Section 5.4 Risk Management Processes & Concepts

Question 1

What is the act of identifying, assessing and reducing the risk of issues that can impact your organizations operations and assets?

Answer 1

Risk Management

Question 2

What kind of risk comes from elements within the organization’s control?

Answer 2

Internal Risk

Question 3

What kind of risk is usually the type of risk that the organization has limited control over?

Answer 3

External Risk

Question 4

The cost of reducing a risk is mitigated by what?

Answer 4

The potential cost of dealing with a security breach.

Question 5

Ultimately, __________ is a cost/benefit analysis of your security infrastructure.

Answer 5

Risk Assessment

Question 6

________ involves identifying both types of assets and determining asset value?

Answer 6

Asset Identification

Question 7

Asset value should consider?

Answer 7

Repair/Replace Costs
Deprecation,
Revenue Generated
Value to competition
Exposure factor

Question 8

What identifies the critical risks that pose a security threat?

Answer 8

Risk analysis

Question 9

What kind of risk analysis is a numerical calculation of the exact cost of the loss of a specific company asset because of disaster?

Answer 9

Quantative risk analysis

Question 10

What kind of risk analysis considers tangible and intangible factors in determining costs?

Answer 10

Qualitative risk analysis

Question 11

The consolidation of many different types of services on the same hardware creates a security risk known as?

Answer 11

Single Point of Failure

Question 12

What allows a computer to host multiple instances of an operating system environment, all running from the same computer on the same hardware?

Answer 12

Use of Virtualization Technology

Question 13

What do you call the current awareness of the risk associated with an organization, both internal and external?

Answer 13

Risk awareness

Question 14

What do you call the amount of risk that is acceptable to an organization?

Answer 14

Risk Tolerance

Question 15

What do you call the level of risk that an organization is willing to take before actions are taken to reduce the risk?

Answer 15

Risk Appetite

Question 16

What do you call the untreated risk, or the level of risk before any controls have been put into place to mitigate or counter risk?

Answer 16

Inherent risk

Question 17

What do you call the risk that occurs when internal controls either fail to reduce risk or misstate the amount of risk that is present or being mitigated?

Answer 17

Control risk

Question 18

What do you call the level of risk that remains after controls are put into place to mitigate or reduce risk?

Answer 18

Residual Risk

Question 19

What depicts the rating of various risks according to the likelihood of occurrence and potential impact?

Answer 19

Risk Matrix Format

Question 20

What will dictate how much funds need to be budgeted for risk countermeasures and mitigation?

Answer 20

Likelihood and Impact

Question 21

The funds that are budgeted for risk countermeasures and mitigation?

Answer 21

Annualized Loss Expectancy (ALE)

Question 22

The annualized loss expectancy (ALE) is calculated by multiplying?

Answer 22

Annualized Rate of Occurrence (ARO) x Single Loss Expectancy (SLE)

Question 23

What concept prevents sensitive and private data from being intercepted or read by unauthorize users?

Answer 23

Confidentiality

Question 24

Ensuring confidentiality for risk control often entails including:

Answer 24

Encryption and Access Control Measures

Question 25

What concept ensures that your data is consistent and never modified by unauthorized persons or manipulated in any intentional or accidental manner?

Answer 25

Integrity

Question 26

What concept ensures information can be trusted from the supposed sender?

Answer 26

Nonrepudiation

Question 27

Data integrity includes the use of what for protecting data against manipulation?

Answer 27

Proper authentication
Authorization Security Techniques

Question 28

Data integrity includes the use of what for protecting data from corruption?

Answer 28

Redundancy Planning
Fault Tolerant Systems

Question 29

What are the common risk control methods of ensuring integrity?

Answer 29

Hashing
Digital Signatures
Certificates

Question 30

What concept ensures that your systems and networks are always operation and providing service to users?

Answer 30

Availability

Question 31

When considering risk control, what ensures availability?

Answer 31

Implementation of Hot\Warm\Cold sites
Site Sharing Agreements

Question 32

What concept ensures that personnel will be safe and then that organizational priorities will be carried out?

Answer 32

Safety

Question 33

The cost of risk management solutions should not exceed the value of?

Answer 33

The asset if it is lost

Question 34

What do you call a living document use to track different types of data elements, most commonly risk factors and risk scenarios?

Answer 34

Risk Register

Question 35

What risk management strategy opts to avoid the risk all together?

Answer 35

Risk avoidance

Question 36

What risk management strategy transfers, or “passes on” the risk to a 3rd party?

Answer 36

Risk Transference

Question 37

What risk management strategy decides to just deal with the risk?

Answer 37

Risk Acceptance

Question 38

What risk management strategy decides to use countermeasures?

Answer 38

Risk Mitigation

Question 39

What types of disasters occur based on location?

Answer 39

Environmental

Question 40

Environmental disasters are protected against by?

Answer 40

Data Backups
Offsite Locations

Question 41

What types of disasters can be accidental or intentional?

Answer 41

Person-made

Question 42

Person-made disasters are protected against by?

Answer 42

Access Controls
Physical Security

Question 43

What kind of disasters happen to a company that is permanently connected to the internet and can come from inside and outside of the network?

Answer 43

Network and Hacking Attacks

Question 44

What kind of disasters are caused by special programs able to replicate themselves?

Answer 44

Virus attacks

Question 45

Protection against virus attacks include:

Answer 45

Antivirus Software
User Education

Question 46

What are extremely important in preventing downtime for your organization in the event of equipment or communications failure?

Answer 46

Disaster Recovery
Operations Planning

Question 47

What do you call a step by step plan to recover your networks and systems in the event of a disaster?

Answer 47

Disaster Recovery Plan

Question 48

Who are responsible for creating and executing business continuity activities and a disaster recovery plan that outlines the goals for restoring company operations and functionality as quickly as possible following a disaster?

Answer 48

Disaster Recovery Team

Question 49

What assessment looks for single points of failures and looks to replace them with redundant or fault tolerant systems?

Answer 49

Site Risk Assessments

Question 50

What analysis outlines your organizations most critical functions and how they’ll be affected during a disaster?

Answer 50

Business Impact Analysis (BIA)

Question 51

What do you call the most important functions to complete?

Answer 51

Mission Essential Functions (MEF)

Question 52

Critical business functions and their associated systems must be prioritized so that in case of a disaster, they’ll be what?

Answer 52

They will be made operation before other less critical functions and systems

Question 53

Most important in the BIA will be examining?

Answer 53

Total Financial loss incurred through certain types of disasters

Question 54

What analysis’s purpose is to determine if a system is using privacy information or connecting to one that is?

Answer 54

Privacy Threshold analysis

Question 55

The most important part of an organization to get operational in the event of a disaster is what?

Answer 55

Communications

Question 56

Inside of DRP documentation, what includes a list of people and businesses to notify in case of a disaster?

Answer 56

Notification List

Question 57

Inside of DRP documentation, what includes phone numbers and contact information for employees, vendors, data recovery agencies, and offsite facilities?

Answer 57

Contact information

Question 58

Inside of DRP documentation, what included blueprints and diagrams of all networking and facilities infrastructure so they can be re-created at the new site?

Answer 58

Networking and facility diagrams

Question 59

Inside of DRP documentation, what includes configuration information for all servers, applications, and networking equipment?

Answer 59

System configurations

Question 60

Inside of DRP documentation, what includes step-by-step information on how to restore data from the backup media?

Answer 60

Backup restoration procedures

Question 61

Inside of DRP documentation, what includes the operating system software, appropriate license keys, and backup media?

Answer 61

Location of Backup and licensing media

Question 62

To complete your disaster recovery plan, you should do what to ensure that all parts of the plan work as they should?

Answer 62

Test it

Question 63

What is it called when departments sit together and go through scenarios?

Answer 63

Tabletop excercises

Question 64

What do you all a report that allows you to give an honest assessment of the testing, detail the areas that should be improved upon, and identify the path forward for filling any gaps?

Answer 64

After Action Report(AAR) or Lessons learned report

Question 65

High availability systems want to provide what?

Answer 65

Uninterrupted service consistently

Question 66

What term specifies in measurable terms the level of service to be received, such as the percentage of time services are available?

Answer 66

Service Level

Question 67

What industry-standard term refers to the average length of time from the moment a component fails until it is repaired?

Answer 67

Mean Time to Repair (MTTR)

Question 68

What industry-standard term refers to the length of time that a component is expected to last in regular service?

Answer 68

Mean Time to Failure (MTTF)

Question 69

What industry-standard term refers to the average length of time a specific component is expected to work until it fails?

Answer 69

Mean Time between Failures (MTBF)

Question 70

What industry-standard term refers to the maximum amount of time that is considered tolerable for a service or certain business function to be unavailable?

Answer 70

Recovery Time Objective (RTO)

Question 71

What industry-standard term refers to the maximum acceptable amount of lost data due to an outage or disaster?

Answer 71

Recovery Point Objective (RPO)

Question 72

What is a strategy to deflect threats in order to avoid the costly and disruptive consequences of a damaging event?

Answer 72

Risk avoidance