Risk Management Flashcards
What is the purpose of the document?
To provide an overview of risk management standards, methodologies, and tools, and to support EU institutions in addressing gaps in risk management.
Which EU institution facilitates the establishment of risk management standards?
ENISA (European Union Agency for Cybersecurity).
What is the NIS Directive?
The Network and Information Security Directive (Directive 2016/1148) that sets legal obligations for ICT security in the EU.
How does the Cybersecurity Act define ENISA’s role?
ENISA shall facilitate the establishment and take-up of European and international standards for risk management and ICT security.
Which sectors are considered critical under the NIS Directive?
Energy, Transport, Banking, Financial market infrastructures, Health, Drinking water supply, and Digital Infrastructure.
What is risk according to ISO 31000:2018?
The effect of uncertainty on objectives.
What is risk management?
Coordinated activities to direct and control an organization with regard to risk (ISO 31000:2018).
What are the key steps in the risk management process?
Risk identification, risk analysis, risk evaluation, risk treatment, risk monitoring, and risk communication.
What is risk treatment?
The process of modifying risk, including avoiding, reducing, sharing, or accepting it.
Which regulation focuses on cybersecurity certification?
The Cybersecurity Act (Regulation (EU) 2019/881).
What is ISO/IEC 27005?
A standard providing guidelines for information security risk management.
Which ISO standard provides general guidelines for risk management?
ISO 31000:2018.
What is the role of risk management in cybersecurity?
To protect valuable assets, evaluate security threats, prevent fraud, and ensure business continuity.
What are the risk treatment options according to ISO 31000?
Avoiding, taking/increasing, mitigating, sharing, or retaining the risk.
What is NIST 800-30?
A risk management guide developed by NIST for assessing and mitigating risks in IT systems.
What does the GDPR regulate?
It governs data protection and privacy for individuals in the EU (Regulation (EU) 2016/679).
What is the purpose of risk assessment?
To identify and evaluate risks and prioritize them for treatment.
What is the difference between risk assessment and risk treatment?
Risk assessment identifies and evaluates risks, while risk treatment focuses on reducing or mitigating them.
What are the components of risk analysis?
Threat identification, likelihood estimation, and impact assessment.
What does the OCTAVE methodology focus on?
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a self-directed risk evaluation method.
What is CRAMM?
A methodology for evaluating security risks by analyzing corporate environments.
What does the MEHARI method focus on?
A qualitative risk management approach developed by CLUSIF in France.
What is the primary purpose of the Cybersecurity Act?
To establish cybersecurity certification frameworks and risk management standards in the EU.
What is IT-Grundschutz?
A risk assessment framework developed by the German BSI for IT security management.
What is a standard?
A document providing rules or guidelines on the design, use, or performance of technologies, processes, or systems.
What is a methodology?
A structured approach or set of principles for performing a particular activity, such as risk management.
What is ISO/IEC 18045?
A companion standard to ISO/IEC 15408, providing evaluation methodologies for IT security.
What is an example of a risk assessment tool?
FAIR (Factor Analysis of Information Risk) provides quantitative risk assessment.
Which standard is commonly used for cybersecurity risk management in healthcare?
EN ISO 14971 (risk management for medical devices).
What is the role of ENISA in risk management?
To facilitate cooperation between stakeholders and support the adoption of EU risk management standards.
What does ISO/IEC 27001 focus on?
Information Security Management Systems (ISMS) requirements.
What does ISO/IEC 27002 provide?
Guidelines and best practices for information security management.
What is a risk owner?
A person or entity responsible for managing and mitigating a specific risk.
Which framework is used for vulnerability assessment?
Common Vulnerabilities and Exposures (CVE) system.
What is the Security Content Automation Protocol (SCAP)?
A synthesis of security standards used for automated vulnerability management and compliance assessment.
What does the BowTie methodology focus on?
A qualitative risk analysis method used to visualize risk scenarios and mitigation strategies.
What is the Digital Services Act (DSA)?
A proposed EU regulation for a single market for digital services, including cybersecurity measures.
What is CLUSIF?
CLUSIF (Club de la Sécurité de l’Information Français) is a French non-profit organization dedicated to information security and risk management. It develops methodologies like MEHARI, promotes cybersecurity awareness, and facilitates collaboration between cybersecurity professionals, businesses, and government agencies.
What is the role of the European Standardisation Organisations (ESOs)?
ESOs (CEN, CENELEC, and ETSI) develop European standards (ENs) that apply across EU countries, supporting cybersecurity and risk management.
What is a European Standard (EN)?
A document ratified by one of the three ESOs that must be implemented as a national standard in EU member states.
What is the purpose of ISO/IEC 15408 (Common Criteria)?
It provides a framework for evaluating ICT product security through security functional and assurance requirements.
What is ENISA’s role in European cybersecurity?
ENISA supports EU cybersecurity policies, promotes risk management standards, and enhances cybersecurity resilience across member states.
What is the CSA (Cybersecurity Act) regulation?
The Cybersecurity Act (Regulation (EU) 2019/881) establishes EU-wide cybersecurity certification frameworks and strengthens ENISA’s role.
What is risk acceptance?
The decision to retain a risk after assessing its impact and likelihood, acknowledging that the risk remains.
What is ISO/IEC 27001 designed for?
It defines requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
What is EBIOS Risk Manager?
A risk assessment methodology developed in France, compliant with ISO 31000 and ISO/IEC 27005, designed to analyze and mitigate cybersecurity risks.
What is the role of ISO/IEC 27005?
It provides guidelines for information security risk management, supporting the implementation of ISO/IEC 27001.
What is the MEHARI methodology?
A risk assessment and management method developed by CLUSIF that helps organizations evaluate security threats and define protection measures.
What is the difference between ISO 31000 and ISO/IEC 27005?
ISO 31000 provides general risk management principles, while ISO/IEC 27005 focuses on information security risk management.
What is the IT-Grundschutz approach?
A cybersecurity framework developed by Germany’s BSI that provides structured risk management and protection guidelines for IT systems.
What is the purpose of NIST SP 800-39?
It provides a framework for managing information security risks at organizational, mission, and business levels.
What is the role of ISO/IEC 18045?
It provides methodologies for IT security evaluation, complementing the Common Criteria (ISO/IEC 15408).
What is the difference between qualitative and quantitative risk assessment?
Qualitative risk assessment uses descriptive scales (e.g., low, medium, high), while quantitative risk assessment assigns numerical values to risk impact and probability.
What does the Baldrige Cybersecurity Excellence Builder (BCEB) do?
It is a self-assessment tool that helps organizations evaluate and improve their cybersecurity risk management.
What is the Common Vulnerability Scoring System (CVSS)?
A framework for rating and communicating the severity of software vulnerabilities.
What is the MITRE CVE system?
A global system that identifies and catalogs publicly known cybersecurity vulnerabilities.
What is a vulnerability database?
A database that collects, categorizes, and provides information on known cybersecurity vulnerabilities (e.g., MITRE CVE, NVD).
What is the role of Security Content Automation Protocol (SCAP)?
SCAP provides automated security vulnerability management and compliance assessment.
What is the OWASP Threat Modeling Tool?
A tool that helps organizations identify, assess, and mitigate security threats in software and systems.
What is the Digital Services Act (DSA)?
A proposed EU regulation aiming to establish a single market for digital services with cybersecurity and risk management requirements.
What is the purpose of a Risk Treatment Plan?
A structured action plan to mitigate, transfer, accept, or avoid identified risks.
What is the difference between a Risk Register and a Risk Treatment Plan?
A Risk Register is a record of identified risks, while a Risk Treatment Plan describes actions to manage or mitigate those risks.
What is the BowTie Risk Analysis method?
A qualitative risk analysis method that visually represents risk scenarios, identifying preventive and reactive measures.
What is the role of Artificial Intelligence in risk management?
AI can automate risk detection, analyze patterns, and predict cybersecurity threats.
What is the main goal of the Cyber Risk Temperature Tool?
It helps SMEs assess cybersecurity risks by identifying vulnerabilities and recommending security measures.
What is the purpose of the ePrivacy Regulation?
It aims to strengthen online privacy by regulating electronic communications and protecting personal data.
What is a supply chain attack?
A cyberattack targeting vendors or third-party providers to compromise the security of a final product or service.
What is the MITIGATE framework?
A cybersecurity framework for supply chain risk assessment, integrating threat intelligence and ISO standards.
What is the purpose of the RESISTO project?
It provides cyber-physical risk management solutions for critical communication infrastructures.
What does the FINSEC project focus on?
It provides a cybersecurity toolbox for risk assessment and anomaly detection in the financial sector
What is the role of risk management in cybersecurity certification?
It ensures that ICT products, services, and processes meet security requirements before deployment.