Risk Flashcards

1
Q

Impact combined with likelihood gives rise to ______

A

Risk

2
Q

Threats and vulnerabilities help determine the likelihood of what?

A

An impact occurring

3
Q

Allows organisations to discover and share threat and vulnerability information

A

Threat intelligence and sharing

4
Q

What are WARPs?

A

Warning, Advice & Reporting Points

5
Q

What are CERTs?

A

Computer Emergency Response Teams

6
Q

What are WARPs and CERTs?

A

Freely available sources

7
Q

What is threat categorisation?

A

Understanding the difference between different types of threats, such as accidental, deliberate, internal and external threats and to anticipate that threats may arise from unexpected sources

8
Q

What are accidental threats?

A

Hazards, which are generally environmental in nature, e.g. pandemics, human errors, simple failures of systems and software, fire, floods and power failures. Accidental threats are frequently things that the organisation cannot avoid; it must anticipate them and be prepared to deal with them

9
Q

What are deliberate threats?

A

Hacking, malicious software and sabotage, e.g. DDoS attacks and cyber terrorism, whether by individuals, groups or nation states; high-tech crime, whether by individuals, corporations or criminal gangs. Again, anticipation is the key factor.

10
Q

What are some other sources of threats?

A

Threats from the Dark Web, vulnerabilities of Big Data and the Internet of Things

11
Q

What are sources of unintentional threat?

A

Internal employees and contractors, trusted partners; poor software design, weak procedures and processes, managed services and social media. Unintentional threats are frequently the result of failing to follow procedures or cutting corners in order to save time and effort

12
Q

What are sources of deliberate threat?

A

Internal (possibly disgruntled) employees and contractors, random attackers, and targeting attackers, especially where there is a strong motive. Part of the art of risk management is understanding the likely motivations of attackers, which leads to improved risk assessment and the introduction of more appropriate controls

13
Q

What is vulnerability categorisation?

A

Weaknesses or design failures in both software and hardware, location of or poor design of buildings and facilities, people who may be susceptible to coercion and undocumented, poorly written or unenforced procedures. As with threats, it is important to think outside the box to identify possible vulnerabilities

14
Q

What are some examples of specific vulnerabilities?

A

Personal computers, laptops, hand-held devices such as tablets and smartphones, uncontrolled ‘Bring Your Own Device’ usage, system servers, network devices, wireless systems, web servers and email systems

15
Q

What contributes to overall risk?

A

Threat, Vulnerabilities & Asset Values

16
Q

Which risks should an organisation subject to detailed examination and treatment proposals?

A

Higher or Critical Risks

17
Q

Threats should be impact assessed in terms of what?

A

Loss of confidentiality, integrity or availability leading to service failures, financial loss, brand damage or loss of customer confidence

18
Q

Who should impact assessments be conducted with and why?

A

They should be conducted with the information owner to ensure that the true impacts are identified, not what another person thinks they might be

19
Q

What are the steps in the risk management process?

A
  • Define the context in which the organisation operates.
  • Identify the risks.
  • Analyse them for level of risk.
  • Evaluate them for criticality.
  • Treat them.
20
Q

Who must you communicate with throughout?

A

Stakeholders

21
Q

What needs to be done regularly with impact assessment?

A

Monitor & Review

22
Q

What are the four options for dealing with risk?

A
  • Avoid or terminate the risk
  • Share or transfer the risk
  • Reduce or Modify the risk
  • Accept the risk
23
Q

What is avoiding or terminating the risk?

A

Don’t do it or stop doing it – but this may introduce additional risks

24
Q

What is sharing or transferring the risk?

A

Share or transfer the risk to a third party e.g. insurance, but retain overall ownership

25
Q

How do you reduce or modify a risk?

A

Use controls to change the impact or likelihood

26
Q

What is accepting the risk and when do you do it?

A

Accept the risk if none of the other options is workable or if they cannot reduce the risk further. Review the risk periodically, but never ignore it

27
Q

What are detective controls?

A

TACTICAL

Discovering what has happened or is happening, such as antivirus software, CCTV

28
Q

What are preventative controls?

A

TACTICAL

Measures to prevent something from happening, such as barriers, guards

29
Q

What are directive controls?

A

TACTICAL

Issuing instructions to prevent or respond, such as policies and procedures

30
Q

What are corrective controls?

A

TACTICAL

Measures to fix a problem, such as installing a software patch

31
Q

What are examples of physical controls?

A

OPERATIONAL

Security barriers and access control systems

32
Q

What are examples of procedural/personal controls?

A

OPERATIONAL

Enforced password updates, firewall rule sets

33
Q

What are examples of technical controls?

A

OPERATIONAL

Intrusion detection/prevention systems, file or disk level encryption

34
Q
A

The organisation needs to understand the impact of damage to or loss of assets in order to assess the risks it faces and decide whether to accept the risk, or to treat it in some way