Risk Management Fundamentals

Question 1

Risk management

Answer 1

Risk management is the practice of identifying assessing controlling and mitigating risks.

Question 2

Threats

Answer 2

A threat is an activity that represents a possible danger.

Question 3

Asset

Answer 3

An asset is a thing of value worth protecting

Question 4

Vulnerability

Answer 4

A vulnerability is a weakness

Question 5

Impact of loss

Answer 5

Impact of loss is a loss resulting in a compromise to business functions or assets.

Question 6

Business functions

Answer 6

Business functions or the activities a business performs to sell products or services.

Question 7

Denial of service attack DOS

Answer 7

An organization received several emails that are unrelated to business functions, which temporarily clog up email space and make that work resources unavailable

Question 8

Social engineering

Answer 8

A person calls an organization pretending to have a legitimate purpose and attempts to trick someone in the organization into divulging personal or protected information. This is a form of impersonation which can compromise the organizations business functions and lead to losses.

Question 9

What is CIA?

Answer 9

Confidentiality integrity and availability

Question 10

Tangible value

Answer 10

Tangible value is the actual cost of the asset and can be expressed in the monetary terms such as $5000.

Question 11

What is considered tangible?

Answer 11

Computer systems, network components, software applications, and data

Question 12

What is intangible value?

Answer 12

Intangible value is value that cannot be measured by cost such as client confidence or company reputation.

Question 13

What is GAAP?

Answer 13

GAAP is generally acceptable accounting principles.

Question 14

What is the equation for loss in this Chapter?

Answer 14

The equation for loss is lost revenue plus repair costs equals total tangible value.

Question 15

What is future lost revenue?

Answer 15

Future lost revenue is any additional purchases customers make with another company or a loss to the company whose website was down.

Question 16

What is cost of gaining the customer?

Answer 16

Large sums of money or invested in attracting customers a repeat customer is much easier to sell then to acquiring a new customer. If a company loses a customer, the company’s investment is lost.

Question 17

What is customer influence?

Answer 17

Customers have friends, families, and business partners. They commonly share their experience with others, especially if the experience is exceptionally positive or negative.

Question 18

What is reputation?

Answer 18

Customers share their negative experience with others, so when customers bad experience could potentially influence other current or potential customers to avoid future business transactions.

Question 19

What is impact?

Answer 19

The impact is the amount of loss, which can be expressed in monetary terms, such as $5000.

Question 20

What are the levels of impact?

Answer 20

The levels of impact are very high, high, moderate, low, and very low.

Question 21

What guide includes the scale for assessing the impact of threats to the businesses assets?

Answer 21

National Institute of standards and technology, the guide for conducting risk assessments. (NIST SP 800-30)

Question 22

What is an organizations weakest link?

Answer 22

And organizations weakest link is the organizations employees.

Question 23

What is a leaders and managers perception of risk?

Answer 23

Leaders and managers are concerned mostly with profitability and survivability.

Question 24

What is the perception of risk for system administrators?

Answer 24

System administrators are responsible for protecting IT systems. When they understand the risks, they often want to lock systems down as tight as possible. Administrators are often highly technical individuals. Sometimes they lose sight of the need to balance security costs with profitability. They often view the security controls as hindrances to performing their job and don’t always recognize the importance.

Question 25

What is a developers concern and perception of risks?

Answer 25

Some companies have in-house application developers. They write applications that can be used in health or sold as a part of the company‘s product offerings. Many developers have adopted a secure computing mindset. They realize that security needs to be included beginning at the design stage and going all the way through the release stage. When developers having adopted a security mindset,They often try to patch security holes at the end of the development cycle. This patching mindset really addresses all of the problems and results in the release of vulnerable software. Ideally, security needs to be an integral step in the lifecycle of software or application development.

Question 26

What is the end-users perception of risk?

Answer 26

The end-users simply want the computer to work for them. They are mostly concerned with usability and don’t often understand the reason for the security controls and restrictions. Instead, security is viewed as an inconvenience. Well-meaning users often try to circumvent controls so they can accomplish their job.

Question 27

What properly defines risk?

Answer 27

Threat times vulnerability

Question 28

What properly defines total risk?

Answer 28

Threat times vulnerability times asset value

Question 29

Is it true or false that the best bet is to reduce risk to a level that can be accepted?

Answer 29

True

Question 30

What are the two accurate pairings of threat categories?

Answer 30

External and internal. Intentional and accidental.

Question 31

A loss of client confidence or public trust is an example of what kind of loss?

Answer 31

It is intangible loss.

Question 32

What is used to reduce a vulnerability?

Answer 32

Control is used.

Question 33

True or false. As long as a company is profitable, it does not need to consider survivability.

Answer 33

False.

Question 34

What is the primary goal of an information security program?

Answer 34

To eliminate losses related to employee actions

Question 35

What is an industry recognize standard list of common vulnerabilities?

Answer 35

Mitre CVE

Question 36

Which of the following is a goal of risk management?

Answer 36

To identify the correct cost balance between risks and controls.

Question 37

If the benefits outweigh the cost, the control is implemented. Costs and benefits are identified by completing a what?

Answer 37

Cost benefit analysis

Question 38

What can be done to manage risk?

Answer 38

Except it, transfer it, avoid it.

Question 39

After controls to minimize risk in the environment have been applied, what is the remaining risk called?

Answer 39

Residual risk

Question 40

Who is ultimately responsible for losses resulting from residual risk?

Answer 40

End users