Risk

Question 1

Impact combined with likelihood give rise to______

Answer 1

Risk

Question 2

Threats and vulnerabilities help determine the likelihood of what?

Answer 2

An impact occuring

Question 3

Allows organisations to discover and share threat and vulnerability information

Answer 3

Threat intelligence and sharing

Question 4

What is WARPS

Answer 4

Warning, Advice & Reporting Points

Question 5

What is CERTs

Answer 5

Computer Emergency Response Teams

Question 6

What are WARPs and CERTs?

Answer 6

Freely available sources

Question 7

What is threat categorisation?

Answer 7

Understanding the difference between different types of threats, such as accidental, deliberate, internal and external threats and to anticipate that threats may arise from unexpected sources

Question 8

What are accidental threats?

Answer 8

Hazards, which are generally environmental in nature eg pandemics, human errors, simple failures of systems and software; fire, floods and power failures. Accidental threats are frequently things that the organisation cannot avoid, it must anticipate and be prepared to deal with

Question 9

What are deliberate threats?

Answer 9

Hacking; malicious software, sabotage, eg DDoS attacks and cyber terrorism, whether by individual groups or nation states; high-tech crime, either by individuals, corporations or criminal gangs. Again, anticipation is the key factor.

Question 10

What are some other sources of threats?

Answer 10

Threats from the Dark Web, vulnerabilities of Big Data and the Internet of Things

Question 11

What are sources of unintentional threat?

Answer 11

Internal employees and contractors, trusted partners; poor software design, weak procedures and processes, managed services and social media. Unintentional threats are frequently the result of failing to follow procedures or cutting corners in order to save time and effort

Question 12

What are sources of deliberate threat?

Answer 12

Internal(possibly disgruntled) employees and contractors, random attackers, targeting attackers, especially where there is a strong motive. Part of the art of risk management is understanding the likely motivations of attackers, which leads to improved risk assessment and the introduction of more appropriate controls

Question 13

What is Vulnerability categorisation?

Answer 13

Weaknesses or design failures in both software and hardware, location of or poor design of buildings and facilities, people who may be susceptible to coercion and undocumented, poorly written or unenforced procedures. As with threats, it is important to think outside the box to identify possible vulnerabilities

Question 14

What are some examples of specific vulnerabilities?

Answer 14

personal computers, laptops, hand held devices such as tablets and smartphones, uncontrolled ‘Bring Your Own Device’ usage, system servers, network devices, wireless systems, web servers and email systems

Question 15

What contributes to overall risk?

Answer 15

Threat, Vulnerabilities & Asset Values

Question 16

What risks should an organisation do detailed examination and treatment proposals on?

Answer 16

Higher or Critical Risks

Question 17

Threats should be impact assessed in terms of what?

Answer 17

Loss of confidentiality, integrity or availability leading to service failures, financial loss, brand damage or loss of
customer confidence

Question 18

Who should impact assessments be conducted with and why?

Impact assessments should be conducted with the information owner to ensure that
the true impacts are identified, not what another person thinks they may be.

Answer 18

They should be conducted with the information owner to ensure that the true impacts are identified, not what another person thinks they might be

Question 19

What are the steps in the risk management process?

Answer 19

⎻ Define the context in which the organisation
operates.
⎻ Identify the risks.
⎻ Analyse them for level of risk.
⎻ Evaluate them for criticality.
⎻ Treat them.

Question 20

Who must you communicate with throughout?

Answer 20

Stakeholders

Question 21

What needs to be done regularly with impact assessment?

Answer 21

Monitor & Review

Question 22

What are the four options for dealing with risk?

Answer 22

• Avoid or terminate the risk
• Share or transfer the risk
• Reduce or Modify the risk
• Accept the risk

Question 23

What is avoiding or terminating the risk?

Answer 23

Don’t do it or stop doing it – but this may introduce additional risks

Question 24

What is sharing or transferring the risk?

Answer 24

Share or transfer the risk to a third party e.g. insurance, but retain overall ownership

Question 25

How do you reduce or modify a risk?

Answer 25

Use controls to change the impact or likelihood

Question 26

What is accepting the risk and when do you do it?

Answer 26

Accept the risk If none of the other options is workable or if they cannot reduce the risk further. Review the risk periodically, but never ignore the risk

Question 27

What are detective controls?

Answer 27

TACTICAL

Discovering what has happened or is happening, such as antivirus software, CCTV

Question 28

What are preventative controls?

Answer 28

TACTICAL
Measures to prevent something from happening,
such as barriers, guards

Question 29

What are directive controls?

Answer 29

TACTICAL
Issuing instructions to prevent or respond, such
as policies and procedures

Question 30

What are corrective controls?

Answer 30

TACTICAL

Measures to fix a problem, such as installing a software patch

Question 31

What are examples of physical controls?

Answer 31

OPERATIONAL

Security barriers and access control systems

Question 32

What are examples of procedural/personal controls?

Answer 32

OPERATIONAL

Enforced password updates, firewall rule sets

Question 33

What are examples of technical controls?

Answer 33

OPERATIONAL

Intrusion detection/prevention systems, file or disk level encryption

Answer 34

The organisation needs to understand the impact of damage to or loss of assets in order to assess the risks it faces and decide whether to accept the risk, or to treat it in some way