Risk Management Flashcards

1
Q

What is the order of tasks in the risk assessment process according to ISO 27005?

A
  1. Risk identification
  2. Risk estimation
  3. Risk evaluation
2
Q

Which elements are identified in the process step of risk identification?

A

Vulnerabilities
Assets
Threats
Existing controls

3
Q

Basis for assessing risk

A

Know the assets: identify and understand the value of information assets and systems.
Know the threats: identify and understand relevant threat scenarios which can harm information assets and systems.
Know the vulnerabilities which can be exploited by threats.
Know the potential impacts of incidents.
Know which stakeholders in the organisation are responsible for managing the identified risks.

4
Q

Roles involved in risk management

A
  • Management, users, and information technology must all work together
  • Asset owners must participate in developing asset inventory
  • Users and experts must assist in identifying threats and vulnerabilities, and in determining likelihoods of incidents
  • Risk management experts must guide stakeholders through the risk assessment process
  • Security experts must assist in selecting security controls
  • Management must review the risk management process and approve risk management strategy (security controls)
5
Q

Risk Management

A

Risk management is an essential element of an ISMS

  • Used to identify risks and their magnitude
  • Basis for selecting security controls
  • Tool for top management to understand organization’s risk exposure
6
Q

Threat Modelling

A
  • Threat modelling is the process of identifying, analysing and describing relevant threat scenarios.
  • Unimportant/irrelevant threat scenarios can be ignored.
  • Examine how each relevant threat scenario can be executed against the organization’s assets.
  • The threat modelling process works best when people with diverse backgrounds within the organization work together in a series of brainstorming sessions.
  • Threat modelling is important during system development
  • Used to identify, remove and avoid vulnerabilities when developing software and systems.
  • Multiple approaches/methods for threat modelling
7
Q

Threat Modelling Methods

A

Attacker centric:
- Starts from the attackers, evaluates their goals, and how they might achieve them through an attack tree. Usually starts from entry points or an attacker action.

System centric (a.k.a. software-, design- or architecture-centric):
- Starts from a model of the system, and attempts to follow the model's dynamics and logic, looking for types of attacks against each element of the model. This approach is e.g. used for threat modelling in Microsoft's Security Development Lifecycle.

Asset centric:
- Starts from assets entrusted to a system, such as a collection of sensitive personal information, and attempts to identify how security breaches of CIA properties can happen.

8
Q

Vulnerability Identification

A

Vulnerabilities are specific opportunities that threat actors can exploit to attack systems and information assets.

Generic vulnerability identification:

  • To identify a vulnerability is the same as to determine how to block a specific threat scenario.
  • Removing a vulnerability is the same as blocking a threat.
  • A vulnerability is the absence of barriers against a threat.
  • Blocking a threat (i.e. removing a vulnerability) is done with a security control.
  • Tool based and checklist based vulnerability identification
  • Vulnerability scanners are automated tools to detect known vulnerabilities in networks and systems, e.g. Wireshark
  • Check lists of vulnerabilities are used by teams when doing risk assessment and removing vulnerabilities, e.g. OWASP Top 10.
9
Q

The misnomer "ROS analysis"

A
  • ROS analysis = "Risiko og sårbarhetsanalyse" (risk and vulnerability analysis)
  • The term "vulnerability" as part of ROS analysis means "the combination of the probability of an event and its consequence", which is actually the same as risk.
  • This definition of "vulnerability" originates from the reports of the "Sårbarhetsutvalget" in 2000 and the "Lysneutvalget" in 2015.
  • With this definition, vulnerability = risk, and "vulnerability analysis" becomes the same as risk analysis.
  • The term ROS analysis is often used in Norwegian, and is in fact a uniquely Norwegian term.
  • The term ROS analysis and its definition of "vulnerability" can create confusion, and should be avoided.
10
Q

Estimating Risk levels

A

Qualitative:
Uses descriptive scales. Example:
Impact level: Minor, moderate, major, catastrophic
Likelihood: Rare, unlikely, possible, likely, almost certain

Relative:
Relative numerical values assigned to qualitative scales
Gives relatively good distribution of risk levels

Quantitative:
Uses numerical values for both consequence and likelihood (e.g. probability)

11
Q

Exposure Factor (EF)

A

Percentage of asset loss caused by threat occurrence

A quantitative risk estimation

12
Q

Single loss expectancy (SLE)

A

SLE = AV × EF, where AV is the asset value and EF is the exposure factor (percentage of asset loss caused by threat occurrence)

(A quantitative risk estimation)

13
Q

Annualized Rate of Occurrence (ARO)

A

Estimated frequency a threat will occur within a year.

A quantitative risk estimation

14
Q

Annualised Loss Expectancy (ALE)

A

ALE = SLE × ARO

A quantitative risk estimation

15
Q

Asset value (AV)

A

Estimated total value of asset

A quantitative risk estimation

16
Q

Problems of measuring risk

A

Businesses normally wish to measure risk in money, but it is almost impossible to do this.

Valuation of assets:

  • Value of data, hard to assess
  • Value of goodwill and customer confidence, very vague

Likelihood of incidents:

  • Past events not always relevant for future probabilities
  • The nature of future attacks is unpredictable
  • The actions of future attackers are unpredictable

Measurement of benefit from security control:

  • Problems with the difference of two approximate quantities
  • Estimation of past and present risk
17
Q

Risk control strategies

A

After completing the risk assessment, the security team must choose one of four strategies to control each risk:

  1. Reduce risk by implementing security controls
  2. Share/transfer risk (outsource activity that causes risk, or buy insurance)
  3. Retain risk (understand and tolerate potential consequences)
  4. Avoid risk (stop activity that causes risk)
18
Q

Business Continuity Management

A

Procedures for the recovery of an organization’s facilities in case of major incidents and disasters, so that the organization will be able to either maintain or quickly resume mission critical functions.

BCM standards:

  • ISO 27031 Guidelines for ICT readiness for business continuity
  • NIST SP 800-34 Contingency Planning Guide for Federal Information Systems
19
Q

The range of incidents to be considered in the BCM standard

A

Acts of nature, for example:

  • Excessive weather conditions
  • Earthquake
  • Flood
  • Fire

Human acts (inadvertent or deliberate), for example:

  • Hacker activity
  • Mistakes by operating staff
  • Theft
  • Fraud
  • Vandalism
  • Terrorism
20
Q

The business continuity plan describes:

A

A sequence of actions and the parties responsible for carrying them out in response to disasters in order to restore normal business operations as quickly as possible

21
Q

BCP terminology

A

Business Continuity Plan:
- Plan for restoring normal business functions after disruption

Business Contingency Plan:

  • Same as Business Continuity Plan
  • Contingency means something unpredictable that can happen

Disaster Recovery:

  • Reestablishment of business functions after a disaster, possibly in temporary facilities
  • Requires a BCP

Business Continuity Management:

  • Denotes the management of Business Continuity
  • Includes the establishment of a BCP
  • ICT Readiness for Business Continuity (IRBC) (term used in ISO 27031)
22
Q

Security Strategies

A

Ask What, Why, How, Who, Where, When?

Contextual, conceptual, logical, physical, component, operational.
(CISSP, p. 28)

23
Q

ISO/IEC 27000 series

A

ISO/IEC 27000 series: international standards on how to develop and maintain an ISMS, developed by ISO and IEC. (CISSP, p. 15)

A Security Program

A framework made up of many entities: logical, administrative and physical protection mechanisms; procedures; business processes; and people that all work together to provide a protection level for the environment.

Because a security program is a framework, organizations are free to plug in different types of technologies, methods and procedures to accomplish the necessary protection level for their environment.

24
Q

Threat

A

A scenario of steps or procedures, controlled or triggered by a threat actor, which can negatively affect the victim’s information assets.

25
Q

Vulnerability

A

The absence of security controls to stop a threat scenario

26
Q

CIA

A

Often referred to as the AIC triad.

The CIA properties of an asset are the security objectives for that data, protected by information security: Confidentiality, Integrity, Availability.

27
Q

Determining the level of a specific risk

A
  1. Likelihood/frequency of each type of incident.
  2. Impact on assets (loss) resulting from each type of incident.

Each specific risk results from a threat scenario that can affect specific assets. Motivation, capacity, vulnerabilities, and impact determine the risk level for that specific risk.

28
Q

Risk defined by ISO 31000, ISO 27005

A

“Risk management consists of coordinated activities to direct and control an organization with regard to risk” - ISO 31000

“IS management analyses what can happen and what the possible consequences can be, before deciding what should be done and when, to reduce the risk to an acceptable level” - ISO 27005

29
Q

BIA: Business Impact Analysis

A

A Business Impact Analysis (BIA) is performed as part of the BCP development to identify the functions that, in the event of a disaster or disruption, would cause the greatest financial or operational loss.

Consider e.g.:

  • IT network support
  • Data processing
  • Accounting
  • Software development
  • Payroll
  • Customer support
  • Order entry
  • Production scheduling
  • Purchasing
  • Communications
30
Q

MTD: Maximum tolerable downtimes

A
Non-essential = 30 days
Normal = 7 days
Important = 72 hours
Urgent = 24 hours
Critical = minutes to hours
31
Q

BCP testing

A

Checklist test:
- Copies of the BCP distributed to departments for review

Structured walk-through test:
- Representatives from each department come together to go through the plan

Simulation test:
- All staff in operational and support functions come together to practice executing the BCP

Parallel test:
- Business functions tested at alternative site

Full interruption test:
- Business functions at primary site halted, and migrated to alternative site in accordance with the BCP