2. Information Risk Management Flashcards
(36 cards)
Name common Risk Management Frameworks
ISO/IEC 27001 - the ISMS requirements in clauses 4 through 10
ISO/IEC 27005 - information security risk management guidance
ISO/IEC 31010 - risk assessment techniques
NIST SP 800-37 - Risk Management Framework (RMF)
COBIT 5
RIMS Risk Maturity Model
FRAP - Facilitated Risk Assessment Process
T or F: The scope of a risk management process is NOT iterative
True. The scope is defined up front (it may also include geographical or business-unit boundaries); it is the process carried out within that scope that is iterative.
What are the steps of the iterative risk management process?
Risk Identification
Risk Analysis
Risk Treatment
What is the primary business record in most risk management programs?
Risk Register or Ledger
Compare NIST SP 800-30 and SP 800-37
800-30 - guide for conducting risk assessments
800-37 - the Risk Management Framework (RMF)
Which framework helps a risk manager understand the factors that contribute to a risk and is considered complementary to NIST SP 800-30 and ISO 27005?
FAIR - Factor Analysis of Information Risk
FAIR uses six forms of loss: Productivity, Response, Replacement, Fines and Judgements, Competitive Advantage and Reputation.
Uses "what if" analysis to estimate the probability of a threat event
How does a BIA differ from a risk assessment?
A BIA identifies the most critical business processes and what they need in order to recover; a risk assessment identifies the threats and vulnerabilities that could disrupt them and the likelihood and impact of each.
What is the risk analysis approach developed by Carnegie Mellon?
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
OCTAVE Allegro, the streamlined version, has 8 steps
What is defined as the capacity of a temporary or recovery process as compared to the normal process?
Recovery Capacity Objective (RCapO)
What is defined as the level or quality of service that is required after an event?
Service Delivery Objective (SDO)
What is defined as the point of no return after a disaster?
Maximum Tolerable Downtime (MTD), aka Acceptable Interruption Window (AIW)
MTDs are usually set per critical business function rather than for the business as a whole
What is the metric that measures how long an organization can tolerate operating in recovery or alternative processing mode?
Maximum Tolerable Outage (MTO), aka Maximum Acceptable Outage (MAO)
If a steering committee has decided to accept a risk, should the security manager simply mark it as permanently closed in the risk register?
No. Record it as accepted with a review date so that it is reconsidered after a set period; accepted risks change as the business and the threat landscape change.
What is the scheme that prescribes the required methods for protecting information at rest, in use and in transit?
Data Classification Policy
Would a code review be included in a risk management process?
No. It is too narrow and tactical in nature; it belongs to the controls that the risk treatment decides on.
Per ISO 27005 and other risk management frameworks, what steps must be completed before a risk assessment starts?
Establish the context: determine the scope, purpose and criteria of the assessment
Would removing a risk from a final report be considered risk acceptance?
Effectively yes, but it is questionable practice, and the risk manager may need to record a formal objection.
Is FAIR considered a risk management methodology / framework?
No. It is a risk assessment methodology, concerned with the outcomes of risk assessment rather than with running the whole program; it uses "what if" analysis to estimate the probability of a threat event.
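The two FAIR cards above say what the method decomposes a risk into (threat event frequency, vulnerability, six forms of loss) and that it answers "what if" questions. The block below is an added worked example, not part of the flashcards and not the FAIR standard's own tooling or vocabulary: it assumes the simplified relationships loss event frequency = threat event frequency x vulnerability and annualized loss = loss event frequency x the sum of the six loss forms, and runs a seeded Monte Carlo over triangular ranges for the "what if" view. The scenario, its figures and the MFA change are constructed.

```python
# Added illustration, not from the flashcards or from the FAIR standard itself:
# a simplified FAIR-style quantitative estimate. The scenario figures are
# constructed; the simplifications assumed here are
#   loss event frequency (LEF) = threat event frequency (TEF) x vulnerability
#   annualized loss            = LEF x sum of the six FAIR loss forms
# plus a seeded Monte Carlo run over triangular ranges for the "what if" view.
import random
from dataclasses import dataclass, field, replace

LOSS_FORMS = ("productivity", "response", "replacement",
              "fines_and_judgements", "competitive_advantage", "reputation")


@dataclass(frozen=True)
class Scenario:
    name: str
    tef_per_year: float       # how often the threat acts against the asset
    vulnerability: float      # P(a threat event becomes a loss event), 0..1
    losses: dict = field(default_factory=dict)   # loss form -> $ per loss event

    def __post_init__(self):
        unknown = set(self.losses) - set(LOSS_FORMS)
        if unknown or not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError(f"bad scenario: {unknown or self.vulnerability}")

    def loss_event_frequency(self) -> float:
        return self.tef_per_year * self.vulnerability

    def loss_magnitude(self) -> float:
        # Every loss form contributes, even when its estimate is zero.
        return sum(self.losses.get(form, 0.0) for form in LOSS_FORMS)

    def annualized_loss(self) -> float:
        return self.loss_event_frequency() * self.loss_magnitude()


def what_if(base: Scenario, **changes) -> Scenario:
    """Copy of the scenario with some factors changed, e.g. a lower
    vulnerability after a control is deployed (validation re-runs)."""
    return replace(base, **changes)


def monte_carlo(base: Scenario, tef_range, vuln_range, runs=10_000, seed=1):
    """Sample TEF and vulnerability from triangular (low, likely, high)
    ranges and return summary statistics of the annualized loss."""
    rng = random.Random(seed)          # fixed seed so results are reproducible
    samples = []
    for _ in range(runs):
        tef = rng.triangular(tef_range[0], tef_range[2], tef_range[1])
        vuln = rng.triangular(vuln_range[0], vuln_range[2], vuln_range[1])
        samples.append(what_if(base, tef_per_year=tef, vulnerability=vuln)
                       .annualized_loss())
    samples.sort()

    def pct(p):
        return samples[min(len(samples) - 1, int(p * len(samples)))]

    return {"mean": sum(samples) / len(samples),
            "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}


# Constructed example: credential stuffing against a customer portal.
BASE = Scenario(
    name="credential stuffing vs customer portal",
    tef_per_year=2.0,       # two serious campaigns a year
    vulnerability=0.25,     # one in four gets past current controls
    losses={"productivity": 40_000, "response": 15_000, "replacement": 5_000,
            "fines_and_judgements": 0, "competitive_advantage": 0,
            "reputation": 20_000},
)
# "What if" we deploy MFA and cut vulnerability to 5%?
WITH_MFA = what_if(BASE, name="... with MFA", vulnerability=0.05)

if __name__ == "__main__":
    for s in (BASE, WITH_MFA):
        print(f"{s.name}: LEF={s.loss_event_frequency():.2f}/yr "
              f"ALE=${s.annualized_loss():,.0f}")
    print(monte_carlo(BASE, tef_range=(1, 2, 4), vuln_range=(0.1, 0.25, 0.5)))
```

The point of the Monte Carlo pass is that single-number inputs hide how uncertain the estimate is; reporting p10/p50/p90 alongside the mean lets the steering committee see the spread before accepting or treating the risk.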
To establish an asset classification scheme, does there need to be a data classification program?
No. Even without a data classification program, assets can be classified by criticality and mapped to the BIA.
What are the primary criteria of a data classification program, even where regulatory requirements apply?
Monetary value, operational criticality and sensitivity.
If you are developing a system classification plan, how would support servers generally be categorized?
Support servers should be classified at the same level as the highest level of server they support.
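The card above states the rule; what it leaves implicit is that the rule is transitive (a time server that supports the DNS server that supports the ERP system inherits the ERP level) and that it only works if someone actually derives the level rather than declaring it. The block below is an added example, not from the flashcards, that computes the required level of every server from a declared-level map and a "supports" map, going beyond the card by following dependency chains and surviving cycles. The three-tier scheme, the server names and the dependency map are constructed assumptions.

```python
# Added illustration, not from the flashcards: derive the classification a
# support server needs from the servers it supports, following dependency
# chains (a server that supports a support server inherits through it).
# The server names, levels and dependency map are constructed examples.

LEVEL_RANK = {"low": 1, "moderate": 2, "high": 3}   # assumed three-tier scheme


def required_levels(own: dict, supports: dict) -> dict:
    """own:      server -> declared level, or None if it only supports others
    supports: support server -> list of servers it supports (may chain or cycle)
    Returns server -> required level: the max of its own level and the highest
    level of anything that depends on it, directly or transitively."""
    rank = {s: LEVEL_RANK[lvl] if lvl else 0 for s, lvl in own.items()}
    for src, targets in supports.items():
        rank.setdefault(src, 0)
        for t in targets:
            rank.setdefault(t, 0)
    # Fixed-point iteration: re-run until no level rises. This terminates even
    # with cycles because ranks only ever increase and are bounded above.
    changed = True
    while changed:
        changed = False
        for src, targets in supports.items():
            needed = max((rank[t] for t in targets), default=0)
            if needed > rank[src]:
                rank[src] = needed
                changed = True
    name_of = {v: k for k, v in LEVEL_RANK.items()}
    return {s: name_of.get(r, "unclassified") for s, r in rank.items()}


def underclassified(own: dict, supports: dict) -> dict:
    """Servers whose declared level (None counts as below every level) is
    lower than what their dependents require, mapped to the required level."""
    required = required_levels(own, supports)
    return {s: required[s] for s, lvl in own.items()
            if LEVEL_RANK.get(lvl, 0) < LEVEL_RANK.get(required[s], 0)}


# Constructed inventory: a high-rated ERP app, a low-rated wiki, and shared
# infrastructure whose classification should be derived, not guessed.
OWN = {"erp-app": "high", "wiki": "low",
       "dns-01": "low",          # declared low, but it serves the ERP app
       "backup-01": None, "ntp-01": None}
SUPPORTS = {"dns-01": ["erp-app", "wiki"],
            "backup-01": ["wiki"],
            "ntp-01": ["dns-01", "backup-01"]}   # supports a support server

if __name__ == "__main__":
    for server, level in required_levels(OWN, SUPPORTS).items():
        print(f"{server:10s} -> {level}")
    print("underclassified:", underclassified(OWN, SUPPORTS))
```

Run against a real CMDB export, the `underclassified` map is the list of findings: dns-01 is declared low but must be high because of the ERP dependency, and ntp-01 ends up high without ever touching the ERP system directly.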
What is the biggest challenge when implementing a data classification program?
Training end users in data handling procedures; getting them to comply consistently is the hard part.
Is repair cost a valid method for assigning asset value?
No. Valid methods include net present value, replacement cost, book value, redeployment cost, creation cost, reacquisition cost and consequential financial cost.
What mechanism does GDPR provide for multinational organizations to transfer PII internally across borders?
Binding Corporate Rules (BCRs), typically used for internal HR data.