Risk Management Flashcards

1
Q

What is risk management?

A
  • systematic process of identifying, assessing, and managing risks to information assets and systems
  • understanding potential threats, vulnerabilities, and the impact of potential incidents on an organization’s security posture
2
Q

Who decides how risks are handled?

A

management

3
Q

What is a risk category?

A

group of potential causes of a risk

4
Q

What are the different risk categories? Describe each.

A
  • Damage
    • results in a physical loss of an asset or the inability to access the asset
  • Loss
    • might be permanent or temporary, including altered data or inaccessible data
  • Disclosure
    • disclosing critical information regardless of where or how it was disclosed
5
Q

What is a risk factor?

A

something that increases risk or susceptibility

6
Q

What are the risk factors?

A
  • physical damage
    • natural disasters, vandalism, power loss
  • malfunction
    • failure of systems, networks or peripherals
  • attack
    • purposeful acts whether from the inside or outside
  • human
    • usually considered accidental, whereas attacks are purposeful incidents
  • application errors
    • failures of the application, including operating system

Acronym: Police Must Accept Happy Anarchists

7
Q

What are the different types of risk?

A
  1. Residual Risk
  2. Inherent Risk
  3. Total Risk
8
Q

What is Residual Risk?

A
  • risk that remains even when all conceivable safeguards are in place
  • exists AFTER security controls are implemented
9
Q

What is Inherent Risk?

A
  • newly identified risk not yet addressed with risk management strategies
  • the amount of risk that exists in the absence of controls
  • inherent risk is the level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed
  • exists BEFORE security controls are implemented
10
Q

What is Total Risk?

A
  • amount of risk that an organization would face if no safeguards are implemented
  • exists WITHOUT security controls
11
Q

What is risk identification?

A
  • systematically identifying and documenting potential risks that could negatively impact the confidentiality, integrity, or availability of information assets
  • identifying internal and external threats and potential impacts
12
Q

What techniques are used to identify risks?

A
  • risk assessments
  • threat modeling
  • vulnerability assessments
  • asset inventories
13
Q

What is risk assessment?

A
  • analyzing and evaluating identified risks to determine their likelihood of occurrence and potential impact
  • helps prioritize risks based on their severity and the likelihood of occurrence
14
Q

What parameters does risk assessment consider?

A
  • value of the assets at risk
  • the potential impact on the organization’s operations
  • financials, reputation, and compliance requirements
15
Q

What is a risk response?

A
  • developing and implementing strategies to address identified risks
  • includes determining the most effective and efficient controls and countermeasures to reduce the risk to an acceptable level
16
Q

What are the possible ways of risk response?

A
  • Risk Avoidance
  • Risk Rejection
  • Risk Mitigation
  • Risk Assignment/Transfer
  • Risk Acceptance
  • Risk Deterrence

Acronym: All Romans Must Attack All Docks

17
Q

What is risk avoidance?

A
  • avoiding the risk altogether by ceasing the activity or not engaging in the vulnerable process
  • e.g. opening a private cloud facility in Utah instead of Texas to avoid hurricanes
18
Q

What is risk rejection?

A

an unacceptable (but possible) response to risk: rejecting or ignoring the risk

19
Q

What is risk mitigation?

A
  • implementing controls and countermeasures to reduce the likelihood or impact of the risk
  • can include implementing security controls, applying patches and updates, or enhancing employee training
  • accepts the residual risk
20
Q

What is risk assignment/transfer?

A
  • transferring the risk to a third party, such as through insurance or outsourcing
  • shifts the financial burden or responsibility for managing the risk to another entity
21
Q

What is risk acceptance?

A
  • accepting the risk and consciously deciding to tolerate the potential consequences
  • typically done for risks with a low likelihood or impact, or when the cost of mitigation outweighs the potential harm
22
Q

What is risk deterrence?

A
  • implementing deterrents to would-be violators of security and policy
  • includes things like security cameras or security guards
23
Q

Describe Risk Monitoring and Review

A
  • risk management is an ongoing process, and organizations need to continuously monitor, review, and reassess risks
  • periodic risk assessments and reviews ensure that risk management practices remain up to date and aligned with the evolving security needs of the organization
24
Q

Describe Risk Communication

A
  • effective risk management includes clear and concise communication of risks, their potential impacts, and recommended mitigation strategies to stakeholders
  • enables stakeholders to understand the potential impacts, make informed decisions, and participate in risk management activities
25
Q

What does risk management documentation include?

A

risk management process, risk assessments, risk treatment decisions, and the implementation and effectiveness of security controls

26
Q

What is Risk Appetite (Risk Tolerance)?

A
  • level of risk that an organization or individual is willing to accept or tolerate in pursuit of its objectives
  • involves finding the right balance between risk-taking and risk avoidance
27
Q

What does a business need to consider so that risk management efforts are in line with the overall organizational strategy?

A

business priorities, strategic goals, and risk appetite

28
Q

What should risk management consider as one of the top priorities?

A
  • legal and regulatory requirements applicable to the organization’s industry and jurisdiction
  • compliance with laws, regulations, and industry standards is an integral part of risk management, ensuring that the organization operates within legal boundaries and meets its obligations to protect sensitive information
29
Q

What are the two different ways to evaluate risk to assets?

A
  1. quantitative
  2. qualitative
30
Q

What is quantitative risk analysis?

A
  • assigns a dollar value to evaluate the effectiveness of countermeasures
  • labor intensive - employs data collection and analysis
  • objective - involves hard data
31
Q

What is qualitative risk analysis?

A
  • uses a scoring system to rank threats and effectiveness of countermeasures relative to the system or the environment
  • subjective - involves opinion
32
Q

What does a business need to consider when doing risk analysis?

A
  • Loss Potential
    • what would be lost if the threat agent is successful at exploiting a vulnerability
  • Delayed Loss
    • amount of loss that can occur over time
  • Threat Agents
    • entities that cause the threats by exploiting vulnerabilities
33
Q

What are the key steps in risk analysis?

A
  1. Risk Identification
  2. Risk Assessment
  3. Risk Evaluation
  4. Risk Treatment
  5. Risk Communication
  6. Ongoing Monitoring and Review

Acronym: I Am Evaluating The Current Offensive

34
Q

What is the Delphi Technique?

A
  • anonymous feedback-and-response process used to arrive at consensus
  • used in qualitative risk analysis
35
Q

What is a Risk Management Framework?

A
  • provides organizations with structured approaches and guidelines for identifying, assessing, and managing risks across various domains
  • the frameworks and standards offer methodologies, processes, and best practices to help organizations establish effective risk management practices
36
Q

What are the steps in risk management framework NIST 800-37?

A
  1. Prepare
    • evaluation phase before the entire process of RMF is triggered
  2. Categorize
    • categorize the information system based on the impact that a potential compromise or loss of confidentiality, integrity, or availability would have on the organization
  3. Select
    • organization selects appropriate security controls based on the system’s security categorization
  4. Implement
    • once the security controls are selected, they need to be implemented within the system
  5. Assess
    • implemented security controls are then assessed to ensure they are operating effectively and providing the intended security before the systems are put in production
  6. Authorize
    • organization makes a risk-based decision regarding the system’s readiness for operation
  7. Monitor
    • once the system is operational, ongoing monitoring and continuous assessment of security controls are necessary to ensure they remain effective
37
Q

What does NIST 800-37 emphasize?

A

the need for organizations to tailor the risk management framework to their specific needs

38
Q

What is OCTAVE and what does the acronym mean?

A
  • risk management framework
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation
39
Q

What are the 3 basic characteristics of OCTAVE?

A
  1. Risk-Based Approach
    • takes a risk-based approach, focusing on identifying and mitigating risks that are critical to an organization’s operations and objectives
  2. Asset-Centric
    • centers around understanding and protecting an organization’s critical assets, such as data, systems, processes, or physical infrastructure
  3. Team Collaboration
    • involves cross-functional teams that include stakeholders from different areas of the organization, such as business units, IT, and security
40
Q

What are the three main phases of OCTAVE?

A
  1. Phase 1: Build Asset-Based Threat Profile
  2. Phase 2: Identify Risks
  3. Phase 3: Develop Risk Mitigation Strategies
41
Q

Describe OCTAVE phase 1 and its steps

A
  1. Identify and Categorize Assets
  2. Identify Threats
  3. Assess Vulnerabilities
  4. Build Asset-Based Threat Profiles
42
Q

Describe OCTAVE phase 2 and its steps

A
  1. Identify Risks
  2. Prioritize Risks
43
Q

Describe OCTAVE phase 3 and its steps

A
  1. Develop Strategies
  2. Implement and Monitor
44
Q

What are the benefits of OCTAVE?

A
  • Holistic Risk Assessment
  • Stakeholder Engagement
  • Risk Prioritization
  • Actionable Risk Mitigation
45
Q

What are the limitations of OCTAVE?

A
  • Resource Intensive
  • Expertise Required
  • Scalability
46
Q

What is TARA and what does the acronym mean?

A
  • risk management framework that focuses on assessing risks posed by threat agents or adversaries
  • Threat Agent Risk Assessment
47
Q

What are the key aspects of TARA?

A
  • Threat Agent Identification
    • the first step is to identify and characterize potential threat agents or adversaries that could pose risks to the organization
  • Risk Assessment
    • involves evaluating the threats identified in the previous step
    • each threat agent is analyzed based on their capabilities, intentions, and likelihood of exploiting vulnerabilities or causing harm
  • Vulnerability Assessment
    • vulnerabilities within the organization’s systems, processes, and infrastructure are identified and evaluated
  • Impact Analysis
    • assesses the potential consequences or impacts of successful attacks or incidents caused by threat agents
  • Risk Mitigation Strategies
    • once the threats, vulnerabilities, and impacts have been identified, organizations can develop risk mitigation strategies
  • Risk Treatment and Monitoring
    • involves implementing the selected risk mitigation strategies and continuously monitoring the effectiveness of the controls
48
Q

What is FAIR and what does the acronym mean?

A
  • risk management framework that provides a structured and quantitative approach to assessing and analyzing information and cybersecurity risks
  • Factor Analysis of Information Risk
49
Q

What are the steps of the FAIR framework?

A
  1. Identify Scope and Context
  2. Define Risk Factors
  3. Assess Frequency
  4. Assess Magnitude
  5. Calculate Risk
  6. Evaluate and Prioritize Risks
  7. Implement Risk Mitigation
  8. Monitor and Review
50
Q

What should be done when a risk is accepted?

A

maintain detailed documentation of the risk acceptance process to satisfy auditors in the future - should happen before implementing security controls, etc.

51
Q

What’s the most effective assessment approach for risk assessment when analyzing tangible and intangible assets?

A

combining of quantitative and qualitative risk assessment

52
Q

What’s Risk Maturity Model (RMM) used for?

A

designed for the purpose of assessing enterprise risk management programs

53
Q

When conducting a quantitative business impact assessment to collect data to determine the dollar cost of downtime, what information is needed from outages during the previous year to calculate the cost of those outages to the business?

A
  • total amount of time business was down
  • number of personnel hours worked to recover from the outage
  • business lost during the outage per hour in dollars
  • average employee wage per hour
54
Q

Use of a probability/impact matrix is the hallmark of which risk assessment?

A

qualitative

55
Q

What are the valid uses for key risk indicators (KRIs)?

A
  • provide warnings before issues occur
  • provide historical views of past incidents
  • provide insight into risk tolerance for the organization
56
Q

What is the most important element of a qualitative risk assessment?

A

determining the probability and impact of each risk upon the organization

57
Q

What are these:
* RMF
* COSO’s ERM
* ISACA’s Risk IT
* OCTAVE
* FAIR
* TARA

A

risk management frameworks

58
Q

What does risk reporting involve?

A

production of a risk report and a presentation of that report to the interested/relevant parties

59
Q

What is a risk register or risk log?

A

document that inventories all of the identified risks to an organization or system or within an individual project

60
Q

What is a risk matrix or risk heat map?

A

form of risk assessment that is performed on a basic graph or chart

61
Q

What covers the evaluation of countermeasures, safeguards, and security controls using a cost/benefit analysis; adjusting findings based on other conditions, concerns, priorities, and resources; and providing a proposal of response options in a report to senior management?

A

Risk response

62
Q

What is the effort to increase the knowledge of risks within an organization called?

A

risk awareness

63
Q

What is risk management composed of?

A

risk assessment and risk response

63
Q

What’s the name for the examination of an environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of the damage it would cause if it did occur, and assessing the cost of various countermeasures for each risk?

A

Risk assessment or risk analysis

64
Q

What’s exposure?

A

the presence of a vulnerability when a related threat exists

65
Q

Is every instance of an exposure a risk?

A

yes

66
Q

What is Exposure?

A

being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited

67
Q

When controls are not cost effective, they are not worth implementing. What is the appropriate risk response in this case?

A

risk acceptance

68
Q

Does risk acceptance documentation include risk mitigation controls to address acceptable risks?

A

no

69
Q

What should risk acceptance documentation include?

A
  • thorough review of the risks facing the organization, including the determination as to which risks should be considered acceptable and unacceptable
  • for acceptable risks, the documentation should include a rationale for that decision and a list of potential future events that might warrant a reconsideration of that determination
  • documentation should include a list of controls used to mitigate unacceptable risks, but it would not include controls used to mitigate acceptable risks, since acceptable risks do not require mitigation
70
Q

What term best describes a review of the risk management program in an organization and the development of an analysis of all of the risks facing the organization and their quantitative impact?

A
  • risk profile
  • quantitative analysis of all of the risks facing an organization and their potential impact
71
Q

What does ISO 31000 have in common with NIST 800-37?

A

they are risk management frameworks that help companies run a risk management program

72
Q

The cost of the risk management program, the number of risks identified, and the number of risks that have occurred are all examples of what?

A

risk management metrics

73
Q

What is the difference between safeguard and countermeasures?

A
  • safeguards: proactive (reduce the likelihood)
  • countermeasures: reduce the impact after occurrence
74
Q

What are the risk management frameworks that are relevant to cloud computing?

A
  • ISO 31000:2018 guidance standard
  • ENISA’s cloud computing risk assessment
  • NIST 800-37, Risk Management Framework
75
Q

What is the purpose of NIST Special Publication 800-146 “Cloud Computing Synopsis and Recommendations”?

A

provide definitions of various cloud computing terms

76
Q

What does ENISA provide to address risk management?

A

guide that identifies various categories of risk and recommendations for organizations to consider when evaluating cloud computing

77
Q

What are some of the key cybersecurity metrics that companies can track to present measurable data to company stakeholders?

A
  • patching levels
    • how many devices are fully patched and up-to-date
    • unpatched devices contain exploitable vulnerabilities
  • time to deploy patches
    • how many devices receive required patches in defined time frames
    • useful measure of how effective patch management is at reducing the risk of known vulnerabilities
  • intrusion attempts
    • how many times have unknown actors tried to breach cloud systems
    • increased intrusion attempts can be an indicator of increased risk likelihood
  • MTTD (Detect), MTTC (Contain), MTTR (Resolve)
    • how long does it take for security teams to become aware of a potential security incident, contain the damage and resolve the incident
    • inadequate tools or resources for reactive risk mitigation can increase the impact of risk occurring