Professional Practice Two - Risk Evaluation And Control Flashcards

Flashcards in Professional Practice Two - Risk Evaluation And Control Deck (39):
0

What is the Professional's Role in Practice Two?

1) Work with management to gain agreement on a standardized risk assessment. 2) Identify, develop and implement information gathering. 3) Identify probabilities and impact of the threats/risks identified. 4) Identify and evaluate the effectiveness of current controls. 5) Identify business resiliency strategies to control, mitigate or accept the impact of the risk, or reduce the vulnerabilities. 6) Document and present the risk/threat/vulnerability assessment and recommendations to the entity's leadership for approval.

1

BCP demonstrates work with management to gain a standardized risk assessment methodology by (a)

Identify risk analysis methodologies and tools, considering qualitative vs. quantitative approaches, their advantages and disadvantages, data and content reliability/confidence factors, and the math formulas used.

2

BCP demonstrates work with management to gain a standardized risk assessment methodology by (b)

Select an appropriate methodology and tool for entity-wide implementation that parallels the entity's risk tolerance level.

3

BCP demonstrates work with management to gain a standardized risk assessment methodology by (c)

Work with the entity's leadership to gain an understanding of the entity's tolerance for risk.

4

BCP demonstrates work with management to gain a standardized risk assessment methodology by (d)

Work with management to select an appropriate cost benefit analysis model.

5

BCP demonstrates work with management to gain a standardized risk assessment methodology by (e)

Establish the measurement criteria necessary to quantify the risks identified and the effectiveness of existing controls.

6

How would BCP identify, develop and implement information gathering activities (a)

Determine methods of information gathering.

7

How would BCP identify, develop and implement information gathering activities (b)

Collaborate with security, legal counsel, IT security, and other areas to identify risks and vulnerabilities.

8

How would BCP identify, develop and implement information gathering activities (c)

Determine the information sources to be used to collect data on risk.

9

How would BCP identify, develop and implement information gathering activities (d)

Determine the credibility of the information source.

10

How would BCP identify, develop and implement information gathering activities (e)

Develop a strategy to gather information consistent with the entity's policies.

11

How would BCP identify, develop and implement information gathering activities (f)

Develop a strategy to gather information that can be managed across all of the divisions and locations.

12

How would BCP identify, develop and implement information gathering activities (g)

Create entity-wide methods of information gathering (forms, questionnaires, interviews, meetings, or some combination).

13

How would BCP identify threats/risks and the entity's vulnerabilities? (a)

Identify threats/risks and vulnerabilities, taking into account frequency, probability, speed of development, severity, and reputational impact for a holistic view of risk across the entity.

14

How would BCP identify threats/risks and the entity's vulnerabilities? (b)

Identify risk exposure from both internal and external sources. Sources: natural, technological or acts of man; industry/business model; accidental vs. intentional; controllable risk vs. risk with no control; risk with prior warning vs. risk with no warning.

15

How would BCP identify probabilities and impact of the threat/risk identified? (a)

Develop a method to evaluate exposures/risks in terms of risk frequency, probability, speed of development, pre-incident warning, severity and entity impact.

16

How would BCP identify probabilities and impact of the threat/risk identified? (b)

Identify the impact of identified risks. Risk impacts include facility, security (physical and logical), reputational, legal, customer, procedural, IT (operational infrastructure), people, supply chain, and compliance.

17

How would BCP identify probabilities and impact of the threat/risk identified? (c)

Evaluate identified risks and classify them according to relevant criteria, including risk under the entity's control, risk not under the control of the entity, risk with prior warning and risk with no warning.

18

How would BCP identify probabilities and impact of the threat/risk identified? (d)

Evaluate the impact of risks and vulnerabilities on those factors essential for conducting the entity's operations: availability of IT, personnel, communication and status of infrastructure.

19

How would BCP identify and evaluate the effectiveness of current controls and safeguards? (a)

Identify and evaluate the effectiveness of the inherent protection afforded key assets by virtue of their location relative to sources of risk.

20

How would BCP identify and evaluate the effectiveness of current controls and safeguards? (b)

Identify and evaluate the effectiveness of business continuity capabilities for groups within and external to the entity on which the entity is dependent to conduct operations.

21

How would BCP identify and evaluate the effectiveness of current controls and safeguards? (c)

Identify and evaluate the effectiveness of actions taken to reduce the probability of occurrence of incidents that could impair the ability to conduct business (facility siting, safety policies, training on proper use of equipment, and preventive maintenance).

22

How would BCP identify and evaluate the effectiveness of current controls and safeguards? (d)

Identify and evaluate the effectiveness of controls to inhibit impact exposure, i.e. proactive controls (security, IT security, employment practices, privacy practices).

23

How would BCP identify and evaluate the effectiveness of current controls and safeguards? (e)

Identify and evaluate the effectiveness of controls to compensate for the impact of exposure, i.e. reactive controls (sprinkler system, fire brigade, generator, UPS system).

24

How would BCP identify and evaluate the effectiveness of current controls and safeguards? (f)

Evaluate security-related communications flow with other internal areas and external service providers.

25

How would BCP identify business resiliency strategies to control, mitigate, accept the impact of risk/threat or reduce the entity's vulnerabilities? (a)

Discuss strategies and controls for managing the identified risks.

26

How would BCP identify and evaluate the effectiveness of current controls and safeguards? (b)

Identify trigger points for key service and support areas to identify, escalate and execute strategies selected to take advantage of key risks.

27

How would BCP identify and evaluate the effectiveness of current controls and safeguards? (c)

Establish interruption worst-case scenarios based on risks to which the entity is exposed.

28

How would BCP identify and evaluate the effectiveness of current controls and safeguards? (d)

Understand options for risk management and selection of appropriate or cost-effective responses (risk avoidance, transfer, acceptance).

29

How would BCP identify and evaluate the effectiveness of current controls and safeguards? (e)

Develop formal "risk acceptance" documentation and re-evaluation practices in conjunction with the entity's risk tolerance.

30

How would BCP identify business resiliency strategies to control, mitigate, accept the impact of risk/threat or reduce the entity's vulnerabilities? (b)

Identify trigger points for key service and support areas to identify, escalate and execute strategies selected to take advantage of key risks.

31

How would BCP identify business resiliency strategies to control, mitigate, accept the impact of risk/threat or reduce the entity's vulnerabilities? (c)

Establish interruption worst-case scenarios based on risks to which the entity is exposed.

32

How would BCP identify business resiliency strategies to control, mitigate, accept the impact of risk/threat or reduce the entity's vulnerabilities? (d)

Understand options for risk management and selection of appropriate or cost-effective responses.

33

How would BCP identify business resiliency strategies to control, mitigate, accept the impact of risk/threat or reduce the entity's vulnerabilities? (e)

Develop formal "risk acceptance" documentation and re-evaluation practices in conjunction with the entity's risk tolerance.

34

How would BCP identify business resiliency strategies to control, mitigate, accept the impact of risk/threat or reduce the entity's vulnerabilities? (f)

Make recommendations on feasible, cost-effective security measures required to prevent/reduce security-related risks and exposures.

35

How would BCP identify business resiliency strategies to control, mitigate, accept the impact of risk/threat or reduce the entity's vulnerabilities? (g)

Recommend changes to reduce the impact of risks and vulnerabilities (physical protection and logical protection).

36

How would BCP document and present risk assessment to the entity's leadership for approval? (a)

Prepare a risk assessment report, standardizing the analysis across the entity.

37

How would BCP document and present risk assessment to the entity's leadership for approval? (b)

Present the findings of the risk assessment: information on risk, assessment of controls, recommended controls, control improvement, appropriate risk transfer, and documentation of areas where management accepts risk.

38

How would BCP document and present risk assessment to the entity's leadership for approval? (c)

Receive approval of risk assessment recommendations.