Risk Management Flashcards
Threat
is a potentially harmful occurrence, such as an earthquake, a power outage, or a network-based worm such as the Conficker worm
Risk =
Threat x vulnerability x impact
A synonym for impact is consequences.
- defined as the likelihood of occurrence of threat and the corresponding loss potential.
- Risk is the probability that a threat agent will exploit a vulnerability.
The goal of the Analysis Matrix is
to identify high-likelihood/high-consequence risks.
An example of qualitative risk analysis.
Exposure Factor (EF)
is the percentage of an asset's value lost due to an incident.
Single Loss Expectancy (SLE) is
SLE = Asset Value x Exposure Factor
Total Cost of Ownership (TCO) is
the total cost of a mitigating safeguard.
combines upfront costs (often a one-time capital expense) plus annual cost of maintenance,
including staff hours, vendor maintenance fees, software subscriptions, etc.
Annualized Loss Expectancy (ALE)
ALE = SLE x ARO (Annualized Rate of Occurrence); the cost of losses per year.
Return on Investment (ROI)
is the amount of money saved by implementing a safeguard.
All policy should contain these basic components:
• Purpose - describes the need for the policy, typically to protect the C.I.A.
• Scope - describes what systems, people, facilities, and organizations are covered by the policy.
• Responsibilities - responsibilities of information security staff, policy and management teams, and all members of the organization.
• Compliance - how to judge the effectiveness of the policies (how well they are working) and what happens when policy is violated (the sanction).
A progressive discipline for employee termination
- Coaching
- Formal discussion
- Verbal warning meeting, with Human Resources attendance (perhaps multiple warnings)
- Written warning meeting, with Human Resources attendance (perhaps multiple warnings)
- Termination
Quantitative is more
objective
qualitative is more
subjective
Which methodology's name stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation, a risk management framework?
OCTAVE
o Phase 1 identifies staff knowledge, assets, and threats.
o Phase 2 identifies vulnerabilities and evaluates safeguards.
o Phase 3 conducts the Risk Analysis and develops the risk mitigation strategy.
What is the name of the methodology which focuses on the standardization and certification of an organization's information security management system (ISMS)?
ISO 27001
Which standard describes information security best practices (a code of practice)?
ISO27002
Which international standard describes how risk management should be carried out in the framework of an ISMS (information security management system)?
ISO 27005
Which control framework is used for employing information security governance best practices and focuses more on operational goals?
COBIT (Control Objectives for Information and related Technology)
COBIT has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
There are 34 IT processes across these four domains.
COSO framework (Committee of Sponsoring Organizations of the Treadway Commission)
Provides leadership with frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
It acts as a model for corporate governance and focuses more on strategic goals.
A process that uses qualitative risk assessment, starting from the base assumption that a simplified risk assessment is the most efficient way to determine risk in a system, business segment, application or process.
Facilitated Risk Analysis Process (FRAP)
It allows organizations to prescreen applications, systems, or other subjects to determine if a risk analysis is needed to concentrate on subjects that truly need a formal risk analysis.
A method for determining failures, identifying functional failures and assessing the causes of failure and their effects through a structured process.
Failure Mode and Effect Analysis (FMEA)
It helps to determine where exactly failure is most likely to occur.
Spanning tree analysis
Creates a "tree" of all possible threats to or faults of the system.
A theoretically based, quantitative measure of information security risk.
VAR (Value at Risk)
By using VAR the best possible balance between risk and cost of implementing security controls can be achieved.
Identifies the importance of choosing the best methodology based on the goals of the organization.
Security Officers Management and Analysis Project (SOMAP)
Risk analysis has three main goals
identify risks,
quantify the impact of potential threats, and
provide an economic balance between the impact of the risk and the cost of the associated countermeasure.
Choosing the best countermeasure is not part of the risk analysis.
Which security framework acts as a model for corporate governance and focuses more on strategic goals?
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
What is an exposure?
an instance of being exposed to losses from a threat
What is the primary concern of procedural security?
to ensure the integrity of business information
Which security framework acts as a model for IT governance and focuses more on operational goals?
Control Objectives for Information and related Technology (CobiT)
Who has the final responsibility for the preservation of the organization’s information?
senior management
What is the responsibility of the information security officer?
to oversee the day-to-day security administration
For which functions are security administrators responsible?
user account creation, initial password creation, security configuration, permission configuration, security software implementation, security patches, and components testing
What is the term for the process of identifying information assets and their associated threats, vulnerabilities, and potential risks?
risk analysis
Which component of a computer use policy indicates that data stored on a company computer is not guaranteed to remain confidential?
a no expectation of privacy policy
Which formula is used to calculate total risk?
total risk = threats x vulnerabilities x asset value
Residual risk: (Threats × vulnerability × asset value) × controls gap
Which risk response strategy involves modifying the security plan to eliminate the risk or its impact?
avoidance
What are the four steps in information classification?
1) Specify the classification criteria.
2) Classify the data.
3) Specify the controls.
4) Publicize awareness of the classification controls.
Which security control type includes rotation of duties?
detective administrative controls
What is retention time?
the amount of time a tape is stored before its data is overwritten
Enterprise security architecture
a subset of business architecture and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment.
Used to identify defects in processes so that the processes can be improved upon.
Six sigma
Delphi technique
a group decision method where each group member can communicate anonymously.
When choosing the right safeguard to reduce a specific risk, what do you need to consider?
Cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.
Split knowledge and dual control are two aspects of
separation of duties.
Need-to-know is NOT part of
the rule of integrity; it is part of confidentiality requirements.
Compartmentalization completes
the least privilege picture, which is the process of separating groups of people and information such that each group is isolated from the others and information does not flow between groups.
“Compartmentalization, a method for enforcing need to know.”
Rotation of duties helps mitigate
collusion, where two or more people work to subvert the security of a system.
It can also mitigate fraud.
Mandatory leave is what type of control?
Detection and deterrence of fraud; closely related to rotation of duties.
Separation reduces what?
Separation reduces the "chances of errors or fraudulent acts".
ISO17799 was renamed to
ISO27000
Job rotation can help to mitigate
Collusion
Which one acts as a deterrent for possible fraud?
job rotation
What type of control is a nondisclosure agreement (NDA) considered?
directive control