Risk Management

Question 1

Threat

Answer 1

is a potentially harmful occurrence, such as an earthquake, a power outage, or a network-based worm such as the Conficker worm

Question 2

Risk =

Answer 2

Threat x vulnerability x impact

A synonym for impact is consequences.

• defined as the likelihood of occurrence of threat and the corresponding loss potential.
• Risk is the probability of a threat agent to exploit vulnerability.

Question 3

The goal of the Analysis Matrix is

Answer 3

to identify high-likelihood/high-consequence risks.

an example of Qualitative Risk Analysis

Question 4

Exposure Factor (EF)

Answer 4

is the percentage of value an asset lost due to an incident.

Question 5

Single Loss Expectancy (SLE) is

Answer 5

SLE = Asset Value x Exposure Factor

Question 6

Total Cost of Ownership (TCO) is

Answer 6

the total cost of a mitigating safeguard.

combines upfront costs (often a one-time capital expense) plus annual cost of maintenance,
including staff hours, vendor maintenance fees, software subscriptions, etc.

Question 7

Annualized Loss Expectancy (ALE)

Answer 7

SLE x ARO Cost of losses per tear

Question 8

Return on Investment (ROI)

Answer 8

is the amount of money saved by implementing a safeguard.

Question 9

All policy should contain these basic components:

Answer 9

• Purpose - describes the need for the policy, typically to protect the C.I.A.
• Scope - describes what systems, people, facilities, and organizations are covered by the policy.
• Responsibilities - responsibilities of information security staff, policy and management teams, and all members of the organization.
• Compliance - how to judge the effectiveness of the
policies (how well they are working) and what happens when policy is violated (the sanction).

Question 10

A progressive discipline for employee termination

Answer 10

• Coaching
• Formal discussion
• Verbal warning meeting, with Human Resources attendance (perhaps multiple warnings)
• Written warning meeting, with Human Resources attendance (perhaps multiple warnings)
• Termination

Question 11

Quantitative is more

Answer 11

objective

Question 12

qualitative is more

Answer 12

subjective

Question 13

Which methodology name is the stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation, a risk management framework

Answer 13

OCTAVE
o Phase 1 identifies staff knowledge, assets, and threats.
o Phase 2 identifies vulnerabilities and evaluates safeguards.
o Phase 3 conducts the Risk Analysis and develops the risk mitigation strategy.

Question 14

What is the name of the methodology which focuses on the standardization and certification of an organization’s information security management system (ISMS).

Answer 14

ISO 27001

Question 15

Who describes information security best practices (Techniques or code of practices).

Answer 15

ISO27002

Question 16

Who is an international standard for how Risk Management should be carried out in the framework of an ISMS (Information Security Management standard).

Answer 16

27005

Question 17

Who is the control framework for employing information security governance best practices and focuses more on operational goals.

Answer 17

COBIT has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Control Objectives for Information and related

There are 34 IT processes across these four domains.

Question 18

COSO framework

Committee of Sponsoring Organizations of the Treadway Commission)

Answer 18

providing leadership with frameworks and guidance on enterprise risk management, internal control and fraud deterrence

It acts as a model for corporate governance and focuses more on strategic goals.

Question 19

Explores qualitative risk assessment, which makes a base assumption that a slight risk assessment is the most efficient way to determine risk in a system, business segment, application or process.

Answer 19

Facilitated Risk Analysis Process (FRAP)

It allows organizations to prescreen applications, systems, or other subjects to determine if a risk analysis is needed to concentrate on subjects that truly need a formal risk analysis.

Question 20

A method for determining failures, identifying functional failures and assessing the causes of failure and their effects through structured process.

Answer 20

Failure Mode and Effect Analysis (FMEA)

It helps to determine where exactly failure is most likely to occur.

Question 21

Spanning tree analysis

Answer 21

“creates a ‘tree’ of all possible threats to or faults of the system.

Question 22

A theoretically based, quantitative measure of information security risk.

Answer 22

VAR (Value at Risk)

By using VAR the best possible balance between risk and cost of implementing security controls can be achieved.

Question 23

identifies the importance of choosing the best methodology based on the goals of the organization.

Answer 23

Security Officers Management and Analysis Project (SOMAP)

Question 24

Risk analysis has three main goals

Answer 24

identify risks,
quantify the impact of potential threats, and
provide an economic balance between the impact of the risk and the cost of the associated countermeasure.

Choosing the best countermeasure is not part of the risk analysis.

Question 25

Which security framework acts as a model for corporate governance and focuses more on strategic goals?

Answer 25

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Question 26

What is an exposure?

Answer 26

an instance of being exposed to losses from a threat

Question 27

What is the primary concern of procedural security?

Answer 27

to ensure the integrity of business information

Question 28

Which security framework acts as a model for IT governance and focuses more on operational goals?

Answer 28

Control Objectives for Information and related Technology (CobiT)

Question 29

Who has the final responsibility for the preservation of the organization’s information?

Answer 29

senior management

Question 30

What is the responsibility of the information security officer?

Answer 30

to oversee the day-to-day security administration

Question 31

For which functions are security administrators responsible?

Answer 31

user account creation, initial password creation, security configuration, permission configuration, security software implementation, security patches, and components testing

Question 32

What is the term for the process of identifying information assets and their associated threats, vulnerabilities, and potential risks?

Answer 32

risk analysis

Question 33

Which component of a computer use policy indicates that data stored on a company computer is not guaranteed to remain confidential?

Answer 33

a no expectation of privacy policy

Question 34

Which formula is used to calculate total risk?

Answer 34

total risk = threats x vulnerabilities x asset value

Residual risk: (Threats × vulnerability × asset value) × controls gap

Question 35

Which risk response strategy involves modifying the security plan to eliminate the risk or its impact?

Answer 35

avoidance

Question 36

What are the four steps in information classification?

Answer 36

1) Specify the classification criteria.
2) Classify the data.
3) Specify the controls.
4) Publicize awareness of the classification controls.

Question 37

Which security control type includes rotation of duties?

Answer 37

detective administrative controls

Question 38

What is retention time?

Answer 38

the amount of time a tape is stored before its data is overwritten

Question 39

Enterprise security architecture

Answer 39

a subset of business architecture and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment.

Question 40

used to identify defects in processes so that the processes can be improved upon.

Answer 40

Six sigma

Question 41

Delphi technique

Answer 41

a group decision method where each group member can communicate anonymously.

Question 42

When choosing the right safeguard to reduce a specific risk. you need to consider the following?

Answer 42

cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.

Question 43

Split knowledge and dual control are two aspects of

Answer 43

separation of duties.

Question 44

Need-to-know is NOT part of

Answer 44

NOT part of the rule of integrity. It is part of confidentiality requirements.

Question 45

Compartmentalization completes

Answer 45

the least privilege picture, which is the process of separating groups of people and information such that each group is isolated from the others and information does not flow between groups.

“Compartmentalization, a method for enforcing need to know.”

Question 46

Rotation of duties helps mitigate

Answer 46

collusion, where two or more people work to subvert the security of a system.

can also mitigate fraud

Question 47

Mandatory leave is what type of control control

Answer 47

detection and deterrence of fraud. Closely related to rotation of duties.

Question 48

Separation reduces what?

Answer 48

separation reduces the “chances of errors or fraudulent acts

Question 49

ISO17799 was renamed to

Answer 49

ISO27000

Question 50

Job rotation can help to mitigate

Answer 50

Collusion

Question 51

Which one acts as a deterent for possible fraud?

Answer 51

job rotation

Question 52

what type of control Nondisclosure agreement (NDA) is considered?

Answer 52

directive control