Risk Management

Question 1

What is risk management?

Answer 1

• systematic process of identifying, assessing, and managing risks to information assets and systems
• understanding potential threats, vulnerabilities, and the impact of potential incidents on an organization’s security posture

Question 2

Who decides how risks are handled?

Answer 2

management

Question 3

What is a risk category?

Answer 3

group of potential causes of a risk

Question 4

What are the different risk categories? Describe each.

Answer 4

• Damage
  
  • results in a physical loss of an asset or the inability to access the asset
• Loss
  
  • might be permanent or temporary, including altered data or inaccessible data
• Disclosure
  
  • disclosing critical information regardless of where or how it was disclosed

Question 5

What is a risk factor?

Answer 5

something that increases risk or susceptibility

Question 6

What are the risk factors?

Answer 6

• physical damage
  
  • natural disasters, vandalism, power loss
• malfunction
  
  • failure of systems, networks or peripherals
• attack
  
  • purposeful acts whether from the inside or outside
• human
  
  • usually considered accidental, whereas attacks are purposeful incidents
• application errors
  
  • failures of the application, including operating system

Acronym: Police Must Accept Happy Anarchists

Question 7

What are the different types of risk?

Answer 7

1. Residual Risk
2. Inherent Risk
3. Total Risk

Question 8

What is Residual Risk?

Answer 8

• risk that remains even with all conceivable safeguards are in place
• exists AFTER security controls are implemented

Question 9

What is Inherent Risk?

Answer 9

• newly identified risk not yet addressed with risk management strategies
• the amount of risk that exists in the absence of controls
• inherent risk is the level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed
• exists BEFORE security controls are implemented

Question 10

What is Total Risk?

Answer 10

• amount of risk that an organization would face if no safeguards are implemented
• exists WITHOUT security controls

Question 11

What is risk identification?

Answer 11

• systematically identifying and documenting potential risks that could negatively impact the confidentiality, integrity, or availability of information assets
• identifying internal and external threats and potential impacts

Question 12

What techniques are used to identify risks?

Answer 12

• risk assessments
• threat modeling
• vulnerability assessments
• asset inventories

Question 13

What is risk assessment?

Answer 13

• analyzing and evaluating identified risks to determine their likelihood of occurrence and potential impact
• helps prioritize risks based on their severity and the likelihood of occurrence

Question 14

What parameters does risk assessment consider?

Answer 14

• value of the assets at risk
• the potential impact on the organization’s operations
• financials, reputation, and compliance requirements

Question 15

What is a risk response?

Answer 15

• developing and implementing strategies to address identified risks
• includes determining the most effective and efficient controls and countermeasures to reduce the risk to an acceptable level

Question 16

What are the possible ways of risk response?

Answer 16

• Risk Avoidance
• Risk Rejection
• Risk Mitigation
• Risk Assignment/Transfer
• Risk Acceptance
• Risk Deterrence

Acronym: All Romans Must Attack All Docks

Question 17

What is risk avoidance?

Answer 17

• avoiding the risk altogether by ceasing the activity or not engaging in the vulnerable process
• e.g. opening a private cloud facility in Utah instead of Texas to avoid hurricanes

Question 18

What is risk rejection?

Answer 18

unacceptable possible response to risk by rejecting or ignoring the risk

Question 19

What is risk mitigation?

Answer 19

• implementing controls and countermeasures to reduce the likelihood or impact of the risk
• can include implementing security controls, applying patches and updates, or enhancing employee training
• accepts the residual risk

Question 20

What is risk assignment/transfer?

Answer 20

• transferring the risk to a third party, such as through insurance or outsourcing
• shifts the financial burden or responsibility for managing the risk to another entity

Question 21

What is risk acceptance?

Answer 21

• accepting the risk and consciously deciding to tolerate the potential consequences
• typically done for risks with a low likelihood or impact, or when the cost of mitigation outweighs the potential harm

Question 22

What is risk deterrence?

Answer 22

• implementing deterrents to would-be violators of security and policy
• includes things like security cameras or security guards

Question 23

Describe Risk Monitoring and Review

Answer 23

• risk management is an ongoing process, and organizations need to continuously monitor, review, and reassess risks
• periodic risk assessments and reviews ensure that risk management practices remain up to date and aligned with the evolving security needs of the organization

Question 24

Describe Risk Communication

Answer 24

• effective risk management includes clear and concise communication of risks, their potential impacts, and recommended mitigation strategies to stakeholders
• enables stakeholders to understand the potential impacts, make informed decisions, and participate in risk management activities

Question 25

What does risk management documentation include?

Answer 25

risk management process, risk assessments, risk treatment decisions, and the implementation and effectiveness of security controls

Question 26

What is Risk Appetite (Risk Tolerance)?

Answer 26

• level of risk that an organization or individual is willing to accept or tolerate in pursuit of its objectives
• involves finding the right balance between risk-taking and risk avoidance

Question 27

What business needs to consider, so that risk management efforts are in line with the overall organizational strategy?

Answer 27

business priorities, strategic goals, and risk appetite

Question 28

What should risk management consider as one of the top priorities?

Answer 28

• legal and regulatory requirements applicable to the organization’s industry and jurisdiction
• compliance with laws, regulations, and industry standards is an integral part of risk management, ensuring that the organization operates within legal boundaries and meets its obligations to protect sensitive information

Question 29

What are the two different ways to evaluate risk to assets?

Answer 29

1. quantitative
2. qualitative

Question 30

What is quantitative risk analysis?

Answer 30

• assigns a dollar value to evaluate the effectiveness of countermeasures
• labor intensive - employs data collection and analysis
• objective - involves hard data

Question 31

What is qualitative risk analysis?

Answer 31

• uses a scoring system to rank threats and effectiveness of countermeasures relative to the system or the environment
• subjective - involves opinion

Question 32

What does business need to consider when doing risk analysis?

Answer 32

• Loss Potential
  
  • what would be lost, if the threat agent is successful at exploiting vulnerability
• Delayed Loss
  
  • amount of loss that can occur over time
• Threat Agents
  
  • entities that cause the threats by exploiting vulnerabilities

Question 33

What are the key steps in risk analysis?

Answer 33

1. Risk Identification
2. Risk Assessment
3. Risk Evaluation
4. Risk Treatment
5. Risk Communication
6. Ongoing Monitoring and Review

Acronym: I Am Evaluating The Current Offensive

Question 34

What is the Delphi Technique?

Answer 34

• anonymous feedback-and-response process used to arrive at consensus
• used in qualitative risk analysis

Question 35

What is a Risk Management Framework?

Answer 35

• provides organizations with structured approaches and guidelines for identifying, assessing, and managing risks across various domains
• the frameworks and standards offer methodologies, processes, and best practices to help organizations establish effective risk management practices

Question 36

What are the steps in risk management framework NIST 800-37?

Answer 36

• 1. Prepare
     * evaluation phase before the entire process of RMF is triggered
• 2. Categorize
     * categorize the information system based on the impact that a potential compromise or loss of confidentiality, integrity, or availability would have on the organization
• 3. Select
     * organization selects appropriate security controls based on the system’s security categorization
• 4. Implement
     * once the security controls are selected, they need to be implemented within the system
• 5. Assess
     * implemented security controls are then assessed to ensure they are operating effectively and providing the intended security before the systems are put in production
• 6. Authorize
     * organization makes a risk-based decision regarding the system’s readiness for operation
• 7. Monitor
     * once the system is operational, ongoing monitoring and continuous assessment of security controls are necessary to ensure they remain effective

Question 37

What does NIST 800-37 emphasize?

Answer 37

the need for organizations to tailor the risk management framework to their specific needs

Question 38

What is OCTAVE and what does the acronym mean?

Answer 38

• risk management framwork
• Operationally Critical Threat, Asset, and Vulnerability Evaluation

Question 39

What are the 3 basic characteristics of OCTAVE?

Answer 39

1. Risk-Based Approach
   
   • takes a risk-based approach, focusing on identifying and mitigating risks that are critical to an organization’s operations and objectives
2. Asset-Centric
   
   • centers around understanding and protecting an organization’s critical assets, such as data, systems, processes, or physical infrastructure
3. Team Collaboration
   
   • involves cross-functional teams that include stakeholders from different areas of the organization, such as business units, IT, and security

Question 40

What are the three main phases of OCTAVE?

Answer 40

1. Phase 1: Build Asset-Based Threat Profile
2. Phase 2: Identify Risks
3. Phase 3: Develop Risk Mitigation Strategies

Question 41

Describe OCTAVE phase 1 and its steps

Answer 41

1. Identify and Categorize Assets
2. Identify Threats
3. Assess Vulnerabilities
4. Build Asset-Based Threat Profiles

Question 42

Describe OCTAVE phase 2 and its steps

Answer 42

1. Identify Risks
2. Prioritize Risks

Question 43

Describe OCTAVE phase 3 and its steps

Answer 43

1. Develop Strategies
2. Implement and Monitor

Question 44

What are the benefits of OCTAVE?

Answer 44

• Holistic Risk Assessment
• Stakeholder Engagement
• Risk Prioritization
• Actionable Risk Mitigation

Question 45

What are the limitations of OCTAVE?

Answer 45

• Resource Intensive
• Expertise Required
• Scalability

Question 46

What is TARA and what does the acronym mean?

Answer 46

• risk management framework that focuses on assessing risks posed by threat agents or adversaries
• Threat Agent Risk Assessment

Question 47

What are the key aspects of TARA?

Answer 47

• Threat Agent Identification
  
  • the first step is to identify and characterize potential threat agents or adversaries that could pose risks to the organization
• Risk Assessment
  
  • involves evaluating the threats identified in the previous step
  • each threat agent is analyzed based on their capabilities, intentions, and likelihood of exploiting vulnerabilities or causing harm
• Vulnerability Assessment
  
  • vulnerabilities within the organization’s systems, processes, and infrastructure are identified and evaluated
• Impact Analysis
  
  • assesses the potential consequences or impacts of successful attacks or incidents caused by threat agents
• Risk Mitigation Strategies
  
  • once the threats, vulnerabilities, and impacts have been identified, organizations can develop risk mitigation strategies
• Risk Treatment and Monitoring
  
  • involves implementing the selected risk mitigation strategies and continuously monitoring the effectiveness of the controls

Question 48

What is FAIR and what does the acronym mean?

Answer 48

• risk management framework that provides a structured and quantitative approach to assessing and analyzing information and cybersecurity risks
• Factor Analysis of Information Risk

Question 49

What are the steps of the FAIR framework?

Answer 49

1. Identify Scope and Context
2. Define Risk Factors
3. Assess Frequency
4. Assess Magnitude
5. Calculate Risk
6. Evaluate and Prioritize Risks
7. Implement Risk Mitigation
8. Monitor and Review

Question 50

What should be done when a risk is accepted?

Answer 50

maintain detailed documentation of the risk acceptance process to satisfy auditors in the future - should happen before implementing security controls, etc.

Question 51

What’s the most effective assessment approach for risk assessment for analyzinig tangible and intangible assets?

Answer 51

combining of quantitative and qualitative risk assessment

Question 52

What’s Risk Maturity Model (RMM) used for?

Answer 52

designed for the purpose of assessing enterprise risk management programs

Question 53

When conducting quantitative business impact assessment to collect data to determine dollar cost of downtime, what information is needed from outages during the previous year to calculate cost of those outages to business?

Answer 53

• total amount of time business was down
• number of presonnel hours worked to recover from the outage
• business lost during the outage per hour in dollars
• average employee wage per hour

Question 54

Use of a probability/impact matrix is the hallmark of which risk assessment?

Answer 54

qualitative

Question 55

What are the valid uses for key risk indicators (KRIs)?

Answer 55

• provide warnings before issue occur
• provide historical views of past incidents
• provide insight into risk tolerance for the organization

Question 56

What is the most important element of a qualitative risk assessment?

Answer 56

determining the probability and impact of each risk upon the organization

Question 57

What are these:
* RMF
* COSO’s ERM
* ISACA’s Risk IT
* OCTAVE
* FAIR
* TARA

Answer 57

risk management frameworks

Question 58

What does risk reporting involve?

Answer 58

production of a risk report and a presentation of that report to the interested/relevant parties

Question 59

What is a risk register or risk log?

Answer 59

document that inventories all of the identified risks to an organization or system or within an individual project

Question 60

What is a risk matrix or risk heat map?

Answer 60

form of risk assessment that is performed on a basic graph or chart

Question 61

What covers the evaluation of countermeasures, safeguards, and security controls using a cost/benefit analysis; adjusting findings based on other conditions, concerns, priorities, and resources; and providing a proposal of response options in a report to senior management?

Answer 61

Risk response

Question 62

What is the effort to increase the knowledge of risks within an organization called?

Answer 62

risk awarness

Question 63

What is risk management is composed of?

Answer 63

risk assessment and risk response

Question 63

What’s the name for the examination of an environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of the damage it would cause if it did occur, and assessing the cost of various countermeasures for each risk?

Answer 63

Risk assessment or risk analysis

Question 64

What’s exposure?

Answer 64

the presence of a vulnerability when a related threat exists

Question 65

Is risk every instance of an exposure?

Answer 65

yes

Question 66

What is Exposure?

Answer 66

being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited

Question 67

When controls are not cost effective, they are not worth implementing. What is the appropriate risk response in this case?

Answer 67

risk acceptance

Question 68

Does risk acceptance documentation include risk mitigation controls to address acceptable risks?

Answer 68

no

Question 69

What should risk acceptance documentation include?

Answer 69

• thorough review of the risks facing the organization, including the determination as to which risks should be considered acceptable and unacceptable
• for acceptable risks, the documentation should include a rationale for that decision and a list of potential future events that might warrant a reconsideration of that determination
• documentation should include a list of controls used to mitigate unacceptable risks, but it would not include controls used to mitigate acceptable risks, since acceptable risks do not require mitigation

Question 70

What term best describes a review of the risk management program in an organization and developing an analysis of all of the risks facing the organization and their quantitative impact

Answer 70

• risk profile
• quantitative analysis of all of the risks facing an organization and their potential impact

Question 71

What does ISO 31000 have in common with NIST 800-37?

Answer 71

they are risk management frameworks, that help companies to run a risk management program

Question 72

Cost of the risk management program, the number of risks identified, the number of risks that have occurred are all examples of what?

Answer 72

risk management metric

Question 73

What is the difference between safeguard and countermeasures?

Answer 73

• safeguards: proactive (reduce likelihood)
• countermeasures (reduce the impact after occurance)

Question 74

What are the risk management frameworks that are relevant to cloud computing?

Answer 74

• ISO 31000:2018 guidance standard
• ENISA’s cloud computing risk assessment
• NIST 800-37, Risk Management Framework

Question 75

What is the purpose of NIST Special Publication 800-146 “Cloud Computing Synopsis and Recommendations”?

Answer 75

provide definitions of various cloud computing terms

Question 76

What does ENISA provide to address risk management?

Answer 76

guide that identifies various categories of risk and recommendations for organizations to consider when evaluating cloud computing

Question 77

What are some of the key cybersecurity metrics that companies can track to present a measurable data to company stakeholders?

Answer 77

• patching levels
  
  • how many devices are fully patched and up-to-date
  • unpatched devices contain exploitable vuls
• time to deploy patches
  
  • how many devices receive required patches in defined time frames
  • useful measure of how effective a match management is at reducing the risk of known vuls
• intrusion attempts
  
  • how many times have unknown actors tried to breach cloud systems
  • increased intrusion attempts can be an indicator of increased risk likelihood
• MTTD (Detect), MTTC (Contain), MTTR (Resolve)
  
  • how long does it take for security teams to become aware of a potential security incident, contain the damage and resolve the incident
  • inadequate tools or resources for reactive risk mitigation can increase the impact of risk occurring