Risk Management

Question 1

First Part of a risk assessment

Answer 1

Establishing the context - determine basic parameters and identity assets. Explores political and social enviroment in how the organisation operates. Provides baseline for organisations risk exposure. Senior management defines risk apetite and the acceptable level of risk. The last component of the first step is asset identification.

Question 2

Threat Identification

Answer 2

A threat is is anything that might hinder or prevent an asset from providing appropriate levels of the key security services

Question 3

Threat Sources

Answer 3

Natural acts of god, man made, accidental or deliberate.

Question 4

How do you evaluate human threat sources

Answer 4

Motivation, capability, resources, probability, deterence. Previous expierence of attacks needs to be considered.

Question 5

Vulnerability identification

Answer 5

Identify exploitable flaws in organisation. Determines applicability and significance of threat.
Need a combination of threat and vulnerability to create a risk. Outcome should be a list of threats and vulnerabilities with a brief description of how and why they might occur.

Question 6

Analyse risks

Answer 6

Specify liklihood of occurance of each identified threat . specify concequence should threat occur. Derive overall risk rating to each threat.

Question 7

Risk Formula

Answer 7

Risk = Probability threat occurs x Cost to Organisation

Question 8

Qualatative or Quantatative ratings?

Answer 8

Qualatative, as it is hard to determine accurate probabilities and realistic cost concequence

Question 9

Security Controls

Answer 9

Management, Operational, Technical

Question 10

Management

Answer 10

These are security methods and policies put in place to manage the user and the system’s behavior.

Question 11

Operational

Answer 11

These controls are implemented by people (as opposed to systems) and are designed to improve the security and integrity of information.

Question 12

Technical

Answer 12

Also known as logical controls, these are safeguards incorporated into computer hardware, software, and firmware that mitigate access to systems and information.

Question 13

Risk Liklihood

Answer 13

Rare (1), Unlikely (2), Possible (3), Likely (4), Almost Certain (5)

Question 14

Risk Concequences

Answer 14

Insignificant (1), Minor (2), Moderate (3), Major (4), Catastrophic (5), Doomsday (6)

Question 15

Risk Level

Answer 15

Extreme, High, Medium, Low

Question 16

Risk Register

Answer 16

Results of risk analysis should be documented. Risks are sorted in decreasing level of order.
Aim of documentation is to provide management with the info to make decisions. Provides evidence a formal risk assessment has been conducted.
Headings are the following: Asset, Threat/Vulnerability, Existing Controls, Liklihood, Concequence, Level of Risk, Risk Priority

Question 17

Judgement about risk treatment

Answer 17

Usually risks with higher ratings need action more urgently. however some risks are cheaper, easier and faster to address. Some risks with lower levels should be treated ahead of higher risks based on cost/technicality.

Question 18

Risk Treatment alternatives

Answer 18

Risk Acceptance
Risk Avoidance
Risk Transfer
Reduce Concequence
Reduce Liklihood

Question 19

Risk Acceptance

Answer 19

Choosing to accept risk levels greater than normal for business reasons

Question 20

Risk Avoidance

Answer 20

Not proceeding with an activity or system which creates risk at the cost of convinience or ability

Question 21

Risk Transfer

Answer 21

Sharing responsiblity of risk with a third party

Question 22

Reduce Concequence

Answer 22

Modifying structure or use of asset to reduce impact

Question 23

Reduce Liklihood

Answer 23

implement controls to reduce chance of vulernability being exploited.