Chapter 17 - Risk Management and Privacy Flashcards

1
Q

Enterprise Risk Management (ERM)

A

Enterprise Risk Management programs have organizations take a formal approach to risk analysis that begins with identifying risks, continues with determining the severity of each risk, and then results in adopting one or more risk management strategies to address each risk.

2
Q

Threats

A

Threats are any possible events that might have an adverse impact on the confidentiality, integrity, and/or availability of our information or information systems.

3
Q

Vulnerabilities

A

Vulnerabilities are weaknesses in our systems or controls that could be exploited by a threat.

4
Q

Risks

A

Risks occur at the intersection of a vulnerability and a threat that might exploit that vulnerability. A threat without a corresponding vulnerability does not pose a Risk, nor vice versa.

5
Q

Risk Identification Process

A

The Risk Identification Process requires identifying the threats and vulnerabilities that exist in your operating environment.

6
Q

External Risks

A

External Risks are those risks that originate from a source outside the organization. This is an extremely broad category of risk, including cybersecurity adversaries, malicious code, and natural disasters, among many other types of risk.

7
Q

Internal Risks

A

Internal Risks are those risks that originate from within the organization. They include malicious insiders, mistakes made by authorized users, equipment failures, and similar risks.

8
Q

Multiparty Risks

A

Multiparty Risks are those that impact more than one organization. For example, a power outage to a city block affects all the buildings on that block. Similarly, the compromise of a SaaS provider’s database is a multiparty risk because it compromises the information of many different customers of the SaaS provider.

9
Q

Legacy Systems

A

Legacy Systems pose a unique type of risk to organizations. These outdated systems often do not receive security updates, and cybersecurity professionals must take extraordinary measures to protect them against unpatchable vulnerabilities.

10
Q

Intellectual Property (IP) Theft

A

Intellectual Property (IP) Theft risks occur when a company possesses trade secrets or other proprietary information that, if disclosed, could compromise the organization’s business advantage.

11
Q

Software Compliance/Licensing Risks

A

Software Compliance/Licensing Risks occur when an organization licenses software from a vendor and intentionally or accidentally runs afoul of usage limitations that expose the customer to financial and legal risk.

12
Q

Likelihood of Occurrence/Probability

A

Likelihood of Occurrence refers to the chances of the risk actually occurring. This could be expressed as the percent of chance that a threat will exploit a vulnerability over a specified period of time.

13
Q

Impact

A

In risk assessment, Impact refers to the gravity of the effects that the risk would have on the organization if it did occur. This is often expressed as a financial cost.

14
Q

Risk Severity Formula

A

Risk Severity = Likelihood * Impact

15
Q

Continuous Risk Assessments

A

Continuous Risk Assessments involve ongoing monitoring and analysis of risks. This can include automated systems that constantly scan for new threats or changes in the risk environment, as well as regular reviews and updates to the risk management strategy.

16
Q

Recurring Risk Assessments

A

Recurring Risk Assessments are performed at regular intervals, such as annually or quarterly. These assessments are meant to track the evolution of risks over time, monitor changes in the risk profile, and ensure that risk management practices are adapting to new threats and vulnerabilities.

17
Q

Ad hoc Risk Assessments

A

Ad hoc Risk Assessments are conducted in response to a specific event or situation, such as a new project, technology implementation, or significant change in the business environment.

18
Q

What are the steps to performing Quantitative Risk Analysis?

A
  1. Determine the asset value (AV) of the asset affected by the risk.
  2. Determine the likelihood that the risk will occur by calculating the annualized rate of occurrence (ARO) for the risk.
  3. Determine the amount of damage that will occur to the asset if the risk materializes. This is called the exposure factor (EF).
  4. Calculate the single loss expectancy (SLE). This is the amount of financial damage expected each time a risk materializes.
  5. Calculate the annualized loss expectancy (ALE). This is the amount of damage expected from a risk each year.
19
Q

Risk Mitigation

A

Risk Mitigation is the process of applying security controls to reduce the probability and/or magnitude of a risk.

20
Q

Risk Avoidance

A

Risk Avoidance is a risk management strategy where we change our business practices to completely eliminate the potential that a risk will materialize.

21
Q

Risk Transference

A

Risk Transference shifts some of the impact of a risk from the organization experiencing the risk to another entity. The most common example of risk transference is purchasing an insurance policy that covers a risk. When purchasing insurance, the customer pays a premium to the insurance carrier. In exchange, the insurance carrier agrees to cover losses from risks specified in the policy.

22
Q

Risk Acceptance

A

Risk Acceptance boils down to deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk.

23
Q

Risk Appetite

A

Risk Appetite is the level of risk that an organization is willing to accept as a cost of doing business.

24
Q

Risk Register

A

The Risk Register is the primary tool that risk management professionals use to track risks facing the organization.

25
Q

Key Risk Indicator (KRI)

A

Key Risk Indicators are metrics used to measure and provide early warning signals for increasing levels of risk. These indicators help in tracking the effectiveness of risk mitigation efforts and make sure that the residual risk stays within the risk appetite.

26
Q

Risk Owner

A

The Risk Owner is an individual or entity responsible for managing and monitoring risks, including implementing necessary controls and actions to mitigate them.

27
Q

Disaster Recovery Planning (DRP)

A

Disaster Recovery Planning is the discipline of developing plans to recover operations as quickly as possible in the face of a disaster.

28
Q

Business Impact Analysis (BIA)

A

Business Impact Analysis is a formal process designed to identify the mission-essential functions within an organization and facilitate the identification of the critical systems that support those functions.

29
Q

What are the four key metrics used in the business impact analysis process?

A
  1. Mean Time Between Failures (MTBF)
  2. Mean Time to Repair (MTTR)
  3. Recovery Time Objective (RTO)
  4. Recovery Point Objective (RPO) [amount of data that the organization can tolerate losing during an outage]
30
Q

Data Inventory

A

A Data Inventory is a list of the types of information maintained by the organization and the places where that data is stored, processed, and transmitted.

31
Q

What are the four major classification categories used by the U.S. Government?

A
  1. Top Secret
  2. Secret
  3. Confidential
  4. Unclassified
32
Q

Right to be Forgotten

A

The Right to be Forgotten allows individuals to request the deletion of personal data about them under certain circumstances. The Right to be Forgotten, also known as the right to erasure, has been implemented in various data protection laws, notably the European Union’s GDPR.

33
Q

Deidentification

A

Deidentification is the process of removing the ability to link data back to an individual, reducing its sensitivity.

34
Q

Data Obfuscation

A

Data Obfuscation is the process of transforming data into a format where the original information can’t be retrieved. Some common tools for Obfuscation are hashing, tokenization, and data masking.