Personnel Security and Risk Management Concepts

Question 1

What does the Exposure Factor (EF) represent?

Answer 1

The percentage of loss that an organization would expect to experience if a specific asset were violated by a realized risk. Expressed in a %

Question 2

What does the Single Loss Expectancy (SLE) represent?

Answer 2

The amount of loss an organization would experience if an asset were harmed by a specific threat occurring. It is a SINGLE event of loss.

Question 3

How do you calculate the Single Loss Expectancy (SLE)?

Answer 3

SLE= AV (Asset Value) * EF (Exposure Factor) SLE= AV x EF

Question 4

What is the ARO (Annualized Rate of Occurrence)?

Answer 4

The expected frequency with which a specific threat or risk will occur in ONE year.

Question 5

How do you calculate the ARO?

Answer 5

It can be derived by historical records . Multiply the likelihood of an occurrence by the number of users who could initiate the threat.

Question 6

What is the ALE (Annualized Loss Expectancy)?

Answer 6

The possible yearly costs of all instances of a specific realized threat against a specific asset.

Question 7

How do you calculate the ALE (Annualized Loss Expectancy)?

Answer 7

SLE (Single Loss Expectancy) * ARO = SLE

Question 8

What does a Safeguard do?

Answer 8

Reduces the ARO (Annual Rate of Occurrence) but does not affect the Exposure Factor (EF). Reduces the likelihood of the event occuring.

Question 9

What type of calculations should you do when looking to apply a safeguard?

Answer 9

You should do a Cost/Benefit analysis of applying the safeguard. If safeguard costs more than the asset you are protecting, why do it?

Question 10

How do you calculate Safeguard benefit?

Answer 10

(ALE1 - ALE2) -ACS = Safeguard Value

(ALE Before Safeguard - ALE After Implementing Safeguard) - Annual Cost of Safeguard ACS = Value of Safeguard to the company

Question 11

How do you calculate the Annual Cost of a Safeguard (ACS)?

Answer 11

Cost of Safeguard/ # Years

Question 12

How do you calculate Residual Risk?

Answer 12

Total Risk - Controls Gap = Residual Risk

It is the RISK that remains AFTER countermeausrres are in place

Question 13

Define a Control Gap?

Answer 13

The difference between the Total Risk and the Residual Risk

Question 14

Name the 7 different types of CONTROLS?

Answer 14

1. Deterrent
2. Peventative
3. Detective
4. Compensating
5. Corrective
6. Recovery
7. Directive

Question 15

What is a Deterrent control used to prevent?

Answer 15

1. Discourage viloation of security policies.

Question 16

What is a Preventative control used to prevent?

Answer 16

Stop unwanted or unauthorized activity from occuring.

Question 17

What is a Detective control used for?

Answer 17

To discover or detect unwanted or unauthorized activity.

Question 18

What is a Compensating control used for?

Answer 18

They are controls used in addtion to, or in place of. Aids in enforcement and support of security policies.

Question 19

What is a Corrective access control used for?

Answer 19

Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occured.

Question 20

What are Recovery controls used for?

Answer 20

Extension of Corrective access controls but usually will restore things back to prior state. i.e. system imaging, server clustering, anti-virus software, database or VM shadowing.

Question 21

What are Directive access control?

Answer 21

It is deployed to direct, confine, or control the actions of subjects to force or encourage complaince with security policies. e.g., security policy requirements or criteria, posted notifcations, escape route signs, montioring, supervision, etc.

Question 22

What are the steps in the Risk Management Framework (RMF)?

Answer 22

1. Categorize- Information- stroed, processed, transmitted
2. Select - Intial set of baseline controls
3. Implement - security controls
4. Assess - security controls
5. Authorize - Information system operation
6. Monitor - the security control in the information system

Question 23

Which of the follwing is not an element of the risk analysis process?

Answer 23

a. Analysing an environment for risks
b. Creating a cost/benefit report for safeguards to present to upper management

c. Selecting appropriate safeguards and implementing them

d. Evaluating each threat event as to its likelihood of occuring and cost of the resulting damage

Question 24

When a safeguard or countermeasure is not present or sufficient _______ remains.

Answer 24

Vulnerability

Question 25

When evaluating safeguards __________

Answer 25

The annual cost of safeguards should not exceed the expected annual cost of assett loss.