Sec+ Chapter 17: Risk Management and Privacy

Question 1

ERM

Answer 1

Enterprise risk management

A formal approach to risk analysis that identifies risks, determines risk severity, and adopts risk management strategies

Question 2

Threats

Answer 2

Any possible event that can adversely impact the CIA of information or info systems

Question 3

Vulnerabilities

Answer 3

Weaknesses in a system or control that can be exploited by a threat

Question 4

Risks

Answer 4

Occurs at the intersection of threat and vulnerability

A threat without corresponding vulnerability and vice versa doesn’t pose a risk

Question 5

Risk ID process

Answer 5

Identifies threats and vulnerabilities that exist in your operating environment

Question 6

External risks

Answer 6

Originate from a source outside an org, like hacker groups or former employees

Question 7

Internal risks

Answer 7

Originate from within an org, like disgruntled employees or partners with access to your network

Question 8

Multiparty risks

Answer 8

When my data breach involves multiple other entities because our networks are connected together

Question 9

Legacy systems

Answer 9

Outdated and older systems that don’t receive updates

Must be heavily protected against unpatchable vulnerabilities

Question 10

IP theft

Answer 10

Intellectual property theft

When a company possesses trade secrets or proprietary info that could compromise a business advantage if disclosed

Question 11

Software compliance / licensing

Answer 11

Too few licenses means your employees can’t do their job

Too many licenses is a waste of money as they sit unused

Understand exactly what your licensing requirements are and that you’re purchasing and managing them properly

Question 12

Likelihood of occurrence

Answer 12

Probability that a risk will occur

Question 13

Magnitude of impact

Answer 13

Impact risk will make if it does occur

Question 14

Formula for risk severity

Answer 14

Risk severity = likelihood of occurrence * magnitude of impact

Question 15

Risk assessment

Answer 15

A formalized approach to risk prioritization that allows orgs to conduct their reviews in a structured manner

Question 16

Quantitative risk assessment

Answer 16

Numeric data for straightforward prioritization of risks

Question 17

Qualitative risk assessment

Answer 17

Subjective judgements and categories for risks that are difficult to quantify

Question 18

Quantitative risk assessment process

Answer 18

1) Determine asset value (AV) of affected asset

2) Determine the likelihood the risk will occur

3) Determine the amount of damage that will occur to the asset if the risk materializes

4) Calculate the single loss expectancy (SLE)

5) Calculate the annualized loss expectancy (ALE)

Question 19

ARO

Answer 19

Annualized rate of occurrence

The number of times a risk is expected each year

EX: If a risk is expected twice a year ARO = 2.0
EX: Once every hundred years ARO = 0.01

Question 20

EF

Answer 20

Exposure factor

The percentage of the asset expected to be damaged

EX: EF of a risk that completely destroys an asset = 100% / half = 50% / etc

Question 21

SLE

Answer 21

Single loss expectancy

The amount of financial damage expected each time a risk materializes

SLE = AV * EF

Question 22

ALE

Answer 22

Annualized loss expectancy

Amount of damage expected from a risk each year

ALE = SLE * ARO

Question 23

Risk management

Answer 23

The process of systematically addressing the risks facing an organization

Question 24

Risk mitigation

Answer 24

The process of applying security controls to reduce the probability and/or magnitude of a risk

Question 25

Risk avoidance

Answer 25

When you change business practices to completely eliminate the potential that a risk will materialize

Question 26

Risk transference

Answer 26

Shifts some of the impact of a risk from the organization experiencing the risk to another entity

Question 27

Risk acceptance

Answer 27

Deliberately choosing to take no other risk management strategy, accept the risk, and continue operations as normal in the face of a risk

Question 28

Inherent risk

Answer 28

Risk that exists in the absence of any security controls

Impact + likelihood

Question 29

Residual risk

Answer 29

The level of risk that exists after implementing controls to mitigate, avoid, or transfer inherent risk

Inherent risk + security control effectiveness

Question 30

Risk appetite

Answer 30

The level of risk an org is willing to accept as a cost of doing business

Question 31

DRP

Answer 31

Disaster recovery plan

A detailed plan for resuming operations after a disaster

Plan before the disaster to have backups, offsite data replication, cloud alternatives, remote sites, etc

Question 32

BIA

Answer 32

Business impact analysis

A formal process to identify the mission critical functions within an org and facilitate the identification of the critical systems that support those functions

Question 33

MTBF

Answer 33

Mean time between failures

The expected amount of time that will elapse between outages

Question 34

MTTR

Answer 34

Mean time to repair

The average amount of time to restore a system to its normal operating state after a failure

Question 35

RTO

Answer 35

Recovery time objective

How long it takes to get back up and running to a particular service level, not always a complete recovery

Question 36

RPO

Answer 36

Recovery point objective

The amount of data the org can tolerate losing during an outage

We set an objective to meet a certain set of requirements to get a system up and running to determine how much unavailable is unacceptable

Question 37

Single points of failure

Answer 37

Systems, devices, or components that will cause a full outage if it fails

Question 38

Privacy notice

Answer 38

A notice that outlines the privacy practices adopted by an org

Question 39

PII

Answer 39

Personally identifiable information

Any info that uniquely identifies an individual person

Question 40

PHI

Answer 40

Protected health information

Medical records maintained by healthcare providers and protected under HIPAA

Question 41

Financial information

Answer 41

Any personal financial records maintained by an org

Question 42

Information classification

Answer 42

Programs that organize data into categories based on the sensitivity of the information and the impact on the org should it be inadvertently disclosed

Question 43

Data controller

Answer 43

Responsible for the purposes and means by which the data is processed

Question 44

Data steward / custodian

Answer 44

Responsible for the accuracy of the data, keeping it private, and the security of the data stored in your systems

They will also identify or set labels associated with data so you know who has access

Keeps track of all data laws and regulations so your org complies with them

Implements security controls for data

Question 45

Data processor

Answer 45

Processes data on behalf of the data controller

Often a third party or different group

EX:
Payroll department is data controller, defines payroll amount and timeframe
Payroll company is data processor, they process payroll and store employee information

Question 46

Data minimization

Answer 46

Collecting the smallest possible amount of information necessary to meet their business requirements

Information that’s not necessary should be either immediately discard or not collected in the first place

Question 47

Purpose limitation

Answer 47

Information should only be used for the purpose it was originally collected for

Question 48

Data retention

Answer 48

Determines how long data should be kept

Question 49

De-identification

Answer 49

AKA anonymization

The process of removing the ability to link data back to an individual, which reduces its sensitivity

Question 50

Data obfuscation

Answer 50

Transforming data into a format where the original information can’t be retrieved

EX: Hashing, tokenization, and Data masking

Question 51

Data owner

Answer 51

A person responsible for a certain set of data within an organization

EX: VP sales, and they’re responsible for all customer relationship data

Question 52

DPO

Answer 52

Data protection officer

Higher level manager responsible for orgs overall data privacy policies

Defines what the privacy policies are, makes sure processes in place to keep data private, and have procedures for handling data throughout the work day