specific terms and responsibilities.

Question 84

What is the purpose of a Master Service Agreement (MSA)?

Answer 84

To define overarching terms for a specific contract, such as scope, pricing, and deliverables.

Question 85

What does a Service Level Agreement (SLA) define?

Answer 85

Performance metrics, quality standards, and service levels expected from a vendor.

Question 86

What is a Statement of Work (SOW)?

Answer 86

A document detailing a project’s scope, deliverables, timelines, and vendor responsibilities.

Question 87

What is the main purpose of audits in organizational operations?

Answer 87

To evaluate processes, controls, and compliance with standards and regulations, identifying gaps and recommending improvements.

Question 88

What do assessments focus on in an organization?

Answer 88

Evaluating the effectiveness of cybersecurity, risk management, and internal controls to identify vulnerabilities and risks

Question 89

How do audits and assessments support organizational goals

Answer 89

They maintain compliance, mitigate risks, and drive continuous improvement in security and operational performance

Question 90

What is the key difference between internal and external assessments?

Answer 90

Internal assessments are conducted by employees for continuous improvement, while external assessments are performed by third parties for impartial evaluations.

Question 91

Name two advantages of combining internal and external audits.

Answer 91

Enhanced risk management capabilities and improved stakeholder trust through transparency and accountability.

Question 92

Why are external assessments important?

Answer 92

They provide independent, objective evaluations against industry standards and identify areas for improvement missed by internal teams.

Question 93

What are the three main types of internal assessment methods?

Answer 93

Compliance assessments, audit committees, and self-assessments.

Question 94

What is the role of an audit committee?

Answer 94

To provide independent oversight of financial reporting, internal controls, and risk management practices.

Question 95

What is self-assessment, and who conducts it?

Answer 95

A process where internal personnel evaluate their performance against established metrics to identify strengths and weaknesses.

Question 96

What are common external assessment methods?

Answer 96

Regulatory assessments, external examinations, general assessments, and independent third-party audits.

Question 97

How do regulatory assessments support compliance?

Answer 97

By ensuring organizations adhere to laws, regulations, and standards through inspections, audits, and reviews.

Question 98

What is the benefit of independent third-party audits?

Answer 98

They provide unbiased assessments, demonstrating transparency, accountability, and adherence to regulations.

Question 99

What is attestation in the context of audits and assessments?

Answer 99

The process of verifying the accuracy and effectiveness of security controls, ensuring compliance with standards and best practices.

Question 100

Who typically conducts attestations?

Answer 100

Qualified and trusted external entities like auditors or assessors.

Question 101

How do internal and external assessments complement each other?

Answer 101

Internal assessments enable continuous improvement, while external assessments validate compliance and provide independent assurance.

Question 102

How does collaboration between internal and external auditors benefit organizations?

Answer 102

It facilitates knowledge sharing, improves assessment quality, and fosters professional development.

Question 103

Acronym:
BCP

Answer 103

Business Continuity Plan

Question 104

Acronym:
COOP

Answer 104

Continuity of Operations

Question 105

Acronym:
NIST RMF

Answer 105

National Institute of Standards and Technology Risk Management Framework

Question 106

Acronym:
PCI-DSS

Answer 106

Payment Card Industry Data Security Standard

Question 107

Acronym:
CPA

Answer 107

Certified Public Accountant

Question 108

Acronym:
SLA

Answer 108

Service Level Agreement

Question 109

Acronym:
SOW

Answer 109

Statement of Work

Question 110

Acronym:
MOU

Answer 110

Memorandum of Understanding

Question 111

Acronym:
MOA

Answer 111

Memorandum of Agreement

Question 112

Acronym:
BPA

Answer 112

Business Partnership Agreement

Question 113

Define:
Continuity of Operations (COOP)

Answer 113

A strategy to maintain or quickly resume critical functions during disasters or crises

Question 113

Acronym:
MSA

Answer 113

Master Service Agreement

Question 114

Define:
Master Service Agreement (MSA)

Answer 114

A contract outlining the general terms and conditions for a specific vendor relationship or engagement.