Chapter 2: IT Risk Assessment Flashcards

(203 cards)

1
Q

How does risk identification begin?

A

By documenting the assets of the organization and determining the value of an asset

2
Q

Risk identification also includes…

A

Documenting threats that could pose a risk of damage to the organization

3
Q

What is risk assessment?

A

A process used to identify and evaluate risk and its potential effects

4
Q

Statistical inference that uses prior distribution data to determine the probability of a result

A

Bayesian Analysis

5
Q

Provides a diagram to communicate risk assessment results by displaying links between possible causes, controls, and consequences. The cause of the event is depicted in the middle of the diagram and triggers, controls, mitigation strategies, and consequences branch off the knot.

A

Bow Tie Analysis

6
Q

The purpose of this technique is to gather a large set of potential risk types or ideas

A

Brainstorming/Structured Interview

7
Q

The process to determine the impact of losing the support of any resource

A

Business Impact Analysis

8
Q

Combines the techniques of fault tree analysis and event tree analysis and allows time delays to be considered

A

Cause and Consequence Analysis

9
Q

Looks at the factors that contributed to a certain effect and groups the causes into categories, which are then displayed using a diagram

A

Cause-and-effect Analysis

10
Q

List of potential or typical threats or other considerations that should be of interest to the organization

A

Checklists

11
Q

Uses expert opinion which is often received using two or more rounds of questionnaires

A

Delphi Method

12
Q

A forward, bottom-up model that uses inductive reasoning to assess the probability of different events resulting in possible outcomes

A

Event Tree Analysis

13
Q

Starts with an event and examines possible means for the event to occur and displays these results in a logical tree diagram

A

Fault Tree Analysis

14
Q

Originally developed for the food safety industry for proactively preventing risk and assuring quality, reliability, and safety of processes

A

Hazard Analysis and Critical Control Points (HACCP)

15
Q

A structured means of identifying and evaluating potential risk by looking at possible deviations from existing processes

A

Hazard and Operability Studies (HAZOP)

16
Q

Examines the effect of human error on systems and their performance

A

Human Reliability Analysis (HRA)

17
Q

A semiquantitative risk analysis technique that uses aspects of HAZOP data to determine risk associated with risk events. Also looks at controls and their effectiveness.

A

Layers of Protection Analysis (LOPA)

18
Q

Used to analyze systems that can exist in multiple states and assumes that future events are independent of past events

A

Markov Analysis

19
Q

A simulation used to establish the aggregate variation in a system resulting from variations in the system, for a number of inputs, where each input has a defined distribution and the inputs are related to the output via defined relationships

A

Monte Carlo Analysis

20
Q

Looks at what threats or hazards may harm an organization’s activities, facilities, or systems

A

Preliminary Hazard Analysis

21
Q

Analyzes the functions and potential failures of a specific asset, particularly a physical asset such as equipment

A

Reliability-centered Maintenance

22
Q

Examines possible future scenarios that were identified during risk identification

A

Scenario Analysis

23
Q

Used to identify design errors or sneak conditions: latent hardware, software, or integrated conditions that may cause an unwanted event to occur

A

Sneak Circuit Analysis

24
Q

Uses structured brainstorming to identify risk, typically within a facilitated workshop

A

Structured “What If” Analysis

25
What are contributing factors in risk prevention, detection, and response?
Structure and culture of the organization
26
The risk management function should have an enterprisewide mandate that
Allows the risk management team to review and provide input into all business processes
27
The risk management function should participate in...
Incident management activities and be responsible for investigating incidents to ensure that all lessons are learned
28
Policies provide direction regarding...
Acceptable and unacceptable behavior and actions to the organization and send a clear message from senior management regarding the desired approach to the protection of assets and the culture of the organization
29
Policies give authority to the...
Staff of risk management, audit, and security teams of the organization to perform their job responsibilities
30
High level policy is issued by
Senior management as a way to address the objectives of the organization's mission and vision statement
31
High level policy (aka overarching security policy) should require compliance with...
Laws and best practices, and state the goal of managing risk through protecting the organization's assets
32
The next level of policies after the high level policy is...
Technical and functional
33
Where policies are out of date, unenforced, or incomplete, the risk practitioner should...
Underline the vulnerability and the risk it poses to the organization
34
A mandatory requirement, code of practice, or specification approved by external standards organizations
Standard
35
A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards
Procedures
36
A lack of standards and procedures will result in...
Undependable, inconsistent operations and may result in risk due to not detecting a risk event, noncompliance, or difficulty preventing an attack
37
What is risk identification?
The process of determining and documenting risk that an enterprise faces.
38
Some of the considerations that affect risk assessment related to technology:
- Age of equipment
- Expertise available for maintenance
- Variety of vendors/suppliers
- Documentation of systems
- Availability of replacement parts
- Ability to test systems or equipment
- Operating environment and user expertise
- Ability to patch/mitigate vulnerabilities
39
A key factor in the maturation of the processes and practices of an organization is the development of...
An enterprisewide approach to risk management, architecture, and business continuity
40
A lack of architecture often results in:
- Controls that overlap
- Controls that conflict with one another
- Unidentified single points of failure
- Unidentified methods to bypass controls
- Inadequate network isolation
41
Controls are implemented to...
Mitigate risk or comply with regulations
42
An alternate form of control that corrects a deficiency or weakness in the control structure of the enterprise; may be considered when an entity cannot meet a requirement explicitly, as stated, due to legitimate technical or business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls
Compensating controls
43
Remediate errors, omissions, and unauthorized uses and intrusions, once they are detected
Corrective controls
44
Warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums
Detective controls
45
Provide warnings that can deter potential compromise, such as warning banners on login screens or offering rewards for the arrest of hackers
Deterrent controls
46
Mandate the behavior of an entity by specifying what actions are, or are not, permitted
Directive control
47
Inhibit attempts to violate security policy and include such controls as access control enforcement, encryption, and authentication
Preventive controls
48
The risk is much more serious if:
- Controls are inadequate.
- The wrong controls are being used.
- Controls are ignored or bypassed.
- Controls are poorly maintained.
- Logs or control data are not reviewed.
- Controls are not tested.
- Changes to configuration of controls are not managed.
- Controls can be physically accessed and altered.
49
The condition of the program at a point in time
Current state
50
Used to determine the state of IT risk on a regular basis and with scheduled reporting to management
Regular reviews of IT risk
51
An excellent source of analysis data and recommendations which are often related to the improvement of managerial, technical, and operational controls
Audits
52
The risk practitioner must test the performance of the control to ensure that it is...
Properly installed, operating correctly, and providing the desired result
53
Testing the control includes...
Testing both the technical and nontechnical aspects of the control
54
What are the nontechnical aspects of a control?
- Rules governing the operation of the control
- Procedures used in monitoring and operating the control
- Proficiency of the staff responsible for the operation of the control
55
A thorough review of an incident can identify...
- Weak controls
- Poor detection
- Inappropriate or ineffective response
- Lack of training of staff
56
Interviewing operations staff and reviewing logs and trouble tickets may...
Indicate an unmitigated or recurring problem or trend within a system that may require remediation
57
Logs should contain a record of all important events that occur on a system such as...
- Changes to permissions
- System start up or shut down
- Login or logout
- Changes to data
- Errors or violations
- Job failures
58
A review of logs can identify...
Risk relevant events and can detect compliance violations, suspicious behaviors, errors, probes or scans, and abnormal activity
59
It is a careful, methodical review of the security controls for a system with the intent of discovering any weaknesses or potential gaps in the control framework that could allow a successful attack
Vulnerability assessment
60
Techniques for vulnerability assessments:
- Social engineering
- Physical security tests
- Network probes and scans
- Application vulnerability reviews
61
Possible vulnerabilities
- Unpatched systems
- Buffer overflows
- Susceptibility to injection attacks
- Unlocked server rooms
- Exposed cabling
- Sensitive data left on unattended desks or screens
- Open ports or services that are not required
62
Can be used to validate the results of a vulnerability assessment and prove whether the controls and countermeasures used by the organization are working correctly
Penetration test
63
The desired state of IT risk is closely linked to the
Risk acceptance level set by management
64
Challenges of data analysis
- Are all of the data available?
- Have any of the data been altered or changed?
- Are the data in the correct format?
- Are the data based on measuring important factors?
65
A predictive or diagnostic analytical tool that is used to explore the root causes or factors that contribute to positive or negative effects or outcomes and to identify potential risk
Cause and effect analysis
66
A technique that provides a systematic description of the combination of possible occurrences in a system, which can result in an undesirable outcome (top-level event) and combines hardware failures and human failure
Fault tree analysis
67
A quantitative risk analysis technique that helps to determine which risk factors potentially have the most impact and examines the extent to which the uncertainty of each element affects the object under consideration when all other elements are held at their baseline values
Sensitivity analysis
68
Examines the nature of the threat and the potential threat scenarios
Threat modeling
69
It is done by mapping the potential method, approaches, steps, and techniques used by an adversary to perpetrate an attack
Threat modeling
70
Examines how a system will function and provide "use" for users
Use case modeling
71
Looks at all possible errors, mistakes, or ways a system can be misused
Misuse case modeling
72
Examines ways a system can be attacked and used for a purpose for which the system was never intended
Threat modeling
73
A process of diagnosis to establish the origins of events which can be used for learning from consequences, typically from errors and problems
Root cause analysis
74
A facilitated workshop where the group is told to pretend that the project has failed and then they are to discuss why it has failed
Pre-mortem
75
Based on documenting the desired state or condition of risk that management wants to reach and then carefully analyzing and evaluating the current condition of the organization; identifies the current gap or difference between the desired and current state so that corrective action can be taken when necessary
Gap analysis
76
It is a measure that determines how well the process is performing in enabling the goal to be reached; it is a good indicator of capabilities, practices, and skills
Key Performance Indicator (KPI)
77
A good method of indicating a trend that may have the potential to result in a problem in the future
Key Risk Indicator (KRI)
78
A measure that tells management, after the fact, whether an IT process has achieved its business requirements and is usually expressed in terms of information criteria
Key Goal Indicator (KGI)
79
Two main methods of analyzing risk
Quantitative and Qualitative
80
Based on numerical calculations, such as monetary values, and is most suitable for supporting cost-benefit analysis calculations because all IT risk can be compared to the cost of a control and the value of the benefit that the control would provide
Quantitative risk assessment
81
Quantitative risk assessment is often based on the...
Calculation of the impact of a single risk event and on what the event would cost, including direct costs (loss of sales) and indirect costs (damage to reputation)
82
One challenge with all risk assessment approaches is
The problem of forecasting the likelihood or frequency of a risk event
83
To properly use data from a quantitative risk assessment
The cost of the risk is often calculated on an annual basis
84
Based on scenarios or descriptions of situations that may have occurred or may occur
Qualitative Risk Assessment
85
The development of scenarios may be based on
- Threats
- Vulnerabilities
- Asset/impact
86
Examines a risk event from the basis of what threat sources (threat agents) exist and the threats that can be launched against the organization
Threat-based scenario
87
The threat-based scenario would
- Identify the potential method of attack
- The vulnerabilities exploited
- The intent and skill of the attacker
- The potential damage to the assets affected
88
Examines the organization's known vulnerabilities and attempts to determine the threats that could exploit those vulnerabilities and the impact
Vulnerability-based scenario approach
89
Based on the identification of critical and sensitive assets and the potential ways that an asset could be damaged
Asset/impact approach
90
Combines the value of qualitative and quantitative risk assessment
Semiquantitative risk assessment
91
In the semiquantitative approach, the risk practitioner creates
A range of values used to assess risk
92
It is derived from a combination of all the components of risk including the recognition of the threats and the characteristics and capabilities of a threat source, likelihood, vulnerabilities, severity of the vulnerability, likelihood of attack success and level of impact of a successful attack
Risk ranking
93
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation
94
This process-driven methodology is used to identify, prioritize, and manage information security risk
OCTAVE
95
OCTAVE helps organizations:
- Develop qualitative risk evaluation criteria based on operational risk tolerances
- Identify assets that are critical to the mission of the organization
- Identify vulnerabilities and threats to the critical assets
- Determine and evaluate potential consequences to the organization if threats are realized
- Initiate corrective actions to mitigate risk and create a practice-based protection strategy
96
It is a comprehensive, systematic, context-driven and self-directed evaluation approach
OCTAVE
97
The OCTAVE process is based on three primary phases:
1. Build asset-based threat profiles (organizational evaluation)
2. Identify infrastructure vulnerabilities (technological evaluation)
3. Develop security strategy and mitigation plans (strategy and plan development)
98
When assessing risk, it is important to measure...
The capability and maturity of the risk management processes of the organization
99
Key elements used to measure IT risk management capability:
- Support of senior management
- Regular communication between stakeholders
- Existence of policy, procedures, and standards
- Completion of a current BIA
- Logging and monitoring of system activity
- Regular review of logs
- Scheduled risk assessments and reviews
- Testing of BCPs and DRPs
- Training of staff
- Involvement of risk principles and personnel in IT projects
- Gathering feedback from users and stakeholders
- Validating the risk appetite and risk acceptance levels
- Time to detect/resolve a security incident
100
The impact of risk is a measure of the
Impact on the business
101
The risk response would have to be chosen based on
Business-related considerations more than on IT factors
102
IT management must play an active role in
Mitigating risk and supporting risk management activities
103
It focuses on producing a view of the current state of IT, establishing a vision for a future state and generating a strategy to get there
Enterprise Architecture (EA)
104
What should the Enterprise Architecture answer? (4 questions)
1. Are we doing the right things?
2. Are we doing them the right way?
3. Are we getting the benefits?
4. Are we getting them done well?
105
The risk associated with an IT system is a combination of
the risk associated with each element that makes up an IT system
106
Examples of hardware
- CPU
- Motherboards
- RAM
- ROM
- Networking components
- Firewalls and gateways
- Keyboards
- Monitors
107
Examples of risk associated with hardware
- Outdated hardware
- Poorly maintained hardware
- Misconfigured hardware
- Poor architecture
- Lack of documentation
- Lost, misplaced, or stolen hardware
- Hardware that is not discarded in a secure manner
- Sniffing or capturing traffic
- Physical access
- Hardware failure
- Unauthorized hardware
108
Software includes
applications, operating systems, utilities, drivers, middleware, application program interfaces (APIs), database management systems (DBMS) and network operating systems that manage data, interface between systems, provide a user interface to hardware, and process transactions on behalf of the user
109
Risk associated with software
- Logic flaws or semantic errors
- Bugs (semantic errors)
- Lack of patching
- Lack of access control
- Disclosure of sensitive information
- Improper modification of information
- Loss of source code
- Lack of version control
- Lack of input and output validation
110
What is an operating system?
It is the core software that allows the user to interface with hardware and manages all system operations
111
Risk associated with operating systems
- Unpatched vulnerabilities
- Poorly written code (buffer overflows, etc.)
- Complexity
- Misconfiguration
- Weak access controls
- Lack of interoperability
- Uncontrolled changes
122
What is an application?
The face of the information system and is the mechanism by which users can access information, perform transactions and use system features
123
Risk associated with applications
- Poor or no data validation
- Exposure of sensitive data
- Improper modification of data
- Logic flaws
- Lack of version control
- Loss of source code
- Weak or lack of access control
- Lack of operability with other software
- Back doors
- Poor coding practices
124
Utilities can include two separate areas of concern:
1. Environmental control
2. Those that support the use of system resources
125
Environmental controls include:
- Power
- Heating, ventilation, and air conditioning systems (HVAC)
126
Risks associated with environmental control utilities
- Power interruptions
  - Loss of power
  - Surge
  - Spikes
  - Sags
  - Brownouts
  - Faults
  - Generators are poorly maintained and outdated
- HVAC
  - Overheating
  - Humidity problems
  - Corrosion and condensation (high humidity)
  - Static (low humidity)
  - Clogged filters
  - Lack of maintenance
- Water
  - Loss of water (needed for cooling systems)
  - Health and safety issues
- Secure operational areas
  - Restricted access to server rooms
  - Secure access to power supplies, generators, elevator shafts
127
Risk associated with software utilities
- Use of outdated drivers
- Unavailability of drivers
- Unpatched drivers
- Use of insecure components
- Unpatched vulnerabilities
128
Samples of network devices
- cabling
- repeaters
- switches
- routers
- firewalls
- gateways
- wireless access points
129
What is a network?
A system of interconnected computers and the communication equipment used to connect them
130
Uses of a network
- transferring data between individuals
- transferring data between applications
- controlling and monitoring of remote equipment
- backing up data
- enabling communication between devices
131
When assessing network-based risk, risk associated with the following must be examined
- network configuration and management
- network equipment protection
- the use of layered defense
- suitable levels of redundancy
- availability of bandwidth
- use of encryption for transmitting data
- encryption key management
- use of certificates to support PKI
- damage to cabling and network equipment
- tapping network communications and eavesdropping on communications
- choice of network architecture
- documentation of network architecture
132
Types of cabling
- UTP
- Coaxial
- Fiber
133
Concerns with regards to cabling
- Physical security of cabling
- Cable that exceeds the approved length of the cable runs
- Protection from damage to cabling (conduit)
- Use in an area of high radio frequency interference (may require shielding)
- Use of cable that is not of a suitable standard
- Ensuring use of plenum-rated cable where required
- Improper terminations of cable on connectors
- Lack of cabling records
134
What are repeaters?
Devices used to extend the length of a signal being transmitted over cable or wireless networks
135
Advantage of a repeater
it can filter out some noise or errors that may be affecting traffic
136
Risk with repeaters
- Ensuring that there are enough repeaters in use to provide a clean, error-free signal
- A wireless repeater providing a strong signal into areas outside the perimeter of the organization's facilities could allow unauthorized access
137
What are switches?
they are used to connect devices together
138
What can switches do?
- forward packets to a destination
- divide networks through configuration
- perform routing functions
- address translation and balancing
- perform load balancing
139
Risks associated with switches
- Physical protection of the switch
- Ensuring proper configuration of the switch
- Documentation
- Being a single point of failure
140
What is the purpose of a router?
To connect multiple networks together and forward incoming packets in the direction of the destination IP address that is in the packet header
141
What is the delay in processing called?
Latency
142
What are the risks associated with routers?
- Improper configuration
- Use of weak protocols
- Software bugs
- Unpatched systems
- Physical security
143
What is a firewall?
A system or combination of systems that enforces a boundary between two or more networks
144
A simple packet filtering router that examines individual packets and enforces rules based on addresses, protocols, and ports
First generation
145
Keeps track of all connections in a state table. This allows it to enforce rules based on packets in the context of the communications session
Second generation
146
Operates at layer seven and is able to examine the actual protocol being used for communications. This is much more sensitive to suspicious activity related to the content of the message itself
Third generation
147
Sometimes called deep packet inspection and is an enhancement to the third generation firewalls and brings in the functionality of an intrusion prevention system
Next generation
148
Firewall logs must be
reviewed regularly to detect any suspicious activity
149
What is a proxy?
A proxy is a device that acts as intermediary between two communicating parties.
150
What is a Domain Name System?
It is a mechanism that makes the Internet work. It is a simple cross-reference used to associate a normal name with an IP address used by network devices
151
Risks with DNS
- False DNS replies
- Cybersquatting
- Exploiting the DNS
152
What is the risk with wireless access points?
- Unauthorized people are able to log in
- Installation of rogue or unauthorized wireless access points
153
How to address risks with wireless access points?
- Segmenting the wireless access points in a location that is not subject to interference from other devices or near a window
- Strong password requirements
154
This topology connects every device onto one bus or communication path
Bus network topology
155
What is the risk with a bus network topology?
A cut cable may result in total network failure and it is relatively easy to sniff a bus network
156
What control can be used for a bus network topology?
Encrypted VPN must be used on cable modem Internet access
157
In this topology, every device is connected to a central switch
Star topology
158
What is the risk with the star topology?
The central switch is a single point of failure
159
In this topology, it is a series of star networks arranged with branches to other star networks in a tree type structure
Tree network topology
160
What is the risk with the tree network topology?
A cut link between the branches of the tree can cause isolation of that branch
161
What is a ring network topology?
A ring connects every device into one ring and passes traffic from device to device around the ring
162
What is a mesh network topology?
Many devices are connected to many other devices in a mesh, so that traffic can route around a failure in any part of the network
163
What is a LAN?
A communication network that serves several users within a specified geographical area, such as a building or a department
164
What is a WAN?
A computer network connecting different remote locations that may range from short distances, such as a floor or a building, to extremely long transmissions that encompass a large region or several countries
165
What is a leased line?
A leased or rented line from a supplier provided for the sole use of the organization that leases the line. It is a private network.
166
What is a packet-switching network?
This allows a communications network to be shared by multiple organizations, thereby reducing the cost considerably
167
What is microwave communication?
A line-of-sight technology where the sending and receiving stations need a clear line of sight between each other
168
What is optical?
Similar to microwave but built on laser technology. Optical communication is also line of sight
169
What are satellite communications?
It has enabled communications from remote areas where it was not previously possible to provide other forms of communications
170
What is VPN?
It is a secure private network that uses the public telecommunications network.
171
What are the risks in network implementation?
Risks related to:
- the suitability of the network architecture
- the proper configuration and management of the network devices
- the ongoing monitoring of network performance
172
What is the DMZ?
The area of the network that is accessible to outsiders through the Internet
173
What is the extranet?
A network that is accessible to outsiders and used for trusted communications such as communicating with business partners
174
What is UI (user interface)?
The way a user interfaces with an application or a system.
175
What are risks to data management?
- Lack of clear ownership
- Improper data management/data leakage
- Compliance with data management policies and procedures
176
What must the risk practitioner do regarding new threats and vulnerabilities?
Must ensure that new and emerging risk is identified and evaluated and that the organization is aware of and watching for new and emerging threats and vulnerabilities. The risk practitioner should work with the business and system owner to perform a threat analysis and determine if and how the organization should respond
177
What must the risk practitioner do regarding emerging technologies?
Consider potential risk and controls for the application of these technologies that may present value to the organization; assess and evaluate the approach of the organization to accepting new technologies and the attitude of the security team and IT operations toward reviewing and securing new technologies as they become available
178
What must the risk practitioner do regarding industry trends?
Assess the maturity of the IT department and the organization as a whole toward monitoring and adapting to new market trends
179
What are relevant contractual requirements for outsourcing?
Right-to-audit clauses; security and BCP/DRP reviews; staffing reviews; regulatory reviews; outsourcer and third-party affiliate reviews; right to early termination; security and continuity requirements; service level agreements
180
What are the reasons for failure of IT projects?
Unclear or changing requirements; scope creep; lack of budget; lack of skilled resources; problems with technology; delays in delivery of supporting elements/equipment; unrealistic timelines; lack of progress reporting
181
Lack of good project management can lead to:
Loss of business; loss of competitive advantage; low morale among staff members; inefficient processes; lack of testing of new systems or changes to existing systems; impact on other business operations; failure to meet SLAs or contractual requirements; failure to comply with laws and regulations
182
What are the key tasks to be performed during the SDLC?
Security categorization of the system; BIA; privacy impact assessment; use of a secure information systems development policy; awareness of vulnerabilities in the selected technology or operational environment
183
What is the purpose of BCPs and DRPs?
To enable a business to continue offering critical services in the event of a disruption and to survive a disastrous interruption to activities
184
What is the first step in preparing a new BCP?
To identify business processes of strategic importance
185
Based on the key processes, the risk assessment should identify the following:
The human resources, data and infrastructure elements, and other resources that support the key processes; a list of potential vulnerabilities (dangers and threats); the estimated probability of the occurrence of these threats; the efficiency and effectiveness of existing risk mitigation controls
186
Business continuity planning is primarily the responsibility of
senior management, because they are entrusted with safeguarding the assets and the viability of the organization
187
Business continuity planning takes into consideration:
those critical operations that are necessary to the survival of the organization, and the human/material resources supporting them
188
Besides the plan for the continuity of operations, the BCP should also include
the DRP, which is used to recover a facility rendered inoperable, including relocating operations; and the restoration plan, which is used to return operations to normality
189
A single integrated plan ensures that:
there is proper coordination among the various plan components; committed resources are used in the most effective way; and there is reasonable confidence that the organization will survive a disruption
190
Incident management starts with
the preparation and planning that build an incident response plan (IRP)
191
The primary focus of incident management is
to get the organization's affected systems and operations back into normal service as quickly as possible
192
RTO
recovery time objective
193
RPO
recovery point objective
194
The recovery of critical business processes may be through an alternate process, including
a manual process or outsourced support; having sufficient inventory on hand; using facilities available at another office or location; displacing less critical work with more critical functions
195
The core source of data used in business continuity planning is a
BIA
196
The BIA examines the
impact of an outage on the business over the length of time of the outage
197
Disaster recovery planning is
the recovery of business and IT services following a disaster or incident within a predefined schedule and budget
198
The risk practitioner should review the BCP/DRP to ensure that
they are up to date, reflect risk scenarios and business priorities, and have been tested
199
Exceptions should only be allowed through a
documented, formal process that requires approval of the exception from a senior manager
200
After an exception is no longer needed
the exception should be removed
201
Who is tasked with making the decision of what the best response is to the identified risk?
Risk owner
202
To ensure accountability, the ownership of risk must be
with an individual, not with a department or the organization as a whole
203
The results of the risk assessment should be compiled into a
risk assessment report for submission to senior management