Lecture 10

Question 2

What is managing risk?

Answer 2

Managing risk is to create a level of protection that mitigates vulnerabilities to threats and reduces potential consequences

Question 3

What does managing risk involve?

Answer 3

Defining what it is understanding risk types knowing different methods of risk analysis realizing how to manage risk

Question 4

What is an asset in risk management?

Answer 4

Any item that has a positive economic value

Question 5

What is asset value?

Answer 5

The relative worth of an asset

Question 6

What is a threat?

Answer 6

A type of action that has the potential to cause harm to an asset

Question 7

How is risk defined?

Answer 7

A situation that involves exposure to some danger

Question 8

How can risk also be described?

Answer 8

A function of threats consequences of those threats and the resulting vulnerabilities

Question 9

What are the five threat categories?

Answer 9

Strategic compliance financial operational technical managerial

Question 10

What is an example of a strategic threat?

Answer 10

Theft of intellectual property not pursuing a new opportunity loss of a major account competitor entering the market

Question 11

What is a compliance threat?

Answer 11

Following or not following a regulation or standard such as breach of contract or not responding to new laws

Question 12

What is a financial threat?

Answer 12

Impact of financial decisions or market factors like increase in interest rates or global financial crisis

Question 13

What is an operational threat?

Answer 13

Events impacting daily business such as fire hazardous chemical spill or power blackout

Question 14

What is a technical threat?

Answer 14

Events affecting IT systems such as denial of service attack SQL injection or virus

Question 15

What is a managerial threat?

Answer 15

Actions related to management such as long-term illness of company president or key employee resigning

Question 16

How can risk types be grouped?

Answer 16

Internal and external legacy systems multiparty intellectual property software compliance and licensing

Question 17

What is risk analysis?

Answer 17

A process to identify and assess factors that may jeopardise success of a project or goal

Question 18

Why is following a methodology important in risk analysis?

Answer 18

It helps minimise human bias and involves many individuals in identifying risk

Question 19

What is Risk Control Self-Assessment RCSA?

Answer 19

A methodology where management and staff collectively identify and evaluate risks

Question 20

What are the two approaches to risk assessment?

Answer 20

Qualitative risk assessment using educated guesses and quantitative risk assessment using hard numbers

Question 21

How does qualitative risk assessment work?

Answer 21

Assigns numeric value or label like high medium or low based on observation

Question 22

What is quantitative risk assessment?

Answer 22

Attempts to create hard numbers using historical data divided into likelihood and impact of risk

Question 23

Name some quantitative tools used to predict risk likelihood.

Answer 23

Mean time between failure MTBF mean time to recovery MTTR mean time to failure MTTF failure in time FIT

Question 24

What is Annualized Rate of Occurrence ARO?

Answer 24

Historical data used to determine likelihood of risk occurring within a year

Question 25

What sources provide data for risk analysis?

Answer 25

Law enforcement insurance companies computer incident monitoring organisations

Question 26

What does risk impact involve?

Answer 26

Determining monetary loss associated with an asset if risk occurs

Question 27

What is Single Loss Expectancy SLE?

Answer 27

Expected monetary loss every time a risk occurs

Question 28

What is Annualized Loss Expectancy ALE?

Answer 28

Expected monetary loss for an asset due to risk over one year

Question 29

What is a risk register?

Answer 29

A list of potential threats and associated risks

Question 30

What is a risk matrix or heatmap?

Answer 30

A visual colour-coded tool listing impact and likelihood of risks

Question 31

What does risk appetite involve?

Answer 31

Reducing risk to an acceptable level for the organisation

Question 32

What are the four strategies for dealing with risks?

Answer 32

Acceptance transference avoidance mitigation

Question 33

What is a security control?

Answer 33

A safeguard or countermeasure used to protect confidentiality integrity and availability of technology and data

Question 34

What are the three categories of controls?

Answer 34

Managerial operational technical

Question 35

Give an example of managerial control related to phishing.

Answer 35

Acceptable use policy specifying users should not visit malicious websites

Question 36

Give an example of operational control related to phishing.

Answer 36

Conducting workshops to train users to identify and delete phishing messages

Question 37

Give an example of technical control related to phishing.

Answer 37

Unified threat management device performing packet filtering anti-phishing and web filtering

Question 38

Name six types of controls.

Answer 38

Deterrent preventative physical detective compensating corrective

Question 39

What is a deterrent control?

Answer 39

Discourages attack before it happens like posting video surveillance signs

Question 40

What is a preventative control?

Answer 40

Prevents attack before it happens like security awareness training

Question 41

What is a physical control?

Answer 41

Prevents attack by physical means like building fences around perimeter

Question 42

What is a detective control?

Answer 42

Identifies attack during attack like installing motion detection sensors

Question 43

What is a compensating control?

Answer 43

An alternative during attack like isolating an infected computer on a different network

Question 44

What is a corrective control?

Answer 44

Lessens damage after attack like cleaning a virus from infected server

Question 45

What are some risks associated with using third parties?

Answer 45

Difficulty coordinating diverse activities network access risks onboarding offboarding privacy and data considerations

Question 46

What are interoperability agreements?

Answer 46

Formal contracts related to security policy and procedures between parties

Question 47

Name some types of interoperability agreements.

Answer 47

Service level agreement business partnership agreement memorandum of understanding nondisclosure agreement

Question 48

What is a Service Level Agreement SLA?

Answer 48

A contract specifying services provided and responsibilities of each party

Question 49

What is a Business Partnership Agreement BPA?

Answer 49

A contract establishing rules and responsibilities of each partner

Question 50

What is a Memorandum of Understanding MOU?

Answer 50

An agreement between two or more parties

Question 51

What is a Non-Disclosure Agreement NDA?

Answer 51

A legal contract restricting sharing of confidential material

Question 52

What is End of Life EOL?

Answer 52

A term indicating a product has reached end of its useful life

Question 53

What is End of Service EOS?

Answer 53

Indicates the end of support for a product

Question 54

Why is user training important in risk management?

Answer 54

It results in risk awareness helping users understand risks impacts and how to manage them

Question 55

What are some techniques used for user training?

Answer 55

Computer-based training role-based awareness training gamification capture the flag phishing simulations

Question 56

How is privacy defined?

Answer 56

The state or condition of being free from public attention observation or interference to the degree a person chooses

Question 57

What are common user concerns about private data?

Answer 57

Individual inconveniences identity theft association with groups statistical inferences

Question 58

What is a common issue with data gathering?

Answer 58

Data is gathered and kept in secret without users knowing what is collected or how it is used

Question 59

Why is data accuracy a concern?

Answer 59

Users cannot verify or correct their data which may lead to erroneous decisions

Question 60

How can identity theft affect data accuracy?

Answer 60

Victims have inaccurate info added by thieves and cannot correct it

Question 61

What are unknown factors in data ratings?

Answer 61

Many combined data points create ratings but how they affect overall rating is unknown

Question 62

What is informed consent in data privacy?

Answer 62

User permission to collect and use data which is often missing or misunderstood

Question 63

What important decisions use private data?

Answer 63

Jobs consumer credit insurance identity verification

Question 64

What consequences can a data breach cause to an organisation?

Answer 64

Reputation damage intellectual property theft fines

Question 65

Name some data types requiring protection.

Answer 65

Confidential private sensitive critical proprietary public personally identifiable information protected health information

Question 66

What is data minimisation?

Answer 66

Limiting collection of personal information to what is directly relevant and necessary

Question 67

What is data masking also called?

Answer 67

Data anonymisation it obfuscates sensitive elements of data

Question 68

What is tokenisation?

Answer 68

Replacing sensitive data elements with random strings called tokens

Question 69

What is data sovereignty?

Answer 69

Country-specific legal requirements applied to data

Question 70

What is the information life cycle?

Answer 70

The flow of data from creation to becoming obsolete

Question 71

How should paper media data be destroyed?

Answer 71

Burning shredding pulping pulverising

Question 72

Why should electronic data not be deleted with OS delete command?

Answer 72

Because data can still be retrieved with third-party tools

Question 73

What methods securely remove electronic data?

Answer 73

Data sanitation wiping with zeros or random data and degaussing magnetic drives

Question 74

What is wiping in data destruction?

Answer 74

Overwriting disk space with zeros or random data

Question 75

What is degaussing?

Answer 75

Permanently destroying magnetic drive by eliminating its magnetic field

Question 76

What is the importance of regularly performing risk analysis?

Answer 76

To identify and assess factors that may jeopardise success of projects or goals

Question 77

What are the two approaches to risk calculation?

Answer 77

Qualitative risk calculation and quantitative risk calculation

Question 78

What is often overlooked in risk management?

Answer 78

The importance of providing training to users

Question 79

What must an organisation do once a data breach occurs?

Answer 79

Take specific actionable steps to address the breach

Question 80

Why should data no longer useful be destroyed?

Answer 80

To protect privacy and prevent unauthorized access