Risk And Response

Question 1

Cause and Effect Analysis

Answer 1

Wishbone or Ishikawa Analysis that explores root causes or factors that contribute to positive or negative outcomes.

Question 2

Fault Tree Analysis

Answer 2

Combination of human and technical failures or events that results in negative outcomes. Top level event.

Question 3

Sensitivity Analysis

Answer 3

Tornado Diagram that displays Quantitative technique that determines risk factors with the highest impact

Question 4

KPI

Answer 4

Key Performance Indicator - looking at Performance of OPERATIONAL EFFECTIVENESS.
Must be ATTAINABLE. Anything OUTSIDE THRESHOLD is bad.

Question 5

KRI

Answer 5

Key Risk Indicator - alerting enterprise when RISK APPROACHES UNACCEPTABLE LEVEL. Part of risk response development.
Lagging - indicating risk after risk event.
Leading - Controls in place to prevent risk event.
Best if balanced between lead and lag.
Think TOLERANCE

Question 6

KCI

Answer 6

Key Control Indicator - quantify how well a SPECIFIC CONTROL IS WORKING. Before creating, need to determine TOLERANCES. Secondary Indicator to KRI showing control failure.

Question 7

Total Cost of Ownership

Answer 7

Included in the cost-benefit-analysis because it establishes cost baseline that must be considered.

Question 8

Substantive Test

Answer 8

A test that evaluates the integrity of data or individual transactions.

Question 9

Compliance Test

Answer 9

A test that is needed to determine compliance rather than the integrity of data.

Question 10

System Owner

Answer 10

Specifies the information security controls for the system based on the requirements from the information owner.

Question 11

Risk Treatment Plan

Answer 11

Covers all risk identified on the Risk Register that exceeds the Risk Tolerance.

Question 12

Progressive and Regressive Testing

Answer 12

Progressive testing begins with expectations and looks for flaws whereas regressive testing works backwards to determine root causes.

Question 13

Types of Testing

Answer 13

Stress - Maximum users
Volume- Maximum records
Performance - compares to benchmark of other systems.

Question 14

Most Important Control

Answer 14

Preventive Controls are the most important controls: 2FA, Firewalls, access lists…

Question 15

Backward Risk Indicator

Answer 15

Provide insights into risks that have occurred already and enable management to be improved.

Question 16

Operational Controls

Answer 16

KCIs measure performance. Also called Key Effectiveness Indicators.

Question 17

System Owner

Answer 17

Selects and documents the security controls.

Question 18

Senior Management

Answer 18

Determines if risk is acceptable.
Reviews and approves the security plan. Not the System Owner.

Question 19

Control Monitoring

Answer 19

Best way to confirm if the control is addressing the risk and operating effectively.