Risk Management Flashcards

1
Q

Risk Categories (3)

A

Damage
Disclosure
Losses

2
Q

5 Risk Factors

A

Physical Damage
Malfunction
Attacks
Human Error
Application Error

3
Q

Security Policy Development
( 4 Steps)

A
  1. Security Procedures
  2. Security Guidelines
  3. Security Baselines
  4. Acceptable Use Policy
4
Q

Risk Planning
(In Organizational mgt level / number of years)

A

Strategic 5 yr
Tactical 1 yr
Operating MQ

5
Q

Response to Risk (6)

A

Acceptance
Mitigation
Assignment
Avoidance
Deterrence
Rejection

6
Q

Primary Risk Management Framework

A

NIST 800-37

7
Q

NIST 800-37 Steps

A
  1. Prepare
  2. Categorize
  3. Security Control
  4. Implement Security Control
  5. Assess the Controls
  6. Authorize the system
  7. Monitor Security Control
8
Q

Types of Risk (3)

A

Residual
Inherent
Total

9
Q

Total Risk
Formula

A

Threats * Vulnerabilities * Asset Value

10
Q

Risk
Formula

A

Threat * Vulnerability

11
Q

Risk Assessment Methodologies (examples such as NIST…)

A

NIST SP 800-30
OCTAVE
FRAP
FMEA
Fault Tree Analysis

12
Q

Risk Analysis Approach (2)

A

Quantitative Risk Analysis
Qualitative Risk Analysis

13
Q

Risk Management Process (4) Steps
(FARM)

A

Frame Risk
Assess Risk
Respond to Risk
Monitor

14
Q

Information Exhibits Vulnerabilities (Data x 3)

A

Data at rest
Data in transit
Data in use

15
Q

TOC/TOU

A

Time-of-check to Time-of-use

16
Q

The Delphi Technique

A

Used in Qualitative Risk Analysis
Individual opinions taken in rounds

17
Q

Residual Risk

A

(Threats * Vulnerabilities * Asset Value) * Control Gap

Residual risk = Total Risk - Countermeasures

18
Q

Value of safeguard to the organization
(Control Selection)
Formula

A

(ALE before implementing the safeguard) - (ALE after implementing the safeguard) - (Annual Cost of Safeguard)

19
Q

NIST SP 800-39
(Holistic Risk Management)

A

Managing Information Security Risk
Define 3 Tiers to Risk:
Tier 1 - Organization View
Tier 2 - Mission/ Business Process view
Tier 3 - Information system view

20
Q

Risk Analysis 4 Main Goals

A
  • Identify assets and their value to the organization
  • Determine the likelihood that a threat exploits a vulnerability
  • Determine the business impact of these potential threats
  • Provide an economic balance between the impact of the threat and the cost of the countermeasure
21
Q

Risk Management methodology

NIST SP 800-30

A

- Focus: computer systems and IT issues
- Does not cover large organizational threats
- Focuses on the operational component of an enterprise

22
Q

Risk Management Methodology
OCTAVE

A
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation methodology
  • 7 processes
  • Created by Carnegie Mellon University
  • People manage and direct the risk evaluation for information security within an organization
  • Idea: the people who work there know and best understand the risks
    Facilitated workshops
  • All systems, apps and processes within an organization
23
Q

Risk Management Methodology
FRAP

A

Facilitated Risk Analysis Process
By Thomas Peltier
Crux of this qualitative method: focus only on the systems that really need assessment, to reduce cost
One app / one system at a time
Based on experience, not numbers
24
Q

Risk Management Methodology
FMEA

A
  • Failure Modes and Effects Analysis
  • (Block diagrams)
  • Identifies functional failures and assesses the cause of each failure through a structured process
  • Mainly used in product development and operational environments
  • Identifies single points of failure
  • 5 steps
25
Q

Risk Management Methodology
Fault Tree Analysis

A

Assessing failure in the most complex systems
26
Q

Quantitative Risk Analysis
Single Loss Expectancy (SLE) -Definition

A

SLE is a monetary value assigned to a single event that represents the organization’s potential loss amount
27
Q

Quantitative Risk Analysis
Annualized Loss Expectancy (ALE)

A

Annual effective amount that an organization should spend

28
Q

Quantitative Risk Analysis
Exposure Factor (EF)

A

Exposure Factor represents the percentage of a loss a realized threat could have on a certain asset

29
Q

Quantitative Risk Analysis
Annualized Rate of Occurrence (ARO)

A

ARO is a value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe
30
Q

Quantitative Risk Analysis
SLE (Single Loss Expectancy) Formula

A

Asset Value x Exposure Factor (EF) = Single Loss Expectancy

31
Q

Quantitative Risk Analysis
ALE (Annualized Loss Expectancy) Formula

A

SLE x Annualized Rate of Occurrence (ARO) = ALE

32
Q

Three main categories of control

A

Administrative
Technical
Physical

33
Q

Administrative controls are commonly referred to as

A

Soft Controls

34
Q

Technical controls are also called

A

Logical Control

35
Q

Examples of Administrative Controls

A

Security Documentation
Risk management
Personnel Security
And Training

36
Q

Examples of Technical Controls

A

Software or
Hardware Components
(Firewalls, IDS, and identification and authentication mechanisms)

37
Q

Examples of Physical Controls

A

Security Guards
Locks
Fencing
Lighting

38
Q

Defence-in-depth

A

The coordinated use of multiple security controls in a layered approach

39
Q

(6) Different types of Security Controls

A

Preventative
Detective
Corrective
Deterrent
Recovery
Compensating

40
Q

Preventative Control Type
(Definition)

A

Intended to avoid an incident from occurring

41
Q

Detective Control Type
(Definition)

A

Helps identify an incident’s activities and potentially an intruder

42
Q

Corrective Control Type
(Definition)

A

Fixes components or systems after an incident has occurred

43
Q

Deterrent Control Type
(Definition)

A

Intended to discourage a potential attacker

44
Q

Recovery Control Type
(Definition)

A

Intended to bring the environment back to regular operations

45
Q

Compensating Control Type
(Definition)

A

Provides an alternative measure of control

46
Q

Preventative: Administrative

A

Policies and procedures
Effective hiring practices
Pre-employment background checks
Controlled termination processes
Data classification and labeling
Security awareness

47
Q

Preventative: Physical

A

Badges, Swipe cards
Guard, dogs
Fences, locks, mantraps

48
Q

Preventative: Technical
Examples

A

Passwords, biometrics, smart cards
Encryption, secure protocols, call-back systems, database views, constrained user interfaces
Administrative software, access control lists, firewalls, IPS

49
Q

What is a Control Assessment?

A

A Control Assessment is an evaluation of one or more controls to determine the extent to which they are:
- implemented correctly,
- operating as intended,
- and producing the desired outcome.

50
Q

Verification vs. Validation

A

Verification: did we implement the control right?
Validation: did we implement the right control?

51
Q

Risk Monitoring is (3 things)

A

The ongoing process of
- adding new risks,
- reevaluating existing ones,
- removing moot ones,
- and continuously assessing the effectiveness of our controls at mitigating all risks to tolerable levels.

52
Q

Risk Monitoring should focus on 3 key areas

A

Effectiveness
Change
Compliance

53
Q

EDR stands for

A

Endpoint Detection and Response

54
Q

Threat Working Group (TWG)
Part of Risk monitoring

A

Consists of members from all major parts of the organization, meeting regularly to review the list of risks (risk registry)

55
Q

Two (2) major sources of change that impact your overall risk:

A
  • Information Systems
  • Business
56
Q

Change Advisory Board (CAB) monitors (4)

A
  • Number of unauthorized changes
  • Average time to implement a change
  • Number of failed changes
  • Number of security incidents attributable to changes
57
Q

General Data Protection Regulation (GDPR) came into effect in May 2018

A

Any organization that stores or processes data belonging to a person from the European Union (EU)

58
Q

Risk Reporting
(3) Target Groups (People)

A
  • Executives (and board members)
  • Managers
  • Risk owners
59
Q

Typical Risk Maturity Model

A

Initial
Repeatable
Defined
Managed
Optimizing

60
Q

NIST SP 800 - 161

A

Supply Chain Risk Management Practices for Federal information systems and Organizations.

61
Q

3 Critical classes of requirements that should be included in a contractual agreement are

A
  • Data Protection - Proactive
  • Incident Response - Reactive
  • Verification means
62
Q

Supplier’s ability to comply with its contractual obligations:
External evaluation (standards like ISO)

A
  • ISO 27001 Certification
  • U.S. Department of Defense Cybersecurity Maturity Model Certification (CMMC)
  • Payment Card Industry Digital Security Standard (PCI DSS) Certification
  • Service Organization Control 1 (SOC1) or 2 (SOC2) report
  • U.S. Federal Risk and Authorization Management Program (FedRAMP)
63
Q

CIA Triad

A

Confidentiality
Integrity
Availability

64
Q

Due Diligence

A

Can be defined as doing everything within one’s power to prevent a bad thing from happening.

Prior Planning - Actions in Advance (Write Policies, Create Procedures, develop playbooks)

Means that the company properly investigated all of its possible weaknesses and vulnerabilities, AKA understanding the threats

65
Q

Due Care

A

What a prudent person or reasonable person would do.

  • Tactically and in the moment
  • What any reasonable security person would do in the moment
66
Q

Business Continuity (BCP)

A

Business Continuity is an organization’s ability to maintain business functions, or quickly resume them, in the event that risks are realized and result in disruption.

67
Q

Disaster Recovery (DR) is..

A
  • Disaster Recovery is the process of minimizing the effects of a disaster or major disruption.
  • DR is part of BC
68
Q

NIST 800-34

A

Contingency planning guide for Federal Information Systems

69
Q

BCP and BCM

A

Business Continuity Planning and Business Continuity Management

70
Q

BCP and BCM Steps

A
  • Continuity Policy
  • BIA
  • Identify Preventative Controls
  • Create Contingency Strategies
  • Develop BCP
  • Exercise, test, and drill
  • Maintain BCP
71
Q

BCM is Critical
Other standards-based organizations

A
  • ISO/IEC 27031:2011
  • ISO/IEC 22301:2019
  • Business Continuity Institute’s Good Practice Guidelines (GPG)
  • DRI International Institute’s Professional Practices for BCM
72
Q

BCP Should belong not to ___ but to ___

A
  • Not to the BCP team or its leader
  • but to a high-level executive manager, preferably a member of the executive board
73
Q

BCP Committee must identify the threats to the organization and map to the following 5 items

A
  • Maximum tolerable downtime and disruption for activities
  • Operational disruption and Productivity
  • Financial Considerations
  • Regulatory Responsibilities
  • Reputation
74
Q

Group that developed “Ten Commandments of Computer Ethics”

A

Computer Ethics Institute