Chapter 1 Risk Management

Question 1

The likelihood of a threat actor taking
advantage of a vulnerability by using a threat against
an IT asset

Answer 1

Risk

Question 2

Anyone or anything with the motive
and resources to attack another’s IT infrastructure

Answer 2

Threat Actor

Question 3

A weakness in an asset

Answer 3

Vulnerability

Question 4

An action that a threat actor can use
against a vulnerability to cause harm

Answer 4

Threat

Question 5

Pathways to gain access to infrastructure

Answer 5

Attack Vectors

Question 6

occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data.

Answer 6

Supply-chain attack

Question 7

• Government reports
• Media
• Academic papers

Answer 7

OSINT (open-source intelligence)

Question 8

• Tor network, Tor Web browser
• Encrypted anonymous connections
• Not indexed by search engines
• Tor encryption and anonymity
   Journalists
   Law enforcement
   Government informants

Answer 8

Dark Web/dark net

Question 9

Exchange of cybersecurity intelligence (CI) between
entities

Answer 9

Automated Indicator Sharing (AIS)

Question 10

• A form of AIS
• Data exchange format for cybersecurity intelligence

Answer 10

Structured Threat Information eXpression (STIX)

Question 11

• Like RSS feed for threats
• Consists of TAXII servers and clients
• Real-time cyber intelligence feeds

Answer 11

Trusted Automated eXchange of Intelligence
Information (TAXII)

Question 12

• Financial statement integrity
• Internal controls
• Type I and Type II

Answer 12

Statement on Standards for Attestation Engagements
System and Organization Controls (SSAE SOC 2)

Question 13

• “Guide for Conducting Risk Assessments“

Answer 13

NIST Special Publication (SP) 800-30, Rev. 1

Question 14

Protects EU citizens’ private data

Answer 14

General Data Protection Regulation (GDPR)

Question 15

Protect American patient medical information

Answer 15

Health Insurance Portability and Accountability Act
(HIPAA)

Question 16

Protect cardholder information

Answer 16

Payment Card Industry Data Security Standard (PCI
DSS)

Question 17

a nonprofit organization that promotes research into best practices for securing cloud computing and the use of cloud technologies to secure other forms of computing.

• • Cloud Controls Matrix (CCM)

Answer 17

Cloud Security Alliance (CSA)

Question 18

Specifies which users are allowed or denied access to a set of protected resources

Answer 18

Resource access policies

Question 19

Defines why and how you store data, for how long, and then how you dispose of it.

Answer 19

Data retention policies

Question 20

• Risk awareness
• Cybersecurity intelligence sources
• Evaluate security controls
• Inherent (current) and residual risk
• Implement security controls
• Periodic review

Answer 20

Risk Assessment Process

Question 21

• Environmental
• Flood, hurricane
• Person-made
• Riots, terrorism, sabotage
• Internal
• Malicious insider, malware infections
• External
• Distributed denial of service (DDoS)

Answer 21

Risk Types

Question 22

• Mitigation/reduction
• Transference/sharing
• Avoidance
• Acceptance

Answer 22

Risk Treatments

Question 23

Security controls are proactively put in place before
undertaking the risk

Answer 23

Mitigation/reduction

Question 24

• Some risk is transferred to a third party in exchange for
  payment
• Example: cybersecurity insurance

Answer 24

Transference/sharing

Question 25

Avoid an activity because the risks outweigh potential gains

Answer 25

Avoidance

Question 26

- The current level of risk is acceptable - The risk falls within the organization's risk appetite

Answer 26

Acceptance

Question 27

Strives to determine the likelihood and impact of threats

Answer 27

risk assessment

Question 28

* Based on numeric values * Asset value (AV) * Exposure factor (EF) - Percentage of asset value loss when negative incident occurs

Answer 28

Quantitative Risk Assessment

Question 29

- Percentage of asset value loss when negative incident occurs

Answer 29

Exposure factor (EF)

Question 30

* How much loss is experienced during one negative incident? SLE = AV (Asset Value)x EF(Exposure Factor)

Answer 30

Single Loss Expectancy (SLE)

Question 31

Number of incidents per year.

Answer 31

Annualized rate of occurrence (ARO)

Question 32

- Total yearly cost of bad things happening ALE = SLE(single Loos Expectancy) X ARO(Annual Rate of Occurrence)

Answer 32

Annualized loss expectancy (ALE)

Question 33

Based on subjective opinions regarding: - Threat likelihood - Impact of realized threat * Threats are given a severity rating

Answer 33

Qualitative Risk Assessment

Question 34

* Centralized list of risks, severities, responsibilities, and mitigations * Generally considered qualitative - Example: severity or impact ratings - Occasionally includes hard numbers (%, $)

Answer 34

Risk Register

Question 35

* Table of risk details * Similar to a heat map but without colors

Answer 35

Risk Matrix

Question 36

* Prioritize mission-critical processes * Assess risk

Answer 36

Business Impact Analysis (BIA)

Question 37

- Payment processing systems - Customer/patient records

Answer 37

Prioritize mission-critical processes

Question 38

- Identify sensitive data - Identify single points of failure - Identify security controls and compliance

Answer 38

Assess risk

Question 39

- Average time between repairable component failures - Software patching

Answer 39

Mean time between failures (MTBF)

Question 40

- Average time between NON-repairable component failures - Hard disks, switches, routers

Answer 40

Mean time to failure (MTTF)

Question 41

Time required to repair a failed component

Answer 41

Mean time to repair (MTTR)

Question 42

- Maximum tolerable amount of data loss - Directly related to backup frequency

Answer 42

Recovery point objective (RPO)

Question 43

- Maximum tolerable amount of downtime - Return systems and data to usable state

Answer 43

Recovery time objective (RTO)

Question 44

- Top secret - Secret - Confidential

Answer 44

Government/military classification

Question 45

- PII (personally identifiable information) - PHI (protected health information) - Proprietary - Public/private - Critical - Financial

Answer 45

Standard classification

Question 46

* Ensure data privacy and breach notification * Levy fines * Protect intellectual property (IP)

Answer 46

Data Privacy Standards

Question 47

* Any method of applying metadata - Example: cloud resource tagging

Answer 47

Data Classification Tools

Question 48

- Legal data owner - Set policies on how data will be managed

Answer 48

Owner

Question 49

Ensure data complies with applicable regulations

Answer 49

Controller

Question 50

Handles data in accordance with privacy guidelines

Answer 50

Processor

Question 51

Responsible for managing data (permissions, backup) in alignment with data owner policies

Answer 51

Custodian/steward

Question 52

Ensures data privacy regulation compliance such as with GDPR

Answer 52

Data privacy officer (DPO)

Question 53

Ensures data privacy regulation compliance such as with GDPR

Answer 53

Data privacy officer (DPO)

Question 54

* Collect * Store * Process * Share * Archive/delete

Answer 54

Information Life Cycle

Question 55

One or more pieces of sensitive information that can be traced back to an individual

Answer 55

Personally Identifiable Information (PII)

Question 56

One or more pieces of sensitive medical information that can be traced back to an individual

Answer 56

Protected Health Information (PHI)

Question 57

* Pseudo-anonymization * Data minimization * Tokenization * Data masking

Answer 57

Anonymization Techniques

Question 58

Replace PII with fake identifiers

Answer 58

Pseudo-anonymization

Question 59

Limit stored/retained sensitive data

Answer 59

Data minimization

Question 60

A digital token authorizes access instead of the original credentials

Answer 60

Tokenization

Question 61

- Hide sensitive data from unauthorized users - Masked out credit card number digits on a receipt

Answer 61

Data masking

Question 62

Location of data and laws that apply to it - Where did the data originate? - Where does the data reside? - Which laws/regulations apply to the data?

Answer 62

Data Sovereignty

Question 63

* Standard operating procedure (SOP) * Mandatory vacation, job rotation * Separation of duties (multi-person control)

Answer 63

Personnel Management Policies

Question 64

- Reduce intentional/ unintentional sensitive data exfiltration

Answer 64

Data Loss Prevention (DLP) systems

Question 65

- Legal review, regulatory compliance - Linking companies, partners, agencies - Vulnerability scan results - Mandatory training/ certification - Input from IT security professionals

Answer 65

Interconnection security agreement (ISA)

Question 66

- Contractual document stating level of service - Guarantee service uptime - Consequences for not meeting requirements

Answer 66

Service level agreement (SLA)

Question 67

Broad terms of agreement between parties

Answer 67

Memorandum of understanding (MOU)

Question 68

Detailed terms between parties

Answer 68

Memorandum of agreement (MOA)

Question 69

- Legal document - Responsibilities, investment, decision-making

Answer 69

Business partnership agreement (BPA)

Question 70

Prevent sensitive data disclosure to third parties

Answer 70

Non-disclosure agreement (NDA)