Risk Management and Business Impact Analysis Flashcards

1
Q

Which of the following is the name often used to describe the process of addressing the questions associated with sources of risk, the impacts and the steps taken to mitigate them in the enterprise?

Risk assessment

Business impact analysis

Penetration test

A

Business impact analysis

Business impact analysis (BIA) is the name often used to describe the document produced by addressing the questions associated with sources of risk, their impacts, and the steps taken to mitigate them in the enterprise. A risk assessment is a method of analyzing potential risk based on statistical and mathematical models; a common method is the calculation of the annualized loss expectancy (ALE). A threat assessment is a structured analysis of the threats that confront an enterprise. Penetration tests are used by organizations that want a real-world test of their security.

2
Q

Which of the following terms is used to describe the target time that is set for a resumption of operations after an incident?

RPO

MTBF

RTO

A

RTO

The term recovery time objective (RTO) is used to describe the target time that is set for a resumption of operations after an incident. Recovery point objective (RPO) is the maximum acceptable period of data loss, measured back from the incident to the last recoverable copy of the data. Mean time between failures (MTBF) is a common measure of the reliability of a system and is an expression of the average time between system failures. Mean time to repair (MTTR) is a common measure of how long it takes to repair a given failure.

3
Q

Which of the following is a common measure of how long it takes to fix a given failure?

MTTR

RPO

MTBF

A

MTTR

Mean time to repair (MTTR) is a common measure of how long it takes to repair a given failure. The term recovery time objective (RTO) is used to describe the target time that is set for a resumption of operations after an incident. Recovery point objective (RPO) is the maximum acceptable period of data loss. Mean time between failures (MTBF) is a common measure of the reliability of a system and is an expression of the average time between system failures. MTBF and MTTR are measured from incident history; RTO and RPO are targets you set, so the practical check is whether each incident's downtime and data-loss window stayed within them.
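The four terms on this card and the previous one are easiest to keep apart when you compute them from an outage log. The following is an added example, not part of the original flashcards: it takes a constructed list of incidents (failure time, restoration time, last good backup), measures each incident's downtime against an assumed 4-hour RTO and its data-loss window against an assumed 3-hour RPO, and derives MTTR and MTBF from the same records. The availability() helper (MTBF / (MTBF + MTTR)) is a standard relationship that goes beyond what the cards state.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample outage records (not from the page). Each holds when the
# service failed, when it was restored, and the timestamp of the last good
# backup taken before the failure. Times are ISO 8601 in one time zone.
INCIDENTS = [
    {"down": "2024-01-10T02:00:00", "restored": "2024-01-10T05:30:00",
     "last_backup": "2024-01-10T00:00:00"},
    {"down": "2024-03-05T14:15:00", "restored": "2024-03-05T15:00:00",
     "last_backup": "2024-03-05T12:00:00"},
    {"down": "2024-06-20T09:00:00", "restored": "2024-06-20T17:00:00",
     "last_backup": "2024-06-20T06:00:00"},
]

# Assumed objectives for the illustration: restore service within 4 hours,
# and never lose more than 3 hours of data.
RTO = timedelta(hours=4)
RPO = timedelta(hours=3)


def _hours(td: timedelta) -> float:
    return td.total_seconds() / 3600.0


def _parse(record: dict) -> tuple[datetime, datetime, datetime]:
    return (datetime.fromisoformat(record["down"]),
            datetime.fromisoformat(record["restored"]),
            datetime.fromisoformat(record["last_backup"]))


def evaluate_incidents(incidents: list[dict], rto: timedelta, rpo: timedelta) -> list[dict]:
    """Per incident: actual downtime versus the RTO, and the data-loss window
    (failure time minus last backup) versus the RPO."""
    results = []
    for record in incidents:
        down, restored, last_backup = _parse(record)
        downtime = restored - down
        data_loss = down - last_backup
        results.append({
            "downtime_hours": _hours(downtime),
            "data_loss_hours": _hours(data_loss),
            "rto_met": downtime <= rto,
            "rpo_met": data_loss <= rpo,
        })
    return results


def mttr_hours(incidents: list[dict]) -> float:
    """Mean time to repair: average of (restored - down) over all incidents."""
    return mean(_hours(restored - down) for down, restored, _ in map(_parse, incidents))


def mtbf_hours(incidents: list[dict]) -> float:
    """Mean time between failures: average operating time from one restoration
    to the next failure. Needs at least two incidents; sorts them by time."""
    if len(incidents) < 2:
        raise ValueError("MTBF needs at least two incidents")
    parsed = sorted(map(_parse, incidents))
    gaps = [_hours(parsed[i + 1][0] - parsed[i][1]) for i in range(len(parsed) - 1)]
    return mean(gaps)


def availability(mtbf: float, mttr: float) -> float:
    """Steady-state availability MTBF / (MTBF + MTTR); a standard relationship
    that is not stated on the cards themselves."""
    return mtbf / (mtbf + mttr)


if __name__ == "__main__":
    for i, r in enumerate(evaluate_incidents(INCIDENTS, RTO, RPO), 1):
        print(f"incident {i}: down {r['downtime_hours']:.2f} h (RTO met: {r['rto_met']}), "
              f"data loss {r['data_loss_hours']:.2f} h (RPO met: {r['rpo_met']})")
    mttr, mtbf = mttr_hours(INCIDENTS), mtbf_hours(INCIDENTS)
    print(f"MTTR {mttr:.2f} h, MTBF {mtbf:.2f} h, availability {availability(mtbf, mttr):.4%}")
```

With the constructed data the third incident breaches the RTO (8 hours of downtime against a 4-hour target) while its 3-hour data-loss window just meets the RPO; that is the kind of per-incident finding a BIA review feeds back into backup frequency and recovery procedures.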

4
Q

Which of the following is a system component whose failure or malfunctioning could result in the failure of the entire system?

Mean time between failures

Single point of failure

Single loss expectancy

A

Single point of failure

A single point of failure is any component whose failure or malfunction causes the entire system to fail because nothing else can take over its role. Mean time between failures (MTBF) is a common measure of the reliability of a system and is an expression of the average time between system failures. Single loss expectancy (SLE) is the expected loss from a single occurrence of a risk on an asset. The likelihood of occurrence is the chance that a particular risk will occur.

5
Q

Which type of security control is used post event, in an effort to minimize the extent of damage?

Deterrent

Corrective

Preventative

A

Corrective

Corrective controls are used post event, in an effort to minimize the extent of damage. A deterrent control acts to influence the attacker by reducing the likelihood of success. A preventative control is one that prevents specific actions from occurring. A detective control is one that facilitates the detection of a security breach.

6
Q

Which type of security control is used to meet a requirement when the requirement cannot be directly met?

Preventative

Deterrent

Compensating

A

Compensating

A compensating control is one that is used to meet a requirement when the requirement cannot be directly met. Fire suppression is a useful contrast: it does not prevent fire damage, so it is not a preventative control, but if properly employed it can mitigate or limit the level of damage from fire, which is the post-event role of a corrective control. A preventative control is one that prevents specific actions from occurring. A physical control is one that prevents specific physical actions from occurring, such as a mantrap preventing tailgating. A deterrent control acts to influence the attacker by reducing the likelihood of success.

7
Q

Which of the following is the process of subjectively determining the impact of an event that affects a project, program, or business?

Supply chain assessment

Qualitative risk assessment

Quantitative risk assessment

A

Qualitative risk assessment

Qualitative risk assessment is the process of subjectively determining the impact of an event that affects a project, program, or business. The likelihood of occurrence is the chance that a particular risk will occur. A supply-chain assessment considers not just the risk associated with a system, but the risk embedded in a system as a result of its components that the vendor has obtained through its supply chain, which could span the globe. Quantitative risk assessment is the process of objectively determining the impact of an event that affects a project, program, or business.

8
Q

Which of the following describes mission-essential functions? (Choose all that apply.)

Functions that, if they do not occur, directly affect the mission of the organization.

Functions that, if they are not accomplished properly, directly affect the mission of the organization.

Functions that are considered essential to the organization.

The routine business functions.

A

Functions that, if they do not occur, directly affect the mission of the organization.

Functions that, if they are not accomplished properly, directly affect the mission of the organization.

Functions that are considered essential to the organization.

Mission-essential functions are those that, should they not occur or be performed improperly, directly affect the mission of the organization. This is where you spend the majority of your effort: protecting the functions that are essential. It is important to separate mission-essential functions from routine business functions so that protection effort is not spread evenly over both.

9
Q

Which security control is a policy or procedure used to limit physical security risk?

Technical

Administrative

Corrective

A

Administrative

An administrative control is a policy or procedure used to limit security risk. A physical control is one that prevents specific physical actions from occurring. A technical control is the use of some form of technology to address a security issue. Corrective controls are used post event, in an effort to minimize the extent of damage.

10
Q

A mantrap is an example of which security control? (Choose all that apply.)

Physical

Corrective

Administrative

Preventative

A

Physical

Preventative

It is possible for a specific security control to fall into more than one category. Because a mantrap is a physical barrier that prevents tailgating, it is both a physical control and a preventative control. Corrective controls are used post event, in an effort to minimize the extent of damage. An administrative control is a policy or procedure used to limit security risk.

11
Q

Which of the following impacts is in many ways the final arbiter of all activities, for it is how we “keep score”?

Reputation

Safety

Finance

A

Finance

Finance is in many ways the final arbiter of all activities, for it is how we keep score. The others are important but are not considered the final arbiter.

12
Q

Which of the following is an analysis of whether PII is collected and maintained by a system?

Privacy threshold assessment

Privacy impact assessment

Risk assessment

A

Privacy threshold assessment

A privacy threshold assessment is an analysis of whether PII is collected and maintained by a system. A privacy impact assessment (PIA) is a structured approach to determining the gap between desired privacy performance and actual privacy performance. A risk assessment is an analysis of risks based on statistical and mathematical models. A threat assessment is a structured analysis of the threats that confront an enterprise.

13
Q

Which of the following has its roots in system engineering, where it is commonly referred to as configuration management?

Configuration control

Administrative control

Change management

A

Change management

Change management has its roots in system engineering, where it is commonly referred to as configuration management. Configuration control is the process of controlling changes to items that have been baselined; it ensures that only approved changes to a baseline are allowed to be implemented. A security control is a mechanism employed to minimize exposure to risk and mitigate the effects of loss. An administrative control is a policy or procedure used to limit security risk.

14
Q

Which of the following is a representation of the frequency of an event, measured in a standard year?

Annual Loss Expectancy (ALE)

Annualized Rate of Occurrence (ARO)

Annualized Expectancy of Occurrence (AEO)

A

Annualized Rate of Occurrence (ARO)

The annualized rate of occurrence (ARO) is a representation of the frequency of the event, measured in a standard year; an event expected once every five years has an ARO of 0.2, and one expected monthly has an ARO of 12. The annual loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the ARO, the number of times the event is expected to occur in a year. The SLE is calculated by multiplying the asset value by the exposure factor, the fraction of the asset's value lost in a single occurrence. Annualized expectancy of occurrence (AEO) is not a term used in the cybersecurity industry.
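Card 1 names ALE as the common quantitative risk-assessment calculation and this card gives its ingredients. The following is an added worked example, not part of the original flashcards, that implements SLE = asset value x exposure factor, ARO = events per standard year, and ALE = SLE x ARO, then ranks a constructed set of asset/threat pairs by ALE. The safeguard_value() function (ALE before minus ALE after minus annual control cost) is a standard cost-benefit extension that the cards do not state; every asset value, exposure factor and frequency below is made up for the illustration.

```python
# Added worked example of the quantitative risk formulas on this page:
#   SLE = asset value x exposure factor
#   ARO = expected events per standard year
#   ALE = SLE x ARO
# safeguard_value() is an extension beyond the cards (a cost-benefit check
# built on ALE). All figures below are constructed for the illustration.


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: loss from one occurrence. EF is the fraction of asset value lost (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value must be non-negative")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(events: float, years: float) -> float:
    """ARO: frequency per standard year. One event in 5 years -> 0.2; 12 in one year -> 12.0."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    return events / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_safeguard_cost: float) -> float:
    """Net annual value of a control: (ALE before) - (ALE after) - (annual cost).
    Positive means the control reduces expected loss by more than it costs."""
    return ale_before - ale_after - annual_safeguard_cost


def risk_register(assets: list[dict]) -> list[dict]:
    """Compute SLE, ARO and ALE for each asset/threat pair and rank by ALE, highest first."""
    rows = []
    for a in assets:
        sle = single_loss_expectancy(a["asset_value"], a["exposure_factor"])
        aro = annualized_rate_of_occurrence(a["events"], a["years"])
        rows.append({"name": a["name"], "sle": sle, "aro": aro,
                     "ale": annualized_loss_expectancy(sle, aro)})
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


# Constructed scenario: a customer database valued at 500,000 loses 40% of its
# value in a breach that history suggests happens about once every five years,
# alongside two smaller, more frequent events.
ASSETS = [
    {"name": "customer-db breach", "asset_value": 500_000, "exposure_factor": 0.40,
     "events": 1, "years": 5},
    {"name": "web-server defacement", "asset_value": 50_000, "exposure_factor": 0.10,
     "events": 3, "years": 1},
    {"name": "laptop theft", "asset_value": 3_000, "exposure_factor": 1.00,
     "events": 4, "years": 2},
]


if __name__ == "__main__":
    for row in risk_register(ASSETS):
        print(f"{row['name']:<24} SLE={row['sle']:>10,.0f} ARO={row['aro']:.2f} "
              f"ALE={row['ale']:>10,.0f}")
    # A proposed control cuts the breach exposure factor from 0.40 to 0.10
    # (ARO unchanged) and costs 20,000 per year.
    before = annualized_loss_expectancy(single_loss_expectancy(500_000, 0.40), 0.2)
    after = annualized_loss_expectancy(single_loss_expectancy(500_000, 0.10), 0.2)
    print(f"safeguard value: {safeguard_value(before, after, 20_000):,.0f} per year")
```

Note how the ranking differs from a ranking by single loss: the laptop-theft SLE is the smallest, but its ARO of 2 per year is what determines its place in the register, and the breach that occurs only once in five years still dominates because its SLE is so large. That is the point of annualizing: ALE puts rare, large losses and frequent, small ones on the same scale.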
