Week 3A - Managing Cyber/Info Security

Question 1

Risk Definition (AS/NZS 27005)

Answer 1

Risk is the effect of uncertainty on objectives

Question 2

Effect of Event

Answer 2

The consequence, derivation from the normal state

Question 3

Uncertainty

Answer 3

How likely is it that this event will happen?

Question 4

Types of Objectives

Answer 4

Financial
Health & Safety
Information Security
Environmental

Question 5

Which two terms are used to express InfoSec risk?

Answer 5

Likelihood and Consequence

Question 6

Likelihood

Answer 6

The chance of something happening

Question 7

Consequences

Answer 7

Outcome of an event affecting objectives

Question 8

Consequences have ___ and ___

Answer 8

Magnitude and Impact

Question 9

Consequences - Magnitude

Answer 9

Perception of magnitude is defined by stakeholder perspective

Question 10

Consequences - Impact

Answer 10

The impact on stakeholders varies - need to understand context

Question 11

Which Australian Standard provides guidelines for information security risk management?

Answer 11

AS/NZS 27005:2012

Question 12

What are the 6 Broad Steps of the Risk Management Process of AS/NZS 27005:2012?

Answer 12

1. Context Establishment
2. Risk Assessment - Identification, Analysis, Evaluation
3. Risk Treatment
4. Risk Communication
5. Risk Monitoring
6. Risk Acceptance

Question 13

1. Context Establishment - What are the 3 types contexts to consider?

Answer 13

External Context
Internal Context
Risk Management Context

Question 14

1. Context Establishment - External Context

Answer 14

Relationship between organisation and external environment

Question 15

1. Context Establishment - Internal Context

Answer 15

Understand the organisation – capabilities, goals, objectives

Question 16

1. Context Establishment - Risk Management Context

Answer 16

Goals, objectives, strategies, scope and parameters of area the risk management process is being applied to

Question 17

2. Risk Assessment - What are the 3 components of risk assessment?

Answer 17

2.1 Risk Identification
2.2 Risk Analysis
2.3 Risk Evaluation

Question 18

2.1 Risk Identification

Answer 18

Identify assets, consider threats, vulnerabilities and existing controls

Question 19

2.2 Risk Analysis

Answer 19

Determine the magnitude of identified risks using Qualitative and Quantitative analysis

Question 20

2.2 Risk Analysis - Qualitative Analysis

Answer 20

Uses descriptive scales (in words) with ordered categories

Question 21

2.2 Risk Analysis - Quantitative Analysis

Answer 21

Uses numerical values for scales

Question 22

2.2 Risk Analysis - Asset Value (AV)

Answer 22

Estimated total value of asset (in $$$)

Question 23

2.2 Risk Analysis - Exposure Factor (EF)

Answer 23

% of asset loss caused by threat occurrence

Question 24

2.2 Risk Analysis - Annualized Rate of Occurrence (ARO)

Answer 24

Estimated frequency a threat will occur in a year

Question 25

2.3 Evaluation - What is the output of the risk analysis stage?

Answer 25

A prioritized list of risks for further action - high risk needs immediate action, low risk may be accepted without treatment

Question 26

3. Risk Treatment - List 4 risk treatment options

Answer 26

Risk Avoidance
Risk Modification
Risk Sharing
Risk Retention

Question 27

3. Risk Treatment - Risk Avoidance

Answer 27

Stop doing the activity that gives rise to risk

Question 28

3. Risk Treatment - Risk Modification

Answer 28

Apply controls to change the likelihood of he event or reduce the magnitude of consequences

Question 29

3. Risk Treatment - Risk Sharing

Answer 29

Share with another party that can effectively manage the risk

Question 30

3. Risk Treatment - Risk Retention

Answer 30

Know the risk exists, but decide to do nothing

Question 31

3. Risk Treatment - What is Treatment Proportionality?

Answer 31

Balance the cost and effort of implementing treatment option against benefits derived

Question 32

3. Risk Treatment - Residual Risk

Answer 32

Risk remaining after risk treatments have been applied

Question 33

4. Risk Communication

Answer 33

Use communication and consultation so all stakeholders understand the basis or decisions and why they are required

Question 34

4. Risk Communication - What is a risk statement?

Answer 34

A relatively short summary of risk used to communicate risks to stakeholders

Question 35

4. Risk Communication - Risk Statement Format

Answer 35

“There is a risk that <event/incident> occurs leading to <consequence> that causes <impact>"</impact></consequence>

Question 36

5. Risk Monitoring & Review

Answer 36

Ongoing review is essential to ensure continuing relevance

Question 37

5. Risk Monitoring & Review - What 3 things need to be monitored?

Answer 37

1. Changes in Identified Risks
2. Effectiveness of Treatment Plan
3. Emerging risks

Question 38

5. Risk Monitoring & Review - Recording the Process

Answer 38

Each stage of the risk management process should be recorded

Question 39

6. Risk Acceptance

Answer 39

What level of risk is acceptable for the organisation?