Risk Management

Question 1

What is the definition risk in regards to cybersecurity?

Answer 1

A probability that a threat will be realized

Question 2

What is a vulnerability in regards to cybersecurity

Answer 2

Weakness in design or implementation of a system

Question 3

What is a threat in regards to cybersecurity?

Answer 3

A condition that could cause harm, loss, damage or compromise IT systems

Question 4

where does risk fit in with threat and vulnerability

Answer 4

Risk lives between threat and vulnerability

Question 5

What is risk avoidance? Give an example….

Answer 5

Stopping the activity that has the risk or choosing an alternative

Example: your office computers run on outdated Windows XP. You either take those computers offline or upgrade to a current (more secure) OS

Question 6

What is risk transfer? Give an example…

Answer 6

Passing the risk to a third party.
Example: Getting insurance

Question 7

What is risk mitigation? Give an example…

Answer 7

Seeking to minimize the risk to an acceptable level
Example: Regularly scan and take inventory of your network devices and software. Remove unnecessary or unexpected hardware and software from the network.

Question 8

What is risk acceptance? Give an example…

Answer 8

Accepting the current level of risk and the costs associated with it
Example: Keeping legacy systems active if they are not connected to sensitive data environments. Allowing employees to connect their own devices to an organization’s networks if traffic from these devices is segmented from sensitive networks.

Question 9

What is usually the deciding factor in risk acceptance

Answer 9

Cost

Question 10

What is residual risk ?

Answer 10

What is leftover after avoiding, transferring and mitigating the risk

Question 11

What are the risk assessment steps?

Answer 11

1. Identify assets
2. Identify vulnerabilities
3. Identify threats
4. Identify the impact of the risk

Question 12

What is qualitative risk?

Answer 12

Using intuition, experience, judgement and other non-numerical and non-monetary methods to assign a relative value to risk

Question 13

What is the critical factor in qualitative analysis?

Answer 13

Experience since it is highly subjective

Question 14

What is quantitative risk?

Answer 14

Using numerical and monetary values to calculate risk

Question 15

What is the magnitude of impact?

Answer 15

An estimate of the amount of damage that a negative risk might achieve

Question 16

What methods are used in calculating magnitude of impact?

Answer 16

SLE, ARO, ALE

Question 17

What is SLE? How do you calculate it?

Answer 17

Single Loss Expectancy - cost associated with the realization of each individual threat that occurs.

Asset Value x Exposure Factor = SLE

Question 18

What is ARO?

Answer 18

Annualized Rate of Occurrence - number of times per year that a threat is realized

Question 19

What is ALE? How do you calculate it?

Answer 19

Annualized Loss Expectancy - expected cost of a realized threat over a year

ALE = SLE x ARO

Question 20

What is a security assesment?

Answer 20

A process to verify that an organization’s security posture is designed properly to help thwart different types of attacks

Question 21

What is an active assessment?

Answer 21

Utilizing more intrusive techniques to determine vulnerabilities such as scans, probing the network, hands on testing

Question 22

What is a passive assessment?

Answer 22

Utilizing non intrusive techniques such as open source information, passive collection and analysis of network data, identifying open ports etc

Question 23

What are physical controls?

Answer 23

Controls designed to prevent/deter unauthorized access

Question 24

What are technical controls?

Answer 24

Controls used to avoid, detect, counteract or minimize security risks to our systems and info

Question 25

What are administrative controls?

Answer 25

Controls that are focused on changing the behavior of people instead of removing the actual risk

Question 26

What are the NIST categories of controls?

Answer 26

management, operational and technical

Question 27

What are management controls?

Answer 27

Controls that are focused on things done by people

Question 28

What are NIST technical controls?

Answer 28

Logical controls that are put into a system in order to secure it

Question 29

What are operational controls?

Answer 29

Controls focused on things done by people

Question 30

What are preventative controls?

Answer 30

Controls that are installed before an event happens

Question 31

What are detective controls?

Answer 31

Controls that are used during the event to find out whether something happened

Question 32

What are corrective controls?

Answer 32

Controls that are used after an event occurs

Question 33

What is external risk?

Answer 33

Risk produced by non human source and beyond human control. Example: natural disaster, blackout, hackers

Question 34

What is internal risk?

Answer 34

Risk formed within the organization often forecastable Example: server crash, disgruntled employees

Question 35

What are legacy systems?

Answer 35

Old tech, methods or systems that are past their service life and usually not secure due to lack of patching and discovered vulnerabilities

Question 36

What is multiparty risk?

Answer 36

Risk involving the connection of multiple systems or organizations with each bringing risks Example: two companies merging systems

Question 37

What is IP theft?

Answer 37

Business assets and property being stolen

Question 38

What is a good way to mitigate IP theft

Answer 38

DLP (Data Loss Prevention)

Question 39

What acronym refers to the maximum tolerable length of time that a computer, system, network or application can be down after a failure or disaster occurs.

Answer 39

RTO - Recovery Time Objective