Risk Assessments

Question 1

Risk Assessments

Answer 1

A process used inside of risk management to identify how much risk exists in a given network or system

Question 2

Risk

Answer 2

The probability that a threat will be realized

Question 3

Vulnerabilities

Answer 3

Weaknesses in the design or implementation of a system

Question 4

Threat

Answer 4

§ Any condition that could cause harm, loss, damage, or compromise to our information technology systems
§ Threats are external and beyond your control

Question 5

Risk Avoidance

Answer 5

A strategy that requires stopping the activity that has risk or
choosing a less risky alternative

Question 6

Risk Transfer

Answer 6

A strategy that passes the risk to a third party

Question 7

Risk Mitigation

Answer 7

A strategy that seeks to minimize the risk to an acceptable level

Question 8

Risk Acceptance

Answer 8

A strategy that seeks to accept the current level of risk and the costs associated with it if the risk were realized

Question 9

Residual Risk

Answer 9

The risk remaining after trying to avoid, transfer, or mitigate the risk

Question 10

Qualitative Risk Analysis

Answer 10

o Qualitative analysis uses intuition, experience, and other methods to assign a relative value to risk
o Experience is critical in qualitative analysis

Question 11

Quantitative Risk

Answer 11

o Quantitative analysis uses numerical and monetary values to calculate risk
o Quantitative analysis can calculate a direct cost for each risk

Question 12

Single Loss Expectancy (SLE)

Answer 12

Cost associated with the realization of each individualized threat that occurs

Asset Value x Exposure Factor

Question 13

Annualized Rate of Occurrence (ARO)

Answer 13

Number of times per year that a threat is realized

Question 14

Annualized Loss Expectancy (ALE)

Answer 14

Expected cost of a realized threat over a given year
ALE = SLE x ARO

Question 15

Security Assessments

Answer 15

§ Verify that the organization’s security posture is designed and configured properly to help thwart different types of attacks
§ Assessments might be required by contracts, regulations, or laws
§ Assessments may be active or passive

Question 16

Active Security Assessments

Answer 16

Utilize more intrusive techniques like scanning, hands-on testing, and probing of the network to determine vulnerabilities

Question 17

Passive Assessments

Answer 17

o Utilize open source information, the passive collection and analysis of the network data, and other unobtrusive methods without making direct contact with the targeted systems
o Passive techniques are limited in the amount of detail they find

Question 18

Security controls are categorized as

Answer 18

Physical Controls
Technical Controls
Administrative Controls

Question 19

Physical Controls

Answer 19

Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it

Question 20

Technical Controls

Answer 20

Safeguards and countermeasures used to avoid, detect, counteract, or minimize security risks to our systems and information

Question 21

Administrative Controls

Answer 21

Focused on changing the behavior of people instead of removing the actual risk involved

Question 22

NIST Security Controls Categories

Answer 22

Management Controls
Operational Controls
Technical Controls

Question 23

Management Controls (NIST)

Answer 23

Security controls that are focused on decision-making and the management of risk

Question 24

Operational Controls (NIST)

Answer 24

Focused on the things done by people

Question 25

Technical Controls (NIST)

Answer 25

Logical controls that are put into a system to help secure it

Question 26

Preventative Controls

Answer 26

Security controls that are installed before an event happens and are designed to prevent something from occurring

Question 27

Detective Controls

Answer 27

Used during the event to find out whether something bad might be happening

Question 28

Corrective Controls

Answer 28

Used after an event occurs

Question 29

Compensating Control

Answer 29

§ Used whenever you can’t meet the requirement for a normal control
§ Residual risk not covered by a compensating control is an accepted risk

Question 30

Types of Risks

Answer 30

External Risk
Internal Risk
Legacy Systems
Multiparty
IP Theft
Software Compliance/Licensing

Question 31

External Risk

Answer 31

Risks that are produced by a non-human source and are beyond human control

Question 32

Internal Risk

Answer 32

Risks that are formed within the organization, arise during normal operations, and are often forecastable

Question 33

Legacy Systems

Answer 33

An old method, technology, computer system, or application program which includes an outdated computer system still in use

Question 34

Multiparty

Answer 34

A risk that refers to the connection of multiple systems or organizations with each bringing their own inherent risks

Question 35

IP Theft

Answer 35

Risk associated with business assets and property being stolen from an organization in which economic damage, the loss of a competitive edge, or a slowdown in business growth occurs

Question 36

Software Compliance/Licensing

Answer 36

Risk associated with a company not being aware of what software or components are installed within its network