Risk Management Flashcards

1
Q

What is the purpose of the document?

A

To provide an overview of risk management standards, methodologies, and tools, and to support EU institutions in addressing gaps in risk management.

2
Q

Which EU institution facilitates the establishment of risk management standards?

A

ENISA (European Union Agency for Cybersecurity).

3
Q

What is the NIS Directive?

A

The Network and Information Security Directive (Directive 2016/1148) that sets legal obligations for ICT security in the EU.

4
Q

How does the Cybersecurity Act define ENISA’s role?

A

ENISA shall facilitate the establishment and take-up of European and international standards for risk management and ICT security.

5
Q

Which sectors are considered critical under the NIS Directive?

A

Energy, Transport, Banking, Financial market infrastructures, Health, Drinking water supply, and Digital Infrastructure.

6
Q

What is risk according to ISO 31000:2018?

A

The effect of uncertainty on objectives.

7
Q

What is risk management?

A

Coordinated activities to direct and control an organization with regard to risk (ISO 31000:2018).

8
Q

What are the key steps in the risk management process?

A

Risk identification, risk analysis, risk evaluation, risk treatment, risk monitoring, and risk communication.

9
Q

What is risk treatment?

A

The process of modifying risk, including avoiding, reducing, sharing, or accepting it.

10
Q

Which regulation focuses on cybersecurity certification?

A

The Cybersecurity Act (Regulation (EU) 2019/881).

11
Q

What is ISO/IEC 27005?

A

A standard providing guidelines for information security risk management.

12
Q

Which ISO standard provides general guidelines for risk management?

A

ISO 31000:2018.

13
Q

What is the role of risk management in cybersecurity?

A

To protect valuable assets, evaluate security threats, prevent fraud, and ensure business continuity.

14
Q

What are the risk treatment options according to ISO 31000?

A

Avoiding, taking/increasing, mitigating, sharing, or retaining the risk.

15
Q

What is NIST 800-30?

A

A risk management guide developed by NIST for assessing and mitigating risks in IT systems.

16
Q

What does the GDPR regulate?

A

It governs data protection and privacy for individuals in the EU (Regulation (EU) 2016/679).

17
Q

What is the purpose of risk assessment?

A

To identify and evaluate risks and prioritize them for treatment.

18
Q

What is the difference between risk assessment and risk treatment?

A

Risk assessment identifies and evaluates risks, while risk treatment focuses on reducing or mitigating them.

19
Q

What are the components of risk analysis?

A

Threat identification, likelihood estimation, and impact assessment.

20
Q

What does the OCTAVE methodology focus on?

A

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a self-directed risk evaluation method.

21
Q

What is CRAMM?

A

A methodology for evaluating security risks by analyzing corporate environments.

22
Q

What does the MEHARI method focus on?

A

A qualitative risk management approach developed by CLUSIF in France.

23
Q

What is the primary purpose of the Cybersecurity Act?

A

To establish cybersecurity certification frameworks and risk management standards in the EU.

23
Q

What is IT-Grundschutz?

A

A risk assessment framework developed by the German BSI for IT security management.

24
Q

What is a standard?

A

A document providing rules or guidelines on the design, use, or performance of technologies, processes, or systems.

25
Q

What is a methodology?

A

A structured approach or set of principles for performing a particular activity, such as risk management.

26
Q

What is ISO/IEC 18045?

A

A companion standard to ISO/IEC 15408, providing evaluation methodologies for IT security.

27
Q

What is an example of a risk assessment tool?

A

FAIR (Factor Analysis of Information Risk) provides quantitative risk assessment.

28
Q

Which standard is commonly used for cybersecurity risk management in healthcare?

A

EN ISO 14971 (risk management for medical devices).

29
Q

What is the role of ENISA in risk management?

A

To facilitate cooperation between stakeholders and support the adoption of EU risk management standards.

30
Q

What does ISO/IEC 27001 focus on?

A

Information Security Management Systems (ISMS) requirements.

31
Q

What does ISO/IEC 27002 provide?

A

Guidelines and best practices for information security management.

32
Q

What is a risk owner?

A

A person or entity responsible for managing and mitigating a specific risk.

33
Q

Which framework is used for vulnerability assessment?

A

Common Vulnerabilities and Exposures (CVE) system.

34
Q

What is the Security Content Automation Protocol (SCAP)?

A

A synthesis of security standards used for automated vulnerability management and compliance assessment.

35
Q

What does the BowTie methodology focus on?

A

A qualitative risk analysis method used to visualize risk scenarios and mitigation strategies.

36
Q

What is the Digital Services Act (DSA)?

A

A proposed EU regulation for a single market for digital services, including cybersecurity measures.

37
Q

What is CLUSIF?

A

CLUSIF (Club de la Sécurité de l’Information Français) is a French non-profit organization dedicated to information security and risk management. It develops methodologies like MEHARI, promotes cybersecurity awareness, and facilitates collaboration between cybersecurity professionals, businesses, and government agencies.

38
Q

What is the role of the European Standardisation Organisations (ESOs)?

A

ESOs (CEN, CENELEC, and ETSI) develop European standards (ENs) that apply across EU countries, supporting cybersecurity and risk management.

39
Q

What is a European Standard (EN)?

A

A document ratified by one of the three ESOs that must be implemented as a national standard in EU member states.

40
Q

What is the purpose of ISO/IEC 15408 (Common Criteria)?

A

It provides a framework for evaluating ICT product security through security functional and assurance requirements.

41
Q

What is ENISA’s role in European cybersecurity?

A

ENISA supports EU cybersecurity policies, promotes risk management standards, and enhances cybersecurity resilience across member states.

42
Q

What is the CSA (Cybersecurity Act) regulation?

A

The Cybersecurity Act (Regulation (EU) 2019/881) establishes EU-wide cybersecurity certification frameworks and strengthens ENISA’s role.

43
Q

What is risk acceptance?

A

The decision to retain a risk after assessing its impact and likelihood, acknowledging that the risk remains.

44
Q

What is ISO/IEC 27001 designed for?

A

It defines requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

45
Q

What is EBIOS Risk Manager?

A

A risk assessment methodology developed in France, compliant with ISO 31000 and ISO/IEC 27005, designed to analyze and mitigate cybersecurity risks.

45
Q

What is the role of ISO/IEC 27005?

A

It provides guidelines for information security risk management, supporting the implementation of ISO/IEC 27001.

46
Q

What is the MEHARI methodology?

A

A risk assessment and management method developed by CLUSIF that helps organizations evaluate security threats and define protection measures.

47
Q

What is the difference between ISO 31000 and ISO/IEC 27005?

A

ISO 31000 provides general risk management principles, while ISO/IEC 27005 focuses on information security risk management.

47
Q

What is the IT-Grundschutz approach?

A

A cybersecurity framework developed by Germany’s BSI that provides structured risk management and protection guidelines for IT systems.

48
Q

What is the purpose of NIST SP 800-39?

A

It provides a framework for managing information security risks at organizational, mission, and business levels.

49
Q

What is the role of ISO/IEC 18045?

A

It provides methodologies for IT security evaluation, complementing the Common Criteria (ISO/IEC 15408).

50
Q

What is the difference between qualitative and quantitative risk assessment?

A

Qualitative risk assessment uses descriptive scales (e.g., low, medium, high), while quantitative risk assessment assigns numerical values to risk impact and probability.

50
Q

What does the Baldrige Cybersecurity Excellence Builder (BCEB) do?

A

It is a self-assessment tool that helps organizations evaluate and improve their cybersecurity risk management.

51
Q

What is the Common Vulnerability Scoring System (CVSS)?

A

A framework for rating and communicating the severity of software vulnerabilities.

52
Q

What is the MITRE CVE system?

A

A global system that identifies and catalogs publicly known cybersecurity vulnerabilities.

53
Q

What is a vulnerability database?

A

A database that collects, categorizes, and provides information on known cybersecurity vulnerabilities (e.g., MITRE CVE, NVD).

54
Q

What is the role of Security Content Automation Protocol (SCAP)?

A

SCAP provides automated security vulnerability management and compliance assessment.

55
Q

What is the OWASP Threat Modeling Tool?

A

A tool that helps organizations identify, assess, and mitigate security threats in software and systems.

56
Q

What is the Digital Services Act (DSA)?

A

A proposed EU regulation aiming to establish a single market for digital services with cybersecurity and risk management requirements.

57
Q

What is the purpose of a Risk Treatment Plan?

A

A structured action plan to mitigate, transfer, accept, or avoid identified risks.

58
Q

What is the difference between a Risk Register and a Risk Treatment Plan?

A

A Risk Register is a record of identified risks, while a Risk Treatment Plan describes actions to manage or mitigate those risks.

59
Q

What is the BowTie Risk Analysis method?

A

A qualitative risk analysis method that visually represents risk scenarios, identifying preventive and reactive measures.

60
Q

What is the role of Artificial Intelligence in risk management?

A

AI can automate risk detection, analyze patterns, and predict cybersecurity threats.

61
Q

What is the main goal of the Cyber Risk Temperature Tool?

A

It helps SMEs assess cybersecurity risks by identifying vulnerabilities and recommending security measures.

62
Q

What is the purpose of the ePrivacy Regulation?

A

It aims to strengthen online privacy by regulating electronic communications and protecting personal data.

63
Q

What is a supply chain attack?

A

A cyberattack targeting vendors or third-party providers to compromise the security of a final product or service.

64
Q

What is the MITIGATE framework?

A

A cybersecurity framework for supply chain risk assessment, integrating threat intelligence and ISO standards.

65
Q

What is the purpose of the RESISTO project?

A

It provides cyber-physical risk management solutions for critical communication infrastructures.

66
Q

What does the FINSEC project focus on?

A

It provides a cybersecurity toolbox for risk assessment and anomaly detection in the financial sector.

67
Q

What is the role of risk management in cybersecurity certification?

A

It ensures that ICT products, services, and processes meet security requirements before deployment.