Lesson 15: Explain Risk Management Processes

Question 1

Define ‘risk management’

Answer 1

Identifying potential issues, assessing their potential impact on the organization, and implementing controls to mitigate them.

Question 2

What are key concepts of effective risk management?

Answer 2

Risk identification, risk assessment, mitigation, and monitoring.

Question 3

What is the purpose of audits?

Answer 3

To provide an independent and objective evaluation of processes, controls, and compliance, ensuring adherence to standards and identifying gaps that pose risks.

Question 4

What is the purpose of an assessment?

Answer 4

To evaluate the effectiveness of risk management strategies, identify potential vulnerabilities, and prioritize mitigation efforts.

Question 5

What is the importance of audits and assessments?

Answer 5

To understand risks, implement controls, and continuously monitor and adapt risk management strategies.

Question 6

Define ‘risk identification’

Answer 6

Process of listing sources of risk due to threats and vulnerabilities.

Question 7

What are common risk identification methods?

Answer 7

Vulnerability assessments, penetration testing, security audits, threat intelligence.

Question 8

Define a ‘risk assessment’

Answer 8

Process of identifying risks, analyzing them, developing a response strategy for them, and mitigating their future impact.

Question 9

What are the different risk assessment methods?

Answer 9

Ad hoc, recurring, one-time, or continuous.

Question 10

Define ‘risk analysis’ relative to risk assessment

Answer 10

The distinct process of identifying and evaluating potential risks and the nature and scope of risks by examining their causes, consequences, and concerns.

Question 11

Define ‘risk assessment’ relative to risk analysis

Answer 11

Risk assessment considers the likelihood of an event occurring and the severity of its consequences by interpreting data collected during risk analysis.

Question 12

Define ‘Quantitative risk analysis’

Answer 12

A numerical method that is used to assess the probability and impact of risk and measure the impact.

Question 13

Define ‘Single Loss Expectancy (SLE)’

Answer 13

The amount that would be lost in a single occurrence of a particular risk factor.

Question 14

Define an ‘exposure factor (EF)’

Answer 14

The percentage of an assets value that would be lost in an event.

Question 15

How is Single Loss Expectancy (SLE) calculated?

Answer 15

By multiplying the value of the asset by the exposure factor (EF).

Question 16

Define ‘Annualized Loss Expectancy (ALE)’

Answer 16

The total cost of a risk to an organization on an annual basis.

Question 17

Define an ‘annualized rate of occurrence (ARO)’

Answer 17

The number of times an event could occur in a year in terms of probability/likelihood.

Question 18

How is Annualized Loss Expectancy (ALE) calculated?

Answer 18

By multiplying the SLE by the annual rate of occurrence (ARO).

Question 19

Define ‘Qualitative risk analysis’

Answer 19

Assess risks based on subjective judgment and logic rather than precise numerical data.

Question 20

How is qualitative risk analysis performed?

Answer 20

Qualitative risk analysis frames risks by considering their causes, consequences, and potential interdependencies.

Question 21

Define ‘inherent risk’

Answer 21

Risk that an event will pose if no controls are put in place to mitigate it; The level of risk before any type of mitigation has been attempted.

Question 22

Is it possible to eliminate risk?

Answer 22

It is not possible to eliminate risk.

Question 23

What is the ultimate goal of risk management?

Answer 23

To mitigate risk factors to the point where the organization is exposed only to a level of risk that it can tolerate.

Question 24

What term is used to describe an organizations overall status of risk management?

Answer 24

Risk/security posture.

Question 25

Define ‘risk mitigation’

Answer 25

Overall process of reducing exposure to or the effects of risk factors.

Question 26

Define ‘risk deterrence/reduction’

Answer 26

The response to risk identification/analysis by deploying security controls to reduce the likelihood and/or impact of a threat scenario.

Question 27

Define ‘risk avoidance’

Answer 27

The practice of ceasing activity that presents risk.

Question 28

Define ‘risk transference/sharing’

Answer 28

Moving or sharing the responsibility of risk to another entity; typically cyber insurance.

Question 29

Define ‘risk acceptance’

Answer 29

Risk tolerance; Determining that a risk is within the organization’s appetite and no countermeasures other than ongoing monitoring is needed.

Question 30

Define ‘risk exception’

Answer 30

Describes a situation where a risk cannot be mitigated using standard risk management practices or within a specified time frame due to financial, technical, or operational conditions.

Question 31

Define ‘risk exemption’

Answer 31

A condition where risk can remain without mitigation, usually due to a strategic business decision.

Question 32

Define ‘residual risk’

Answer 32

Risk that remains even after controls (mitigation/transference/exemption/exception) are put into place.

Question 33

Define ‘risk appetite’

Answer 33

How much risk and what types of risk an organization is willing to take to fulfill its organizational goals and objectives.

Question 34

In order, list the 5 phases of risk management

Answer 34

1. Identify Mission Essential Functions
2. Identify Vulnerabilities
3. Identify Threats
4. Analyze Business Impacts
5. Identify Risk Response

Question 35

What are the two main variables when calculating risk?

Answer 35

Likelihood and Impact.

Question 36

Define ‘risk likelihood’

Answer 36

Qualitative analysis used to describe the chance of a risk event happening; Low/Med/High or on some form of a numeric scale.

Question 37

Define ‘risk impact’

Answer 37

The severity of the risk if realized as a security incident.

Question 38

Define ‘risk probability’

Answer 38

Quantitative measure typically expressed as a numerical value to precisely measure the chance of a risk event occurring based on statistical methods.

Question 39

What are NIST’s Risk Management Framework (RMF) or ISO 31K?

Answer 39

They are enterprise risk management (ERM) policies and procedures.

Question 40

Define a ‘risk register’

Answer 40

A document showing the results of risk assessments that includes information regarding risks, their severity, the associated owner of the risk, and all identified mitigation strategies.

Question 41

Define a ‘risk threshold’

Answer 41

Determines risk acceptance; defines the limits or levels of acceptable risk an organization is willing to tolerate.

Question 42

What are factors that define a risk threshold?

Answer 42

Regulatory requirements, organizational objectives, stakeholder expectations, and the organization’s risk appetite.

Question 43

Define ‘Key Risk Indicators (KRIs)’

Answer 43

Metrics that provide an early indication of increasing risk exposures in different areas of the organization.

Question 44

Define a ‘risk owner’

Answer 44

An individual who is accountable for developing and implementing a risk response strategy for a risk documented in a risk register.

Question 45

Define ‘risk tolerance’

Answer 45

The maximum risk the organization is willing to take for a risk.

Question 46

What is the difference between risk tolerance and risk appetite?

Answer 46

Risk appetite is what drives the willingness of the company to take risks. Risk tolerance then defines the boundaries and standards for assessing and responding to those risks.

Question 47

What are the 3 levels of risk appetite?

Answer 47

1. Expansionary
2. Conservative
3. Neutral

Question 48

Define an expansionary risk appetite

Answer 48

Willingness to take on higher levels of risk in the pursuit of high returns or aggressive growth.

Question 49

Define a conservative risk appetite

Answer 49

Prioritizes risk avoidance.

Question 50

Define a neutral risk appetite

Answer 50

Balances expansionary and conservative approaches and is willing to take on risks if they align with strategic objectives and can be managed effectively.

Question 51

Define ‘risk reporting’

Answer 51

A summarized overview of known risks, realized risks, and their impact on the organization.

Question 52

What is the purpose of risk reporting?

Answer 52

Supports decision-making, highlights concerns, and ensures stakeholders understand the organization’s risks.

Question 53

When assessing mission critical functions, what is an important component of advancing operatoins?

Answer 53

By reducing the number of dependencies between components.

Question 54

How are dependencies between mission critical functions identified?

Answer 54

By performing a business process analysis (BPA) for each function.

Question 55

What are the 5 factors to identify when performing a business process analysis (BPA) for a function/process?

Answer 55

1. Inputs
2. Outputs
3. Process Flow
4. Hardware
5. Staff

Question 56

What are business process inputs?

Answer 56

Sources of information for performing the function (including the impact if these are delayed or out of sequence).

Question 57

What are business process outputs?

Answer 57

Data or resources produced by the function.

Question 58

What are business process ‘process flows’?

Answer 58

A step-by-step description of how the function is performed.

Question 59

What defines business process hardware?

Answer 59

Server(s) or data center that performs the processing.

Question 60

How does an organization’s staff impact business processes

Answer 60

Needing sufficient staff and resources to support the function.

Question 61

Define ‘Business impact analysis (BIA)’

Answer 61

A process that helps businesses understand the potential effects of disruptions on their operations.

Question 62

How is business impact analysis (BIA) performed?

Answer 62

Identifying and assessing the impact of various unplanned threat scenarios on the business, such as accidents, emergencies, and disasters.

Question 63

What is the outcome of performing business impact analysis (BIA)?

Answer 63

To proactively create recovery strategies to minimize the impact of disruptions and ensure operational resilience.

Question 64

What four metrics help determine mission critical functions?

Answer 64

1. Maximum tolerable downtime (MTD)
2. Recovery time objective (RTO)
3. Work Recovery Time (WRT)
4. Recovery point objective (RPO)

Question 65

Define the ‘Maximum tolerable downtime (MTD)’ metric

Answer 65

The longest period that a process can be inoperable without causing irrevocable business failure; Max amount of recovery time that system and asset owners have to resume operations.

Question 66

What is a typical maximum tolerable downtime (MTD) for a mission critical process?

Answer 66

Could be 24hrs or less.

Question 67

Define the ‘Recovery time objective (RTO)’ metric

Answer 67

Represents the amount of time it takes to identify that there is a problem and then perform recovery (restore from backup or switch to an alternative system, for instance).

Question 68

Define the ‘Work Recovery Time (WRT)’ metric

Answer 68

In disaster recovery, time additional to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event.

Question 69

When considering the Recovery time objective (RTO) and the Work Recovery Time (WRT), what must be kept in mind determining Maximum tolerable downtime (MTD)?

Answer 69

RTO+WRT must not exceed MTD.

Question 70

Define the ‘Recovery point objective (RPO)’ metric

Answer 70

The amount of data loss that a system can sustain, measured in time.

Question 71

What does determining Recovery point objective (RPO) impact?

Answer 71

Impacts the frequency of data backups, data replication requirements, recovery site selection, and technologies that support failover and high availability.

Question 72

How does Recovery point objective (RPO) impact data backups/replication or failover/high availability mechanisms?

Answer 72

The RPO can determines backup frequency or replication for applicaitons/services or a recovery sites/high availability based on RPO.

Question 73

Define ‘key performance indicators (KPIs)’

Answer 73

Metrics used to measure the reliability and efficiency of systems, processes, and equipment.

Question 74

What are the two key performance indicators (KPIs)?

Answer 74

1. Mean time between failures (MTBF)
2. Mean time to repair (MTTR)

Question 75

What do key performance indicators (KPIs) help make decisions in?

Answer 75

Risk management processes, providing measurable insights into potential risks and supporting risk mitigation strategies.

Question 76

Define ‘Mean time between failures (MTBF)’

Answer 76

Represents the expected lifetime of a device/component; Predicts the expected time between failures.

Question 77

How is Mean time between failures (MTBF) calculated?

Answer 77

The number of devices/components multiplied by the lifetime of the device before failure, and the sum of that divided by the number of failures; (n*t)/f

Question 78

Define ‘Mean time to repair (MTTR)’

Answer 78

Represents the average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.

Question 79

How is Mean time to repair (MTTR) calculated?

Answer 79

The total number of hours of unplanned maintenance divided by the number of failure incidents.

Question 80

What does a low Mean time to repair (MTTR) indicate?

Answer 80

Indicates quicker restoration of functionality, reducing downtime and potential disruptions to operations.

Question 81

What is the purpose of calculating Mean time between failures (MTBF)?

Answer 81

To identify the average time between system or equipment failures.

Question 82

What does a high Mean time between failures (MTBF) indicate?

Answer 82

Suggests greater reliability and longer intervals between failures.

Question 83

What metric(s) could be used to make a quantitative calculation of risk due to a specific threat to a specific function or asset?

Answer 83

Single Loss Expectancy (SLE) or Annual Loss Expectancy (ALE).

Question 84

What are the components of ‘3rd party risk assesments’

Answer 84

Vendor due diligence, risk identification and assessment, ongoing monitoring, and incident response planning.

Question 85

Define ‘vendor due diligence’

Answer 85

Involves evaluating and selecting vendors based on their security practices, financial stability, regulatory compliance, and reputation.

Question 86

Define a ‘right-to-audit clause’

Answer 86

A contractual provision that grants an organization the authority to conduct audits or assessments of vendor operational practices, information systems, and security controls.

Question 87

Define a ‘Memorandum of Understanding (MOU)’

Answer 87

A preliminary, nonbinding agreement that outlines the intentions, shared goals, and general terms of cooperation between parties.

Question 88

Define a ‘Memorandum of Agreement (MOA)’

Answer 88

A formal, legally blinding, agreement that defines the parties’ specific terms, conditions, and responsibilities.

Question 89

Define a ‘Business Partnership Agreement (BPA)’

Answer 89

Agreement by two companies to work together closely for governing collaborative and mutually beneficial relationships.

Question 90

Define a ‘Master Service Agreement (MSA)’

Answer 90

Outlines the overall terms and conditions of a specific contract.

Question 91

Define a ‘Statement of Work (SOW)/Work Order (WO)’

Answer 91

Details a vendor project or engagement’s scope, deliverables, timelines, and responsibilities.

Question 92

Define ‘Rules of Engagement (RoE)’

Answer 92

Rules defining what vendors must adhere to.

Question 93

What are important elements of a Rules of Engagement (RoE)?

Answer 93

Roles and Responsibilities; Security Requirements; Compliance Obligations; Reporting and Communication; Change Management; Contractual Provisions (liability, insurance, and termination).

Question 94

Define an ‘attestation’

Answer 94

Formal declaration that an organization’s security controls and practices comply with specific standards, regulations, or best practices.

Question 95

What is the purpose of an attestation?

Answer 95

Provides assurance to stakeholders that an organization’s security measures are adequate.

Question 96

What is the function of internal audits?

Answer 96

To enable continuous monitoring, early detection of issues, and timely remediation.

Question 97

What is the function of external audits?

Answer 97

To validate the organization’s controls, compliance, and risk mitigation efforts.

Question 98

What are likely procedures in a pen test?

Answer 98

Verify a Threat Exists; Bypass Security Controls; Actively Test Security Controls; Exploit Vulnerabilities.

Question 99

Define ‘Active reconnaissance’

Answer 99

Penetration testing techniques involving actively probing and interacting with target systems and networks to gather information.

Question 100

What are forms of active reconnaissance?

Answer 100

Port scanning; service enumeration; OS fingerprinting; DNS enumeration; Web application crawling.

Question 101

Define ‘Service enumeration’

Answer 101

Interacting with identified services to gather information about their versions, configurations, and potential vulnerabilities.

Question 102

Define ‘DNS enumeration’

Answer 102

Gathering information about the target’s DNS infrastructure, such as domain names, subdomains, and IP addresses.

Question 103

Define ‘web application crawling’

Answer 103

Exploring web applications to identify pages, directories, and potential vulnerabilities.

Question 104

Define ‘passive reconnaissance’

Answer 104

Gathering information about target systems and networks without directly interacting with them by focusing on collecting publicly available data and passively observing network traffic.

Question 105

What are forms of passive reconnaissance?

Answer 105

Open-Source Intelligence (OSINT) Gathering; Network Traffic Analysis; Social Engineering.

Question 106

Define ‘Open-Source Intelligence (OSINT) Gathering’

Answer 106

Collecting publicly available information from various sources like search engines, social media, public databases, and websites.

Question 107

Define ‘Offensive penetration testing/red team’

Answer 107

Identify vulnerabilities, weaknesses, and potential attack vectors that malicious actors could exploit.

Question 108

Define ‘Defensive penetration testing/blue team’

Answer 108

Evaluates an organization’s defensive security measures, detection capabilities, incident response procedures, and overall resilience against cyber threats.

Question 109

Define ‘Physical penetration testing’

Answer 109

Assessments of an organization’s physical security practices and controls by simulating real-world attack scenarios to identify vulnerabilities and weaknesses in physical security systems.

Question 110

What is the point of the string “../../../../../../” used in an injection attack?

Answer 110

To use directory traversal to reach the root directory.

Question 111

Injecting a web shell can be accomplished by taking advantage of what discovered vulnerability?

Answer 111

File upload.