Risk Management and Control

Question 1

What is risk?

Answer 1

1. Future
2. Asset
3. Objectives or Goals

Question 2

What is a cyber-risk?

Answer 2

Risk that is caused by a cyber threat

Question 3

What is new in the modern viewpoint on risk?

Answer 3

Effect can be positive or negative!

Question 4

What are the steps in the Risk Management Cycle?

Answer 4

1. Establish the context
2. Identify the risks
3. Analyse the risks
4. Evaluate the risks
5. Treat the risks
6. Communication and consultation

Question 5

Why risk management may fail?

Answer 5

1. Limitations of scope
2. Lack of top management support
3. Did not engage all stakeholders
4. Failure to share information
5. Risk management not embedded within planning & management

Question 6

What are the three components of the ISO 31000 for Risk Management?

Answer 6

1. Principles
2. Framework
3. Process

Question 7

What is the extra step in the risk management process compared with the Risk Management Cycle?

Answer 7

7. Monitoring and review

Question 8

What are the steps in the Risk Management Framework?

Answer 8

1. Design of management framework
2. Implement Risk Management
3. Monitoring & Review
4. Continual Improvement
5. Mandate

Question 9

How do the Risk Management Framework, Risk Management Process and Risk Management Principles fit together?

Answer 9

Principles + Framework = Process

Question 10

What is the difference between classical access control and RBAC?

Answer 10

In RBAC, the access to objects is based on the user’s role, while in classical access control access is based on the user itself

Question 11

What steps do we take in a cybersecurity risk assessment?

Answer 11

1. Characterise the system
2. Identify the threats
3. Determine inherent risk and impact
4. Analyse the control environment
5. Determine a likelihood rating
6. Risk assessment matrix