Managing Risk

Question 1

Risk Calculations

Answer 1

Weigh the potential threat against the likelihood of it occurring

Question 2

Residual Risk

Answer 2

Risk that will and must remain

Question 3

Annual Loss Expectancy (ALE)

Answer 3

A calculation used to identify risks and calculate the expected loss each year

Question 4

ALE

Answer 4

Annual Loss Expectancy

Question 5

Annualized Rate of Occurrence (ARO)

Answer 5

A calculation of how often a threat will occur

Question 6

ARO

Answer 6

Annualized Rate of Occurrence

Question 7

Asset Value (AV)

Answer 7

The assessed value of an item

Question 8

AV

Answer 8

Asset Value

Question 9

Exposure Factor (EF)

Answer 9

The potential percentage of loss to an asset if a threat is realized

Question 10

MTD

Answer 10

Maximum Tolerable Downtime

Question 11

MTBF

Answer 11

mean time between failure

Question 12

MTTF

Answer 12

mean time to failure

Question 13

MTTR

Answer 13

mean time to restore

Question 14

Recovery point objective (RPO)

Answer 14

The point last known good data prior to an outage that is used to recover systems

Question 15

RPO

Answer 15

Recovery point objective

Question 16

Recovery time objective (RTO)

Answer 16

The max amount of time that a process or service is allowed to be down and the consequences still be considered acceptable

Question 17

RTO

Answer 17

recovery time objective

Question 18

Redundant Array of Independent Disks (RAID)

Answer 18

A configuration of multiple hard disks used to provide fault tolerance should a disk fail

Question 19

RAID

Answer 19

Redundant Array of Independent Disks

Question 20

single loss expectancy (SLE)

Answer 20

The cost of a single loss when it occurs

Question 21

SLE

Answer 21

single loss expectancy

Question 22

SLA

Answer 22

service level agreement

Question 23

SPOF

Answer 23

single point of failure

Question 24

Risk calculation formula

Answer 24

SLE x ARO = ALE

Question 25

threat

Answer 25

anything that can harm your resources

Question 26

Types of threats

Answer 26

Environmental
Manmade
Internal vs External

Question 27

vulnerability

Answer 27

a weakness that could be exploited by a threat

Question 28

Chief components of a risk assessment process

Answer 28

• Risks to which the organization is exposed
• Risks that need addressing
• Coordination with the business impact analysis (BIA)

Question 29

BIA

Answer 29

business impact analysis

Question 30

Threat Vector

Answer 30

the way in which an attacker poses a threat (particular tool or means of exploiting)

Question 31

A privacy impact assessment (PIA) requires what three things?

Answer 31

• To ensure conformance with applicable legal, regulatory, and policy requirements for privacy
• Determine risks and effects
• Evaluate protections and alternative processes to mitigate potential privacy risks

Question 32

The four possible responses to identifying and assessing the risks that exist

Answer 32

Risk Avoidance
Risk Transference
Risk Mitigation
Risk Acceptance

Question 33

Audits used in risk mitigation

Answer 33

• user rights
• permission reviews
• change management
• incident management

Question 34

cloud computing

Answer 34

hosting services and data on the Internet instead of hosting it locally

Question 35

Three ways of implementing cloud computing

Answer 35

• Platform as a Service
• Software as a Service
• Infrastructure as a Service

Question 36

Platform as a Service (PaaS)

Answer 36

Vendors allow apps to be created and run on their infrastructure.

Known as ‘cloud platform service’

Question 37

PaaS

Answer 37

Platform as a Service

Question 38

Software as a Service (SaaS)

Answer 38

Applications are remotely run over the web

Costs are usually computed on a subscription basis

Question 39

SaaS

Answer 39

Software as a Service

Question 40

Infrastructure as a Service (IaaS)

Answer 40

Clients pay a cloud service provider for the resources used

Resembles the traditional utility model

Question 41

Risks associated with virtualization

Answer 41

• Breaking out of the virtual machine
• Intermingling network and security controls
• Hypervisor exploits

Question 42

Hypervisor

Answer 42

the virtual machine monitor; the software that allows virtual machines to exist

Question 43

SOP

Answer 43

Standard Operating Procedure

Question 44

Mandatory Vacation Policy

Answer 44

Personnel policy
Requires employees to take time away from work to refresh. It also allows the company to ensure it can fill skill gaps and can help to detect fraud

Question 45

Job Rotation Policy

Answer 45

Personnel policy
Defines intervals at which employees must rotate through positions. It prevents a company from being too dependent on a single person for a job.

Question 46

Separation of Duties Policies

Answer 46

Personnel policy
Requires more than one person to complete key processes. Requires employees committing fraud to collude with others, thus reducing the possibility of it happening. This policy also reduces overall errors of processes.

Question 47

collusion

Answer 47

an agreement between two or more parties established for the purpose of committing deception or fraud

Question 48

Clean Desk Policy

Answer 48

Personnel Policy

Limits employees to only having current work on their desk. This increases overall security.

Question 49

Background Check Policy

Answer 49

Personnel Policy

Since all employees will handle data that is sensitive, they must have reason to be trusted

Question 50

Nondisclosure Agreements Policy

Answer 50

Personnel Policy

NDA policy is used to allow employees to work with sensitive public or proprietary data

Question 51

Onboarding Policies

Answer 51

Personnel Policy

The onboarding policies used allow for well-trained employees who feel they are of value to the company

Question 52

Continuing Education Policies

Answer 52

Personnel Policy
Continuing education policies are important as they allow employees to rise in value and is required to allow for the maintenance of necessary certifications

Question 53

Exit Interview Policies

Answer 53

Personnel Policy

Allow the company to learn and gain honest feedback

Question 54

Role-Based Awareness Training Policy

Answer 54

Personnel Policy

Training employees to the level of their privilege adheres to the ‘least privilege principle’

Question 55

Acceptable Use Policies (AUP)

Answer 55

Personnel Policy

Describe how the employees in an organization can use company systems and resources

Question 56

pod slurping

Answer 56

When portable devices are plugged directly into a machine, they bypass the network security measures (such as a firewall) and allow data to be copied

Question 57

Adverse Actions Policy

Answer 57

Personnel Policy
Details what must be done in the event of termination, administrative leave, or any other reprimanding of employees. Includes suspending accounts, revoking privileges, etc

Question 58

General Security Policies

Answer 58

Personnel Policy

Define what controls are required to implement and maintain the security of systems, users, and networks

Question 59

False Positive

Answer 59

Type I error;

Alert to an event which is not an incident

Question 60

False Negative

Answer 60

Type II error;

Lack of an alert for an event which is an incident or any other event which should require an alert

Question 61

Type I error

Answer 61

False Positive

Question 62

Type II error

Answer 62

False Negative

Question 63

Type III error

Answer 63

An error in which you came to the correct conclusion but for all the wrong reasons

Question 64

Leading ways to address business continuity

Answer 64

Do a BIA and implement ‘best practices’

Question 65

Business impact analysis (BIA)

Answer 65

Business Continuity Best Practice
The process of evaluating all of the critical systems in an organization to define impact and recovery plans. Focuses on the impact a loss would have on the company.

NOT concerned with external threats or vulnerabilities

Question 66

Key components of a BIA

Answer 66

• Identifying critical functions
• Prioritizing critical business functions
• Calculating a timeframe for critical systems loss
• Estimating the tangible and intangible impact on the organization

Question 67

Variables that affect ‘impact’

Answer 67

• Life
• Property
• Saftey
• Finance
• Reputation

Question 68

Identifying Critical Systems and Components

Answer 68

Business Continuity Best Practice

Involves identifying points of failure and maintaining contingency plans

Question 69

Automation/Scripting

Answer 69

Business Continuity Best Practice

Automate courses of action for a range of scenarios that do not require human detection and reaction

Question 70

Frameworks and Templates

Answer 70

Business Continuity Best Practice

Includes scales for evaluating threats and deciding the best responses to them

Question 71

Master Image

Answer 71

Business Continuity Best Practice

Allows the administrator to more easily restore a system if a failure occurs

Question 72

Nonpersistence

Answer 72

• Business Continuity Best Practice*
• Allows for a ‘snapshot’ of an operating system in an exploited stat to inspect it
• Allows for rolling back to a known configuration
• Allows for booting a system with ‘live boot media’

Question 73

Elasticity

Answer 73

Business Continuity Best Practice

Ability to scale up (and scale down) resources as needed. Includes ability to pool resources

Question 74

Scalability

Answer 74

Business Continuity Best Practice

Allows for elasticity and only utilizing the resources required

Question 75

Distributive Allocation

Answer 75

Business Continuity Best Practice

Distributing the load (file requests, data routing, etc) so that no device is overly burdened

Question 76

High Availability (HA)

Answer 76

Business Continuity Best Practice
Refers to measures such as redundancy, failover, and mirroring, used to keep services and systems operational during an outage.

Question 77

Planning for Resiliency

Answer 77

Business Continuity Best Practice

Capacity to recover quickly from difficulties

Question 78

Redundancy

Answer 78

Business Continuity Best Practice

Refers to systems that either are duplicated or ‘fail over’ to other systems in the event of a malfunction

Question 79

Clustering

Answer 79

involves multiples systems connected together in such a way that if any of the systems fail, the others take up the slack

Question 80

The major cost of failover systems

Answer 80

They can become prohibitively expensive

Question 81

Fault Tolerance

Answer 81

Business Continuity Best Practice

The ability of a system to sustain operation even though a critical component has failed

Question 82

Two key components of fault tolerance

Answer 82

• Spare parts

- Electrical power

Question 83

UPS

Answer 83

uninterruptible power supply

Question 84

Redundant Array of Independent Disks (RAID)

Answer 84

A technology that uses multiples disks to provide fault tolerance

Question 85

RAID

Answer 85

Redundant Array of Independent Disks

Question 86

RAID Level 0

Answer 86

disk striping; does not include any fault tolerance

Question 87

RAID Level 1

Answer 87

disk mirroring; can be implemented as mirroring or duplexing

Question 88

RAID Level 3

Answer 88

disk striping with a parity disk

Question 89

RAID Level 5

Answer 89

disk striping with parity

Question 90

The focus of ‘change management’

Answer 90

How to document and control for a change

Question 91

PIA

Answer 91

privacy impact assessment