Risk Management Flashcards

1
Q

Quantitative Risk Analysis

A

Produces a report with concrete risks and their dollar costs.

Steps:

  1. Inventory assets and assign each a dollar value (AV)
  2. Research each asset and produce a list of possible threats; for each threat estimate the exposure factor (EF) and the single loss expectancy (SLE = AV * EF)
  3. Perform threat analysis: estimate how often each threat is likely to be realized per year = ARO
  4. Derive the overall loss potential per threat per year = ALE (SLE * ARO)
  5. Research countermeasures for each threat
  6. Perform a cost/benefit analysis for each countermeasure and select the most appropriate response to each threat
2
Q

How is SLE calculated?

A

SLE = AV * EF

Cost of a single realized risk against a specific asset; EF is the percentage of the asset's value lost in one occurrence.

3
Q

ALE

A

Annualized Loss Expectancy

ALE = SLE * ARO

Possible yearly cost of all instances of a specific realized threat against a specific asset; ARO is the expected number of occurrences per year.

4
Q

Risk Management Framework

A

Risk Management Framework

NIST SP 800-37 (Rev. 2 adds a preliminary Prepare step before these six)

  1. Categorize –> information systems and the data they process, store and transmit
  2. Select –> baseline security controls
  3. Implement –> security controls
  4. Assess –> security controls
  5. Authorize –> information system operation
  6. Monitor –> security controls in the information system
5
Q

Risk

A

Risk = Threat * Vulnerability

DEF: the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.

Risk analysis includes analyzing an environment for risks, evaluating each threat event for its likelihood of occurring and the cost of the damage it would cause, assessing the cost of the various countermeasures for each risk, and creating a cost/benefit report on safeguards to present to upper management.

6
Q

Total Risk

A

threats * vulnerabilities * asset value

The amount of risk an organization would face if no safeguards were implemented.

7
Q

Residual Risk

A

total risk - controls gap = residual risk

The controls gap is the amount of risk removed by the countermeasures that are implemented; residual risk is what remains afterward and must be accepted by management.

8
Q

Vulnerability

A

A vulnerability is the absence or weakness of a safeguard or countermeasure.

9
Q

Asset Valuation

A

The dollar value assigned to an asset based on its actual cost and on non-monetary expenses.

E.g., cost to develop, maintain, administer, advertise, support, repair, etc., plus factors such as value to competitors and cost of replacement.

10
Q

Exposure

A

Being susceptible to asset loss because of a threat: there is the possibility that a vulnerability can or will be exploited by a threat agent or threat event.

11
Q

NIST 800-30

A

9-Step Risk Assessment

  1. System Characterization
  2. Threat Identification
  3. Vulnerability Identification
  4. Control Analysis
  5. Likelihood Determination
  6. Impact Analysis
  7. Risk Determination (combine steps 5 and 6)
  8. Control Recommendations
  9. Results Documentation
12
Q

Which of the following represents accidental or intentional exploitations of vulnerabilities?

A. Threat events
B. Risks
C. Threat agents
D. Breaches

A

A. Threat events

14
Q

Primary Risk Management Framework

A

NIST 800-37

People Can See I Am Always Monitoring

Prepare - the organization and the system to execute the RMF
Categorize - information systems
Select - security controls
Implement - security controls
Assess - security controls
Authorize - information systems
Monitor - security controls
15
Q

What is the countermeasure cost/benefit equation?

A. SLE * ARO
B. EF * AV * ARO
C. (ALE1 – ALE2) – CM cost
D. Total risk + controls gap

A

To determine whether a safeguard is financially worthwhile, use the following countermeasure cost/benefit equation: (ALE before the countermeasure – ALE after implementing the countermeasure) – annual cost of the countermeasure = value of the countermeasure to the company. A negative result means the safeguard costs more per year than the loss it prevents.

C. (ALE1 – ALE2) – CM cost
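The following is an added worked example, not part of this flashcard deck, that carries the formulas from cards 1, 2, 3 and 15 through one complete quantitative analysis: it computes SLE and ALE for an asset/threat pair, applies (ALE1 – ALE2) – CM cost to several candidate countermeasures, ranks them, and rejects any whose value is negative (accepting the risk is then the cheaper response). The asset, threat, dollar figures, EF and ARO values and countermeasure names are all constructed for illustration.

```python
"""Worked quantitative risk analysis: SLE, ALE and countermeasure cost/benefit.

Added illustration, not part of the flashcard deck. Every asset value,
exposure factor, ARO and countermeasure cost below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # AV: dollar value assigned during asset valuation


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float   # exposure factor: fraction of AV lost per realized event (0.0-1.0)
    aro: float  # annualized rate of occurrence: expected events per year


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float                 # recurring cost of the safeguard per year
    aro_after: float                   # ARO once the safeguard is in place
    ef_after: Optional[float] = None   # EF afterward, if the safeguard also limits damage


def sle(asset: Asset, ef: float) -> float:
    """Single loss expectancy: SLE = AV * EF."""
    return asset.value * ef


def ale(asset: Asset, ef: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE * ARO."""
    return sle(asset, ef) * aro


def countermeasure_value(asset: Asset, threat: Threat, cm: Countermeasure) -> float:
    """Value to the company: (ALE before - ALE after) - annual cost of the countermeasure."""
    ale_before = ale(asset, threat.ef, threat.aro)
    ef_after = threat.ef if cm.ef_after is None else cm.ef_after
    ale_after = ale(asset, ef_after, cm.aro_after)
    return (ale_before - ale_after) - cm.annual_cost


def rank_countermeasures(asset: Asset, threat: Threat,
                         options: List[Countermeasure]) -> List[Tuple[str, float]]:
    """Every option paired with its value to the company, best first."""
    ranked = [(cm.name, countermeasure_value(asset, threat, cm)) for cm in options]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def select_countermeasure(asset: Asset, threat: Threat,
                          options: List[Countermeasure]) -> Optional[str]:
    """Name of the most cost-effective safeguard, or None when no option pays
    for itself (a value <= 0 means the safeguard costs at least as much per year
    as the loss it removes, so accepting the risk is the cheaper response)."""
    ranked = rank_countermeasures(asset, threat, options)
    if not ranked or ranked[0][1] <= 0:
        return None
    return ranked[0][0]


# Constructed sample inputs (hypothetical figures, not real data).
WEB_SERVER = Asset("customer web server", value=200_000.0)
RANSOMWARE = Threat("ransomware", ef=0.5, aro=0.2)  # one event per 5 years, half the AV lost
OPTIONS = [
    # Backups do not stop the event (same ARO) but cut the damage (lower EF).
    Countermeasure("offline backups", annual_cost=5_000.0, aro_after=0.2, ef_after=0.1),
    # Endpoint detection lowers how often the threat is realized.
    Countermeasure("EDR on the server", annual_cost=8_000.0, aro_after=0.05),
    # Full insurance removes the loss but costs more than the ALE it removes.
    Countermeasure("gold-tier insurance", annual_cost=25_000.0, aro_after=0.2, ef_after=0.0),
]

if __name__ == "__main__":
    print(f"SLE = {sle(WEB_SERVER, RANSOMWARE.ef):,.0f}")
    print(f"ALE = {ale(WEB_SERVER, RANSOMWARE.ef, RANSOMWARE.aro):,.0f}")
    for name, value in rank_countermeasures(WEB_SERVER, RANSOMWARE, OPTIONS):
        print(f"{name:<22} value to company: {value:>10,.0f}")
    print("selected:", select_countermeasure(WEB_SERVER, RANSOMWARE, OPTIONS))
```

With the constructed figures the SLE is 100,000 and the ALE 20,000; offline backups are worth 11,000 per year, EDR 7,000, and the insurance option comes out at -5,000, so it is rejected even though it drives the ALE to zero. Note that a countermeasure may change the ARO (prevention) or the EF (damage limitation) or both, which is why the model carries both "after" values rather than only the ARO that card 16 highlights.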

16
Q

You’ve performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change?

A. Exposure factor
B. Single loss expectancy
C. Asset value
D. Annualized rate of occurrence

A

D. Annualized rate of occurrence

A countermeasure directly affects the annualized rate of occurrence, primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year. Asset value and exposure factor describe the asset and the damage one occurrence causes, so they do not change just because a countermeasure was selected; SLE changes only if EF does.

17
Q

When a safeguard or a countermeasure is not present or is not sufficient, what remains?

A. Vulnerability
B. Exposure
C. Risk
D. Penetration

A

A. Vulnerability

A vulnerability is the absence or weakness of a safeguard or countermeasure.

18
Q

Which step of the Risk Management Framework (RMF) identifies the initial set of baseline security controls?

A. Selection
B. Monitoring
C. Implementation
D. Assessment

A

A. Selection

The Select step chooses the initial set of baseline security controls for the system, based on its categorization.