Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CRISC > Risk response and mitigation > Flashcards

Risk response and mitigation Flashcards

1
Q

what does the risk response phase of risk management focus on?

A

focuses on decisions made regarding the correct way to respond to risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

what is the purpose of the assessment report and risk register document?

A

they document the risk identified during the identification and assessment phases of the risk management process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

what are the 4 types of risk response?

A
  • risk acceptance
  • risk mitigation
  • risk sharing (transfer)
  • risk avoidance
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Describe risk acceptance

A

the choice to accept risk is a conscious decision made by senior management to recognize the existence of risk and knowingly decide to allow (assume) the risk to remain without (further) mitigation. the decision to accept a risk is made according to the risk appetite and risk tolerance set by senior management.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

True or false. risk that falls within the organizational risk appetite should be accepted?

self insurance is a type of risk acceptance?

A

True for both

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

when will the organization choose to accept risk?

A
  • when no controls are available
  • the cost of the controls would outweigh their benefits.
  • when a risk is assessed to be extremely rare
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

describe risk mitigation

A

refers to the actions that the organization takes in order to reduce a risk. Mitigation is typically achieved through security controls, which affect the frequency and/or impact of the risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

describe risk transfer

A

decision to reduce loss by having another organization incur the cost.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

give examples of risk transfer

A

insurance and partnerships

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

describe risk avoidance

A

exiting the activities or conditions that give rise to risk. it is the choice that remains when no other response is adequate.

  • the exposure of risk is unacceptable by management
  • the risk cannot be transferred
  • mitigation that would bring the risk in line with acceptable levels is either impossible or would cost more than the benefits that the organization derives from the activities.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

what is the role of the risk practitioner in supporting risk based decisions?

A

to provide management with timely, accurate risk evaluations and solid supporting data so that informed decisions can be made.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

what are factors to consider when selecting a risk response?

A
  • the priority of the risk as indicated in the risk assessment report
  • the recommended controls from the risk assessment report
  • any other response alternatives that are suggested through further analysis
  • cost of the response options ( acquisition cost, training cost, impact of productivity, maintenance and licensing costs)
  • requirements for compliance with regulations or legislations
  • alignment of the response option with the strategy of the legislation
  • possibility of integrating the response with other organizational initiatives
  • compatibility with other controls in place
  • time, resources and budget available.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

true or false

risks response are typically recommended in business cases?

A

True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

what are the two most common forms of analysis used to prepare a business case? for risk response

A
  • cost- benefit analysis

- return on investment

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

what are factors that must be included in calculating the total cost of a control?

A
  • cost of acquisition (training, control, evaluations, rearchitect systems)
  • ongoing maintenance ( license, monitor and report, impact on productivity/performance, support and technical assistance)
  • cost to remove/replace control
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

describe ROI/ROSI

A

in determining ROI, the organization is trying to forecast the likelihood and impact of an incident and decides the adequate level of protection. the amount of security an organization decides to implement is dependent on its appetite for risk and the perception of exposure.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

True or false
organizations should co-ordinate with stakeholders on a proactive basis and perform rigorous user acceptance testing under conditions as close to real world use as possible prior to full implementation

A

True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

what is a business process review?

A

examines the effectiveness and efficiency of an organization in meeting its goals and objectives.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

what is the purpose of a business process review?

A
  • identify problems or issues with the current process
  • gather information toward improving processes
  • prepare a road map to implement required changes
  • assign responsibility and accountability for projects
  • schedule individual projects according to priority
  • monitor project progress for attainment of milestones and production deliverables
  • review and obtain feedback on project results.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

list the steps of a business process review

A
  1. document and evaluate current business processes
  2. identify potential changes
  3. schedule and implement changes
  4. feedback and evaluation
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

what is the risk practitioners role with respect to control design and implementation?

A

provides advice on the selection, design, implementation, testing and operation of the controls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

what are examples of compensating controls?

A

layered defense, increased supervision, procedural controls, increased audits and logging of system activity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

List the types of controls

A
  • compensating: reduces likelihood of threat event
  • corrective: decreases impact
  • detective: triggers preventative controls, discovers threat event
  • deterrent: reduces likelihood of a threat event
  • preventative: reduces impact, protects vulnerability
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

describe the categorization of controls

A
  • managerial (administrative): related to oversight, reporting, procedures and operations of a process. e.g policy, procedures, balancing, employee development and compliance reporting.
  • technical: aka logical controls and are provided through the use of a technology, piece of equipment and device. e.g. firewalls, antivirus software.
  • physical: are locks, fences, cctv and devices that are installed to physically restrict access to a facility or hardware.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
how can you support the ability to monitor controls and report on risk?
ensure that processes, logs and audit hooks are placed into the control framework. this ensures regular testing and reporting
26
list and describe the types of risk
1. inherent risk: risk level or exposure without taking into account the actions that management has taken or might take. 2. residual risk: risk remaining after management has implemented a risk response, which is typically a mitigation activity, but may also include risk transfer. 3. current risk: risk that exists in the moment. taking into account actions that have already been taken but not actions that are anticipated or have been proposed.
27
describe a consideration in control implementation
consider the impact of controls on the ability of the business to meet its objectives and of the users to accomplish their tasks in a simple, logical manner
28
what are the risks associated with project and program management?
- first a project may not meet its objectives, and second the failure of one or more projects may affect the performance of a program.
29
what is the primary objective of a BIA?
identify the impact of an incident in order to understand and prioritize steps that can be taken for effective prevention or response.
30
what is the purpose of testing?
provides an opportunity to uncover flaws early enough not only to prevent failure, but to do so in a cost effective manner. comprehensive testing includes testing at the unit/component, integration/system, and end-user levels.
31
List the types of testing
progressive testing- begins with expectations and look for flaws. regressive testing- works backwards from known problems to identify issues.
32
what are good practices for testing?
- considerations for data, version control and code
33
lists some considerations for data as a good testing practice?
- validity of data - masking of data - test data should be complete and allow the testing of all possible process functions and error handling - using distinct test data and not production data
34
what is fuzzing ?
testing the limit of the acceptable range of values and values beyond the allowable range in order to verify the functionality of input validation and process integrity controls
35
why is environmental separation important?
- development and production areas should be separated to prevent the potential for intentional and unintentional cross-population of data or application code outside of the approval process.
36
what is version control?
- assignment of specific version numbers of each revision of a system, making it possible for risk practitioners and engineers to distinguish between versions.
37
why is a third party code review valuable?
- can detect both unauthorized changes made by the programmer and implementations of error handling, input validation, or documentation that may be inadequate.
38
what is white box testing
- unit testing performed with the knowledge of the code | - from a vulnerability perspective
39
what is black box testing
testing in which the behavior of the system must be mapped out without the knowledge of how the code is written. - from a penetration testing perspective
40
true or false integration testing and unit testing is often performed in a separate area from the final system testing?
true
41
list and describe different test options
1. recovery: checks the system's ability to recover after a software or hardware failure 2. security: verifies that the modified/new system includes provisions for appropriate access controls and does not introduce any security holes that may compromise other systems. 3. stress: determines the maximum number of concurrent users/services the application can process by increasing the number of users/services on an incremental basis. 4. volume: determines the maximum volume of records (data) that the application can process by increasing the volume on an incremental basis 5. stress/volume: hybrid approach that uses large quantities of data to evaluate performance during peak hours 6. performance: compares the performance of the subject system to similar systems using well-defined benchmarks
42
what is the purpose of a user acceptance testing
- may highlight problems with functionality, training or process flow not detected earlier in the process. - purpose is to verify that the system meets user requirements and expectations, not whether it meets the stated design. - a failure suggest flaws in the organizations process for needs analysis and requirements definition
43
what is Quality assurance
planned and systematic plan of all action necessary to provide adequate confidence that an item or product conforms to established technical requirements. purpose is to determine if a project delivered what it promised in the stated design, not whether that design actually meets user requirements and expectation. a failure suggests flaws in the organization's processes for development and execution.
44
List and describe the three common changeover methods?
1. parallel: operating new systems and old system at the same time. 2. phased: replacing individual components or modules of the old system with new or modified components. 3. abrupt: single instant movement from the old system to the new system, with the old system immediately taken offline
45
what are some risks associated with abrupt changeover
- asset safeguarding - data integrity - system effectiveness - system efficiency - change management challenges - duplicate or missing records
46
complete the following data migration or conversation of data poses a risk to.....
- availability and data integrity
47
list some considerations for data migration
1. completeness of data: 2. data integrity 3. storage and security of data under conversion: data is backed up before conversion 4. data consistency: field/record called for is consistent in old and new applications 5. business continuity: application supports newer records as appended or added
48
what is a fallback or rollback plan?
plan so that it is possible to return to the prior system or configuration.
49
what is a post implementation review?
intended to document lessons, including whether the project was properly designed, developed, implemented and managed and whether appropriate controls were built into the systems
50
what should a post implementation review consider?
1. adequacy of the system 2. projected cost versus benefits or ROI measurements 3. recommendations that address any system inadequacies and deficiencies 4. plan for implementing any recommendations 5. assessment of the development project process
51
list the steps in a project close out?
1. assign responsibility for any outstanding issues to specific individuals and related budget for addressing issues. 2. assign custody of contracts 3. conduct postimplementation review with relevant stakeholders and include content related and process related criteria. 4. document any risk that was identified in the course of the project and update risk register. 5. complete a second postimplementation review to realize the true business benefits and costs, and use this as a basis to measure the projects overall success and impact on the business.
52
list the control management procedures
- proper installation - creation of policies and procedures to support operations - implementation of change management procedures to ensure correct configurations - training of staff to monitor, manage and review controls - assignment of responsibility for monitoring and investigation - creation of a schedule for review and reporting
53
in which phase of the SDLC should the process to amend the deliverables be defined to prevent the risk of scope creep
feasibility or planning and initiation
54
what should the risk treatment strategy be if the residual risk exposure level is deemed unacceptable by management
risk avoidance
55
the best method for detecting and monitoring a hackers activities without exposing information assets to unnecessary risk is to use
honey pots: tool used for diverting a hacker away from critical files and alerts security of the hacker's presence
56
describe firewalls, bastion hosts, screened subnets
firewall: aim to keep the hacker out and is a preventative control bastion hosts: attempts to keep the hacker out and is also a preventative control screened subnets: or DMX provide a middle ground between the trusted internal network and the external, untrusted internet
57
what is the most important task in system control verification?
managing the response time to critical alerts and alarms
58
what is the control management lifecycle
business case, feasibility and cost benefit analysis, design, implementation and retirement
59
what is normalization
performed to reduce redundant data
60
what is a primary role of the system owner during the accreditation process
they select and document the security controls for the system
61
what is user provisioning?
process of granting access to an application or system.
62
what are entitlement reviews
performed to review the access of an individual to ensure that they have the proper access for their current role
63
what is the purpose of system certification
security controls and processes are assessed for effectiveness
64
which of the following best addresses the risk of data leakage?
AUP
65
what is the primary goal of certifying a system prior to implementation?
to ensure that the system meets its specified security requirements at the time of testing
66
what is a goal of risk response?
to ensure that tech used in the organization is adequately protected, secure and reliable.
67
who has responsibility for a system?
system owner who is usually a senior manager in the department for which the system was built
68
what are two common methods of providing enterprise consistency? and what are other important parts of an overall information security strategy?
change control and system authorization. asset inventory and configuration management.
69
what is change control?
formal review and approval of all requests to change systems or configurations by a dedicated committee.
70
what is the purpose of the change control board
when change request is submitted for review, they verify that - request does not unknowingly affect risk or security - change is formally requested, approved and documented. - change is scheduled at a time convenient for business and IT - all stakeholders affected by the change are advised of the change the intention of a CCB model is to provide a balance between allowing needed changes to occur and preserving system reliability and stability.
71
what is system authorization
form of objective assessment and formal acceptance of risk associated with the installation and operation of information systems, culminating in the explicit authorization of a system to operate prior to it being allowed to do so.
72
what is the purpose of system authorization
provide an enterprise approach to the management of IT risk by ensuring that all information systems are reviewed to identify their associated risk and that this risk is either flagged or accepted prior to granting the system approval to operate
73
List the two parts of a system authorization and describe
- evaluation: process of reviewing an information system to determine the security of its design, development ,testing, deployment and operations. examination of the technical and non technical aspects of a system operations to ensure that the risk associated with the system has been identified and to document any mitigating controls that may be in place. - authorization: official decision by senior manager to approve an information system for operational use.
74
what should an assessment inventory include
all equipment, supplier ,acquisition date, original cost, actual cost, location, owner of the equipment and other data required for maintenance, insurance and warranty purposes.
75
what is the goal of configuration management?
have a single approved way in which particular systems or devices intended for a particular role should be configured for use by the organization. use of a common configuration makes it easier to deploy new system, test patches and upgrades, identify the presence of malware and manage the enterprise.
76
what are best practices for configuration management
- hardening the system - policies and procedures in place for config management - backup of standard configuration available
77
list some third party management strategies
- ensuring that security requirements and regulation for handling information has been written into the outsourcing agreement and are followed. - right to audit the process of the outsource supplier or an attestation from the supplier that validates compliance - attestation by external auditors of the supplier or an independent review
78
describe the process of data validation
- range checks = e.g. allowable data values - format checks = e.g. configuration of date - special character checks = e.g. prevent script commands - size : e.g. prevent buffer overflows or incomplete data - likelihood: entries of correct form that are statistically unlikely and suggest an error.
79
how can data validation be accomplished
e.g. with a white list of allowed data or a blacklist of prohibited data. white list = preferred when environment is based on static or infrequently changing values. blacklist = useful in environments in which the range of valid is extremely broad but in which only a few known values should be prohibited.
80
describe data protection strategies that will ensure change will not affect the integrity, precision or accuracy of the data or of data processing options
- data checks and balances of input compared to output - checks of normal compared to abnormal levels of processing - anti malware detection software - SoD defined at every level of a system or application - processes requiring approval for transactions
81
what is identity management?
- the process of managing the identities of the entities (users, processes, etc) that require access to information or information systems. e.g least privilege
82
what is SoD
basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets.
83
describe how access control is managed
- identification, authentication, authorization and accountability
84
describe identification
unique identifier to every individual and process that has access to a system and allows for tracking and logging of the activity by the user and the possibility to investigate a problem if it were to arise. usually provided through a user id , account number.
85
describe authentication
process of validating an identity. authentication is done using three methods - knowledge: know password - ownership; use of an ID badge - characteristics; biometrics, eg, fingerprints
86
what is node authentication
authentication of a device or location
87
what is authorization?
refers to the privileges or permissions the person will have, including read-only, write only, etc
88
describe accountability/auditing
action logs or records the activity on a system and indicates the user ID responsible for the activity
89
what are the benefits of encryption?
- confidentiality: makes data unreadable to anyone who is unauthorized. - integrity: prove that the content has not been changed, the identity of the sender or both - proof or origin - access control - authentication
90
list the type of encryption and describe?
- symmetric : uses the same secret key to encrypt and decrypt . less complicated and uses less processing power. good for bulk data encryption. - asymmetric : uses public and private key to encrypt and decrypt data.
91
what are disadvantages of symmetric encryption?
- not easy for party A to deliver keys to party B. | - no way to be sure which participant in a given key network originated a particular message
92
what is a disadvantage of symmetric encryption ?
- computationally intensive and slow. common to use this method to distribute symmetric keys
93
list some methods used to detect accidental errors in data transmission?
- parity bits, checksums and cyclic redundancy checks
94
what is hashing?
mathematical transformation of data using an algorithm whose result is predictable, repeatable and entirely dependent upon the content of the message and of a fixed length. it provides effective protection against accidental changes in a message, such as those caused by interference.
95
what is a digest?
the value created by a hash algorithm
96
what is a digital signature
combines a hash function with the asymmetric encryption ability to verify the authors identity. promotes non repudiation . however, only a message that is both signed and encrypted is simultaneously afforded CI and non repudiation.
97
what is the purpose of certificates
to link a public key with a specific owner by relying on the verification of a trusted third party known as the CA authority.
98
what is a PKI?
refers to the overall implementation of public key cryptography, including certifications and the CA's needed to issue or verify them.
99
list some ways to manage vulnerabilities associated with platforms and operating systems
- use trusted vendors or suppliers - purchasing equipment that has been tested and evaluated by an external entity - validate that maintenance hooks or back doors have been secured - reset all passwords and change default accounts - implement strict controls over changes, patches and configurations - devices should be hardened
100
describe application risk
due to flaws or bugs in the coding of the application.
101
describe network security
- network security includes ensuring that what is sent matches what is received (integrity). - that no unauthorized party has gained access to the information in transit (confidentiality) - that communication channels are available whenever needed (availability)
102
how can network integrity be achieved
- parity bits, checksums, hashing and digital signatures. - integrity tends to be important when dealing with data intended for use in transaction processing and is less important in time-sensitive processes such as voice and video traffic
103
how is confidentiality of a network achieved
1. encryption - encryption at the datalink layer used in cases of open air transmission = WIFI protected access 2 - at the network layer = encapsulating security payload. - at the transport layer encryption = common for web based traffic. secure shell is another mechanism for transport layer security. - application layer encryption may be used if confidentiality is paramount. 2. architecture of the network
104
how is network segmentation achieved
- firewall and gateway deployed in layers
105
give some examples of devices used for layered defense
- intrusion detection system and intrusion prevention systems - virtual area lan - bastion hosts
106
what is a dmz
screened firewalled network segment that acts as a buffer zone between a trusted and untrusted network.
107
how is network availability achieved?
- providing multiple paths for data to travel so that communications remains possible even in the event of a partial network failure - e.g. alternate routing, redundancy of cables and network devices, load balancing

CRISC (5 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions