Section 4 Information security risk management program Flashcards
Risk Management
processes for managing risk on an ongoing basis, in order to monitor and keep it at a level that is acceptable to the organization
Understanding the Fundamentals:
How would you differentiate between risk management and risk assessment in simple terms?
Risk management is the continuous process of handling risks to maintain an acceptable level, while risk assessment is the specific activity of identifying, analyzing, and evaluating risks at a given moment.
Risk Management:
Definition: Continuous process.
Objective: Handling risks.
Purpose: Maintain an acceptable level of risk.
Risk Assessment:
Definition: Specific activity.
Activities: Identifying, analyzing, and evaluating risks.
Risk Management Programs
Demonstrate Leadership and commitment
Assign responsibilities
Define the responsibilities
Ensure accountability
Establish a risk management policy
Establish a risk management process
Provide the resources
How to Demonstrate Leadership and commitment
Implement and customize a risk management framework
Issue a statement or policy
Ensure resources are allocated
Assign authority, responsibility, and accountability
Who is accountable for managing risk?
Top Management
Who is accountable for overseeing risk management?
oversight bodies
Internal Interested Parties
- Top Management
- Financial Department
- HR
- InfoSec Manager
- IT technician
- Legal Department
- Public Relations Department
- Internal Auditor
They are the ones most directly affected by the risks to intangible assets, such as reputation, brand recognition, and trademarks.
Top Management
Who is typically responsible for the risk management program in an organization?
Risk Manager
Why is it important for the person responsible for the risk management program to be familiar with all aspects of the organization’s operations?
a. It’s a legal requirement
b. To enhance communication with stakeholders
c. To show off their knowledge
d. To increase workload
b. To enhance communication with stakeholders
The core elements of the risk management process defined by ISO 31000 and ISO/IEC 27005 are:
Establishing the context
Risk assessment (comprising risk identification, risk analysis, and risk evaluation)
Risk treatment
Monitoring and review
Communication and consultation
ISO/IEC 27005, clause 3.2.3: What is risk assessment?
Overall process of risk identification, risk analysis and risk evaluation
True or False
Infosec Risk Management Cycles
the risk assessment and risk treatment should be updated on a regular basis and based on changes
True
When is the strategic cycle typically conducted in risk management?
a. Only when minor changes occur
b. At shorter time intervals
c. At longer time intervals or when major changes occur
d. On a daily basis
c. At longer time intervals or when major changes occur
What does the operational cycle focus on in the risk management process?
a. Only major changes
b. Short-term risks
c. Environmental objectives
d. Long-term goals
b. Short-term risks
What is the primary focus of the strategic cycle in the risk management process?
a. Short-term goals
b. Detailed risk assessments
c. Achieving organizational objectives
d. Daily operational activities
c. Achieving organizational objectives
How often should the operational cycle be conducted?
c. Depending on detailed risks and changes
In which cycle can there be many risk assessments with different contexts and scope?
a. Only in the strategic cycle
b. Only in the operational cycle
c. Both in the strategic and operational cycles
d. In neither cycle
c. Both in the strategic and operational cycles
Who is responsible for following up on the implementation of risk management recommendations?
The HR
The risk manager
The top management
The risk manager
The risk manager is responsible, among others, for ensuring the follow-up of the implementation of recommendations.
Who is responsible for ensuring that resources are allocated for risk management?
The top management
The risk manager
The internal auditor
Top management is responsible for ensuring that the necessary resources are allocated to managing risk.
Which of the following is considered as a resource for risk management?
Documented processes and procedures
People and skills
Both A and B
Both A and B
Top management and oversight bodies should ensure allocation of appropriate resources for risk management, including, among others, people, skills, experience, competence, documented processes and procedures, and information and knowledge management systems.
What is the primary goal of risk management?
a. Identifying risks
b. Analyzing risks
c. Managing risks on an ongoing basis
d. Evaluating risks at a certain point in time
c. Managing risks on an ongoing basis
How is risk assessment defined?
a. A permanent program in the organization
b. A set of processes for managing risk
c. The process of identifying, analyzing, and evaluating risks
d. Monitoring and keeping risks at an acceptable level
c. The process of identifying, analyzing, and evaluating risks
Is risk management a permanent program in the organization?
a. Yes, always
b. No, only at certain times
c. It depends on the organization
d. Only during major changes
a. Yes, always
approves risks, holds overall responsibility.
Top management
Department that analyzes costs, manages financial resources.
Financial Dept.
Department that identifies training needs, contributes to risk awareness.
HR
Who proposes controls for risk management?
InfoSec Manager
Who implements technical solutions for daily operations?
IT technician
Department that identifies requirements for compliance (legal, regulatory, and contractual) and analyzes them.
Legal Dept.
Who validates impacts on the organization’s reputation and manages external communications?
Public Relations (PR)
Who validates security control compliance?
Internal auditor
Who is typically responsible for the risk management program in an organization?
a. CEO
b. Risk Manager
c. IT Manager
d. Marketing Manager
b. Risk Manager
Why is it considered a good practice to assign the risk management role to the risk manager?
a. To increase workload
b. Because it’s a legal requirement
c. The risk manager is familiar with all aspects of the organization’s operations
d. It’s a temporary role
c. The risk manager is familiar with all aspects of the organization’s operations
With whom should the risk manager interact effectively?
a. Only with business managers
b. Only with support services staff
c. Both business managers and support services staff
d. Only with the CEO
c. Both business managers and support services staff
Why should the person responsible for risk management be familiar with all aspects of the organization’s operations?
a. It’s a legal requirement
b. To increase workload
c. To effectively manage risks in different areas
d. Only for strategic planning
c. To effectively manage risks in different areas
Can one person perform risk assessments that cover only a specific area or department of the organization?
Yes
Performing risk assessments for a specific area or department of the organization by one person is often feasible because of the relatively focused scope and limited complexity of such assessments.
Who are considered interested parties (key players) in the context of risk assessments?
a. Only team members
b. External consultants
c. Only top management
d. Individuals or groups affected by the assessment outcomes
d. Individuals or groups affected by the assessment outcomes
ISO/IEC 27005, clause 3.2.3 Risk assessment
Overall process of risk identification, risk analysis and risk evaluation
A risk manager should be appointed to ensure proper coordination of risk management by:
- Planning activities,
- Supervising the risk management team
- Drafting risk assessment report
- Managing communication and awareness of risk with interested parties
- Follow up on the implementation of recommendations
What are the core elements of the risk management process defined by ISO 31000 and ISO/IEC 27005?
Establishing the context
Risk assessment (comprising risk identification, risk analysis, and risk evaluation)
Risk treatment
Monitoring and review
Communication and consultation
What should top management and oversight bodies demonstrate to convey their commitment to risk management according to ISO 27005?
They should demonstrate and articulate their continual commitment through a policy, a statement, or other forms that clearly convey the organization’s objectives and commitment to risk management.
According to ISO 27005, how should risk assessment and risk management be updated, and into what cycles can updates be divided?
They should be updated on a regular basis and based on changes. Updates can be divided into two cycles: strategic cycles and operational cycles.
How does the timing differ between the strategic and operational cycles in ISO 27005 risk management?
The strategic cycle is conducted at longer intervals or when major changes occur, while the operational cycle is shorter and depends on detailed risks identified and assessed, as well as related risk treatment.
What is the primary focus of the strategic cycle compared to the operational cycle in ISO 27005 risk management?
The strategic cycle applies to the environment where the organization aims to achieve its objectives, while the operational cycle applies to all risk assessments within the context of the risk management process.