Risk Management

Question 1

IRM

Answer 1

Information Risk Management - process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level

Question 2

Risk assessment

Answer 2

Method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls

Question 3

Cost / benefit Comparison

Answer 3

Compares the annualized cost of controls to the potential cost of loss

Question 4

Project Sizing

Answer 4

Understand what assets and threats should be evaluated

Question 5

Loss potential

Answer 5

What a company would lose if a threat agent actually exploited a vulnerability

Question 6

Delayed loss

Answer 6

Loss that occurs after the initial vulnerability is exploited

Question 7

NIST SP 800-30

Answer 7

Risk Management Guide for Information Technology Systems

Question 8

FRAP

Answer 8

Facilitated Risk Analysis Process - Focus on assessing one system at a time, only the most critical
- Based on experience and risk not quantified for expediency.

Question 9

OCTAVE

Answer 9

Operationally Critical Threat, Asset, and Vulnerability Evaluation - Carnegie Mellon methodology that allows people within an organization to make security evaluation decisions. Wider scope than FRAP.

Question 10

AS/NZS 4360

Answer 10

Broad approach to risk management encompassing financial, capital, human safety, and business decision risks. Business, not security, focused.

Question 11

ISO/IEC 27005

Answer 11

International standard for risk management in ISMS (Information Security Management System)

Question 12

FMEA

Answer 12

Failure Modes and Effect Analysis - method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process

Question 13

Fault tree analysis

Answer 13

Method used to identify possible failures that could occur in complex environments and systems

Question 14

CRAMM

Answer 14

Central Computing and Telecommunications Agency Risk Analysis and Management Method - risk analysis and management method developed in the UK and tools sold by Siemens

Question 15

Quantitative risk analysis

Answer 15

Assign monetary and numeric values to all elements of the risk analysis process

Question 16

Qualitative risk analysis

Answer 16

Softer approach to the data elements of risk analysis. Does not assign numerical values to risk elements.

Question 17

SLE

Answer 17

Single Loss Expectancy - dollar amount assigned to a single event that represents the company’s potential loss amount. SLE = Asset value x Exposure factor

Question 18

Exposure Factor

Answer 18

Represents the percentage of loss a threat could have on a certain asset.

Question 19

ALE

Answer 19

Annual Loss Expectancy

ALE = SLE x Annualized Rate of Occurrence (ARO)

Question 20

ARO

Answer 20

Annualized Rate of Occurrence

Value that estimates frequency of a specific threat taking place within a 12 month period.

Question 21

Uncertainty

Answer 21

Degree to which you lack confidence in an estimate

Question 22

Delphi Technique

Answer 22

A group decision method that uses anonymity to obtain a consensus.

Question 23

Cost / benefit analysis

Answer 23

“(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company”

Question 24

Residual Risk

Answer 24

Amount of risk left over when safeguards / countermeasures are implemented
(threats × vulnerability × asset value) × controls gap = residual risk
total risk – countermeasures = residual risk

Question 25

Total Risk

Answer 25

Risk a company faces if it chooses not to implement any safeguards
threats × vulnerability × asset value = total risk

Question 26

Transfer Risk

Answer 26

If total risk is too much for a company to deal with they may purchase insurance which transfers the risk

Question 27

Risk Avoidance

Answer 27

Remove risk by terminating the activity causing the risk

Question 28

Risk Mitigation

Answer 28

Risk reduced to level acceptable enough to continue doing business

Question 29

Accept Risk

Answer 29

Company understands level of risk and decides to live with it. Cost of countermeasure may outweigh potential loss value.

Question 30

Security Policy

Answer 30

Overall general statement by senior management that dictates role of security within organization

Question 31

Organizational Security Policy

Answer 31

Management establishes security program, goals, responsibilities, value, and enforcement.

Question 32

Issue-specific Policy

Answer 32

Functional Policy - Addresses specific security issues that need a more detailed explanation and approach

Question 33

System Specific Policy

Answer 33

Management’s policy decision regarding specific systems or machines, networks, applications, etc…

Question 34

Regulatory Policy

Answer 34

Policy ensures organization is following standards set by specific industry regulations

Question 35

Advisory Policy

Answer 35

Strongly advises employees as to which types of behaviors and activities should and should not take place within the organization

Question 36

Informative Policy

Answer 36

Informs employees on topics but not enforceable

Question 37

Standards

Answer 37

Mandatory activities, actions, or rules

Question 38

Baseline

Answer 38

Point in time that used as a comparison for future changes

Question 39

Guidelines

Answer 39

Recommended actions and operational guides to users / staff

Question 40

Procedure

Answer 40

Detailed step-by-step tasks that should be performed to achieve a certain goal

Question 41

Board of Directors

Answer 41

Group of individuals elected by shareholders of a corporation to oversee the fulfillment of the corporation’s charter

Question 42

Chief Executive Officer

Answer 42

Responsible for day-to-day management responsibilities of an organization

Question 43

Chief Financial Officer

Answer 43

Responsible for a corporation’s account and financial activities and the overall financial structure of the organization

Question 44

Chief Information Officer

Answer 44

Responsible for the strategic use and management of information systems and technology within organization

Question 45

Chief Privacy Officer

Answer 45

Responsible for ensuring that customer, company, and employee data are kept safe

Question 46

privacy impact analysis

Answer 46

Risk assessment from the perspective of protection of sensitive data

Question 47

Chief Security Officer

Answer 47

Responsible for understanding the risk a company faces and mitigating these risks to an acceptable level

Question 48

convergence

Answer 48

Formal cooperation between previously disjointed security functions

Question 49

security steering committee

Answer 49

Group responsible for making decisions on tactical and strategic security issues within the enterprise as a whole

Question 50

audit committee

Answer 50

Group appointed by the board of directors reviews and evaluates the company’s internal operations, internal audit system, and transparency and accuracy of financial reporting

Question 51

data owner

Answer 51

Usually a member of management who is ultimately responsible for the protection and use of a specific subset of information

Question 52

data custodian

Answer 52

responsible for maintaining and protecting the data

Question 53

system owner

Answer 53

responsible for one or more systems and the applicable security considerations

Question 54

security administrator

Answer 54

responsible for implementing and maintaining specific security network devices and software in the enterprise

Question 55

security analyst

Answer 55

works at a higher more strategic level than previous roles and helps develop policies, standards, and guidelines - design level

Question 56

application owner

Answer 56

typically business unit manager responsible for deciding access to their application, security, patching, change control

Question 57

change control analyst

Answer 57

responsible for approving or rejecting requests to make changes to the network, systems, or software

Question 58

data analyst

Answer 58

responsible for ensuring that data is stored in a way that makes the most sense for the company

Question 59

process owner

Answer 59

responsible for properly defining, improving upon, and monitoring a company’s business processes

Question 60

solution provider

Answer 60

vendor

Question 61

product line manager

Answer 61

evaluates different products in the market, works with vendors, understands different options a company can take, advises management on proper solutions needed to meet their goals

Question 62

auditor

Answer 62

ensures the organization complies with its own policies and the applicable laws and regulations

Question 63

separation of duties

Answer 63

makes sure that one individual cannot complete a critical task by themselves

Question 64

collusion

Answer 64

at least two people are working together to cause some type of destruction or fraud

Question 65

split knowledge

Answer 65

Type of separation of duty - no one person has the knowledge or the details to complete a task

Question 66

dual control

Answer 66

Type of separation of duty

Question 67

rotation of duties

Answer 67

rotate employees through a position to detect suspicious activity from the previous employee

Question 68

mandatory vacation

Answer 68

force employee to take a vacation to force rotation of duties

Question 69

security governance

Answer 69

framework that facilitates security implementation from senior management to communication to implementation to verification of results

Question 70

ISO / IEC 27004:2009

Answer 70

International standard used to assess the effectiveness of an ISMS

Question 71

NIST 800-55

Answer 71

publication covering performance measuring for information security

Question 72

Organizational tier

Answer 72

Risk concerned with the business as a whole

Question 73

Business Process Tier

Answer 73

Risk concerned with major functions of the organization

Question 74

Information Systems Tier

Answer 74

Risk concerned with information systems

Question 75

Risk Management Process

Answer 75

Frame risk, assess risk, respond to risk, monitor risk

Question 76

Threat modeling

Answer 76

Describing feasible adverse effects on our assets caused by threat sources