Risk management Lecture 2 Flashcards

1
Q

What are your options in regards to responding to an identified risk?

A
  1. Remediate or mitigate the risk (reduce its likelihood or impact with controls)
  2. Avoid the risk by removing the business process / activity altogether
  3. Transfer the risk to another organization, e.g., by purchasing insurance
  4. Accept the risk
2
Q

When choosing how to respond to an identified risk, what key considerations do you have to take into account before selecting an option?

A

A) Cost vs. benefits – you do not want to buy a lock (or door) that is more expensive than the
contents of the room it protects!
B) Only the business owners can accept a risk
C) Although you can mitigate a risk in many cases, it is very rare that you can eliminate a risk
entirely

3
Q

Is risk appetite a universal value across all businesses?

A

No. Risk appetite differs across organizations, and within one organization it can differ across categories of risk.

A) If a company has the internal expertise to handle a risk, its tolerance for that risk can be higher

B) Alignment with business objectives: when the business stake is high, risk appetite can be higher in some
cases. Bear in mind that the business objective is the driver of almost everything; risk functions exist only
to support the business.

4
Q

What is Risk Tolerance?

A

Risk tolerance is the tolerable deviation from the level set by the risk appetite definition.

e.g., the company standard says “all critical vulnerabilities must be addressed within 30 days”;
but under certain circumstances, addressing them within 45 days can be tolerated. Remember that
this type of deviation typically requires approval on a case-by-case basis, and it would require sign-off
from risk owners or senior management.

5
Q

What is the difference between risk appetite and risk tolerance?

A

Risk appetite is how much risk the business is willing to live with on a long-term basis,

while risk tolerance is how much risk a business is willing to put up with beyond its risk appetite on a short-term basis.

6
Q

What is Inherent risk?

A

The risk level or exposure without taking into account the actions that management has taken or might take (i.e., the risk before any controls are applied).

7
Q

What is a control?

A

Controls are the methods, whether technical, administrative or physical, that an organization can use to mitigate risk.

Put another way: the purpose of a control is to bring the residual risk down to an acceptable level!

8
Q

What are the kinds of controls a company can take to mitigate risk?

A

Technical
eg. anti-virus software

Administrative
eg. a company policy forbidding the use of non-work-sanctioned websites

Physical
eg. placing a lock on a door

9
Q

What is control effectiveness?

A

A measure of how well a control actually mitigates the risk it is meant to address.
Often rated on a simple scale, e.g.:
highly effective, somewhat effective, and not effective.

10
Q

What is Residual Risk?

A

The remaining risk after management has implemented its risk response. Keep in mind that the purpose of a control is to bring the residual risk down to an acceptable level!

11
Q

When faced with a “High rated” inherent risk
with “highly effective” control method
What is the residual risk?

A

The residual risk would be Low

12
Q

When faced with a “High rated” inherent risk
with “not effective” control method
What is the residual risk?

A

The residual risk would be high

13
Q

What is BCP (Business Continuity Planning)?

A

BCP is the set of plans a business uses to remain functional during undesirable situations such as:

flooding, earthquakes, AWS outages, cyber attacks

14
Q

What is the key to BCP (Business Continuity Planning)?

A

The key is prioritization.

15
Q

What is DR (Disaster Recovery)?

A

Disaster recovery is a key component of BCP (Business Continuity Planning); it is focused on recovering the IT systems.

16
Q

What is a BIA (Business Impact Analysis)?

A

BIA is a careful examination of business processes and their supporting functions,
as well as the system of business processes in its entirety, to better understand the recovery objectives.

17
Q

How do you assess whether one business process (or application) is more important than another?

A

Conduct a BIA (Business Impact Analysis)

18
Q

What is RTO (Recovery Time Objective)?

A

RTO is the target time within which a business process (or the system supporting it) must be restored after a disaster to avoid unacceptable consequences. It is set at or below the MTD of the process.

19
Q

What is RPO (Recovery Point Objective)?

A

RPO is the acceptable amount of data loss, measured in time.
How much data can we afford to lose in a disaster?
It determines the required frequency of data backups.

For example, if the RPO is set to 30 minutes for application XYZ, then a backup of the application data
is required every 30 minutes (or more often). If no data loss is acceptable, then the RPO is zero. In
that case, you will have to replicate your data in real time (synchronously) to the DR site.

20
Q

What is MTD (Maximum Tolerable Downtime)?

A

MTD represents the total amount of time a business process can be disrupted without causing unacceptable consequences.

Determining the MTD of critical business processes is important because it helps define IT stability requirements and the urgency of recovery.

An example showing the relationship between RTO and MTD:
Business Process A has an MTD = 5 hours
Business Process B has an MTD = 4 hours
A Windows server is supporting both Process A and B. In other words, both Process A and B have a
dependence on the server. What is the RTO for the Windows server?
Answer: 4 hours. A shared component must be back before the most demanding process that depends on it
reaches its MTD, so its RTO is the smallest MTD among those processes.

21
Q

What are the 3 different methods for data backup?

A

Full Backup

Incremental Backup

Differential Backup

22
Q

What is a Full Data Backup?

A

Read the name and you get it right! It is a full copy of your entire data set. It makes recovery easier (a single set to restore), but producing a
full copy is very time-consuming. Also, you will need a large number of tapes or disks!

23
Q

What is an incremental data backup?

A

Only back up the data that has changed since the previous backup (whether that was the full backup or the last incremental). For example, a full backup takes place every Sunday evening.
Monday evening you do an incremental backup to cover Monday’s changes. Tuesday evening you do another incremental
one to cover Tuesday’s changes. Keep doing it every day until the next full backup takes place. Now each backup is small and quick, but
recovery becomes more involved.

Suppose you need to restore the data as of Wednesday; then you need to recover 4 backup sets in sequence:
Sunday’s full backup, Monday’s incremental, Tuesday’s incremental, and Wednesday’s incremental. If Tuesday’s
backup happens to be on a bad disk, then your recovery will fail!

24
Q

What is a differential backup?

A

Similar to an incremental backup. The difference is that while an incremental backup only includes the data that has changed since the
previous backup, a differential backup contains all of the data that has changed since the last full backup.

Back to the above example: you run a full backup on Sunday and a differential backup each day for the rest of the week. Now suppose you need to restore the data
as of Wednesday; then you only need two backup sets: Sunday’s full backup + Wednesday’s differential backup! The trade-off is that each differential
set grows as the week goes on, so it takes more time and space to produce than an incremental set.
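
Worked example, added here and not part of the original lecture or cards: the Go program below simulates the week described in cards 22 to 24 on a constructed data set of three files with a constructed change history. It computes which backup sets a Wednesday restore depends on under an incremental schedule and under a differential schedule, marks Tuesday's set as a bad disk to show which chain survives, and counts how many files Thursday's set holds under each scheme, which is the trade-off the cards do not spell out. The file names, change days and the `Schedule` / `Restore` functions are all constructed for this illustration.

```go
package main

import "fmt"

// Backup is one backup set produced on a given day of the week.
type Backup struct {
	Day   int               // 0 = Sunday (the full backup), 1..6 = Monday..Saturday
	Kind  string            // "full", "incremental" or "differential"
	Files map[string]string // file name -> version of its content captured in this set
	Bad   bool              // constructed failure: the medium turned out to be unreadable
}

// Constructed sample data set and change history: which files change on which day.
var allFiles = []string{"invoices.db", "orders.db", "users.db"}

var changedOn = map[int][]string{
	1: {"orders.db"},
	2: {"orders.db", "users.db"},
	3: {"invoices.db"},
	4: {"users.db"},
}

func copyMap(m map[string]string) map[string]string {
	out := make(map[string]string, len(m))
	for k, v := range m {
		out[k] = v
	}
	return out
}

// Schedule runs a full backup on Sunday and one backup of the given kind
// ("incremental" or "differential") on each of the following six days.
// An incremental set holds what changed since the previous backup of any kind;
// a differential set holds everything that changed since the last full backup.
func Schedule(kind string) []Backup {
	live := map[string]string{} // the production data as it evolves through the week
	for _, f := range allFiles {
		live[f] = f + "@0"
	}
	lastFull := copyMap(live)
	lastAny := copyMap(live)
	chain := []Backup{{Day: 0, Kind: "full", Files: copyMap(live)}}
	for day := 1; day <= 6; day++ {
		for _, f := range changedOn[day] {
			live[f] = fmt.Sprintf("%s@%d", f, day)
		}
		baseline := lastFull
		if kind == "incremental" {
			baseline = lastAny
		}
		set := Backup{Day: day, Kind: kind, Files: map[string]string{}}
		for f, v := range live {
			if baseline[f] != v {
				set.Files[f] = v
			}
		}
		chain = append(chain, set)
		lastAny = copyMap(live)
	}
	return chain
}

// Restore rebuilds the data as of the given day. It returns the rebuilt files,
// the days of the backup sets the restore depends on, and an error if one of
// those sets is unreadable. For an incremental chain every set up to that day
// matters; for a differential chain only the full and the latest differential.
func Restore(chain []Backup, day int) (map[string]string, []int, error) {
	var needed []Backup
	for _, b := range chain {
		if b.Day > day {
			break
		}
		switch b.Kind {
		case "full":
			needed = []Backup{b}
		case "incremental":
			needed = append(needed, b)
		case "differential":
			needed = []Backup{needed[0], b}
		}
	}
	var days []int
	for _, b := range needed {
		days = append(days, b.Day)
	}
	state := map[string]string{}
	for _, b := range needed {
		if b.Bad {
			return nil, days, fmt.Errorf("%s set from day %d is unreadable, restore fails", b.Kind, b.Day)
		}
		for f, v := range b.Files {
			state[f] = v
		}
	}
	return state, days, nil
}

func main() {
	for _, kind := range []string{"incremental", "differential"} {
		chain := Schedule(kind)
		chain[2].Bad = true               // constructed failure: Tuesday's set is a bad disk
		_, days, err := Restore(chain, 3) // restore to Wednesday
		fmt.Printf("%-12s Wednesday restore needs sets from days %v: ", kind, days)
		if err != nil {
			fmt.Println("FAILED,", err)
		} else {
			fmt.Println("OK")
		}
		fmt.Printf("%-12s Thursday set holds %d file(s)\n", kind, len(chain[4].Files))
	}
}
```

Run it and the incremental chain reports four sets and a failed Wednesday restore, the differential chain two sets and a successful one; Thursday's differential set carries three files against one in the incremental set, which is the cost you pay for the shorter restore chain.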

25
Q

What is a recovery site?

A

A recovery site is a location off “site”, away from your main “site” of operations, where backup data and equipment are kept so that operations can be resumed from it after a disaster.

26
Q

What are the 3 kinds of recovery site?

A

Hot Site

Warm Site

Cold Site

27
Q

In relation to recovery sites, what is a hot site?

A

Contains all necessary equipment and IT systems/applications, ready to go in a very
short time period. Typically, the only thing missing in the recovery site is the production data, which
you will need to retrieve from a backup (or keep replicated to the site). Very expensive to maintain!

28
Q

In relation to recovery sites, what is a warm site?

A

A facility that is partially ready, with some basic equipment and computing resources. IT
systems and applications are usually not configured (or maintained) to the current state. Recovery
time would be longer, but it is less expensive to maintain.

29
Q

In relation to recovery sites, what is a cold site?

A

A very basic facility with minimum equipment such as power supply and air conditioning.
Network equipment and IT systems are not present, so recovery takes the longest. Minimum cost as well!

30
Q

What does a hashing function do?

A

A hash function takes input of any length (e.g., a password in plaintext) and produces a hash (or digest) of a fixed size.

31
Q

What are the key features of a hash algorithm?

A

a) One-way: you can compute the hash from the plaintext, but you cannot recover the plaintext from the hash output (pre-image resistance)
b) Unpredictable and volatile: if you make a very slight change in the plaintext, the output looks completely different (the avalanche effect)
c) Deterministic: the same input always produces the same hash, which is what makes a hash usable for verification (and what makes precomputed lookup tables possible)

32
Q

What does “Salting” Mean in relation to hashing?

A

During the hashing process, you also mix a random value (the salt) into the input, so that the same password produces a different hash each time it is stored. This process is called “salting”. Salting protects
against certain types of attacks, including the “rainbow table attack”: an attacker holding a precomputed table of hashes for common passwords can no longer look stored hashes up, because every distinct salt would need its own table. The salt is stored next to the hash and need not be secret; it does need to be random and unique per password.
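
Added example for cards 30 to 32, not part of the lecture: a Go program using only the standard library. It shows the fixed output size and the avalanche effect of SHA-256, then stores a constructed password both unsalted and salted and shows that a precomputed hash-to-password table (a tiny stand-in for a rainbow table, built from a constructed four-word list) recovers the unsalted hash but finds nothing for the salted one. The wordlist, the victim password and the function names are constructed. SHA-256 is used so the mechanics stay visible; for real password storage use a deliberately slow function (bcrypt, scrypt, Argon2 or PBKDF2), salted in the same way, because a fast hash plus a salt still falls to per-account brute force.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Digest returns SHA-256(data) as hex. The output is always 64 hex characters
// (256 bits), no matter how long the input is.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// DifferingBits counts how many of the 256 output bits differ between the
// hashes of a and b. For any small change it is about half (avalanche effect).
func DifferingBits(a, b []byte) int {
	ha, hb := sha256.Sum256(a), sha256.Sum256(b)
	n := 0
	for i := range ha {
		n += bits.OnesCount8(ha[i] ^ hb[i])
	}
	return n
}

// UnsaltedHash is how a naive system stores a password: SHA-256(password).
// Hashing is deterministic, so the same password always gives the same hash.
func UnsaltedHash(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

func saltedHash(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// HashPassword draws a fresh random 16-byte salt and returns it together with
// SHA-256(salt || password). The salt is stored next to the hash in clear; it
// does not need to be secret, only random and unique per stored password.
func HashPassword(password string) (salt, hash []byte) {
	salt = make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return salt, saltedHash(salt, password)
}

// VerifyPassword recomputes the salted hash for a login attempt and compares
// it with the stored hash in constant time.
func VerifyPassword(salt, hash []byte, attempt string) bool {
	return subtle.ConstantTimeCompare(saltedHash(salt, attempt), hash) == 1
}

// BuildLookupTable precomputes unsalted hashes for a wordlist: a tiny stand-in
// for a rainbow table, mapping hash -> password.
func BuildLookupTable(wordlist []string) map[string]string {
	table := make(map[string]string, len(wordlist))
	for _, w := range wordlist {
		table[Digest([]byte(w))] = w
	}
	return table
}

// CrackWithTable looks a stolen hash up in the precomputed table.
func CrackWithTable(table map[string]string, storedHash []byte) (string, bool) {
	pw, ok := table[hex.EncodeToString(storedHash)]
	return pw, ok
}

func main() {
	// Constructed sample: a small attacker wordlist and a victim who chose "letmein".
	table := BuildLookupTable([]string{"123456", "password", "letmein", "qwerty"})

	pw, ok := CrackWithTable(table, UnsaltedHash("letmein"))
	fmt.Println("unsalted hash found in table:", ok, pw)

	salt, hash := HashPassword("letmein")
	_, ok = CrackWithTable(table, hash)
	fmt.Println("salted hash found in table:  ", ok, "(the table would need a copy per salt)")
	fmt.Println("login with right password:   ", VerifyPassword(salt, hash, "letmein"))
	fmt.Println("login with wrong password:   ", VerifyPassword(salt, hash, "letmein!"))
	fmt.Printf("bits differing between H(\"password1\") and H(\"password2\"): %d of 256\n",
		DifferingBits([]byte("password1"), []byte("password2")))
	fmt.Println("digest length is fixed:", len(Digest([]byte("a"))) == len(Digest(make([]byte, 1<<16))))
}
```

Calling `HashPassword("letmein")` twice gives two different salts and therefore two different stored hashes, which is exactly what defeats a shared precomputed table: the attacker's work can no longer be amortized across accounts.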

33
Q

What are the two methods to data encryption?

A

Symmetric ( Single Key)

and

Asymmetric ( public key + private key)

34
Q

What is Symmetric (single key) data encryption?

A

It uses a single key to perform both the encryption and the decryption. The
key is treated as a secret which is maintained by both parties. It is very fast and efficient; but the
difficulty is to keep the key secret and to distribute it without others getting hold of it.
Some well-known algorithms include AES, DES, 3DES, etc. (AES is the current standard; DES is broken because of its 56-bit key, and 3DES is deprecated.)

35
Q

What is asymmetric data encryption?

A

Asymmetric (public key + private key) – a key pair consists of a public key and a private key. The
two are mathematically related so that a message encrypted with the public key can ONLY be
decrypted with the corresponding private key. It eliminates the need to send a secret key over the internet,
e.g., if Bob wants to send a message which is only readable by Alice, he uses Alice’s public key to encrypt the message. No one except Alice, the holder of the private key, can decrypt it!

Although it works great, it is very slow/inefficient compared with symmetric encryption. For this reason, it is typically used to
transmit the secret (single key) between two parties at the beginning of a communication, and that symmetric key then protects the bulk of the data.

Some well-known asymmetric algorithms include RSA (encryption and signatures), DSA (signatures only) and DH (Diffie-Hellman key agreement), etc.
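
Added example for cards 33 to 35, not from the lecture: the hybrid scheme the asymmetric card describes, in Go with the standard library only. Bob draws a random AES-256 key, encrypts his message with it (AES-GCM, which also authenticates the ciphertext), and wraps the AES key with Alice's RSA public key using OAEP; Alice unwraps the key with her private key and decrypts. `Envelope`, `Seal`, `Open`, `MaxDirectRSA`, `NewKeyPair`, the sample message and the party names are constructed for this example. `MaxDirectRSA` makes a second reason for the hybrid design explicit, beyond speed: RSA-OAEP with a 2048-bit key can encrypt at most 190 bytes in one operation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what Bob sends to Alice: the per-message AES key wrapped with
// Alice's RSA public key (asymmetric part) plus the message encrypted under
// that AES key with AES-256-GCM (symmetric part).
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(Alice's public key, aesKey)
	Nonce      []byte // 12-byte GCM nonce, fresh for every message
	Ciphertext []byte // AES-GCM ciphertext with the authentication tag appended
}

// NewKeyPair generates a 2048-bit RSA key pair; the private half never leaves its owner.
func NewKeyPair() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// MaxDirectRSA is the largest message RSA-OAEP with SHA-256 can encrypt with
// this key (modulus bytes - 2*hash length - 2): 190 bytes for a 2048-bit key.
func MaxDirectRSA(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// Seal is Bob's side: pick a random AES key, encrypt the message with it, and
// wrap the key so that only the holder of the matching private key can unwrap it.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open is Alice's side: unwrap the AES key with her private key, then decrypt.
// A wrong private key fails at the unwrap; any change to the ciphertext fails
// GCM's integrity check.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap the symmetric key: wrong private key or damaged envelope")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice := NewKeyPair()
	// Constructed sample message, longer than RSA-OAEP alone could encrypt.
	msg := bytes.Repeat([]byte("Bob -> Alice: wire transfer details follow. "), 12)
	fmt.Println("direct RSA-OAEP limit:", MaxDirectRSA(&alice.PublicKey), "bytes; message is", len(msg), "bytes")

	env, err := Seal(&alice.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	got, err := Open(alice, env)
	fmt.Println("Alice decrypts correctly:", err == nil && bytes.Equal(got, msg))

	mallory := NewKeyPair()
	_, err = Open(mallory, env)
	fmt.Println("Mallory with her own key:", err)

	env.Ciphertext[0] ^= 1 // one bit flipped in transit
	_, err = Open(alice, env)
	fmt.Println("tampered ciphertext:", err)
}
```

Only the public key is ever needed on Bob's side, so nothing secret crosses the wire before the message; the symmetric key itself travels only inside the RSA-OAEP wrapping.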

36
Q

What is a digital signature?

A

A digital signature is an electronic means of validating the integrity and authenticity of a given message.
Say Alice wants to send a message to Bob. Alice takes the message and processes it with a hashing
algorithm. Alice then encrypts this hash with her own private key, and delivers it along with the message. Bob
then takes the encrypted hash and decrypts it with Alice’s public key. Then Bob takes the original message and
runs it through the same hashing algorithm. If the two hashes are identical, then Bob knows the message was not
altered during transmission (integrity) and that it was signed by the holder of Alice’s private key (authenticity).
This is how email signatures work!
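
Added example for card 36, not from the lecture: the same exchange in Go with the standard library. Modern signature schemes such as RSA-PSS (used here) pad the hash rather than raw-“encrypting” it with the private key, but the flow is exactly the card's: Alice hashes the message and signs the hash with her private key, Bob re-hashes what he received and verifies against her public key; an altered message, or a signature produced with another key (Mallory's), fails verification. `NewKeyPair`, `Sign`, `Verify` and the sample message are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair generates a 2048-bit RSA key pair. The owner publishes the public
// half and keeps the private half to herself.
func NewKeyPair() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// Sign is Alice's side: hash the message, then produce a signature over the
// hash with her private key (RSA-PSS, the padded modern form of "encrypt the
// hash with the private key").
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify is Bob's side: hash the message he received and check the signature
// against Alice's public key. False means the message was altered, or the
// signature was made with some other private key.
func Verify(pub *rsa.PublicKey, message, sig []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	alice := NewKeyPair()
	msg := []byte("Bob, please transfer 100 to account 42. Signed, Alice") // constructed sample
	sig, err := Sign(alice, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:   ", Verify(&alice.PublicKey, msg, sig))

	tampered := []byte("Bob, please transfer 1000 to account 42. Signed, Alice")
	fmt.Println("altered message verifies:   ", Verify(&alice.PublicKey, tampered, sig))

	mallory := NewKeyPair()
	forged, _ := Sign(mallory, msg) // Mallory signs the same text with her own key
	fmt.Println("other key's signature verifies:", Verify(&alice.PublicKey, msg, forged))
}
```

Note what the check does and does not give Bob: it proves the message is unchanged and was signed by whoever holds that private key; tying the public key to the person Alice is the job of certificates or a web of trust, which is why email signing systems distribute keys through them.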

37
Q

Name some categories of risk an enterprise can expect to have to deal with.

A
Strategic
Environmental
Market
Credit
Operational
Compliance