Chapter 1 Risk Management Flashcards
(205 cards)
1
Q
An item of value to an institution, such as data, hardware, software, or physical property. An asset is an item or collection of items that has a quantitative (numeric) or qualitative (subjective) value to a company.
A
Asset
2
Q
The probability or likelihood of the occurrence or realization of a threat.
A
Risk
3
Q
A weakness in hardware, software, or components that may be exploited in order for a threat to destroy, damage, or compromise an asset.
A
Vulnerability
4
Q
Any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise to an IT asset or data asset.
A
Threat
5
Q
Probability of occurrence or the odds that the event will actually occur.
A
Likelihood of Threat
6
Q
Driving force behind the activity.
A
Motivation
7
Q
What are some common motivations of risk activities such as hacking?
A
prestige, money, fame, and challenge
8
Q
What are some examples of Internal Risk?
A
- disgruntled employee
- failed hard drive
9
Q
What are some examples of External Risk?
A
- Natural disasters such as floods
- Person-made events such as strikes and protests
10
Q
Internal or external cause of risk
A
Risk Source
11
Q
Events over which we have no control, such as bad weather (hurricanes, snowstorms, tornadoes), fires, floods, earthquakes, and tsunamis, but could also include global events like pandemics.
A
Natural Disaster
12
Q
All forms of damaging programs, such as viruses, worms, Trojans, keyloggers, and so forth. This software is distinguishable in that it is developed to damage, alter, expose, or destroy a system or data. For example, viruses are executable programs that can replicate and attach to and infect other executable objects. Some viruses also perform destructive or discreet activities (payload) after replication and infection are accomplished.
A
Malicious Code
13
Q
Instigated by a trusted insider or an untrusted outsider. Intruders, vandals, and thieves remove sensitive information, destroy data, or physically damage or remove hardware such as hard drives and mobile devices.
A
Breach of Physical Security
14
Q
Stolen, lost, damaged, or modified data. Loss or damage to an organization’s data can be a critical threat if there are no backups or external archiving of the data as part of the organization’s data recovery and business continuity plan. Also, if the compromised data is of a confidential nature, this can also be a critical threat to the organization, depending on the potential damage that can arise from this compromise.
A
Hacker Attack
15
Q
Attack on a network or web-based system is designed to bring down the network or prevent access to a particular device by flooding it with useless traffic. Can be launched in several ways. What was done manually with simple tools before is now automated and coordinated, on a massive scale with multiple systems.
A
Distributed Denial of Service (DDoS) Attack
16
Q
When attackers use computers, Internet communications, and other cyber tools to penetrate and disrupt critical national infrastructures such as water, electric, and gas plants; oil and gasoline refineries; nuclear power plants; waste management plants; and so on.
A
Cyberterrorism
17
Q
Identify weaknesses and gaps in the deployment of controls and to identify more accurately what areas require the highest level of protection.
A
Risk Assessment
18
Q
Process of identifying all of the organization’s assets.
A
Asset Identification
19
Q
What are the two types of assets?
A
Tangible and Intangible
20
Q
What are some types of tangible assets?
A
Documentation, Data, Hardware, Software
21
Q
What are some types of intangible assets?
A
Reputation, Services, Knowledge
22
Q
What are the 5 aspects of the Risk Assessment Process?
A
- Asset Identification
- Information Classification
- Risk Assessment
- Risk Analysis
- Implementing Controls
23
Q
What is the CIA Security Triad?
A
Confidentiality, Integrity, and Availability
24
Q
Strengthens the organization in many ways. Labeling information secret or strictly confidential helps employees see the value of the information and give it a higher standard of care.
A
Information Classification
25
Specifies how employees are to handle specific information. For example, company policy might state, “All sensitive documents must be removed from the employee's desk when leaving work. We support a clean desk policy.”
Information Classification
26
What are the two widely used classification systems?
Government Classification System and Commercial Classification System
27
Which aspect of the CIA Triad does the Government Classification System focus on?
Confidentiality
28
Which aspect of the CIA Triad does the Commerical Classification System focus on?
Integrity
29
What are the four categories of the Government Classification System?
Unclassified, Confidential, Secret, and Top Secret
30
Which Governmental Information Classification, if disclosed, would cause grave damage to national security.
Top Secret
31
Which Governmental Information Classification, if disclosed, would be expected to cause serious damage to national security.
Secret
32
Which Governmental Information Classification, if disclosed, could cause damage to national security and should be safeguarded against.
Confidential
33
Which Governmental Information Classification, does not have sensitive information and need not be protected unless For Official Use Only (FOUO) is appended to the classification.
Unclassified
34
Information that would not normally cause damage, but over time FOUO information could be compiled to deduce information of a higher classification.
Unclassified Information
35
Which Commercial Information Classification has the most sensitive rating.
Confidential
36
Which Commercial Information Classification includes the information that keeps a company competitive.
Confidential
37
Which Commercial Information Classification includes information that is internal use only, but its release or alteration could seriously affect or damage a corporation.
Confidential
38
Which Governmental Information Classification includes information that requires the highest level of control.
Top Secret
39
Which Governmental Information Classification includes information that may divulge significant scientific, technological, operational, and logistical as well as many other developments.
Secret
40
Which Commercial Information Classification includes restricted information that is considered personal in nature and might include medical records or human resource information.
Private
41
Which Commercial Information Classification includes information that requires controls to prevent its release to unauthorized parties. Damage could result from its loss of confidentiality or its loss of integrity.
Sensitive
42
Which Commercial Information Classification includes information, if disclosed, that could result in damage to the company due to loss of confidentiality or loss of integrity.
Sensitive
43
Which Commercial Information Classification includes information similar to unclassified information in that its disclosure or release would cause no damage to the corporation.
Public
44
Step of the Risk Assessment Process where potential risks and threats are identified and their impact determined.
Risk Assessment
45
Responsible for identifying and analyzing risks. Its members should consist of managers and employees from across the company.
Risk Management Team
46
What are the two techniques of Risk Analysis?
Quantitative and Qualitative
47
Method of the Risk Assessment Process that assigns a cost (monetary value) to the elements of risk assessment and the assets and threats of a risk analysis.
Quantitative
48
Method of the Risk Assessment Process that ranks threats by nonmonetary value and is based on scenario, intuition, and experience.
Qualitative
49
What are the two most widely used Quantitative Risk Assessment formulas?
1. SLE = AV x EF
2. ALE = ARO x SLE
50
What does SLE stand for in the SLE = AV x EF formula?
Single Loss Expectancy
51
What does AV stand for in the SLE = AV x EF formula?
Asset Value
52
What does EF stand for in the SLE = AV x EF formula?
Exposure Factor
53
What does ALE stand for in the ALE = ARO x SLE formula?
Annualized Loss Expectancy
54
What does ARO stand for in the ALE = ARO x SLE formula?
Annualized Rate of Occurrence
55
What does SLE stand for in the ALE = ARO x SLE formula?
Single Loss Expectancy
56
What are some examples of the resulting loss of a threat or vulnerabiity?
* Financial loss
* Danger or injury to staff, clients, or customers
* Breach of confidence or violation of law
* Exposure of confidential information
* Theft of equipment, hardware, or software
57
What are the quantifiable steps to calculate a loss?
1. Determine the asset value (AV) for each information asset.
2. Identify threats to the asset.
3. Determine the exposure factor (EF) for each information asset in relation to each threat.
4. Calculate the single loss expectancy (SLE).
5. Calculate the annualized rate of occurrence (ARO).
6. Calculate the annualized loss expectancy (ALE).
58
What is the strength of a quantitative risk assessment?
It assigns dollar values and dollar values are easy to understand.
59
What is the primary disadvantage of a quantitative risk assessment?
Because it is dollar-based, the team must attempt to compute a dollar value for all elements, which can be time consuming.
60
Type of risk assessment that is scenario-based and does not attempt to assign dollar values to the components of the risk analysis.
Qualitative
61
Risk assessment method that ranks the potential of a threat and sensitivity of assets by grade or scale such as low, medium, or high
Qualitative
62
Potential impact level assigned for risks that are a minor inconvenience.
Low
63
Potential impact level assigned for risks that can result in damage to an organization, cost a moderate amount of money to repair, and result in negative publicity.
Medium
64
Potential impact level assigned for risks that will result in a loss of goodwill between the company and client or employee.
High
65
Potential impact level assigned for risks that may result in a large legal action or fine or cause the company to lose significant revenue or earnings.
High
66
Potential impact level assigned for risks that can be tolerated for a short period of time but will not result in financial loss.
Low
67
What is a disadvantage of Qualitative Risk Assessments?
It does not provide cost values.
68
What are some examples of Qualitative assessment techniques?
ISAM, Delphi, and FRAP
69
What does ISAM stand for?
INFOSEC Assessment Methodology
70
Provides nongovernment organizations with the ability to complete a qualitative assessment that ranks assets as critical, high, medium, or low and to determine the impact based on CIA.
ISAM or INFOSEC Assessment Methodology
71
Group assessment process that allows individuals to contribute anonymous opinions and is often used to forecast the likelihood and outcomes of different types of events.
Delphi Technique
72
What does FRAP stand for?
Facilitated Risk Assessment Process
73
Subjective process that obtains results by asking a series of questions. It is designed to be completed in a matter of hours, making it a quick process to perform.
FRAP or Facilitated RIsk Assessment Process
74
What are the two assessment techniques used to study failures?
1. Failure modes and effects analysis (FMEA)
2. Failure mode, effects, and criticality analysis (FMECA).
75
What does FMEA stand for?
failure modes and effects analysis (FMEA)
76
What does FMECA stand for?
failure mode, effects, and criticality analysis (FMECA)
77
What is the next step after a quantitative or qualitative risk assessment is complete?
Make a risk determination and decide which security controls should be applied.
78
What is an assessment technique that can assist with examining loss and impact?
Risk Ranking using Aggregate Score
79
The total amount of risk the company is willing to accept.
Risk Appetite
80
Which alternative for handling potential risk eliminates the risk, to withdraw from the practice, or to not become involved. This may be a viable option; there may also be an opportunity cost associated with avoiding the activity.
Avoid
81
Which alternative for handling potential risk means that it is understood and has been evaluated. Senior management has made the decision that the benefits of moving forward outweigh the risk. If those in charge have not been provided with good data on risk or have made invalid assumptions, poor choices may be made. This can give rise to disasters with global impact (BP, Fukushima, Chernobyl, Challenger, and so on).
Accept
82
Which alternative for handling potential risk deflects it to a third party. For example, insurance is obtained. Instead of managing the risk directly, the organization incurs an ongoing continual cost from that third party.
Transfer
83
Which alternative for handling potential risk uses a control to reduce the risk. For example, installing a firewall is one method by which risk can be mitigated.
Mitigate
84
The risk that remains after your organization has taken proper precautions and implemented appropriate controls.
Residual Risk
85
Recognizes the areas where you are not compliant in regard to laws, policies, or regulations.
Risk Exception
86
Having some process, policy, or system in place that discourages others from exploiting a vulnerability that, if exploited, would realize the risk.
Risk Deterrence
87
What does AATM stand for?
Avoid, Accept, Transfer, Mitigate
88
What is the next step of the Risk Assessment Process after a decision has been made on how to handle identified risk?
Implement Controls
89
What document drives the process of Implementing Controls?
Risk Assessment Report
90
What is contained in the Risk Assessment Report
Findings, information, assessments, and recommendations
91
What are the three types of security controls?
Physical, Technical, and Operational
92
What types of security controls include locks, fences, CCTV, lights, gates, and guards.
Physical
93
What types of security controls include encryption, VPNs, security protocols (IPsec, SSL, TLS, and so on), VLANs, firewalls, and IDSs and are based on CIA requirements and organizational policies?
Technical
94
What types of security controls include hiring practices, security awareness training, employment practices, termination practices, business continuity, and disaster testing and training.
Operational
95
What are some of the purposes that security controls serve?
Prevention, deterrence, correction, mitigation
96
What is the purpose of implementing controls?
Address identified risks, threats, and vulnerabilities.
97
What is put in place to determine what controls are needed and determines total cost of an asset or countermeasure?
Total Cost or Ownership (TCO) Report
98
What types of costs are included in the TCO Report?
Purchase price, maintenance fees, updates, insruance, etc. All costs are included.
99
Used to verify that the employee has a clean background and that any negative history is uncovered before employment.
Background Check
100
Act of verifying someone's educational background.
Education Verification
101
Defines what employees, contractors, and third parties are authorized to do on the organization's IT infrastructure and its assets.
Acceptable Use Policy (AUP)
102
Contract that establishes confidentiality between two parties—the owner of the information and the recipient of that information.
Non-disclosure Agreement (NDA)
103
What issues does an employee handbook address?
* Security practices, policies, and procedures
* Paid holiday and vacation policy
* Work schedule and overtime policy
* Moonlighting and outside employment
* Employee evaluations
* Disaster response and emergency procedures
* Disciplinary procedures for noncompliance
104
Just because an employee is cleared to access a particular file, document, or physical location, this doesn't mean that they should be able to do so.
The principle of lease privilege
105
What are some common employee controls?
* Mandatory Vacations
* Job Rotation
* Dual Control
* Separation of Duties
* Least Privilege
106
Which employee control uncovers misuse and gives the organization a time to audit the employee while they are not at work.
Mandatory Vacations
107
Which employee control rotates employees to new areas of assignment.
Job Rotation
108
What are the benefits of Job Rotation?
*Helps ensure backup if an employee is not available.
*Reduces fraud or misuse by providing the company with a means of moving people to prevent an individual from having too much control over an area.
109
Where is the Mandatory Vacation control most widely used?
Financial firms or applied to job roles where money is handled.
110
Which employee control requires employees to work together to complete critical actions, thereby forcing employees who are planning anything illegal to collude with others. A common example is that of a combination or code for a safe. Two employees are required to open it successfully.
Dual Control
111
Which employee control is closely related to Dual Control, where an activity, such as cryptographic recovery, is divided up among several individuals so that no one person acting alone can perform the entire key recovery process?
M of N Concept
112
Which employee control limits what one employee can do. For example, one employee may be able to write a check, but another must approve it.
Separation of Duties
113
Which employee control restricts the employee's access to only what is needed to do the job and nothing more. This control is closely related to need to know.
Least Privilege
114
What are some common training methods?
* Apprenticeship programs
* Classroom training
* Continuing education programs
* Degree programs
* In-house training
* On-the-job training
* Vendor training
115
Technique used to determine whether a planned action is or is not acceptable.
Cost-benefit Analysis
116
What common way to determine cost-benefit analysis is calculated by dividing net profits by total assets?
Return on Investment (ROI)
117
Maintaining control over your inventory, which must be identified, managed, and continually monitored to derive a reliable return on investment.
Asset Management
118
Determines how much time will lapse before accrued benefits will overtake accrued and continuing costs.
Payback Analysis
119
What are the three steps of cost-benefit analysis?
1. calculate costs
2. calculate benefits
3. compare the results
120
Purchase price of an asset plus the cost of operation; commonly overlooked when evaluating intangible benefits in a cost-benefit analysis.
Total Cost of Ownership (TCO)
121
What all is included in the TCO?
purchase price, cost of operations (costs of environmental modifications, compatibility with other countermeasures, maintenance costs, testing costs, support contracts, etc.)
122
Allows organizations to evaluate the operating effectiveness of controls on or near a real-time basis.
Continuous Monitoring
123
What should continuous monitoring include?
* Configuration management
* Control processes
* Security impact analyses
* Assessment of selected security
* Security status reporting
* Active involvement of asset owners
124
What should continuous monitoring address?
* Reporting progress
* Addressing vulnerabilities
* Describing how the information system owner intends to address those vulnerabilities
125
Risks continously reviewed, assessed, and monitored as new assets are identified.
Risk Management Lifecycle
126
Involved at nearly every step of the risk management process; contains each risk as it is identified, assessed, owned by someone, responded to, and ultimately reassessed and monitored.
Risk Register
127
Processes used to plan, allocate, and control information security resources; used for IT governance and include people, processes, and technologies.
Enterprise Security Architecture (ESA) Framework
128
What are two examples of Enterprise Security Architecture (ESA) Frameworks?
Enterprise Architecture (EA) and Sherwood Applied Business Security Architecture (SABSA)
129
ESA framework that is used by the federal government to ensure that business strategy and IT investments are aligned.
Enterprise Architecture (EA)
130
ESA framework that is a strategy based on an architectural viewpoint.
Sherwood Applied Business Security Architecture (SABSA)
131
What are defined metrics are typically included in an ESA framework?
* Strategic alignment
* Effective risk management
* Value delivery
* Resource management
* Performance measurement
* Process assurance integration
132
What are some of the most popular ESA frameworks?
11.*FISMA risk management framework*
COSO Enterprise Risk Management Framewor*k
ISO 31000 for Risk Management
133
What is the Prudent Person Rule?
Legal principle that is used to restrict the choices of the financial manager of an account to the types of investments that a person seeking reasonable income and preservation of capital might buy for their own portfolio.
134
Defines a company's primary goal.
Mission Statement
135
Formation of a plan for what to do should the business suffer an interruption.
Business Continuity Planning (BCP)
136
Formal process designed to identify mission-essential functions in an organization and facilitate the identification of the critical systems that support those functions that must be continued during an emergency.
Business Impact Analysis
137
Any event that has the potential to disrupt an organization's business.
Disaster
138
Triggered by an event that has the potential to disrupt an organization's business; identifies and prioritizes the risks posed to the facility by an internal or external disaster.
Disaster Recovery Plan
139
What are the two key concepts in business continuity planning?
Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
140
Set duration of time that a business can still function and process information after experiencing a significant interruption to its operations. That is the time that the business has to recover operations.
Recovery Point Objective (RPO)
141
Amount of actual time (duration) since the beginning of the interruption that is deemed tolerable before the interruption is considered intolerable to the business.
Recovery Time Objective (RTO)
142
Percentage measurement (0–100 percent) of how much computing power is needed. This is based on a percentage of the production system that you will need during an emergency.
Recovery Service Level (RSL)
143
The length of time between an interruption and the recovery from that interruption.
Mean Time to Recovery (MTTR)
144
Measure of the reliability of a system or component. It's a crucial element of maintenance management, representing the average time that a system or component will operate before it fails.
Mean Time Between Failure (MTBF)
145
What are the four types of Disaster Recovery Sites?
Cold Site, Warm Site, Hot Site, Mobile Site
146
Cheapest Disaster Recovery Site that will require the most time to have running. Likely initial steps involve opening boxes, equipment is available to set up but partial setup and configuration are not done.
Cold Site
147
Disaster Recovery site that is probably already running but still requires considerable effort to resume operations. Likely initial steps involve restoring backups, equipment is set up and configured and ready to turn on.
Warm Site
148
Disaster Recovery site that with minimal efforts to resume operations. Likely initial steps involve assuring minimal data loss since the disaster event place with equipment setu up and running as a copy to the lost data center.
Hot Site
149
A Disaster Recovery site that can be moved or mobilized to a new location. Picture a truck trailer filled with equipment to mirror your data center.
Mobile Site
150
What are some methods to review and evaluate the effectiveness of existing security controls?
Gap Analysis, Audits, Vulnerability Assessments, and Ethical Hacking
151
Security control evaluation method that involves an examination of an area or environment designed to report the difference between “where we are” and “where we want to be.”
Gap Analysis
152
Security control evaluation method that is typically a review of a company's technical, physical, and administrative controls.
Information Security Audit
153
Security control evaluation method that utilizes tools and scanners to provide information on vulnerabilities within a targeted application or system or an entire network.
Vulnerability Assessment Tools
154
How are vulnerabilities ussally graded in a vulnerability assessment tool?
High, Medium, or Low
155
Security control evaluation method that is the process of looking at a network in the same way as an attacker would.
Ethical Hacking
156
What is the goal of the Ethical Hacker evaluation method?
Attempting to determine what the attacker can access and obtain, what an attacker can do with that information, and whether anyone would notice what the attacker is doing.
157
What is another name for Ethical Hacking?
Penetration Testing
158
What is the purpose of Lessons Learned?
Determine the effectiveness of processes, identify improvements, and provide insights and recommendations for when these processes are repeated.
159
Written contract that specifies the levels of service that will be provided by the vendor and what the customer can do if the vendor fails to meet the terms.
Service Level Agreement (SLA)
160
What is another name for Lessons Learned?
After Action Review
161
A method of measuring something, or the results obtained from this.
Metrics
162
Help an organization better measure important metrics such as scalability, availability, and reliability.
Key Performance Indicator (KPI)
163
Metrics that predict potential risks that can negatively impact businesses.
Key Risk Indicators (KRI)
164
Accomplishment of a given task measured against preset known standards of accuracy, completeness, cost, and speed.
Performance
165
One of the most well-known types of SLAs that detail the agreed-on amount of uptime. For example, they can be used for network services such as a WAN link or equipment like servers.
Uptime Agreements
166
The percentage of help-desk or response calls answered within a given time.
Time Service Factor
167
The number of callers who hang up while waiting for a service representative to answer.
Abandon Rate
168
The number of resolutions that are made on the first call and do not require the user to call back to the help desk to follow up or seek additional measures for resolution.
First Call Resolution
169
Delay; determine how long it takes an application to respond or even the amount of delay in a WAN network.
Latency
170
The ability of a program, application, or network to continue to function as scale, volume, or throughput is changed.
Scalability
171
The ability to meet or achieve a specific goal.
Capability
172
The extent to which a product can be used by specified users to achieve specified goals.
Usability
173
Must meet the criteria of usability to be viable and effective.
Security Requirements
174
Identify problems that demand finding a balance between different factors, such as the time and cost.
Trade-off Analysis
175
Defines the capability to restore systems to the exact point in time at which the failure occurred.
Recoverability
176
Usable through the expected time of use.
Maintainability
177
The functional state of a system and, in the networking world, is often simplified to uptime.
Availability
178
Total operating time divided by the number of failures
mean time between failure (MTBF)
179
The amount of time it takes to restore a system if and when a failure occurs.
mean time to recovery (MTTR)
180
First step in prevention that provide a planned approach to practice procedures, such as those drafted for disaster recovery.
Testing Plans
181
What are five types of Testing Plans?
Walk-through, Checklist, Tabletop Exercise, Parallel and Simulation Tests, and Full Interruption Test
182
Straightforward exercise where you manually perform and analyze the steps of disaster recovery without causing any real disruption.
Walk-through
183
The easiest form of testing; read through procedures and steps toward disaster recovery. Any glaring gaps or concerns are analyzed further.
Checklist
184
Raise situational awareness in the context of information security, foster discussion of incident response, demonstrate scenarios that are most likely to occur.
Tabletop Exercise
185
Simulates a disaster recovery by running through all the steps alongside the disaster recovery systems and processes.
Parallel Test
186
Going through all motions in the disaster recovery process but leaving production systems running.
Simulation Test
187
True test of confidence in disaster recovery planning. Production systems are temporarily taken offline once disaster recovery systems are set up and ready to assume the place of the shutdown systems.
Full Interruption Test
188
Audit conducted to improve an entity's operations; monitors the operations of the organization regarding the improvement of effectiveness, control, governance processes, and risk management.
Internal Audit
189
Audit of the organization by an independent audit firm, which is not controlled by the organization that it is auditing
External Audit
190
Why are external audits performed?
Statutory requirements to verify whether security controls, processes, and documentation are in accordance with acceptable standards and regulatory requirements.
191
Why are internal audits performed?
Provide an independent opinion and consultancy to senior management and those charged with governance.
192
You've been told there is a problem. Obtain a specific description of the problem.
Define the Problem
193
Ask yourself questions when something fails or is not working properly.
Gather the Facts
194
Think about all the possibilities for why something doesn't work or why something is behaving in a certain way.
Brainstorm
195
Make a step-by-step list of the possibilities for testing. Test each possibility to see if it corrects the problem.
Implement
196
Think back to what you have done, and then document causes and solutions to the problem.
Evaluate
197
Risk assessment technique that is more subjective, not monetary-based, and uses descriptors such as critical, high, medium, and low.
Qualitative
198
Risk assessment technique that assigns and uses monetary values against known risks.
Quantitative
199
Provide the necessary information about an organization's IT infrastructure and its assets' current level of security so that the assessor can provide recommendations for increasing or enhancing that level of security.
Risk and Vulnerability Assessments
200
True or False: Conducting a Risk Assessment is difficult and prone to errors.
True
201
What should the cost of a control not exceed?
The value of the asset.
202
Threats coupled with vulnerabilities can lead to what?
Loss
203
True or False: Business continuity and DR plans must be practiced periodically.
True
204
Formalized approach to risk prioritization that lets an organization conduct reviews in a structured manner.
Risk Assessment
205
Process of applying controls to reduce the probability or impact of a risk.
Risk Mitigation
