Chapter 3 Review Flashcards

1
Q

Chapter 3 Review

When implementing this program, the organization must consider several characteristics;

1. Risk tolerance
2. Management Structure
3. Executive Management Support
4. Culture
5. Regulatory and Legal obligations

A

RISK MANAGEMENT PROGRAM

2
Q

Chapter 3 Review

When implementing a risk management program, the organisation must consider the characteristics of the following 5 things;

  1. ____ ; Senior Management contentedness with deviation from risk appetite
  2. ____ ; How many managers, and their business unit alignments
  3. ____ ; How well the program is endorsed
  4. ____ ; Attitudes within the business
  5. ____ ; Mandated commitments
A
  1. RISK TOLERANCE
  2. MANAGEMENT STRUCTURE
  3. EXEC MANAGEMENT SUPPORT
  4. CULTURE
  5. REGULATORY and LEGAL OBLIGATIONS
3
Q

Chapter 3 Review

A risk management program should include several avenues of this so that business leaders and stakeholders understand the program and how it is integrated into the organization.

A

COMMUNICATION

4
Q

Chapter 3 Review

The risk management program should be transparent with regard to these 2 things

A

PROCEDURES and PRACTICES

5
Q

Chapter 3 Review

When building or improving a risk management program, security managers may select one of several industry frameworks, such as:

  1. ISO/IEC ____
  2. ISO/IEC ____
  3. ISO/IEC ____
  4. NIST SP 800-____
  5. NIST SP 800-____
  6. C____
  7. R____ I ____
  8. R____
  9. F____
A
  1. ISO/IEC 27001
  2. ISO/IEC 27005
  3. ISO/IEC 31010
  4. NIST SP 800-37
  5. NIST SP 800-39
  6. COBIT
  7. Risk IT
  8. RIMS
  9. FAIR
6
Q

Chapter 3 Review

Risk management program frameworks offer these 7 similar components to each other

  1. S____ ; What is covered
  2. O____ ; Desired targets
  3. P____ ; Governance
  4. R____ ; Senior Mgmt contentedness with deviation from risk appetite
  5. R____ ; Defining ownership and what personnel must do
  6. R____ ; A Lifecycle process
  7. M____ ; An analysis by leaders
A
  1. SCOPE
  2. OBJECTIVES
  3. POLICY
  4. RISK TOLERANCE
  5. ROLES and RESPONSIBILITIES
  6. RISK MANAGEMENT LIFE-CYCLE
  7. MANAGEMENT REVIEW
7
Q

Chapter 3 Review

To the greatest reasonable extent, a risk management program should be integrated into the business to avoid causing this to the organization whilst also achieving this in regards to risk

A

DISRUPTION
MINIMIZING RISK

8
Q

Chapter 3 Review

When planning a risk management program, the security manager and executive leadership need to understand this in regard to why the program has been put in place

A

CONTEXT

This includes the program’s scope, participants and stakeholders, and risk tolerance.

9
Q

Chapter 3 Review

This person must consider many aspects of the organization’s internal and external environments such as;

  1. Market and Economic Conditions
  2. External Stakeholders
  3. Customers
  4. External Threats
A

SECURITY MANAGER

10
Q

Chapter 3 Review

The security manager must consider these 4 aspects in regard to the internal and external environments when developing a risk management program;

  1. ____ ; Environment in which the business is operating
  2. ____ ; Third party people who have an investment in the business
  3. ____ ; People to whom the business exists to serve
  4. ____ ; Actors or events outside of the business that serve to cause harm
A
  1. MARKET and ECONOMIC CONDITIONS
  2. EXTERNAL STAKEHOLDERS
  3. CUSTOMERS
  4. EXTERNAL THREATS
11
Q

Chapter 3 Review

The security manager may need to perform one of these to better understand the current state as compared to the desired future state of the program.

A

GAP ANALYSIS

12
Q

Chapter 3 Review

Security managers can fill gaps in these 2 areas of their understanding through networking with other security and risk professionals, training, periodicals, and conferences.

A

KNOWLEDGE and EXPERIENCE

13
Q

Chapter 3 Review

The risk management life cycle consists of a set of activities that enable the organisation to do these 2 things in relation to risk.

A

DISCOVER and MANAGEMENT

14
Q

Chapter 3 Review

These are the 6 steps in the risk management life cycle process;

  1. S____ ; Defining what the program covers
  2. A____ ; Discovering information/information systems and their worth
  3. Risk I____ ; What are the risks
  4. Risk A____ ; Determine the threat, likelihood and impacts of the risks
  5. Risk T____ ; Determine remediation activities
  6. Risk C____ ; Tell people about the risks
A
  1. SCOPE DEFINITION
  2. ASSET IDENTIFICATION and VALUATION
  3. RISK IDENTIFICATION
  4. RISK ANALYSIS
  5. RISK TREATMENT
  6. RISK COMMUNICATION
15
Q

Chapter 3 Review

Carrying these out on a periodic basis contributes to continued risk identification.

A

RISK ASSESSMENTS

16
Q

Chapter 3 Review

A key step in risk analysis is the identification of vulnerabilities, or weaknesses, in these 3 areas

  1. P____ ; Individuals
  2. B____ P ____ ; Methodologies
  3. T____ ; Hardware or software
A
  1. PEOPLE
  2. BUSINESS PROCESSES
  3. TECHNOLOGY
17
Q

Chapter 3 Review

A key step in risk analysis is the identification and analysis of these 2 threats

A

INTERNAL and EXTERNAL

18
Q

Chapter 3 Review

Security managers need to recognize that these things often need to be considered in a risk assessment, and some may not yet be included in current standards.

A

EMERGING THREATS

19
Q

Chapter 3 Review

After risks are identified, the amount of risk present can be calculated using input from these 5 areas;

  1. T____ ; Events that could cause harm
  2. T____ A ____ ; Individuals or groups that could cause harm
  3. V____ ; Weaknesses in systems or processes
  4. A____ V ____ ; Worth of Information/Information systems
  5. I____ ; Ramifications of events occurring
A
  1. THREATS
  2. THREAT ACTORS
  3. VULNERABILITIES
  4. ASSET VALUE
  5. IMPACT
20
Q

Chapter 3 Review

In most cases, risk is calculated in this way to provide an easy to understand evaluation of the risk

A

QUALITATIVE

primarily because it is difficult to know the precise (or even an approximate) probability of threat occurrence and somewhat difficult to know the financial impact of a threat.

21
Q

Chapter 3 Review

In quantitative risk analysis, key values are;

  1. (AV)
  2. (EF)
  3. (SLE)
  4. (ARO)
  5. (ALE)
A
  1. ASSET VALUE (AV)
  2. EXPOSURE FACTOR (EF)
  3. SINGLE LOSS EXPECTANCY (SLE)
  4. ANNUALISED RATE OF OCCURRENCE (ARO)
  5. ANNUALISED LOSS EXPECTANCY (ALE)
22
Q

Chapter 3 Review

RISK = T____ x V ____

A

RISK = THREATS x VULNERABILITIES
RISK = THREATS x VULNERABILITIES x ASSET VALUE
RISK = THREATS x VULNERABILITIES x PROBABILITY

23
Q

Chapter 3 Review

Industry-standard techniques are available for performing risk analysis, including

  1. O____
  2. B____ T ____ Analysis
  3. D____ Method
  4. B____ Analysis
  5. E____ T ____ Analysis
  6. F____ T ____ Analysis
  7. M____ C ____ Analysis
A
  1. OCTAVE ALLEGRO
  2. BOW TIE ANALYSIS
  3. DELPHI METHOD
  4. BAYESIAN ANALYSIS
  5. EVENT TREE ANALYSIS
  6. FAULT TREE ANALYSIS
  7. MONTE CARLO ANALYSIS

Delph climbed a tree in Monte Carlo bay with his 8 polka dot bow tie on

24
Q

Chapter 3 Review

Risks identified in a risk assessment or risk analysis need these 4 activities performed;

  1. E____ ; Assessed
  2. R____ ; Scored against a matrix
  3. C____ ; Placed into a corresponding grouping
  4. A____ ; Responsibility appointed to an individual
A
  1. EVALUATED
  2. RANKED
  3. CATEGORIZED
  4. ASSIGNED A RISK OWNER
25
Q

Chapter 3 Review

An organization will enact these to address a risk.

A

CONTROLS

26
Q

Chapter 3 Review

Risk management and this program have several common components and linkages.

A

BUSINESS CONTINUITY PLANNING

27
Q

Chapter 3 Review

Risk Management and Business Continuity Planning both are concerned with these 2 areas, and both utilize business impact analysis to better understand the organization’s most critical processes.

A

BUSINESS RESILIENCE and SURVIVAL

28
Q

Chapter 3 Review

Risk Management and Business Continuity Planning both are concerned with business resilience and survival, and both utilize this method to better understand the organization’s most critical processes.

A

BUSINESS IMPACT ANALYSIS

29
Q

Chapter 3 Review

This tool is the central business record in a risk management program.

A

RISK REGISTER

30
Q

Chapter 3 Review

A risk register is a catalog of all current and historical risks, along with many pieces of metadata describing what in relation to risk.

A

EACH RISK IN DETAIL

31
Q

Chapter 3 Review

A risk register may be stored in a

  1. S____
  2. D____
  3. G____
A
  1. SPREADSHEET
  2. DATABASE
  3. GRC TOOL
32
Q

Chapter 3 Review

____ and ____ are incorporated into many other business activities, including but not limited to;

  1. software development
  2. change management
  3. configuration management
  4. incident and problem management
  5. physical security
  6. enterprise risk management
  7. human resource management
A

SECURITY and RISK MANAGEMENT

33
Q

Chapter 3 Review

This program is established to close the gap between the existing state of controls, as identified by a risk assessment, and the desired state, which will be obtained through meeting control objectives

A

INFORMATION SECURITY PROGRAM

Most standard frameworks for information security show the development of an information security program as starting with a risk assessment and control objectives