S3-m3

Question 1

NIST Special Publication 800-39

Answer 1

The risk management framework outlies a comprehensive process to manage risks by applying four components
-Risk Framework
-Assess Risk
-Respond to Risk
-Monitor Risk

Question 2

Risk Framework

Answer 2

Involves defining, or framing, the environment in which risk-based decisions are made. The purpose of this component is to form a strategy that enables a company to asses, respond, and monitor risk. Companies must identify
-Risk assumptions
-Risk constraints
-Risk tolerance
-Priorities and trade offs

Question 3

Assess Risk

Answer 3

This component addresses the way companies asses risk in the context of the risk framework. The goal is to identify
-threats to nations, organizations, individuals, assets or operations
-vulnerabilities internal and external to orgs and entities
-the harm that may occur given the potential for threats exploiting vulnerabilities
-the likelihood that harm will occur

Question 4

Respond to Risk

Answer 4

The purpose of this component is to provide a consistent, organization wide response based on the risk assessment results by:
-developing alt courses of action
-evaluation the alt courses of action
-determining appropriate courses of action consistent with org risk tolerance

Question 5

Monitor Risk

Answer 5

To evaluate and monitor risk over time by:
-determining the ongoing effectiveness of risk responses
-identifying risk impacting changes to org info systems and the environments in which the systems operated
-Verifying that planned risk response are implemented and that info security requirements are satisfied

Question 6

Security assessment engagements involve…

Answer 6

addressing the second component of the risk management framework, which includes performing a risk assessment and testing controls to obtain data on the company’s current state.
-often results in a SAR to management

Question 7

Examination

Assesment Method

Answer 7

Process of analyzing, observing, and reviewing one or more assessment objects, security activities, or relevant operations

Question 8

Interviewing

Assesment Method

Answer 8

Involves having individual or group discussions to better understand, collect, and evaluate evidence

Question 9

Testing

Assesment Method

Answer 9

The process of testing assessment objects that reflect how the object performs in its current state compared to a target expected state

Question 10

Security Assessment Reports (SARs)

Answer 10

issued as evidence of controls complying, or not complying, with state security goals and objectives. NIST defines a security assessment report as a report that provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified issues or vulnerabilities in the security controls

Question 11

Satisfied Rating

Answer 11

Indicates the assessment objective was met and yielded an acceptable result

Question 12

Other Than Satisfied Rating

Answer 12

Indicated that an assessor could not obtain sufficient information that me the statements in the assessment procedure.

Question 13

Summary of Findings

SARs

Answer 13

Introductory portion of SAR has a synopsis of key findings and recommended actions to address weaknesses or deficiencies

Question 14

System Overview

SARs

Answer 14

The overview of SAR outlines the information management system being assessed, including hardware, software, personnel, and other relevant resources

Question 15

Assessment Methodology

SARs

Answer 15

This part of a SAR explains the techniques and procedures utilized to perform the assessment

Question 16

Security Assessment Findings

SARs

Answer 16

The findings section of a SAR discusses the gaps and deficiencies discovered during the assessment

Question 17

Recommendations

SARs

Answer 17

This portion of the report provides prescriptive direction to remediate the deficiencies that were discovered

Question 18

Action Plan

SARs

Answer 18

This final section of a SAR roadmap that covers the steps that should be taken to remediate the deficiencies

Question 19

Management

Security Awareness

Answer 19

Tasked with designing and evaluating security awareness programs or coordinating with third party vendors hired to develop and or perform the security awareness training

Question 20

Specialized IT Personnel

Security Awareness

Answer 20

Tasked with caring out the policies set forth in security awareness programs. Specialized jobs include network security engineers, penetration testers, incident response analysts

Question 21

All other Employees

Security Awareness

Answer 21

Tasked with following the security procedures based on their specific job roles

Question 22

Phishing Simulations

Answer 22

designed to teach employees to recognize phony emails by sending messages that mirror actual phishing emails and other communications. When employees click the email they receive a communication informing them they performed a action in violation

Question 23

Click Rate

Answer 23

The % of employees who clicked on a phishing email link

Question 24

Re-click Rate

Answer 24

The % of employees who failed first and click again

Question 25

Report Rate

Answer 25

The % of employees who report phishing emails

Question 26

Non-responder Rate

Answer 26

The % of employees who ignored the email and did not respond in any way

Question 27

Reply Rate

Answer 27

The % of employees who replied to the phishing emails

Question 28

Employee Consultations

Program Champion Metric

Answer 28

Reports the number of times employees consult with a security’s program champion

Question 29

Security Behaviors (With and without Champions)

Program Champion Metric

Answer 29

This would involve capturing and comparing security awareness measures in departments that have champions vs those that do not

Question 30

Champion Density Vs Security Behaviors

Program Champion Metric

Answer 30

Measure the degree of correlation and linear relationship of champion activity or density among different departments and security behaviors

Question 31

The centralized incident response team

Answer 31

serves as the single incident response team tasked with managing incidents across the organization. They would be responsible for responding to incidents, potentially including those identified as par of a SAR

Question 32

To manage risk, it takes a FARM

Answer 32

-Framework
-Assessing
-Responding
-Monitoring