Principles & Practices 1 Flashcards
What is Enterprise Security Risk Management (ESRM)?
ESRM is a strategic approach to security management that ties an organization’s security practice to its overall strategy using globally accepted and established risk management principles.
What are the three primary components of Enterprise Security Risk Management (ESRM)?
- The content
- The foundation
- The ESRM cycle
This component of Enterprise Security Risk Management (ESRM) includes organizational aspects that security professionals must understand to successfully adopt ESRM.
The content
This component of Enterprise Security Risk Management (ESRM) includes organizational concepts that support the ESRM approach and maximize its impact.
The foundation
This component of Enterprise Security Risk Management (ESRM) is the actual process of security risk management that emphasizes the importance of understanding assets.
The ESRM cycle
What organizational aspects are included in the context of Enterprise Security Risk Management (ESRM)?
- Mission and vision
- Core values
- Operating environment
- Stakeholders
What three things comprise the operating environment of an organization?
- Physical
- Nonphysical
- Logic
This operating environment includes much of what influences traditional security factors, such as the type and location of buildings, industrial control systems, and products on hand.
Physical
These factors are sources of risk, and include things such as the geopolitical environment, intensity of competition, and speed required for decision making.
Nonphysical factors
These factors focus on information types such as servers, workstations, and network infrastructure.
Logical factors
What are the four processes in the Enterprise Security Risk Management (ESRM) cycle?
- Identify and prioritize assets
- Identify and prioritize risks
- Mitigate prioritized risks
- Continuous improvement
What is an asset owner?
The person most directly responsible for successful operation of the asset. In Enterprise Security Risk Management (ESRM), the asset owner is assigned responsibility for the risk to an asset.
What four concepts comprise the foundation of Enterprise Security Risk Management (ESRM)?
- Holistic risk management
- Partnership with stakeholders
- Transparency
- Governance
What are two types of assets?
- Tangible
- Intangible
What are four ways to manage risk?
- Eliminate
- Reduce
- Transfer
- Accept
This risk mitigation strategy involves removing the risk entirely.
Eliminate
This risk mitigation strategy attempts to minimize risk through protective measures.
Reduce
This risk mitigation strategy is typically achieved when another entity takes the risk on the organization’s behalf.
Transfer
This risk mitigation strategy allows risk if the costs of reducing, eliminating, or transferring the risk outweigh the potential losses associated with it.
Accept
What is a risk assessment?
Risk assessment is the identification, analysis, and evaluation of uncertainties to objectives and outcomes.
It provides a comparison between the desired/undesired outcomes and expected rewards/losses of organizational objectives.
The risk assessment analyzes whether the uncertainty is within acceptable boundaries and within the organization’s capacity to manage risk.
What do the results of a risk assessment inform?
The choices available to effectively manage risk to achieve the organization’s outcomes.
What are the deciding factors between a qualitative or quantitative approach to a risk assessment?
The reliability and validity of the available data
The nature of the risk factors and if they are quantifiable
The target audience for the outputs
What is risk appetite?
The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes.
What is risk tolerance?
The amount of uncertainty an organization is prepared to accept in total or, more narrowly, within a certain business unit, a particular risk category, or for a specific initiative.
What tasks take place at the start of the risk assessment?
- Setting objectives
- Identification of stakeholders
- Identification of internal context and variables
- Documenting assumptions
- Defining scope and statement of work
- Policy and management commitment
- Commitment of resources
What is a gap analysis?
A technique to determine what steps might need to be taken to improve from a current state to a desired, future state.
A gap analysis consists of what three steps?
- Noting currently available factors
- Listing success factors needed to achieve future, desired objectives
- Highlighting the gaps that exist and what gaps may need to be filled to be successful
What four components should be in any risk identification process, regardless of risk discipline?
- Asset and service identification, valuation, and characterization
- Threat and opportunity analysis
- Vulnerability and capability analysis
- Criticality and impact analysis
What comprises assessor competence?
- Personal traits and interpersonal skills
- Assessment skills
- Communication skills
- Education, training, and knowledge
- Work experience
Documented criteria of an assessor’s knowledge and skills provide the basis for what three things?
- Selection of assessment team members
- Ascertaining the competence enhancement required for continuous improvement
- Determining performance indicators for assessors
What are two types of interactions between a risk assessment team and an organization?
- Human interaction
- Minimal human interaction
This type of interaction includes activities such as conducting interviews, document reviews with stakeholders, exercises, and undercover investigations.
Human interaction
This type of interaction includes activities such as conducting a document review, physical examination, observation, and sampling.
Minimal human interaction
What are two examples of assessment paths?
- Tracing
- Process method
This assessment path tracks a process or risk event chronologically, following a path forward or backward through a process or sequence.
Tracing
This assessment path tests a sequence of steps and evaluates process controls, interactions, effectiveness, and opportunities for improvement.
Process method
What are some examples of the process method?
- Objectives method
- Risk source method
- Department method
- Requirement method
- Discovery method
What is sampling?
The process or technique of selecting a representative part of a population for the purpose.
When is it beneficial to use a sampling method?
When it is not practical in time or cost terms to evaluate all available information.
What are two types of sampling methods?
- Non-statistical
- Statistical
This sampling method includes judgmental sampling, convenience sampling, and haphazard sampling.
Non-statistical
This sampling method includes random sampling, systematic sampling, stratified sampling, and cluster/block sampling.
Statistical sampling
What is terrorism?
An act of violence designed to achieve a political end.
What is domestic terrorism?
Violent, criminal acts committed by individuals and/or groups to further ideological goals stemming from domestic influences, such as those of a political, religious, social, racial, or environmental nature.