Personnel Security and Risk Management Concepts Flashcards

1
Q

What does the Exposure Factor (EF) represent?

A

The percentage of loss that an organization would expect to experience if a specific asset were violated by a realized risk. It is expressed as a percentage.

2
Q

What does the Single Loss Expectancy (SLE) represent?

A

The amount of loss an organization would experience if an asset were harmed by a specific threat occurring. It is a SINGLE event of loss.

3
Q

How do you calculate the Single Loss Expectancy (SLE)?

A

SLE = AV (Asset Value) × EF (Exposure Factor)

4
Q

What is the ARO (Annualized Rate of Occurrence)?

A

The expected frequency with which a specific threat or risk will occur in ONE year.

5
Q

How do you calculate the ARO?

A

It can be derived from historical records, or by multiplying the likelihood of an occurrence by the number of users who could initiate the threat.

6
Q

What is the ALE (Annualized Loss Expectancy)?

A

The possible yearly costs of all instances of a specific realized threat against a specific asset.

7
Q

How do you calculate the ALE (Annualized Loss Expectancy)?

A

SLE (Single Loss Expectancy) × ARO (Annualized Rate of Occurrence) = ALE

8
Q

What does a Safeguard do?

A

Reduces the ARO (Annualized Rate of Occurrence) but does not affect the Exposure Factor (EF). It reduces the likelihood of the event occurring.

9
Q

What type of calculations should you do when looking to apply a safeguard?

A

You should do a cost/benefit analysis of applying the safeguard. If the safeguard costs more than the asset you are protecting, why apply it?

10
Q

How do you calculate Safeguard benefit?

A

(ALE1 - ALE2) - ACS = Safeguard Value

(ALE before safeguard - ALE after implementing safeguard) - Annual Cost of Safeguard (ACS) = value of the safeguard to the company

11
Q

How do you calculate the Annual Cost of a Safeguard (ACS)?

A

Cost of Safeguard / Number of Years

12
Q

How do you calculate Residual Risk?

A

Total Risk - Controls Gap = Residual Risk

It is the RISK that remains AFTER countermeasures are in place.

13
Q

Define a Control Gap.

A

The difference between the Total Risk and the Residual Risk

14
Q

Name the 7 different types of CONTROLS.

A
  1. Deterrent
  2. Preventative
  3. Detective
  4. Compensating
  5. Corrective
  6. Recovery
  7. Directive
15
Q

What is a Deterrent control used to prevent?

A
  1. Discourage violation of security policies.
16
Q

What is a Preventative control used to prevent?

A

Stop unwanted or unauthorized activity from occurring.

17
Q

What is a Detective control used for?

A

To discover or detect unwanted or unauthorized activity.

18
Q

What is a Compensating control used for?

A

They are controls used in addition to, or in place of, other controls. They aid in the enforcement and support of security policies.

19
Q

What is a Corrective access control used for?

A

Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.

20
Q

What are Recovery controls used for?

A

An extension of corrective access controls that usually restores things to their prior state, e.g. system imaging, server clustering, anti-virus software, database or VM shadowing.

21
Q

What are Directive access controls?

A

They are deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies, e.g., security policy requirements or criteria, posted notifications, escape route signs, monitoring, supervision, etc.

22
Q

What are the steps in the Risk Management Framework (RMF)?

A
  1. Categorize - information stored, processed, transmitted
  2. Select - initial set of baseline controls
  3. Implement - security controls
  4. Assess - security controls
  5. Authorize - Information system operation
  6. Monitor - the security control in the information system
23
Q

Which of the following is not an element of the risk analysis process?

A

a. Analysing an environment for risks
b. Creating a cost/benefit report for safeguards to present to upper management

c. Selecting appropriate safeguards and implementing them

d. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage

24
Q

When a safeguard or countermeasure is not present or sufficient _______ remains.

A

Vulnerability

25
Q

When evaluating safeguards __________

A

The annual cost of safeguards should not exceed the expected annual cost of asset loss.
