Section 3: Risk Management Flashcards
Risk Types
o Inherent Risk
▪ Occurs when a risk is identified but no mitigation factors are applied
▪ Inherent risk is the level of risk in place prior to taking any mitigating actions to reduce the impact or likelihood of that risk being realized
o Residual Risk
▪ Occurs when we calculate the risk after we apply our mitigations and security controls
o Risk Exception
▪ Any risk that is created due to an exemption being granted or failure to comply with corporate policy
Risk Register
o A tool that is used to identify potential risks in a system or organization
o Risk Register Should Include:
▪ Risk identified
▪ Description
▪ Level
▪ Likelihood
▪ Owner
▪ Mitigation measures implemented
▪ Residual level
Risk Assessment
o A tool used during risk management to identify vulnerabilities and threats, to assess their impact, and to determine what controls to utilize
▪ Identify assets and their value
▪ Identify vulnerabilities and threats
▪ Calculate threat probability and impact
▪ Balance the threat impact with the cost of countermeasures
SLE vs ALE vs ARO
o Single Loss Expectancy (SLE)
▪ The cost associated with the realization of each individual threat that occurs
o Annual Loss Expectancy (ALE)
▪ The expected cost of a realized threat over a given year
o Annualized Rate of Occurrence (ARO)
▪ Provides us with an estimate of how many times per year a given threat might be realized
SLE x ARO = ALE
Example: SLE = $2,000, ARO = 3
$2,000 x 3 = $6,000