Risk response and mitigation Flashcards
what does the risk response phase of risk management focus on?
focuses on decisions made regarding the correct way to respond to risk
what is the purpose of the assessment report and risk register document?
they document the risks identified during the identification and assessment phases of the risk management process.
what are the 4 types of risk response?
- risk acceptance
- risk mitigation
- risk sharing (transfer)
- risk avoidance
Describe risk acceptance
the choice to accept risk is a conscious decision made by senior management to recognize the existence of risk and knowingly decide to allow (assume) the risk to remain without (further) mitigation. the decision to accept a risk is made according to the risk appetite and risk tolerance set by senior management.
True or false. Risk that falls within the organizational risk appetite should be accepted?
Self-insurance is a type of risk acceptance?
True for both
when will the organization choose to accept risk?
- when no controls are available
- when the cost of the controls would outweigh their benefits
- when a risk is assessed to be extremely rare
describe risk mitigation
refers to the actions that the organization takes in order to reduce a risk. Mitigation is typically achieved through security controls, which affect the frequency and/or impact of the risk
describe risk transfer
decision to reduce loss by having another organization incur the cost.
give examples of risk transfer
insurance and partnerships
describe risk avoidance
exiting the activities or conditions that give rise to risk. it is the choice that remains when no other response is adequate, i.e. when:
- the risk exposure is unacceptable to management
- the risk cannot be transferred
- mitigation that would bring the risk in line with acceptable levels is either impossible or would cost more than the benefits that the organization derives from the activities.
what is the role of the risk practitioner in supporting risk based decisions?
to provide management with timely, accurate risk evaluations and solid supporting data so that informed decisions can be made.
what are factors to consider when selecting a risk response?
- the priority of the risk as indicated in the risk assessment report
- the recommended controls from the risk assessment report
- any other response alternatives that are suggested through further analysis
- cost of the response options (acquisition cost, training cost, impact on productivity, maintenance and licensing costs)
- requirements for compliance with regulations or legislation
- alignment of the response option with the strategy of the legislation
- possibility of integrating the response with other organizational initiatives
- compatibility with other controls in place
- time, resources and budget available.
true or false
risk responses are typically recommended in business cases?
True
what are the two most common forms of analysis used to prepare a business case for risk response?
- cost-benefit analysis
- return on investment
what are factors that must be included in calculating the total cost of a control?
- cost of acquisition (training, control, evaluations, re-architecting systems)
- ongoing maintenance (license, monitoring and reporting, impact on productivity/performance, support and technical assistance)
- cost to remove/replace control
describe ROI/ROSI
in determining ROI, the organization tries to forecast the likelihood and impact of an incident and decides on the adequate level of protection. the amount of security an organization decides to implement depends on its appetite for risk and its perception of exposure.
True or false
organizations should co-ordinate with stakeholders on a proactive basis and perform rigorous user acceptance testing under conditions as close to real world use as possible prior to full implementation
True
what is a business process review?
examines the effectiveness and efficiency of an organization in meeting its goals and objectives.
what is the purpose of a business process review?
- identify problems or issues with the current process
- gather information toward improving processes
- prepare a road map to implement required changes
- assign responsibility and accountability for projects
- schedule individual projects according to priority
- monitor project progress for attainment of milestones and production deliverables
- review and obtain feedback on project results.
list the steps of a business process review
- document and evaluate current business processes
- identify potential changes
- schedule and implement changes
- feedback and evaluation
what is the risk practitioner's role with respect to control design and implementation?
provides advice on the selection, design, implementation, testing and operation of the controls.
what are examples of compensating controls?
layered defense, increased supervision, procedural controls, increased audits and logging of system activity
List the types of controls
- compensating: reduces likelihood of threat event
- corrective: decreases impact
- detective: triggers preventative controls, discovers threat event
- deterrent: reduces likelihood of a threat event
- preventative: reduces impact, protects vulnerability
describe the categorization of controls
- managerial (administrative): related to oversight, reporting, procedures and operations of a process. e.g. policy, procedures, balancing, employee development and compliance reporting.
- technical: also known as logical controls; provided through the use of a technology, piece of equipment or device. e.g. firewalls, antivirus software.
- physical: locks, fences, CCTV and devices that are installed to physically restrict access to a facility or hardware.
how can you support the ability to monitor controls and report on risk?
ensure that processes, logs and audit hooks are placed into the control framework. this ensures regular testing and reporting
list and describe the types of risk
- inherent risk: risk level or exposure without taking into account the actions that management has taken or might take.
- residual risk: risk remaining after management has implemented a risk response, which is typically a mitigation activity, but may also include risk transfer.
- current risk: risk that exists in the moment. it takes into account actions that have already been taken but not actions that are anticipated or have been proposed.
describe a consideration in control implementation
consider the impact of controls on the ability of the business to meet its objectives and of the users to accomplish their tasks in a simple, logical manner
what are the risks associated with project and program management?
- first, a project may not meet its objectives
- second, the failure of one or more projects may affect the performance of a program
what is the primary objective of a BIA?
identify the impact of an incident in order to understand and prioritize steps that can be taken for effective prevention or response.
what is the purpose of testing?
provides an opportunity to uncover flaws early enough not only to prevent failure, but to do so in a cost-effective manner. comprehensive testing includes testing at the unit/component, integration/system, and end-user levels.
List the types of testing
- progressive testing: begins with expectations and looks for flaws.
- regressive testing: works backwards from known problems to identify issues.
what are good practices for testing?
- considerations for data, version control and code
list some considerations for data as a good testing practice
- validity of data
- masking of data
- test data should be complete and allow the testing of all possible process functions and error handling
- using distinct test data and not production data
what is fuzzing?
testing the limit of the acceptable range of values and values beyond the allowable range in order to verify the functionality of input validation and process integrity controls
why is environmental separation important?
- development and production areas should be separated to prevent the potential for intentional and unintentional cross-population of data or application code outside of the approval process.
what is version control?
- assignment of specific version numbers of each revision of a system, making it possible for risk practitioners and engineers to distinguish between versions.
why is a third party code review valuable?
- can detect both unauthorized changes made by the programmer and implementations of error handling, input validation, or documentation that may be inadequate.
what is white box testing?
- unit testing performed with the knowledge of the code
- from a vulnerability perspective
what is black box testing?
testing in which the behavior of the system must be mapped out without the knowledge of how the code is written.
- from a penetration testing perspective
true or false
integration testing and unit testing are often performed in a separate area from the final system testing?
true
list and describe different test options
- recovery: checks the system’s ability to recover after a software or hardware failure
- security: verifies that the modified/new system includes provisions for appropriate access controls and does not introduce any security holes that may compromise other systems.
- stress: determines the maximum number of concurrent users/services the application can process by increasing the number of users/services on an incremental basis.
- volume: determines the maximum volume of records (data) that the application can process by increasing the volume on an incremental basis
- stress/volume: hybrid approach that uses large quantities of data to evaluate performance during peak hours
- performance: compares the performance of the subject system to similar systems using well-defined benchmarks
what is the purpose of user acceptance testing?
- may highlight problems with functionality, training or process flow not detected earlier in the process.
- purpose is to verify that the system meets user requirements and expectations, not whether it meets the stated design.
- a failure suggests flaws in the organization's process for needs analysis and requirements definition