Chapters 4-6

Question 1

What is Risk Management?

Answer 1

Identification, assessment and priotization of risks

Question 2

What are the Two Formal Processes of Risk Management?

Answer 2

• Risk Identification and Assessment
• Risk Control

Question 3

Who are the Communities of Interest in Risk Management?

Answer 3

• Information Security: leadership role in addressing risk
• Information Technology: building and maintaining secure systems
• Management: resource allocation and security prioritization
• Users: crucial in early detection and proper response to threats

Question 4

What are the Steps of Risk Management?

Answer 4

• Evaluating Risk Controls
• Determining Cost Effective Control Options
• Acquiring and Installing Appropriate Controls
• Overseeing Processes for Effectivity
• Identfying Risks
• Assessing Risks
• Summarizing Findings

Question 5

What are the Steps of Risk Identification?

Answer 5

• Plan and Organize Process
• Create System Component Categories
• Develop Inventory of assets
• Identify Threats
• Specify Vulnerable Assets
• Assign Value or Impact Rating to Assets
• Assess Vulnerability Likelihood
• Calculate Asset Relative Risk Factor
• Preliminary Review of Possible Controls
• Document Findings

Question 6

How do you Inventory Information Assets?

Answer 6

• Identify Information Assets
• Determine Which Attributes of Each Information Asset Should be Tracked

Question 7

What is Asset Ranking?

Answer 7

• Determine the Value of Assets
• Prioritizing According to Value

Question 8

What is an Asset Classification Scheme?

Answer 8

• Categorizes information assets based on sensitivity
• Each category designates level of protection
• Must be comprehensive and mutually exclusive

Question 9

What are Relative Values?

Answer 9

Comparative judgements made to ensure the most valuable information assets are given the highest priority

Question 10

What is Threat Identification?

Answer 10

Assesses IT vulnerabilities and their capacity to compromise a system

Question 11

What is Vulnerability Assessment?

Answer 11

The process of defining, Identifying, classifying, and prioritizing vulnerabilities

Question 12

What is Risk Assessment?

Answer 12

Create a method to evaluate the relative risk of each listed vulnerability

Question 13

What is the Extended Risk Formula?

Answer 13

Risk = Probability of Attack * Probability of Successful Attack * Value Lost on Successful Attack

Question 14

What are the Goals of the Risk Management Process?

Answer 14

• Identify Information Assets and their Vulnerabilities
• Rank them According to Sensitivity

Question 15

What is the Goal of the Risk Identification Process?

Answer 15

• Designate the Function of the Report
• Define who is Responsible for Preparing and Reviewing the Report

Question 16

What is Risk Control?

Answer 16

Identifying Possible Controls

Question 17

What are the Three General Categories of Control?

Answer 17

• Policies
• Programs
• Technical Controls

Question 18

What are the Four Basic Strategies of Control Risks?

Answer 18

• Avoidance: applying safeguards against risks
• Transference: shifting risk to other areas or outside entities
• Mitigation: reducing impact of vulnerabilities
• Acceptance: accepting risk without control or mitigation

Question 19

What are the Types of Mitigation Plans?

Answer 19

• Disaster Recovery Plan (DRP)
• Incident Response Plan (IRP)
• Business Continuity Plan (BCP)

Question 20

What is a Metric?

Answer 20

• A measurement of a periodic or ongoing activity
• Used by management to measure key processes for their effectivities

Question 21

What are the 3 Metrics categorizations?

Answer 21

• Key Risk Indicators (KRI): metrics associated with risk measurement
• Key Goal Indicators (KGI): metrics that portray attainment of strategic goals
• Key Performance Indicators (KPI): metrics that show the efficiency or effectivenes of security-related activities

Question 22

What is Security Control?

Answer 22

Measures that reduce risk by eliminating or preventing harm or discovering and reporting it

Question 23

What are the Types of Control Classifications?

Answer 23

• Management Controls
• Operational Controls
• Technical Controls

Question 24

What are Management Controls?

Answer 24

Focuses on the selection of operational and technical controls to reduce risk of loss

Question 25

What are Operational Controls?

Answer 25

Address control implementation and use of security policies and standards

Question 26

What are Technical Controls?

Answer 26

Involve the correct use of hardware and software security capabilities in systems

Question 27

What are the Types Control Classes?

Answer 27

- Supportive Controls - Preventative Controls - Detection and Recovery Controls

Question 28

What are Supportive Controls?

Answer 28

Pervasive, underlying technical IT security capabilities that are interrelated and used by other controls

Question 29

What are Preventative Controls?

Answer 29

Focuses on preventing security breaches by inhibiting security violation attempts

Question 30

What are Detection and Recovery Controls?

Answer 30

Focuses on security breach responses by warning security violations or attempted violations

Question 31

What is a Cost-Benefit Analysis?

Answer 31

- Identify controls that provide the greatest benefit given the available resources - Contrast the impact of implementing a control or not - A business decision

Question 32

What is an IT Security Plan?

Answer 32

Detail the actions needed to improve the identified deficiencies in the risk profile

Question 33

What details should be provided by the IT Security Plan?

Answer 33

- What will be done - What resources are needed - Who is responsible

Question 34

What should be Included in the IT Security Plan?

Answer 34

- Risks, recommended controls, priorities - Selected controls, needed resources - Responsible personnel, implementation dates - Maintenance requirements

Question 35

What are IT Security Plan Documents?

Answer 35

- What needs to be done for each selected control - Responsible personnel - Resources and time frame

Question 36

What are Identified Personnel?

Answer 36

- Implement new or enhanced controls - May need system config changes, upgrades, or installs - May involve development of new or extended procedures - Need to be encouraged and monitored by management

Question 37

How is security management a cyclic process?

Answer 37

constantly need to be repeated to respond to the changing IT systems and risk environment

Question 38

What is included in Implementation followup?

Answer 38

- Maintenance of security controls - Security compliance checking - Change and configuration management - incident management

Question 39

Why is Maintenance and Monitoring Important?

Answer 39

Ensure the continued correct functioning and appropriateness of implemented controls

Question 40

What are the Tasks of Maintenance?

Answer 40

- Periodic review of controls - Upgrade controls to meet new requirements - System changes do not impact controls - Address new threats or vulnerabilities

Question 41

What is Security Compliance?

Answer 41

- An audit process to review security process to ensure system complies with security plan - Checks if suitable policies and controls are maintained and used correctly

Question 42

What is Change Management?

Answer 42

- Process in reviewing proposed changes - May be informal or informal - Test patches to ensure no adverse affects on other applications

Question 43

What is Configuration Management?

Answer 43

- Keeps track of configurations of each system in use and the changes done to them - Know what patches or upgrades might be relevant - Lists of hardware and software versions to help with restoration following a failure