Section 4: Risk Management

Question 1

Risk Management

Answer 1

The process of identifying, assessing, and determining how to handle known risks

Question 2

Threat

Answer 2

Potential for unwanted harm to personnel or an organizational asset

Question 3

Vulnerability

Answer 3

A weakness in an organizational asset that can cause harm

Question 4

Risk Formula

Answer 4

Risk = Threats * Vulnerabilities
A threat with no vulnerability means there’s no risk
A vulnerability without a threat means there’s no risk
Both must exist for there to be a risk

Question 5

NIST SP 800-30

Answer 5

Guide for Conducting Risk Assessments

Question 6

Which phase of NIST SP 800-30 involves understanding how the organization reacts to risks?

Answer 6

Frame

Question 7

Which phase of NIST SP 800-30 involves analyzing organizational assets to discover possible risks?

Answer 7

Assess

Question 8

Which phase of NIST SP 800-30 involves determining the best course of action to address a risk?

Answer 8

Respond

Question 9

Which phase of NIST SP 800-30 is continuous involves verifying the risk response implementation remains compliant and effective?

Answer 9

Monitor

Question 10

Risk Mitigation

Answer 10

Reducing the risk to an acceptable level

Question 11

Risk Assignment

Answer 11

Allocate the risk responsibility to someone else (transfer the risk)
Insurance company for example

Question 12

Risk Deterrence

Answer 12

Implementing deterrent controls to reduce risk

Question 13

Risk Avoidance

Answer 13

Don’t introduce changes that will increase the level of risk

Question 14

Risk Acceptance

Answer 14

The risk exists and you accept the consequences if it occurs

Question 15

Risk Monitoring

Answer 15

Verify the risk response implementation remains compliant and effective

Question 16

Deterrent Control

Answer 16

Discourage unauthorized actions
Guards, warning banners, etc

Question 17

Preventative Control

Answer 17

Stop unauthorized actions
IPS, access control mechanisms

Question 18

Detective Control

Answer 18

Discover unauthorized actions
IDS, log review, etc

Question 19

Corrective Control

Answer 19

Correct or modify unauthorized actions
Employee reprimand

Question 20

Compensating Control

Answer 20

Support other controls
Awareness training, backups, UPS

Question 21

Directive Control

Answer 21

Direct compliance with security policy
Security policy, warning signs and messages

Question 22

Recovery Control

Answer 22

Recover from an event
UPS, archives, etc

Question 23

A service provider recently identified a range of potential security threats to its critical infrastructure. They aim to implement measures that will not only reduce the likelihood of these risks, but also discourage malicious actors from violating security policies. Which type of risk response would BEST meet this objective?

Answer 23

Risk deterrence

Question 24

After a breach, an organization implemented a control designed to stop similar violations from occurring in the future by adjusting system configurations and restricting user privileges. What type of control was MOST likely implemented to mitigate further policy violations?

Answer 24

Corrective control

Question 25

NIST SP 800-137

Answer 25

Information Security Continuous Monitoring

Question 26

ISO 27004

Answer 26

Monitoring, measurement, analysis and evaluation

Question 27

Continuous Monitoring Steps

Answer 27

DEFINE strategy based on risk tolerance levels
ESTABLISH metrics, methods, frequencies, scope
IMPLEMENT methods to collect monitoring data
ANALYZE the collected data and REPORT the findings to senior management
RESPOND to known risks using security controls
REVIEW/UPDATE the monitoring program by adjusting strategies to meet the organizational needs

Question 28

NIST IR 7622

Answer 28

National Supply Chain Risk Management Practices for Federal Information Systems

Question 29

CNSSD 505

Answer 29

Supply Chain Risk Management

Question 30

ISO 28000

Answer 30

Specification for security management systems for the supply chain

Question 31

The CISO wants to implement a strategy that provides real-time visibility into the organization’s security posture, while promptly identifying and mitigating risks as they emerge. With high-value assets spread across different geographic regions, what is the MOST effective method to maintain ongoing risk awareness and adapt to evolving threats?

Answer 31

Conducting continuous monitoring