Risk Management

Question 1

What is the payback method of calculation in Risk Management ?

Answer 1

A calculation that simply compares the Annual Loss Expectancy against the expected savings from implementing that control

Question 2

What is NPV calculation when determining the ROI ?

Answer 2

It considers the cost of the money spent today against the savings that we might see tomorrow.
It uses a discount rate to place a value on money tomorrow it takes into account inflation, opportunity costs etc and each resourcing department has its own discount rate.

Question 3

What is Risk Acceptance ?

Answer 3

This occurs when it is not financially viable to tackle the risk - This is usually when the control is more expensive than the actual risk. It is not to be viewed as deliberately not taking action.

Often their are exceptions where the risk is acknowledged and is accepted as an exception. An exemption is like an exception but will need a more formal sign off.

Question 4

What is Risk Avoidance ?

Answer 4

This is where we put in place controls to avoid an identified risks from occurring.

Question 5

What is Risk Mitigation ?

Answer 5

This is where we reduce risks to an acceptable level

Question 6

What is Risk Transference ?

Answer 6

This is where a third party accepts the risk for us - an example is insurance

Question 7

What is a risk exception ?

Answer 7

Any risk that is created due to an exemption being granted or a failure to comply with corporate policy.

Question 8

What is inherent risk ?

Answer 8

The inherent risk facing an organisation is the original level of risk that exists before implementing any controls.

Question 9

What is residual risk ?

Answer 9

Is the risk left after controls have been implemented.

Question 10

What are key risk indicators ?

Answer 10

Metrics to measure and provide early warning for increasing levels of risk.

Question 11

What should be recorded in a risk register ?

Answer 11

Risk Owner
Risk Threshold Information
Key Risk Indicators

Question 12

What is Risk Appetite ?

Answer 12

Is the level of risk that is willing to be accepted as the cost of doing business

Appetites can be expansionary, neutral or conservative and they are indicative of the approach the organisation has as a whole to risk. Risk tolerance is the same idea but applied to individual items so it is possible to have a low risk appetite generally but a high risk tolerance on a particularly important asset. Tolerance is a measure on individual items.

Question 13

What is Risk Tolerance ?

Answer 13

The ability to withstand risk and maintain operations.

Question 14

What is a risk threshold ?

Answer 14

It is the level at which a risk becomes unacceptable

Question 15

What is TCO ?

Answer 15

The TCO is a consideration not just of the sticker price but also the other parts of the cost ownership model such as training, support and operations etc

TCO doesnt instantly save you money its savings are realised over time.

Question 16

What is SLE ?

Answer 16

This is the monetary cost of an event to an organisation

Question 17

What is ARO ?

Answer 17

This is the number of times a year an event occurs

Question 18

What is ALE ?

Answer 18

SLE * ARO

This represents the actual cost to the company and can be used to determine if a compensating control (brain://CxAaMrsZn0mt9AUMSW5jQQ/CompensatingControls) is worth it.

Question 19

What are the six types of loss ?

Answer 19

Cost of Repairs, Data Compromise, Data Loss, Loss of Productivity, Loss of Reputation, Loss of Revenue

Question 20

What is MTTR and MTBR

Answer 20

Mean Time Between Failure - BIA metric about the reliability of a system. It is the expected amount of time between failures.
Mean Time to Repair - BIA metric is the average amount of time to restore the system to its normal operating state after failure.

Question 21

What is a business partner agreement ?

Answer 21

Some organisations have business partners or organisations who have a vested interest in the success of the other. In addition to the nature of the business, the BPA should outline the roles and responsibilities of each organisation in the partnership. This could include items such as the controls that are in place between the partners, which organisation manages which services.

Question 22

What is a interoperability agreement ?

Answer 22

Binding agreements that are used during normal operations.

Question 23

What is a standard operating procedure ?

Answer 23

Developed to make sure that day-to-day functions are carried out in a way that is consistent with the policies we have in place. SOPs can be produced as evidence by the auditors to demonstrate the organisation is meeting requirements.

Question 24

What is common criteria standard ?

Answer 24

A set of standards in which computer system users can specify their security, functional and assurance requirements in a given system.

EALs - Is an assurance level on how secure a system is so windows gets a 4 with 7 being the highest.

Question 25

What is the Capability Maturity Model Integration standard ?

Answer 25

Focuses on processes and behaviours used during the development of software products and services within the organisation.
Categorises your organisation maturity level from 1 - 5.

Question 26

What is cloud security alliance trust assurance and risk ?

Answer 26

A public registry that documents the security and privacy controls provided by popular cloud computing offerings.

Question 27

What is the timeline for conducting internal and external audits ?

Answer 27

Quarterly for internal and Annually for external

Question 28

What thee forms can an external audit take ?

Answer 28

On site, document exchange, policy review

Question 29

What does the term de perimiterisation mean ?

Answer 29

Indicates the shifting nature of todays security permiter and why it may not be good enough to just think that security at the network perimeter is enough