Risk Management Flashcards
Which of the following risk assessment formulas represents the total potential loss a company may experience within a single year due to a specific risk to an asset?
SLE
ARO
ALE
ALE
The annualized loss expectancy (ALE) represents the total potential loss a company may experience within a single year due to a specific risk to an asset. EF is the percentage of asset value loss that would occur if a risk was realized. SLE is the potential dollar value loss from a single risk-realization incident. ARO is the statistical probability that a specific risk may be realized a certain number of times in a year.
Which of the following is more formal than a handshake agreement but not a legal binding contract?
SLA
DLP
MOU
MOU
A memorandum of understanding (MOU) is an expression of agreement or aligned intent, will, or purpose between two entities. An MOU is not typically a legal agreement or commitment, but rather a more formal form of a reciprocal agreement or gentleman’s handshake (neither of which is typically written down). An SLA is a formal control. BIA is business impact assessment. DLP is data loss prevention.
When a user signs a(n) ________, it’s a form of consent to the monitoring and auditing processes used by the organization.
Acceptable use policy
Privacy policy
Separation of duties policy
Acceptable use policy
When a user signs an acceptable use policy, it’s a form of consent to the monitoring and auditing processes used by the organization. A privacy policy usually explains that there is no privacy on company systems. A separation of duties policy indicates that administrative functions are divided among several people. The code of ethics policy describes decision-making processes to use when faced with ethical dilemmas.
When is business continuity needed?
When business processes are interrupted
When a user steals company data
When business processes are threatened
When business processes are threatened
Business continuity is used when business processes are threatened. Security policy is used when new software is distributed. Disaster recovery is used when business processes are interrupted. Incident response is used when a user steals company data.
You run a full backup every Monday. You also run a differential backup every other day of the week. You experience a drive failure on Friday. Which of the following restoration procedures should you use to restore data to the replacement drive?
Restore the full backup and then each differential backup.
Restore the full backup and then the last differential backup.
Restore the differential backup.
Restore the full backup and then the last differential backup.
The proper procedure is to restore the full backup and then the last differential backup. The other options are incorrect or incomplete.
Which of the following is a security control type that is not usually associated with or assigned to a security guard?
Preventive
Detective
Administrative
Administrative
A security guard is not an administrative control. A security guard can be considered a preventive, detective, and/or corrective control.
You are the security manager for a brokerage firm. New company policy requires that all administrators be evaluated for compliance or violations in regard to adherence to the security policy and ethics agreement. Which of the following is a technique that can be used to accomplish this task?
Separation of duties
Clean desk
Mandatory vacations
Mandatory vacations
Mandatory vacations are a form of user peer auditing. The process works by requiring each employee to be on vacation (or just away from the office and without remote access) for a minimal amount of time each year (typically one to two weeks). While the employee is away, another worker sits at their desk and performs their work tasks using the original employee’s privileged account. This process is used to detect fraud, abuse, or incompetence. The technique is often employed in financial environments or where high-value assets are managed.
Separation of duties has recently been implemented at your organization. Due to the size of the company, a single person has been assigned to each compartmented management area. There is some concern that over time the company will be at risk of being unable to perform critical tasks if one or more administrators are unavailable due to illness, vacation, retirement, or termination. What tool can be used to reduce this risk?
Job rotation
Principle of least privilege
Exit interviews
Job rotation
Job rotation, cross-training, or rotation of duties is a counterbalance to the application of separation of duties. If all high-level tasks are performed by individual administrators, what happens if one person leaves the organization? If no one else has the knowledge or skill to perform the tasks, the organization suffers. Job rotation is the periodic shifting of assigned work tasks or job descriptions among a small collection of workers, sometimes known as a rotation group.
Downtime is a violation of availability. Avoiding downtime is an essential tenet of your organization’s mission and security policy. What element of system management and maintenance needs to be monitored and tracked in order to avoid device failure resulting in unplanned downtime?
RTO
MTTF
ALE
MTTF
Aging hardware should be scheduled for replacement and/or repair. The schedule for such operations should be based on the mean time to failure (MTTF), mean time between failures (MTBF), and mean time to repair/restore (MTTR) estimates established for each device, or on prevailing best organizational practices for managing the hardware life cycle. MTTF is the expected typical functional lifetime of the device, given a specific operating environment. MTBF is the expected typical time frame between failures, such as between the first failure and the second failure. If the MTTF and MTBF are the same values (or nearly so), some manufacturers only list the MTBF rating and use it to address both concepts. MTTR is the average length of time required to perform a repair on the device. A device can often undergo numerous repairs before a catastrophic failure is expected. Be sure to schedule all devices to be replaced before their MTTFs expire.
You are the network manager for a large organization. Over the weekend a storm caused a power surge, which damaged the main router between the company network and the Internet service. On Monday morning you realize that the entire intranet is unable to connect to any outside resource and mission-critical tasks are not functioning. What is the problem that the organization is experiencing?
Sustained redundancy
Maintaining of availability
A single point of failure
A single point of failure
A single point of failure is any individual or sole device, connection, or pathway that is of moderate to mission-critical importance to the organization. If that one item fails, the whole organization suffers loss. Infrastructures should be designed with redundancies of all moderately or highly important elements in order to avoid single points of failure. Removing single points of failure involves adding redundancy, recovery options, or alternative means to perform business tasks and processes. Avoiding or resolving single points of failure will improve stability, uptime, and availability.
What form of risk analysis can involve the Delphi technique, interviews, and focus groups?
Quantitative
Residual
Qualitative
Qualitative
Qualitative risk analysis is more scenario based than calculator based. Rather than assign exact dollar figures to possible losses, you rank threats on a scale to evaluate their risks, costs, and effects. The process of performing qualitative risk analysis involves judgment, intuition, and experience. You can use many techniques to perform qualitative risk analysis, including brainstorming, the Delphi technique, storyboarding, focus groups, surveys, checklists, questionnaires, one-on-one meetings, and interviews.
You are the security manager for a large organization. During the yearly risk management reassessment, a specific risk is being left as is. You thoroughly document the information regarding the risk, the related assets, and the potential consequences. What is this method of addressing risk known as?
Mitigation
Tolerance
Assignment
Tolerance
Accepting risk, or tolerating risk, is the valuation by management of the cost-benefit analysis of possible safeguards and the determination that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk. It also means management has agreed to accept the consequences and the loss if the risk is realized. In most cases, accepting risk requires a clearly written statement that indicates why a safeguard was not implemented, who is responsible for the decision, and who will be responsible for the loss if the risk is realized, usually in the form of a “sign-off” letter. An organization’s decision to accept risk is based on its risk tolerance.
What type of security policy or plan has the following main phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned?
IRP
BCP
DRP
IRP
An incident response plan (IRP) consists of Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
In what phase of an incident response plan does the organization return to normal operations after handling a violating event?
Containment
Lessons Learned
Recovery
Recovery
Recovery is the process of removing any damaged elements from the environment and replacing them. This can apply to corrupted data being restored from backup and to malfunctioning hardware or software being replaced with updated or new versions. In some cases, entire computer systems need to be reconstituted (rebuilt from new parts) in order to eradicate all elements of compromise and return a functioning and trustworthy system to production. The recovery and reconstitution procedures can also include alterations of configuration settings and adding new security features or components. This is especially important if a vulnerability remains that could be exploited to cause the incident to reoccur. The environment is returned to normal operations by the end of the recovery phase.
When an organization is sent a lawyer’s letter demanding that they retain specific records, logs, and other files pertaining to suspected illegal activity, what is this known as?
Forensics
Investigation
Legal hold
Legal hold
A legal hold is an early step in the evidence collection or e-discovery process. It is a legal notice to a data custodian that specific data or information must be preserved and that good-faith efforts must be engaged to preserve the indicated evidence. The custodian must maintain and preserve the data until they are notified that the obligation is no longer necessary.