Perform Risk Management Activities Flashcards
A U.S. government agency has contracted a risk auditor to conduct a risk assessment. Which framework should the auditor use?
NIST RMF
The National Institute of Standards and Technology Risk Management Framework (NIST RMF) defines the standards that U.S. federal agencies must use to assess and manage cybersecurity risks.
A security manager is standing up a risk management program at a company. What should the security manager set up that might be considered the most recognized output?
Risk Register
The risk register can be the most recognized output of the risk management program. It includes metadata such as threat, impact, likelihood, plan, and risk level.
A vulnerability management lead for a major company is working with various teams to keep the company secure, but there is a significant number of legacy systems the company worries about, so the lead recommends purchasing an insurance policy. What type of risk strategy is this?
Risk transference
Risk transference (or sharing) refers to assigning risk to a third party. Purchasing an insurance policy most typically exemplifies risk transference.
A security engineer works for a mid-sized retail company on the systems administration team. One of the web servers went down, customers were unable to purchase the goods the company sells, and the company suspects the customers purchased the same goods elsewhere. What is this considered?
SLE
Single Loss Expectancy (SLE) is the amount lost in a single occurrence of the risk factor, such as the cost during downtime.
A security project manager is considering transitioning to a cloud-based strategy for a company. The company currently operates with a minimal team in their data center services and aims to reduce their responsibilities while maintaining service quality. Which cloud solution would require the least amount of management and maintenance from this team?
SaaS
Software as a Service (SaaS) represents the lowest amount of responsibility for the customer as the facilities, utilities, physical security, platform, and applications are the provider’s responsibility.
Infrastructure as a Service (IaaS) provides hardware hosted at a provider facility, using the provider’s physical security controls and utilities, such as power.
Platform as a Service (PaaS) provides a selection of operating systems loaded and configured by the customer. The underlying infrastructure, facilities, utilities, and physical security are the provider’s responsibility.
What are the two major components of risk?
Impact and Likelihood
Impact is the severity of the risk when realized. Determining factors include the scope, the value of the asset, or the financial impacts of the event.
The likelihood of occurrence is the probability that a threat will actually take place.
A security engineer is considering moving their organization’s IT services to the cloud but is concerned whether the vendor they are considering will remain in business on an ongoing basis. What type of vendor assessment is this?
Vendor viability
Vendor viability considers whether a vendor will remain in business on an ongoing basis, has a viable and in-demand product, and has the financial means to stay afloat.
A security architect for an organization is conducting an internal assessment of current policies, processes, and procedures to ensure protection for the business’s technology and financial operations. Which of the following would be best suited to support this assessment?
SOC
System and Organization Controls (SOC) uses standards established by the American Institute of Certified Public Accountants (AICPA) to evaluate policies, processes, and procedures to protect technology and financial operations.
A security architect is planning a Statement of Work to perform services at various levels of the Risk Management Lifecycle. The security architect should allocate the most hours to which phase?
Control
The control phase identifies effective ways to reduce identified risks. The effective identification and implementation of these controls represent a significant amount of the work effort undertaken by security practitioners.
A security engineer at a software company is currently analyzing its supply chain. What would the company’s supply chain most likely involve?
Source code repositories, Development language, and Third-party libraries
For a software company, the supply chain may include source-code repositories. For example, when Java began charging licensing fees for its use, many companies chose to switch to OpenJDK as an alternative.
Software company supply chains may also include the development language. Code scanning is a major component of security.
Third-party libraries will also likely be part of a software company’s supply chain. Supply chain attacks can slip malicious code, such as a shell, in with third-party libraries.