Risk Management

Question 1

What is the CIA of Security?

Answer 1

Confidentiality, Integrity, Availability

Question 2

Which element of the CIA of Security is the goal of keeping data secret from anyone who doesn’t have the need or the right to access that data?

Answer 2

Confidentiality

Question 3

Which element of CIA of Security ensures the data and systems stays in an unaltered state when being transferred, received?

Answer 3

Integrity

Question 4

Which element of CIA of Security ensures that systems and data are available to users when needed?

Answer 4

Availability

Question 5

What is the act of keeping track of things that on such as who has been logging in, who has made changes to something, etc?

Answer 5

Auditing and Accountability

Question 6

A user can’t deny that they have performed a particular action

Answer 6

Non-Repudiation

Question 7

What are the people and organizations that actually do the attacks called?

Answer 7

Threat Actors

Question 8

Which threat actor is known for trivial attacks due to lack of knowledge?

Answer 8

Script Kiddies

Question 9

Which threat actor is motivated by intent to make a public social statement?

Answer 9

Hacktivist

Question 10

What is the motivation of Nation states and advanced persistent threat (APT) threat actors?

Answer 10

Intelligence

Question 11

Who is someone inside the company that has information to gain access that can be used as an attack?

Answer 11

Insider

Question 12

the potential to harm organizations, people, IT equipment, etc.

Answer 12

Risk

Question 13

Provides benefits to the organizations; equipment or people

Answer 13

Assets

Question 14

Weakness that allows an asset to be exploited

Answer 14

vulnerabilities

Question 15

A discovered action that exploits a vulnerability’s potential to do harm to an asset

Answer 15

threat

Question 16

What defines the level of certainty that something is going to happen?

Answer 16

Likelihood

Question 17

What is the actual harm caused by a threat?

Answer 17

Impact

Question 18

an outside party looks for vulnerabilities and reports it

Answer 18

Penetration (pen) testing

Question 19

effort to reduce impact of a risk

Answer 19

mitigation

Question 20

offload some of the likelihood and risk on a third party

Answer 20

risk transference

Question 21

reach a point where the likelihood and impact is so high that i simply don’t want to do deal with it

Answer 21

risk acceptance

Question 22

What is the workflow or methodology process that helps security professionals deal with risk management?

Answer 22

Framework

Question 23

What are two examples of a Risk management framework

Answer 23

NIST Risk Management Framework, ISACA Risk IT Framework

Question 24

What is the threshold value to verify expected throughput or action?

Answer 24

Benchmark

Question 25

manufacturers’ security guides to setup and review configurations

Answer 25

platform or security guide

Question 26

What is a general purpose guide in terms of risk assessment?

Answer 26

a list of security controls

Question 27

What are the three types of security controls?

Answer 27

Administrative (management), Technical, Physical

Question 28

What are some examples of Administrative security control?

Answer 28

laws, policies, guidelines, best practices

Question 29

What are some examples of Technical security control?

Answer 29

computer stuff, firewalls, password links, authentication, encryption

Question 30

What are some examples of Physical security control?

Answer 30

gates, guards, keys, man traps

Question 31

In terms of security control functions, what is a deterrent?

Answer 31

deters the actor from attempting the threat

Question 32

In terms of security control functions, what is a preventative?

Answer 32

deters the actor from performing the threat

Question 33

In terms of security control functions, what is a detective?

Answer 33

recognizes an actor’s threat

Question 34

In terms of security control functions, what is a corrective

Answer 34

mitigates the impact of a manifested threat

Question 35

In terms of security control functions, what is compensating?

Answer 35

provides alternative (usually temporary) fix

Question 36

How is mandatory vacation used a security control

Answer 36

requires individuals to take vacation; used to detect fraud and unauthorized activity

Question 37

how is job rotation used as a security control

Answer 37

periodically switching jobs prevents fraud and unauthorized activity

Question 38

How is multi-person control used as a security control

Answer 38

more than one person is required to do a job; allows for checks and balances of critical functions

Question 39

How is separation of duties used as a security control?

Answer 39

one person is not allowed to perform all duties. this is to prevent unauthorized activity

Question 40

users are only granted the privilege needed to perform their job (need to know) This prevents unauthorized access to information

Answer 40

principle of least privileged

Question 41

In terms of defense, repeating the same controls at various intervals

Answer 41

redundancy

Question 42

In terms of defense , use of variety of controls in a random pattern

Answer 42

diversity

Question 43

What are the types of sources for IT Security Governance?

Answer 43

Laws and regulations, standards, best practices, common sense

Question 44

defines how we are going to be doing something; broad in nature, used as directives, defines roles and responsibilities

Answer 44

Governance policy

Question 45

What defines what a person can or cannot do on company assets?

Answer 45

Acceptable use Policy

Question 46

Which policies defines how to get access to data or resources and what type of data users have access to?

Answer 46

Access Control Policies

Question 47

Which policy defines how you deal with passwords, password recovery, bad login, retention, reuse, etc.

Answer 47

Password policy

Question 48

Which policy defines how to maintain company equipment?

Answer 48

Care and Use of Equipment

Question 49

What policy defines how your data or data usage will be shared with other resources?

Answer 49

Privacy policies

Question 50

Which policy defines the people that are dealing with our data

Answer 50

Personnel Polices

Question 51

What are the sources that frameworks come from?

Answer 51

regulatory, non-regulatory, national standards, international standards, industry-specific frameworks

Question 52

What is the first go-to for IT security professionals who want to be able to understand to perform a risk management framework?

Answer 52

NIST SP800-37

Question 53

What are the NIST risk management steps?

Answer 53

Categorize, Select, Implement, Assess, Authorization, Monitor

Question 54

What is asset value?

Answer 54

the value of an asset + the cost of fixing the asset

Question 55

What is exposure value?

Answer 55

percentage of an asset that is lost as a result of an incident

Question 56

What is the formula for Single Loss Expectancy?

Answer 56

Asset Value * Exposure Factor

Question 57

What is annualized Rate of occurrence (ARO)?

Answer 57

in a given year, what are the chances of this particular instance taking place

Question 58

What is the formula for Annualized Loss Expectancy (ALE)?

Answer 58

Single Loss Expectancy (SLE) * Annualized rate of occurrence (ARO)

Question 59

What is mean time to repair?

Answer 59

time it takes to repair

Question 60

What is mean time to failure?

Answer 60

time it takes to fail (how long is it working)

Question 61

What is the mean time between the two failures?

Answer 61

The time in between two failures (MTTR+MTTF)

Question 62

What estimates the cost of loss of personal privacy or proprietary data?

Answer 62

Privacy Impact Assessment (PIA)

Question 63

What is the min time necessary to restore a critical system to operation?

Answer 63

Recovery Time Object (RTO)

Question 64

What is the max data that can be lost without substantial impact?

Answer 64

Recovery Point Object (RPO)

Question 65

What allows recipients of the data to know if or how the data can be shared?

Answer 65

Data sensitivity/labeling

Question 66

What is the owner in terms of data roles?

Answer 66

legally responsible for the data

Question 67

What is the steward/custodian in terms of data roles?

Answer 67

maintain the accuracy and integrity of data

Question 68

What is the privacy officer in terms of data roles?

Answer 68

ensures data adheres to privacy policies and procedures

Question 69

Which Data (user) role is assigned standard permissions to complete task?

Answer 69

User

Question 70

Which Data (user) role has increased access and control relative to a user?

Answer 70

Privileged user

Question 71

Which Data (user) role sets policies on data and incident response actions?

Answer 71

Executive user

Question 72

Which Data (user) role has complete control over the data or system?

Answer 72

System administrator

Question 73

Which Data (user) role has legal ownership and responsibility of data or system?

Answer 73

data owner/system owner

Question 74

Manufacturer and vendor guides provide what?

Answer 74

Setup suggestions

Question 75

a self-directed combination of administrative, physical, and technical controls is an example of..

Answer 75

defense in depth

Question 76

What describes the set of overarching rules that defines how an organization and its employees conduct themselves?

Answer 76

Governance