Risk Assessment

Question 1

Define Risk Assessment

Answer 1

• An evaluation of how much risk you and your organization are willing to take on.
• Must be performed before any other action, such as how much to spend on security and manpower.

Question 2

Vulnerability

Answer 2

A weakness that could be exploited by a threat.

Question 3

Key Components of Risk Assessent

Answer 3

1. Risks to Which the Organization is exposed.
   
   • Develop scenarios that can help you evaluate how to deal with risks.
2. Risks that need addressing.
   
   • Determine which risks need addressing and which ones are unlikely. Allows you to focus resources.
3. Coordination with BIA (Business Impact Analysis)
   
   • Provides the organization with an accurate picture of the situation facing it.

Question 4

ALE

Answer 4

• Annual Loss Expectancy value.
• Risk Calcualation
• The MONETARY measure of how much loss you could expect in a year.

Question 5

SLE

Answer 5

1. Single Loss Expectancy
2. MONETARY measure of how much loss you could expect in a year.
3. Two Components
   
   • AV - Asset Value
   • EF - Exposure Factor

Question 6

ARO

Answer 6

1. Annualized Rate of Occurrence
2. Likelihood, often drawn from historical data, of an event occuring within one year.

Question 7

Comput Risk Assessment Formula

Answer 7

SLE * ARO = ALE

Question 8

Quantitative Risk Assessement

Answer 8

1. Cost-based.
2. Objective.
3. Focused on dollar amounts.

Question 9

Qualitative

Answer 9

1. Opinion-based.
2. Subjective

Question 10

Likelihood

Answer 10

1. NIST recomments viewing Likelihood as a score representing the possibility of threat initiation.
2. Can be expressed in either quantitative or qualitative terms.

Question 11

Threat Vectors

Answer 11

1. The WAY in which an attacker poses a threat.
   
   • Tool used.
   • Path used.
2. Examples
   
   • Fake email that lures you into clicking a link (Phishing).
   • Unsecured wifi hotspot.

Question 12

Mean Time Between Failures

Answer 12

1. MTBF
2. Meaures of the anticipated incidence of failure for a system or component.
3. Determines the component’s anticipated lifetime.
4. Helpful in evaluating a system’s reliability and life expectancy.

Question 13

Mean Time to Failure

Answer 13

1. MTTF
2. Average time to failure for a NON-REPAIRABLE system.
3. Only use if system cannot be repaired.
   
   • If the system can be repaired, use Mean Time Between Failures (MTBF).

Question 14

Mean Time to Restore

Answer 14

1. MTTR
2. Measure of how long it takes to repair a system or component once a failure occurs.

Question 15

Recovery Tome Objective

Answer 15

1. RTO
2. Maximum amount of time the process or service is allowed to be down and the consequences still be considered acceptable.
3. Agreed on during BIA creation.

Question 16

Recovery Point Objective

Answer 16

1. RPO
2. The point at which the system needs to be restored.
3. Ex: Restore to the point two days before the crash.
4. General rule: The closer the RPO is to the time of the crash, the more expensive it is to obtain.

Question 17

Acting on your Risk Assessement

Risk Avoidance

Answer 17

1. Identify a risk, and make a decision to longer engage in activities associated with that risk.

Example: Decide that email attachements are too risky, and block all email attachements.

Question 18

Acting on your Risk Assessement

Risk Transference

Answer 18

1. Does NOT mean you shift the risk completely to another entity.
2. You SHARE the risk with someone else, such as an insurance company.

Question 19

Acting on your Risk Assessement

Risk Mitigation

Answer 19

1. Any time you take steps to reduce risk.
2. Confront it.
   
   • Audits that address user rights.
   • Permission reviews.
   • Change Management - Structured approach followed to secure a company’s assets.
   • Incident Management - Steps followed when an event occurs.

Question 20

Risk Mitigation - Change Management

Answer 20

A structured approach that is followed to secure a company’s assets.

Question 21

Risk Mitigation - Incident Management

Answer 21

Steps followed when an incident occurs.

Question 22

Risk Mitigation

Data Loss Prevention

Answer 22

1. Monitor the content of systems to make sure that key content is not deleted or removed.

Question 23

Acting on your Risk Assessement

Risk Deterrence

Answer 23

1. Understanding something about the enemy, and letting them know the harm that can come their way if they cause harm to you.

Question 24

Acting on your Risk Assessement

Risk Acceptance

Answer 24

1. When the cost of implementing any of the other risk assessment options exceeds the value of the harm.
2. Administrator or manager must be aware of the existence of the risk.
3. Identified risk for which those involved understand the potential cost or damage and aggre to accept it.