Risk Management

Question 1

Risk Categories (3)

Answer 1

Damage
Disclosure
Losses

Question 2

5 Risk Factors

Answer 2

Physical Damage
Malfunction
Attacks
Human Error
Application Error

Question 3

Security Policy Development
( 4 Steps)

Answer 3

1. Security Procedures
2. Security Guidelines
3. Security Baselines
4. Acceptance Use Policy

Question 4

Risk Planning
(In Organizational mgt level / number of years)

Answer 4

Strategic 5 yr
Tactical 1 yr
Operating MQ

Question 5

Response to Risk (6)

Answer 5

Acceptance
Mitigation
Assignment
Avoidance
Deterrence
Rejection

Question 6

Primary Risk Management Framework

Answer 6

NIST 800-37

Question 7

NIST 800-37 Steps

Answer 7

1. Prepare
2. Categorize
3. Security Control
4. Implement Security Control
5. Assess the Controls
6. Authorize the system
7. Monitor Security Control

Question 8

Types of Risk (3)

Answer 8

Residual
Inherent
Total

Question 9

Total Risk
Formula

Answer 9

Threats * Vulnerabilities * Asset Value

Question 10

Risk
Formula

Answer 10

Threat * Vulnerability

Question 11

Methodology of Risk Assessment - Examples such as NIST….,

Answer 11

NIST SP 800-30
OCTAVE
FRAP
FMEA
Fault Tree Analysis

Question 12

Risk Analysis Approach (2)

Answer 12

Quantitative Risk Analysis
Qualitative Risk Analysis

Question 13

Risk Management Process (4) Steps
(FARM)

Answer 13

Frame Risk
Assess Risk
Respond to Risk
Monitor

Question 14

Information Exhibits Vulnerabilities ( Data x 3)

Answer 14

Data at rest
Data in transit
Data in use

Question 15

TOC/TOU

Answer 15

Time-of-check to Time-of-use

Question 16

The Delphi Technique

Answer 16

Used in Qualitative Risk Analysis
Individual opinions taken in rounds

Question 17

Residual Risk

Answer 17

(Threats * vulnerability * asset value) * control gap

Residual risk = Total Risk - Countermeasures

Question 18

Value of safeguard to the organization
(Control Selection)
Formula

Answer 18

(ALE before implementing the safeguard) - (ALE after implementing the safeguard) - (Annual Cost of Safeguard)

Question 19

NIST SP 800-39
(Holistic Risk Management)

Answer 19

Managing Information Security Risk
Define 3 Tiers to Risk:
Tier 1 - Organization View
Tier 2 - Mission/ Business Process view
Tier 3 - Information system view

Question 20

Risk Analysis 4 Main Goals

Answer 20

• Identify assets and their value to the organization
• Determine the likelihood that a threat exploits a vulnerability
• Determine the business impact of these potential threats
• Provide an economic balance between the impact of the threat and the cost of the countermeasure

Question 21

Risk Management methodology

NIST SP 800-30

Answer 21

-Focus: Computer systems and IT issues.
- Does not cover large organizational threats
- Focus on operational component of an enterprise

Question 22

Risk Management Methodology
OCTAVE

Answer 22

• Operationally Critical Threat, Asset, and Vulnerability Evaluation methodology.
• 7 Processes
• Created by Carnegie Mellon University
• People manage and direct the risk evaluation for information security within an organization.
• Idea: People who work here knows and best understand the risks
  Facilitated workshops
• All systems, apps and processes within an organization

Question 23

Risk Management Methodology
FRAP

Answer 23

Facilitated Risk Analysis Process
By Thomas Peltier
Crux of this qualitative method focus only on the system that really need assessment to reduce cost
1 App 1 System at a time
Based on experience not numbers

Question 24

Risk Management Methodology
FMEA

Answer 24

• Failure Modes and Effect Analysis
• (Block diagrams)
• Function identifying functional failures assessing the cause of failure
• And the cause of the failure through structured process
• Mainly used in product development and operational environments
• Identifying single point of failure
• 5-steps

Question 25

Risk Management Methodology
Fault Tree Analysis

Answer 25

Accessing the Failure in most complex systems

Question 26

Quantitative Risk Analysis
Single Loss Expectancy (SLE) -Definition

Answer 26

SLE is a monetary value is assigned to single event that represents the organization’s potential loss amount

Question 27

Quantitative Risk Analysis
Annualized Loss Expectancy (ALE)

Answer 27

Annual effective amount that an organization should spend

Question 28

Quantitative Risk Analysis
Exposure Factor (EF)

Answer 28

Exposure Factor represents the percentage of a loss a realized threat could have on a certain asset

Question 29

Quantitative Risk Analysis
Annualized Rate of Occurrence (ARO)

Answer 29

ARO is a value represents the estimated frequency of a specific threat taking place within 12- month timeframe

Question 30

Quantitative Risk Analysis
SLE (Single Loss Expectancy) Formula

Answer 30

Asset Value x Exposure Factor (EF) = Single Loss Expectancy

Question 31

Quantitative Risk Analysis
ALE (Annualized Loss Expectancy) Formula

Answer 31

SLE x Annualized Rate of Occurrence (ARO) = ALE

Question 32

Three main categories of control

Answer 32

Administrative
Technical
Physical

Question 33

Administrative Control commonly Referred

Answer 33

Soft Controls

Question 34

Technical Control also called as

Answer 34

Logical Control

Question 35

Examples of Administrative Controls

Answer 35

Security Documentation
Risk management
Personnel Security
And Training

Question 36

Examples of Technical Controls

Answer 36

Software or
Hardware Components
(Firewalls, IDS, and identification and authentication mechanisms)

Question 37

Examples of Physical Controls

Answer 37

Security Guards
Locks
Fencing
Lightning

Question 38

Defence-in-depth

Answer 38

Which is the coordinated use of multiple security controls in a layered approach

Question 39

(6) Different types of Security Controls

Answer 39

Preventative
Detective
Corrective
Deterrent
Recovery
Compensating

Question 40

Preventative Control Type
(Definition)

Answer 40

Intended to avoid an incident from occurring

Question 41

Detective Control Type
(Definition)

Answer 41

Helps identify an incident’s activities and potentially an intruder

Question 42

Corrective Control Type
(Definition)

Answer 42

Fixes components or systems after an incident has occurred

Question 43

Deterrent Control Type
(Definition)

Answer 43

Intended to discourage a potential attacker

Question 44

Recovery Control Type
(Definition)

Answer 44

Intended to bring the environment back to regular operations

Question 45

Compensating Control Type
(Definition)

Answer 45

Provides an alternative measure of control

Question 46

Preventative: Administrative

Answer 46

Policies and procedures
Effective hiring practices
Pre-employment background checks
Controlled termination processes
Data classification and labeling
Security awareness

Question 47

Preventative:Physical

Answer 47

Badges, Swipe cards
Guard, dogs
Fences, locks, mantraps

Question 48

Preventative:Technical
Examples

Answer 48

Passwords, biometrics, smart cards
Encryption, secure protocols, call-back systems, database views, constrained user interfaces
Administrative software, access control lists, firewalls, IPS

Question 49

What is a Control Assessment?

Answer 49

A Control Assessment is an evaluation of one or more controls to determine the extent to which they are:
- implemented correctly,
- operating as intended,
- and producing the desired outcome.

Question 50

Verification vs. Validation

Answer 50

Verification: did we implement the control right?
Validation: did we implement the right control

Question 51

Risk Monitoring is (3 things)

Answer 51

The ongoing process of
- adding new risks,
- reevaluating existing ones,
- removing moot ones,
- and continuously assessing the effectiveness of our controls at mitigating all risks to tolerable levels.

Question 52

Risk Monitoring should focus on 3 key areas

Answer 52

Effectiveness
Change
Compliance

Question 53

EDR stands for

Answer 53

Endpoint Detection and Response

Question 54

Threat Working Group (TWG)
Part of Risk monitoring

Answer 54

Which consists of members of all major part of organization, meeting regularly to review the list of risks (risk registry)

Question 55

Two (2) major sources of change impact your overall risk:

Answer 55

• Information Systems
• Business

Question 56

Change Advisory Board (CAB) monitors (4)

Answer 56

• Number of unauthorized changes
• Average time to implement a change
• Number of failed changes
• Number of security incidents attributable to changes

Question 57

General Data Protection Regulation (GDPR) came into effect in May 2018

Answer 57

Any organization that stores or processes data belonging to a person from the European Union (EU)

Question 58

Risk Reporting
(3) Target Groups (People)

Answer 58

• Executives (and board members)
• Managers
• Risk owners

Question 59

Typical Risk Maturity Model

Answer 59

Initial
Repeatable
Defined
Managed
Optimizing

Question 60

NIST SP 800 - 161

Answer 60

Supply Chain Risk Management Practices for Federal information systems and Organizations.

Question 61

3 Critical classes of requirements that should be included in a contractual agreement are

Answer 61

• Data Protection - Proactive
• Incident Response - Reactive
• Verification means

Question 62

Suppliers ability to comply with is Contractual obligation.
External Evaluation (Standards like ISO )

Answer 62

• ISO 27001 Certification
• U.S. Department of Defence CyberSecurity maturity model certification (CMMC)
• Payment Card Industry Digital Security Standard (PCI DSS) Certification
• Service Organization Control 1 (SOC1) or 2 (SOC2) report
• U.S. Federal Risk and Authorization Management Program (FedRAMP)

Question 63

CIA Triad

Answer 63

Confidentiality
Integrity
Availability

Question 64

Due Diligence

Answer 64

Can be defined as doing everything within one’s power to prevent a bad thing from happening.

Prior Planning - Actions in Advance (Write Policies, Create Procedures, develop playbooks)

Means that company properly investigated all of its possibly weaknesses and vulnerabilities AKA understanding the threats

Question 65

Due Care

Answer 65

A Prudent person or reasonable person would do.

• Tactically and in the moment
• any reasonable security person would do in the moment

Question 66

Business Continuity (BCP)

Answer 66

Business Continuity is an organization’s ability maintain business functions or quickly resume them in the event that risks are realized and result in disruption.

Question 67

Disaster Recovery (DR) is..

Answer 67

• Disaster Recovery is the process of minimizing the effects of a disaster or major disruption.
• DR is part of BC

Question 68

NIST 800-34

Answer 68

Contingency planning guide for Federal Information Systems

Question 69

BCP and BCM

Answer 69

Business Continuity Planning and Business Continuity Management

Question 70

BCP and BCM Steps

Answer 70

• Continuity Policy
• BIA
• Identify Preventative Controls
• Create Contingency Strategies
• Develop BCP
• Exercise, test, and drill
• Maintain BCP

Question 71

BCM is Critical
Other standards-based organizations

Answer 71

• ISO/IEC 27031:2011
• ISO/IEC 22301:2019
• Business Continuity institute’s Good Practice Guidelines (GPG)
• DRI International Institute’s Professional Practices for BCM

Question 72

BCP Should belong not to ___ but to ___

Answer 72

• Not to BCP Team or its Leader
• but to high-Level Executive Manager, Preferably member of executive board

Question 73

BCP Committee must identify the threats to the organization and map to the following 5 items

Answer 73

• Maximum tolerable downtime and disruption for activities
• Operational disruption and Productivity
• Financial Considerations
• Regulatory Responsibilities
• Reputation

Question 74

Group that developed “Ten Commandments of Computer Ethics”

Answer 74

Computer Ethics Institute