Risk Management Flashcards Preview


Flashcards in Risk Management Deck (52):


is a potentially harmful occurrence, such as an earthquake, a power outage, or a network-based worm such as the Conficker worm


Risk =

Threat x vulnerability x impact

A synonym for impact is consequences.

- Defined as the likelihood of occurrence of a threat and the corresponding loss potential.

- Risk is the probability that a threat agent exploits a vulnerability.


The goal of the Analysis Matrix is

to identify high-likelihood/high-consequence risks.

An example of qualitative risk analysis.


Exposure Factor (EF)

is the percentage of an asset's value lost due to an incident.


Single Loss Expectancy (SLE) is

SLE = Asset Value x Exposure Factor


Total Cost of Ownership (TCO) is

the total cost of a mitigating safeguard.

It combines the upfront cost (often a one-time capital expense) with the annual cost of maintenance,
including staff hours, vendor maintenance fees, software subscriptions, etc.


Annualized Loss Expectancy (ALE)

SLE x ARO: the cost of losses per year.


Return on Investment (ROI)

is the amount of money saved by implementing a safeguard.


All policy should contain these basic components:

• Purpose - describes the need for the policy, typically to protect the C.I.A.
• Scope - describes what systems, people, facilities, and organizations are covered by the policy.
• Responsibilities - responsibilities of information security staff, policy and management teams, and all members of the organization.
• Compliance - how to judge the effectiveness of the policies (how well they are working) and what happens when policy is violated (the sanction).


A progressive discipline for employee termination

• Coaching
• Formal discussion
• Verbal warning meeting, with Human Resources attendance (perhaps multiple warnings)
• Written warning meeting, with Human Resources attendance (perhaps multiple warnings)
• Termination


Quantitative is more



qualitative is more



Which methodology's name stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation, a risk management framework?

o Phase 1 identifies staff knowledge, assets, and threats.
o Phase 2 identifies vulnerabilities and evaluates safeguards.
o Phase 3 conducts the Risk Analysis and develops the risk mitigation strategy.


What is the name of the methodology which focuses on the standardization and certification of an organization's information security management system (ISMS)?

ISO 27001


Which standard describes information security best practices (techniques or code of practice)?



Which international standard describes how risk management should be carried out within the framework of an ISMS (information security management system)?



Which control framework is used for employing information security governance best practices and focuses more on operational goals?

Control Objectives for Information and related Technology (COBIT)

COBIT has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

There are 34 IT processes across these four domains.


COSO framework

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

It provides leadership with frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

It acts as a model for corporate governance and focuses more on strategic goals.


Explores qualitative risk assessment, making the base assumption that a slight risk assessment is the most efficient way to determine risk in a system, business segment, application, or process.

Facilitated Risk Analysis Process (FRAP)

It allows organizations to prescreen applications, systems, or other subjects to determine if a risk analysis is needed, so that effort is concentrated on subjects that truly need a formal risk analysis.


A method for determining failures, identifying functional failures, and assessing the causes of failure and their effects through a structured process.

Failure Mode and Effect Analysis (FMEA)

It helps to determine where exactly failure is most likely to occur.


Spanning tree analysis

Creates a "tree" of all possible threats to or faults of the system.


A theoretically based, quantitative measure of information security risk.

VAR (Value at Risk)

By using VAR, the best possible balance between risk and the cost of implementing security controls can be achieved.


Identifies the importance of choosing the best methodology based on the goals of the organization.

Security Officers Management and Analysis Project (SOMAP)


Risk analysis has three main goals

1) identify risks,
2) quantify the impact of potential threats, and
3) provide an economic balance between the impact of the risk and the cost of the associated countermeasure.

Choosing the best countermeasure is not part of the risk analysis.


Which security framework acts as a model for corporate governance and focuses more on strategic goals?

Committee of Sponsoring Organizations of the Treadway Commission (COSO)


What is an exposure?

an instance of being exposed to losses from a threat


What is the primary concern of procedural security?

to ensure the integrity of business information


Which security framework acts as a model for IT governance and focuses more on operational goals?

Control Objectives for Information and related Technology (CobiT)


Who has the final responsibility for the preservation of the organization's information?

senior management


What is the responsibility of the information security officer?

to oversee the day-to-day security administration


For which functions are security administrators responsible?

user account creation, initial password creation, security configuration, permission configuration, security software implementation, security patches, and components testing


What is the term for the process of identifying information assets and their associated threats, vulnerabilities, and potential risks?

risk analysis


Which component of a computer use policy indicates that data stored on a company computer is not guaranteed to remain confidential?

a no expectation of privacy policy


Which formula is used to calculate total risk?

total risk = threats x vulnerabilities x asset value

Residual risk: (Threats × vulnerability × asset value) × controls gap


Which risk response strategy involves modifying the security plan to eliminate the risk or its impact?



What are the four steps in information classification?

1) Specify the classification criteria.
2) Classify the data.
3) Specify the controls.
4) Publicize awareness of the classification controls.


Which security control type includes rotation of duties?

detective administrative controls


What is retention time?

the amount of time a tape is stored before its data is overwritten


Enterprise security architecture

a subset of business architecture and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment.


Used to identify defects in processes so that the processes can be improved upon.

Six sigma


Delphi technique

a group decision method where each group member can communicate anonymously.


When choosing the right safeguard to reduce a specific risk, what do you need to consider?

Cost, functionality, and effectiveness must be evaluated, and a cost/benefit analysis performed.


Split knowledge and dual control are two aspects of

separation of duties.


Need-to-know is NOT part of

NOT part of the rule of integrity; it is part of the confidentiality requirements.


Compartmentalization completes

the least privilege picture, which is the process of separating groups of people and information such that each group is isolated from the others and information does not flow between groups.

Compartmentalization is a method for enforcing need to know.


Rotation of duties helps mitigate

collusion, where two or more people work to subvert the security of a system.

It can also mitigate fraud.


Mandatory leave is what type of control?

Detection and deterrence of fraud; closely related to rotation of duties.


Separation reduces what?

Separation reduces the chances of errors or fraudulent acts.


ISO17799 was renamed to



Job rotation can help to mitigate



Which one acts as a deterrent for possible fraud?

job rotation


What type of control is a nondisclosure agreement (NDA) considered?

directive control