Chapter 1: Managing Risk

Question 1

Anything that can harm your resources. There are three types:

Answer 1

A threat; Environmental, Manmade, Internal vs. External

Question 2

A graphical tool that is often used to identify threats

Answer 2

A risk register

Question 3

Deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or a loss of information itself.

Answer 3

Risk Assessment (a.k.a risk analysis or risk calculation)

Question 4

A weakness that could be exploited by a threat

Answer 4

Vulnerability

Question 5

Three chief components of a risk assessment:

Answer 5

1. ) Risks to Which the Organization Is Exposed
2. ) Risks That Need Addressing
3. ) Coordination with BIA (Business Impact Analysis)

Question 6

A monetary measure of how much loss you could expect in a year.

Answer 6

Annual Loss Expectancy (ALE)

Question 7

Monetary value that represents how much you could expect to lose at any one time

Answer 7

Single Loss Expectancy (SLE)

Question 8

The value of the item

Answer 8

Asset value (AV)

Question 9

the percentage of the asset threatened

Answer 9

Exposure Factor (EF)

Question 10

The likelihood, often drawn from historical data, of an event occurring within; a year

Answer 10

Annualized Rate of Occurence (ARO)

Question 11

To compute Risk Assessment:

Answer 11

SLE(AV * EF) * ARO = ALE

Question 12

A score representing the the possibility of threat initiation.

Answer 12

Likelihood

Question 13

Used to look at the vendors your organization works with strategically and potential risks they introduce.

Answer 13

Supply chain assessment

Question 14

The way in which an attacker poses a threat

Answer 14

Threat vector

Question 15

The measure of the anticipated incidence of failure for a system or component.

Answer 15

Mean Time Between Failures (MTBF)

Question 16

The average time to failure for a nonrepairable system.

Answer 16

Mean Time to Failure (MTTF)

Question 17

The measurement of how long it takes to repair a system or component once a failure occurs.

Answer 17

Mean Time to Restore (MTTR)

Question 18

The maximum amount of time that a process or service is allowed to be down and then consequences still to be considered acceptable.

Answer 18

Recovery Time Objective (RTO)

Question 19

Defines the point at which the system needs to be restored

Answer 19

Recovery Point Objective (RPO)

Question 20

Often associated with a business impact analysis, and it identifies the adverse impacts that can be associated with the destruction, corruption, or loss of accountability of data for the organization.

Answer 20

Privacy Impact Assessment (PIA)

Question 21

Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Answer 21

Personally Identifiable Information (PII)

Question 22

More commonly known as “analysis” rather than “assessment.” This is the compliance tool used in conjunction with PIA.

Answer 22

Privacy Threshold Assessment (PTA)

Question 23

Involves identifying a risk and making the decision not to engage any longer in the actions associated with that risk.

Answer 23

Risk Avoidance

Question 24

Share some of the burden of the risk completely to another entity; like moving some services to the cloud.

Answer 24

Risk Transference

Question 25

Accomplished any time you take steps to reduce risk.

Answer 25

Risk Mitigation

Question 26

A system that monitors the content of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed.

Answer 26

Data Loss Prevention (DLP)

Question 27

The choice that you must make when the cost of implementing any of the other responses exceeds the value of harm that would occur that would occur if the risk came to fruition

Answer 27

Risk Acceptance

Question 28

Hosting services and data on the internet instead of hosting it locally.

Answer 28

Cloud Computing

Question 29

Vendors allow apps to be created and run on their infrastructure.

Answer 29

Platform as a Service (PaaS) a.k. cloud platform services

Question 30

Applications are run remotely over the web.

Answer 30

Software as a Service (SaaS)

Question 31

Utilizes virtualization, and clients pay a cloud service provider for resources used.

Answer 31

Infrastructure as a Service (IaSS)

Question 32

Allows one set of hardware to host multiple virtual machines

Answer 32

Virtualization

Question 33

The software that allows the virtual machines to exist.

Answer 33

Hypervisor

Question 34

Provide the people in an organization with guidance about their expected behavior.

Answer 34

Policies

Question 35

Outlines what the policy intends to accomplish and which documents, laws, and practices the policy addresses.

Answer 35

Scope statement

Question 36

Provides the goal of the policy, why it’s important, and how to comply with it.

Answer 36

Policy overview statement

Question 37

Informs the policy readers about the substance of the policy

Answer 37

Policy statement

Question 38

Addresses who is responsible for ensuring that the policy is enforced and provides additional information to the reader about who to contact if a problem is discovered.

Answer 38

Accountability Statement

Question 39

Provides specific guidance about the procedure or process that must be followed in order to deviate from the policy.

Answer 39

Exception Statement

Question 40

Deals with specific issues or aspects of a business.

Answer 40

Standard

Question 41

What are the key aspects of standards documents?

Answer 41

1. Scope and Purpose
2. Roles and Responsibilities
3. Reference Documents
4. Performance Criteria
5. Maintenance and Administrative Requirements

Question 42

The process of evaluation.

Answer 42

Audit

Question 43

Help an organization implement or maintain standards by providing information on how to accomplish the policies and maintain the standards.

Answer 43

Guidelines

Question 44

What are the four items that make up the minimum contents of a good guidelines document?

Answer 44

1. Scope and Purpose
2. Roles and Responsibilities
3. Guideline Statements
4. Operational Considerations

Question 45

Provide the step-by-step instructions or procedures on how to accomplish a task in a specific manner.

Answer 45

Guideline Statements

Question 46

Specify and identify what duties are required and at what intervals.

Answer 46

Operational Considerations

Question 47

Serves as the baseline for business and, if properly written, covers what is expected on a regular basis and outlines what to do when things aren’t running as well as they should.

Answer 47

Standard Operating Procedure (SOP)

Question 48

Outlines responsibilities and obligations (as well as the sharing of profits and losses) between business partners.

Answer 48

Business Partner Agreements (BPA)

Question 49

Define the terms and conditions for securely sharing data and information resources.

Answer 49

Memorandum of Understanding (MOU) and Memorandum of Agreement (MOA)

Question 50

Documents the technical and security requirements for establishing, operating, and maintaining the interconnection.

Answer 50

Interconnection Security Agreement (ISA)

Question 51

Requires employees to take time away from work and refresh, and it is primarily used in jobs related to the financial sector.

Answer 51

Mandatory Vacation Policy

Question 52

Defines intervals at which employees must rotate through positions.

Answer 52

Job Rotation Policy

Question 53

Designed to reduce the risk of fraud and to prevent other losses in an organization by requiring more than one person to complete.

Answer 53

Separation of Duties Policies

Question 54

An agreement between two or more parties established for the purpose of committing deception or fraud.

Answer 54

Collusion

Question 55

Give users only the permissions that they need to do their work and no more.

Answer 55

Least Privilege Policy

Question 56

Describe how the employees in an organization can use company systems and resources, both software and hardware.

Answer 56

Acceptable Use Policies (AUPs)

Question 57

The act of using of small, portable devices to download large amounts of data on an unauthorized basis.

Answer 57

Pod slurping

Question 58

Defines what controls are required to implement the security of systems, users, and networks.

Answer 58

Security policies

Question 59

Events that aren’t really incidents.

Answer 59

False positives (Type I Error)

Question 60

Deviations from the established rules of acceptance.

Answer 60

Anomalies

Question 61

Events that seem like they aren’t incidents but actually are.

Answer 61

False negatives (Type II Error)

Question 62

The process of evaluating all of the critical systems (important to core business functions) in an organization to define impact and recovery plans.

Answer 62

Business Impact Analysis (BIA)

Question 63

What are the critical components of a BIA?

Answer 63

1. ) Identifying Critical Functions
2. ) Prioritizing Critical Business Functions
3. ) Calculating a Timeframe for Critical Systems Loss
4. ) Estimating the Tangible and Intangible Impact on the Organization

Question 64

Part of a system that, if it fails, will stop the entire system from working.

Answer 64

Single Point of Failure (SPOF)

Question 65

A plan designed to take a possible future event or circumstance into account.

Answer 65

Contingency Plan

Question 66

The ability to scale of resources as needed.

Answer 66

Elasticity

Question 67

Distributing the load (file requests, data routing, and so on) so that no device is overly overburdened.

Answer 67

Distributive Allocation

Question 68

The measures used to keep services and systems operational during an outage.

Answer 68

High availability (HA)

Question 69

The capacity to recover quickly from difficulties.

Answer 69

Resiliency

Question 70

Refers to systems that either are duplicated or fail over to other systems in the event of a malfunction.

Answer 70

Redundancy

Question 71

Refers to the process of reconstructing a system or switching over to other systems when a failure is detected.

Answer 71

Fail over

Question 72

Involves multiple systems connected together cooperatively (which provides load balancing) and networked in such a way that if any of the systems fail, the other systems take up the slack and continue to operate.

Answer 72

Clustering

Question 73

The ability of a system to sustain operations in the event of a component failure.

Answer 73

Fault tolerance

Question 74

What are two key components of fault tolerance should not be overlooked?

Answer 74

Spare parts and electrical power.

Question 75

A device that allows a computer to keep running for at least a short time when the primary power source is lost.

Answer 75

Uninterruptible Power Supply (UPS)

Question 76

An appliance that runs off of gasoline, propane, natural gas, or diesel and generate the electricity needed to provide steady power.

Answer 76

Backup generator

Question 77

A technology that uses multiple disks to provide fault tolerance.

Answer 77

Redundant Array of Disks (RAID)

Question 78

RAID Level that uses multiple drives and maps them together as a single physical drive. Done primarily for performance, not for fault tolerance. If any drive fails in this RAID, the entire logical drive becomes unstable. (Uses two disks)

Answer 78

RAID Level 0 (Disk Striping)

Question 79

RAID Level that provides 100% redundancy because everything is stored on two disks. Each drive keeps an exact copy of all information, which reduces the effective storage capability to 50 percent of the overall rated storage. (Uses two disks)

Answer 79

RAID Level 1 (Disk Mirroring)

Question 80

Disk ______ is where one controller card writes sequentially to two disks while disk _______ uses two controllers to write to two disk at the same time.

Answer 80

(Disk) mirroring, (disk) duplexing

Question 81

RAID Level that is disk striping with a a dedicated parity disk. (Uses three disks.)

Answer 81

RAID Level 3

Question 82

A technique that checks whether data has been lost or written over when it is moved from one place in storage to another or when it is transmitted between computers.

Answer 82

Parity information

Question 83

RAID Level that is disk striping with distributed parity. (Uses three disks.)

Answer 83

RAID Level 5

Question 84

The discipline of focusing on how to document and control for change.

Answer 84

Change management

Question 85

Which business matters must be evaluated?

Answer 85

• Policies
• Standards
• Guidelines

Question 86

What are the three categories of control types? (Exam Essential)

Answer 86

The three types of controls that can be administered are technical, management, and operational.

Question 87

Risk can calculated either _______ (subjectively) or _______(objectively). (Exam Essential)

Answer 87

Qualitatively, Quantitatively

Question 88

The basic formula for quantitative calculations is ____________. (Exam Essential)

Answer 88

SLE * ARO = ALE

Question 89

What are the four difference approaches to risk? (Exam Essential)

Answer 89

The four risk response strategies are avoidance (don’t engage in that activity), transference (think insurance), mitigation (take steps to reduce the risk), and acceptance (be willing to live with the risk.)