Principles & Practices 1 Flashcards
1
Q
What is Enterprise Security Risk Management (ESRM)?
A
ESRM is a strategic approach to security management that ties an organization’s security practice to its overall strategy using globally accepted and established risk management principles
2
Q
What are the three primary components of Enterprise Security Risk Management (ESRM)?
A
- The content
- The foundation
- the ESRM cycle
3
Q
This component of Enterprise Security Risk Management (ESRM) includes organizational aspects that security professionals must understand to successfully adopt ESRM.
A
The content
4
Q
This component of Enterprise Security Risk Management (ESRM) includes organizational concepts that support the ESRM approach and maximize its impact.
A
The foundation
5
Q
This component ofEnterprise Security Risk Management (ESRM) is the actual process of security risk management that emphasizes the importance of understanding assets.
A
The ESRM cycle
6
Q
What organizational aspects are included in the context of Enterprise Security Risk Management (ESRM)?
A
- Mission and vision
- Core values
- Operating Environment
- Stakeholders
7
Q
What three things comprise the operating environment of an organization?
A
- Physical
- Nonphysical
- Logic
8
Q
This operating environment includes much of what influences traditional security factors, such as the type and location of buildings, industrial control systems, and products on hand.
A
Physical
9
Q
These factors are sources of risk, and include things such as the geopolitical environment, intensity of competition, and speed required for decision making.
A
Nonphysical factors
10
Q
These factors focus on information types such as servers, workstations, and network infrastructure.
A
Logical factors
11
Q
What are the four processes in the Enterprise Security Risk Management (ESRM) cycle?
A
- Identify and prioritize assets
- Identify and prioritize risks
- Mitigate prioritized risks
- Continuous improvement
12
Q
What is an asset owner?
A
The person most directly responsible for successful operation of the asset. In Enterprise Security Risk Management (ESRM), the asset owner is assigned responsibility for the risk to an asset.
13
Q
What four concepts comprise the foundation of Enterprise Security Risk Management (ESRM)?
A
- Holistic risk management
- Partnership with stakeholders
- Transparency
- Governance
14
Q
What are two types of assets?
A
- Tangible
- Intangible
15
Q
What are four ways to manage risk?
A
- Eliminate
- Reduce
- Transfer
- Accept
16
Q
This risk mitigation strategy involves removing the risk entirely.
A
Eliminate
17
Q
This risk mitigation strategy attempts to minimize risk through protective measures.
A
Reduce
18
Q
This risk mitigation strategy is typically achieved when another entity takes the risk on the organization’s behalf.
A
Transfer
19
Q
This risk mitigation strategy allows risk if the costs of reducing, eliminating, or transferring the risk outweigh the potential losses associated with it.
A
Accept
20
Q
What is a risk assessment?
A
Risk assessment is the identification, analysis, and evaluation of uncertainties to objectives and outcomes
It provides a comparison between the desired/undesired outcomes and expected rewards/losses of organizational objectives
The risk assessment analyzes whether the uncertainty is within acceptable boundaries and within the organization’s capacity to manage risk.
21
Q
What do the results of a risk assessment inform?
A
The choices available to effectively manage risk to achieve the organization’s outcomes.
22
Q
What are the deciding factors between a qualitative or quantitative approach to a risk assessment?
A
The reliability and validity of the available data
The nature of the risk factors and if they are quantifiable
The target audience for the outputs
23
Q
What is risk appetite?
A
The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one of more desired and expected outcomes.
24
Q
What is risk tolerance?
A
The amount of uncertainty an organization is prepared to accept in total or more narrowly within a certain business unity, a particular risk category, or for a specific initiative.
25
What tasks take place at the start of the risk assessment?
1. Setting objectives
2. Identification of stakeholders
3. Identification of internal context and variables
4. Documenting assumptions
5. Defining scope and statement of work
6. Policy and management commitment
7. Commitment of resources
26
What is a gap analysis?
A technique to determine what steps might need to be taken to improve from a current state to a desired, future state.
27
A gap analysis consists of what three steps?
1. Noting currently available factors
2. Listing success factors needed to achieve future, desired objectives
3. Highlighting the gaps that exist and what gaps may need to be filled to be successful
28
What four components should be in any risk identification process, regardless of risk discipline?
1. Asset and service identification, valuation, and characterization
2. Threat and opportunity analysis
3. Vulnerability and capability analysis
4. Criticality and impact analysis
29
What comprises assessor competence?
1. Personal traits and interpersonal skills
2. Assessment skills
3. Communication skills
4. Education, training, and knowledge
5. Work experience
30
Documented criteria of an assessor's knowledge and skills provide the basis for what three things?
1. Selection of assessment team members
2. Ascertain competence enhancement required for continuous improvement
3. Determine performance indicators for assessors
31
What are two types of interactions between a risk assessment team and an organization?
1. Human interaction
2. Minimal human interactions
32
This type of interaction includes activities such as conducting interviews, document reviews with stakeholders, exercises, and undercover investigations.
Human interaction
33
This type of interaction includes activities such as conducting a document review, physical examination, observation, and sampling
Minimal human interaction
34
What are two examples of assessment paths?
1. Tracing
2. Process method
35
This assessment path tracks a process or risk event chronologically, following a path forward or backward through a process or sequence.
Tracing
36
This assessment path tests a sequence of steps and evaluates process controls, interactions, effectiveness, and opportunities for improvement.
Process method
37
What are some examples of the process method?
1. Objectives method
2. Risk source method
3. Department method
4. Requirement method
5. Discovery method
38
What is sampling?
The process or technique of selecting a representative part of a population for the purpose.
39
When is it beneficial to use a sampling method?
When it is not practical in time or cost terms to evaluate all available information.
40
What are two types of sampling methods?
1. Non-statistical
2. Statistical
41
This sampling method includes judgmental sampling, convenience sampling, and haphazard sampling.
Non-statistical
42
This sampling method includes random sampling, systematic sampling, stratified sampling, and cluster/block sampling.
Statistical sampling
43
What is terrorism?
An act of violence designed to achieve a political end
44
What is domestic terrorism?
Violent, criminal acts committed by individuals and/or groups to further ideological goals stemming from domestic influences, such as those of a political, religious, social, racial, or environmental nature.
45
What is the primary attack vector of terrorism?
To target the public's sense of security in the location that they reside or work.
46
What is cost-benefit analysis?
A method for evaluating and comparing the value and cost of risk treatment options.
47
A cost-benefit analysis should consider what two types of costs and benefits?
1. Direct
2. Indirect
48
What are examples of direct and indirect benefits?
Direct benefits - arising from reduction in the likelihood or harmful consequences of the risk
Indirect benefits - arising from collateral effects of the treatment such as reduced insurance premiums, improved management and staff confidence, and enhanced reputation.
49
What are some examples of direct and indirect costs?
Direct costs - of implementing the proposed treatment and/or that could arise if the risk eventuates.
Indirect costs - arising from the loss of productivity, business disruption, diversion of management attention, loss of reputation or brand value.
50
What are the goals of risk treatments?
1. Remove the risk source, where possible
2. Remove or reduce the likelihood of the risk event occurring
3. Remove or reduce the negative consequences
4. Share the risk with other parties
5. Accept risk through informed decision or to exploit an opportunity
6. Avoid activities that give rise to risk
51
What is the purpose of a prevention and mitigation procedure?
Define the measures to be taken by the organization to minimize the likelihood of a disruptive event or to minimize the potential for the severity of the consequence of the event.
52
What are prevention procedures?
Prevention procedures describe how the organization will take proactive steps to protect its assets by establishing architectural, administrative, design, operational, and technological approaches to avoid, eliminate, or reduce the likelihood of risks materializing.
53
What are mitigation procedures?
Mitigation procedures describe how the organization will take proactive steps to protect its assets by establishing immediate, interim, and long-term approaches to reduce the consequences of risks before they materialize.
54
What four steps are included in the risk assessment process?
1. Asset identification, valuation, and characterization
2. Risk identification
3. Risk analysis
4. Risk evaluation
55
What happens in the asset identification, valuation and characterization step of the risk assessment process?
Identify people, assets and services that provide tangible and intangible value giving consideration to financial, operational, temporal, and reputational characteristics of assets, activities, functions and services.
56
What happens in the risk identification step of the risk assessment process?
Identify sources of strategic, operational, tactical, and reputational risk to assess threats and opportunities; vulnerabilities and capabilities; and consequence and criticalities that have a potential for direct or indirect consequences on the organization's activities, assets, operations, functions and impacted stakeholdersw
57
What happens in the risk analysis step of the risk assessment process?
Systematically analyze risk to determine those risks that have significant impact on activities, functions, services, products, supply chain, subcontractors, stakeholder relationships, local populations and the environment.
58
What happens in the risk evaluation step of the risk assessment process?
Systematically evaluate and prioritize risk controls and treatments, and their related costs to determine how to bring risk within an acceptable level consistent with risk criteria.
59
What are some outputs of a risk assessment?
1. A prioritized risk register identifying treatments to manage risk
2. Justification for risk acceptance
3. Identification of critical control points
4. Requirements for supplier, distributor, outsourcing and subcontractor controls
60
What six things should be considered when assessing consequences?
1. Human cost
2. Financial cost
3. Image cost
4. Human rights impacts
5. Indirect impacts
6. Environmental impacts
61
What changes may prompt an update to a risk assessment?
Changes in:
1. Risk landscape
2. Leadership and partnerships
3. Contractual and industry trends
4. Regulatory requirements
5. Political environment
6. Conditions due to an event
7. Performance-based test/exercise results
62
What are five benefits of liaison?
1. Leverage the resources of others
2. Share best practices and lessons learned
3. Collaborate on specific cases or incidents
4. More effectively address common issues
5. Share information, equipment, and facilities
63
What is cost-effectiveness?
Producing good results for the money spent.
64
What three things maximize cost-effectiveness?
1. Ensure that the operations are conducted in the least expensive but cost effective way
2. Maintain the lowest costs consistent with required operational results
3. Ensure that the amount of money spent generates the highest return
65
What is security awareness?
Consciousness of an existing security program, its relevance, and the effect of one's behavior on reducing security risks
66
What is the purpose of a security awareness program?
To communicate to all individuals, including those working on behalf of the organization, risks within the organization's unique internal and external environments, and the technical and administrative controls implemented to effectively manage those risks.
67
When is an effective security culture established?
When people's behaviors align with the defined risk management processes and where the security technologies and methods deployed are policy based and well communicated through security awareness and training activities.
68
What is the goal of a security awareness program?
To promote compliance with security policies and procedures, as well as provide timely communications and training to guide individual and organizational attitudes and behaviors.
69
What should every awareness program be structured to reflect?
The organization's unique culture, risk environment, lifecycle management, and change control process.
70
How does clear top management support for security awareness set the tone?
By actively supporting awareness communication, training, and associated activities. Top management should also be involved in strengthening the culture that ensures individuals understand their security roles and take ownership of their personal safety and security.
71
What three program principles should be established for security awareness programs?
1. Encourage enterprisewide ownership
2. Develop a unified approach for security awareness communication and training
3. Leverage existing programs/infrastructure
72
What can be done to encourage enterprisewide ownership of security awareness programs?
Establishing an oversight, advisory, or steering group comprised of security stakeholders to influence/generate program content and to help communicate risk appetite, strategy, and content relevance.
Establishing security champions or influencers to solicit and provide input to program content
73
What is a benefit of a unified, holistic approach to security awareness program content?
Using 'one voice' simplifies the message and increases the impact to stakeholders and the organization.
74
What types of benefits may be realized by leveraging existing organizational programs for security awareness?
1. Timing
2. Resource
3. Budget
4. Logistical
75
What six factors are planning considerations when designing an effective security awareness program?
1. Security policies and procedures
2. Internal and external considerations
3. Security risks
4. Resources
5. Roles, responsibility, and authorities
6. Human resources context
76
Effective security policies contain what important characteristics?
1. Protecting individuals and organizational assets from security risks
2. Organizational relevance and maintaining compliance with legal, regulatory, and contractual obligations are clearly explained
3. Measurements for continual improvement metrics
4. Content is written to help build an engaged and alert security community
5. Instructions should help individuals reflect on the policy, consider how to respond in a situation, and take risk-based, informed, and appropriate actions
6. Policy cross-references
77
Which department plays a pivotal role as collaborator with security personnel in an organization's security awareness program?
Human resources
78
Security awareness program content should align with what three things?
1. Program goals and objectives
2. Security policies and procedures
3. Key performance indicators
79
What factors should be considered when determining how security awareness program content should be delivered?
1. Location-specific needs and requirements
2. Existing training culture and processes to be leveraged
3. Traning topic needs
4. Types of training formats available and relevant
5. Levels of training required based on security access or employment status
80
What should be included in a security awareness program evaluation?
1. Appropriateness of program goals and objectives
2. Consistency with the organization's security policies and procedures
3. Volume and frequency fo security awareness and training content
4. Effectiveness of content and delivery methods
5. Level of resources allocated to the program
81
What should security awareness program improvements be based on?
1. Individual feedback
2. Program evaluations
3. Evolving threat landscapes
4. Changes in the organization's culture
5. Audit findings
6. New or changes to legal, regulatory, or contractual obligations
7. Top management input and direction
82
What are some benefits of using a security consultant?
1. They do not promote or sell a specific product
2. Objectivity
3. Out-of-the-box thinking
4. Can be less expensive than hiring additional staff
83
What are three categories of security consultants?
1. Security management consultants
2. Technical security consultants
3. Security forensic consultants
84
This type of security consultant usually specializes in a certain discipline, which comprises the foundation of their expertise.
Security management consultants
85
This type of security consultant has specialized subject matter expertise and specializes in translating security concepts and functionality into blueprints and equipment specifications.
Technical security consultant
86
This type of security consultant deals with investigation, identification and collection of evidence, identification of vulnerabilities, mitigation strategies, and litigation.
Forensic security consultants
87
In what situation are technical security consultants likely to be used?
New construction or renovation projects
88
What are three ways technical security consultants can support construction and renovation projects?
1. Work with the architects and design engineers to ensure the needed security systems are integrated into the initial designs
2. Uncover security concerns in the plans before they are finalized
3. Recommend security hardware and software that is compatible with other building systems
89
What is a security advisory committee?
An internal rescource formed to assist corporate executives and chief security officers in their efforts to ensure that current security measures are adequate.
90
Who should serve on a security advisory committee?
Representatives of key corporate functions with stature and credibility within the organization and sufficient information about the company's operation to enable them to offer useful opinions about actions that should be taken.
91
What typically drives the decision to use a security consultant?
A specific problem, need, challenge, or goal.
92
What are five steps to use when selecting a security consultant?
1. Identify candidates
2. Invite candidates to submit an application
3. Evaluate the application
4. Interview the top two or three candidates
4. Negotiate an agreement and finalize the selection
93
How can consultant candidates be identified?
1. Suggestions from colleagues and peers
2. Industry associations
3. Online
94
What three things should be submitted by prospective security consultants looking to be hired for a project?
1. Custom application
2. Resume
3. Proof of license, in jurisdictions with this requirement
95
How can consultant applications be evaluated?
1. Compate the quality of documents and candidates' credentials
2. References from prior clients
3. Background investigations of top candidates
96
What types of questions should be asked during a consultant interview?
Questions that probe the candidate's security philosophy
97
What subjects should be negotiated with a security consultant prior to hiring?
1. Scope of work
2. Product to be delivered
3. Methodology
4. Timing
5. Related expenses
98
What are five types of fee structures for consultants?
1. Hourly fees
2. Daily fees
3. Fixed fees
4. Not-to-exceed fees
5. Retainers
99
When is paying a consultant an hourly fee applicable?
When the assignment is expected to last less than a day, but the exact amount of time needed is unclear.
100
When are fixed fee structures used with consultants?
When the number of days required to accomplish he work can be estimated accurately and controlled by the consulant.
101
What is a not-to-exceed fee?
The consultant's guarantee that the total cost or time will be limited to the parameters agreed to in the contract.
102
What is a consultant retainer agreement?
The consultant agrees to work a specified number of days each year for the client, and the client is guaranteed access to the consultant when needed.
103
What should be covered during a consultant's organizational orientation?
1. Backgrounds and responsibilities of key personnel
2. Organizational chart
3. Operating environment
4. Key assets and functions
5. Internal and external relationships relevant to the project
6. Specific legislative or regulatory control
7. History of the enterprise
8. Philosophy of top management
9. Competitive position
104
What should be outlined in a consultant's work plan?
1. Scope
2. Tasks and priorities
3. Assignments
4. Completion schedules
105
What should be included in a consultant's final report?
1. Executive summary
2. Results achieved
3. Recommendations
106
How should the recommendations section of the consultant's final report be structured?
The recommendations should be numbered for future reference and should define any additional work that needs to be done, together with suggestions on how to accomplish it.
107
What is a chief security officer?
A senior executive level function responsible for providing comprehensive integrated risk strategies to help protect an organization from wide spectrum of threats.
108
What seven categories or skills is required by a chief security officer?
1. Relationship leader
2. Executive management and leadership
3. Subject matter expertise
4. Governance team member
5. Risk executive
6. Strategist
7. Creative problem solver
109
Why is it recommended that the chief security officer report to a key senior-level executive?
To ensure a strong liaison with designated leadership bodies.
110
A chief security officer is expected to have what level of education?
Advanced education and degrees should be highly valued.
