1
Q
IT Risk Management Good Practices
A
- COBIT 5
- ISO/IEC 27005: 2011 - IT - Security techniques-Information security risk management
- ISO31000:2009- Risk Management Principles and Guidelines
- NIST Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments
- NIST Special Publication 800-39: Managing Information Security Risk
2
Q
Enumerate the ISO/IEC27005 Process Steps
A
- Context Establishment
- Risk Assessment
- Risk Identification
- Risk Analysis
- Risk Evaluation
- Risk Treatment
- Risk Acceptance
- Risk Communication and Consultation
- Risk Monitoring and Review
3
Q
The IT Risk Management program should be:
A
- Comprehensive
- Complete
- Auditable
- Justifiable
- Legal
- Monitored
- Up to date
- Managed
4
Q
Ways to identify risk
A
- Historical or evidence-based methods
- Systematic approach (expert opinion)
- Inductive approach (theoretical analysis)
5
Q
Enumerate the business related IT risk types
A
- Investment or expense risk
- Access or security risk
- Integrity risk
- Relevance risk
- Availability risk
- Infrastructure risk
- Project ownership risk
6
Q
Investment or expense risk
A
Risk that the IT investment fails to provide value for money or is otherwise excessive or wasteful
7
Q
Access or security risk
A
Risk that confidential or otherwise sensitive information may be divulged or made available to those without appropriate authority
8
Q
Integrity risk
A
Risk that data cannot be relied on because they are unauthorized, incomplete, or inaccurate
9
Q
Relevance risk
A
Risk associated with not getting the right information to the right people at the right time to allow the right action to be taken
10
Q
Availability risk
A
Risk of loss of service or risk that data are not available when needed
11
Q
Infrastructure risk
A
Risk that the enterprise does not have an IT infrastructure and systems that can effectively support the current and future needs of the business in an efficient,cost - effective, and well-controlled fashion
12
Q
Project ownership risk
A
Risk of IT projects failing to meet objectives due to lack of accountability and commitment
13
Q
Challenges in conducting interviews:
A
- Exaggeration
2. Inaccuracies
14
Q
Important detail to obtain during the interview
A
the level of impact that previous incidents have had on the organization including how the incident was handled, results of post incident review and root cause analysis and current status of any noted remediation activities from prior activities
15
Q
Risk culture
A
Reflects the balance between weighing the negative, positive, and regulatory elements of risk
16
Q
Risk culture elements
A
- Behavior toward taking risk
- Behavior toward policy compliance
- Behavior toward negative outcomes
17
Q
Symptoms of inadequate or problematic risk culture
A
- Misalignment between real risk appetite and translation into policies
- Existence of a blame culture
18
Q
Consequences of poor communication on risk:
A
- A false sense of confidence at all levels of the enterprise
- Lack of direction or strategic planning
- Unbalanced communication to the external world on risk
- The perception that the enterprise is trying to cover up known risk from stakeholders
19
Q
IT Risk is…
A
the IT-enabled business risk that stems from the use of IT
20
Q
Senior management support
A
An important part of the risk management process
21
Q
Risk management depends on
A
business goals and objectives
22
Q
What is a critical component of risk management?
A
History
23
Q
Merger or acquisition results in
A
emergence of new risks that creates uncertainty and stress. This can further result in poor judgment or inappropriate actions by personnel
24
Q
What influences the effectiveness of the risk management effort?
A
The positioning of risk management function within the organizational structure.
25
In a large organization, the organization of the risk management group should follow...
the same model and the organization of the business continuity management team
26
RACI
Responsible
Accountable
Consulted
Infromed
27
4 Main Types of Roles involved in the risk management process:
1. Individuals responsible for managing risk
2. Individuals accountable for the risk management effort
3. Individuals who provide support and assistance to the risk management effort (consulted)
4. Individuals who evaluate or monitor the effectiveness of the risk management effort
28
How does the RACI model help?
It can assist in outlining the roles and responsibilities of the various stakeholders. The purpose of the RACI model is to clearly show the relationships between the various stakeholders, the interaction between the stakeholders and the roles that each stakeholder plays in the successful completion of the risk management effort.
29
What is risk culture?
Set of shared values and beliefs that govern attitudes toward risk taking, care and integrity, and determines how openly risk and losses are reported and discussed.
30
Ethics are related to...
An individual's perception of right and wrong and are not necessarily linked to the law
31
Ethics also applies to...
How people believe they have been treated
32
Failure to comply with regulations may result in...
Financial penalties or loss of a license to operate as well as damage to the reputation of the organization
33
To ensure compliance, an organization must...
Have the ability to monitor and measure controls in use
34
In cases where there is noncompliance,
A justification for the reasons of noncompliance should be provided
35
When risk is considered on a system-by-system or project-by-project basis,
The result is a spotty risk solution that has many individually good efforts but no consistency or interoperability among the risk solutions that are implemented
36
The risk practitioner must be sensitive to the following before recommending a risk management approach or framework
- local departmental cultures
- priorities
- regulations
- restraints
- goals
37
A critical part of establishing the risk management process is
The development and approval of a risk management policy
38
What is information security?
Protecting of information and information systems (including technology) from risk events
39
What is likelihood?
Likelihood = Probability. The measure of frequency of which an event may occur and is used to calculate the level of risk facing an organization based on the number of risk events that may occur within a time period and is often measured on an annual basis
40
What are the factors that can affect likelihood?
- volatility
- velocity
- proximity
- interdependency
- motivation
- skill
- visibility
41
What is the relation of volatility to risk?
Volatility=how much the situation varies. Varies greatly, harder to predict likelihood. Risk will be higher priority because of higher unpredictability (dynamic range)
42
What is risk velocity?
Speed of onset. A measure of how much prior warning and preparation time an organization may have between the event's occurrence and impact. Can be split into speed of reaction and speed of recovery.
43
What is proximity?
The time from the even occurring and the impact on the organization
44
What is interdependency?
Consideration of risk in various combinations. Materialization of two or more risks and their impact on the organization.
45
What is the relation of motivation to risk?
More motivated attacker = higher risk
46
What is the relation of skill to risk?
More skillful attacker = higher risk
47
What is visibility?
How well known a vulnerability is
48
What is risk impact?
The calculation of the amount of loss or damage that an organization may incur due to a risk event
49
How is loss measured?
- quantitative
- semi quantitative
- qualitative
50
Risk management should be based on
Calculated actions and justified controls, not on emotion and perception
51
One method of calculating risk is evaluating the impact of the event on...
The confidentiality, integrity, and availability (CIA) of information or information systems
52
Risk associated with information system is primarily about
Business risk and the impact that the failure or compromise of a system or information would have on the overall business
53
The factors that affect the impact of an event may be measured in two ways:
1. The impact due a compromise or loss of information
| 2. The impact due to the loss or compromise of an information system
54
What will evaluate the impact of a breach according to a range of levels?
Qualitative risk assessment approach
55
What is confidentiality?
The requirement to maintain the secrecy and privacy of data
56
What is a breach of confidentiality?
Improper disclosure of information to an unauthorized party
57
What are some factors that could lead to disclosure of data?
- improperly managed access controls
- social engineering
- aggregation of data
58
What does need to know mean?
It means that individuals are given access only to information that is needed in order for them to perform their job functions
59
What is least privilege?
Restriction of data access of an individual or process to only the minimum level of access needed to perform their functions
60
What is integrity?
The guarding against improper information modification, exclusion, or destruction and includes ensuring information nonrepudiation and authenticity
61
Maintaining integrity requires the protection of information from:
improper modification by internal authorized users, unauthorized users, or other processes or activities operating on the system
62
How is the authenticity of information protected?
By identifying the sources of the data and ensuring that it has not been tampered with or destroyed
63
What is authenticity?
Often called nonrepudiation. Ensures that a link can be made between an action and the source of the action
64
What is availability?
Providing timely and reliable access to information
65
How do you measure availability?
Using a gap analysis
66
Where is the required level of availability usually found?
In the BIA (business impact analysis)
67
What is Segregation of Duties?
The principle of ensuring that no one person controls an entire transaction or operation that could result to fraudulent acts or errors
68
How do you circumvent SOD?
Through collusion, when two people agree to bypass the SOD control
69
What is mutual exclusivity?
Means that a person cannot execute both parts of the same transaction
70
What is job rotation?
The process of cross-training and developing personnel with various skills that can step up when needed
71
What is secure state?
The principle that a transaction or process should be in and maintain a secure condition at all times as it goes through its various activities
72
Access control is usually addressed through the following concepts:
- identification
- authentication
- authorization
- accountability
73
How is identification performed?
Through checking of a user ID or other unique element that identifies a person or process
74
What is authentication?
The process of validating an identity and ensures that one person cannot spoof an identity or masquerade as or impersonate another user
75
What are the three methods of performing authentication?
- knowledge
- ownership
- characteristics
76
What is the risk in using knowledge (passwords)?
Passwords are often subject to replay attacks and can be learned by another user
77
What is the problem with using ownership (possession) for authentication?
Cost of installing the system, issuing the cards, and operating and maintaining the system
78
What is authorization?
The privileges or permissions the person will have in the system
79
What is temporal isolation?
A person's authorization that is only granted for a period of time that the permissions are required
80
What is accountability/auditing?
This action logs or records all activity on a system and indicates the user ID responsible for the activity
81
What is identity management?
The process of managing identities of the entities requiring access to information or information systems
82
What is an asset?
Something of either tangible or intangible value that is worth protecting
83
What is an asset value?
An asset may be valued according to what another person would pay for it, or by its measure of value to the company
84
What is impact?
The magnitude of loss resulting from a threat exploiting a vulnerability
85
What is impact analysis?
A study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events. In an impact analysis, threats to assets are identified and potential business losses determined for different time periods.
86
What is impact assessment?
A review of the possible consequences of a risk
87
What is likelihood?
The probability of something happening
88
What is threat?
Anything that is capable of acting against an asset in a manner that can cause harm
89
What is a threat agent?
Methods and things used to exploit a vulnerability
90
What is a threat analysis?
An evaluation of the type, scope, and nature of events and actions that can result in adverse consequences; identification of threats against an enterprise
91
What is a threat vector?
The path or route used by the adversary to gain access to the target
92
What is a vulnerability?
A weakness in the design, implementation, operation, or internal control of a process that could expose the system to threats from threat events
93
What is a vulnerability analysis?
Process of identifying and classifying vulnerabilities
94
What is a vulnerability scanning?
An automated process to proactively identify security weaknesses in a network or individual system
95
Risk is influenced more by
Lack of training than by lack of equipment
96
The risk environment includes:
- the context, criticality, and sensitivity of the system or process being reviewed
- the dependencies and requirements of the system or process being reviewed
- The operational procedures, configuration, and monitoring of the system or business process
- The training of users and administrators
- the effectiveness of the controls and monitoring of the system or business process
- the manner in which data and system components are decommissioned
97
Risk only occurs if
The adversary has intent (motivation) and capability
98
To implement a justifiable risk strategy, start with
Identifying the organization's assets and determining the value of those assets
99
When calculating asset value, one technique is to base it on
Impact of a loss of CIA
100
What are contributing factors to calculating asset value?
- financial penalties for legal noncompliance
- impact on business processes
- damage to reputation
- additional costs of repair/replacement
- effect on third parties/ business partners
- injury to staff or other personnel
- violations of privacy
- breach of contracts
- loss of competitive advantage
- legal costs
101
Threats can be...
Intentional or unintentional
| External or internal
102
Categories of threats
```
Physical
Natural events
Loss of essential services
Disturbance due to radiation
Compromise of information
Technical failures
Unauthorized actions
Compromise of functions
```
103
What are sources of information on threats?
```
Service providers
threat monitoring agencies
Security companies
Audits
Management
Business continuity
Finance
Insurance companies
Product vendors
Government publications
Assessments
Users
Human resources
Media
```
104
The trusted or malicious insider threat to an organization can be...
A current or former employee
Contractor
Business partner
Who has or had authorized access to an organization's system, network, or data and intentionally infiltrated, interrupted, modified, or fabricated data on an organization's information system
105
Samples of external threats
```
Espionage
Theft
Sabotage
Terrorism
Criminal acts
Software errors
Hardware flaws
Mechanical failures
Lost assets
Data corruption
Facility flaws
Supply chain interruption
Industrial accidents
Disease
Seismic activity
Flooding
Power surge / utility failure
Severe storms
```
106
What are indications of emerging threats?
Unusual activity on a system, repeated alarms, slow system or network performance, new or excessive activity in logs
107
Why are new technologies a new threat source?
Because most technologies are built with an emphasis on function and purpose without due consideration for the security implications associated with the new technology
108
What are network vulnerabilities?
Related to misconfiguration of equipment, poor architecture, or traffic interception
(network equipment should be hardened to disable unneeded services, ports, or protocols)
109
Testing for physical security vulnerabilities include testing
```
Locks
Security guards
Fire suppression systems
Heating ventilation
Air conditioning controls
Lighting
Cameras
Motion sensors
```
110
What are common application vulnerabilities?
```
Buffer overflows
Logic flaws
Injection attacks
Bugs
Incorrect control over user access
```
111
OWASP
Open Web Application Security Project
112
What are the different cloud deployment models?
Private
Public
Hybrid
Community
113
Characteristics of a private cloud
Operated solely for an enterprise
May be managed by the enterprise or a third party
May exist on or off premise
114
Characteristics of a public cloud
Made available to the general public or a large industry group
Owned by an organization selling cloud services
115
Characteristics of a community cloud
Shared by several enterprises
Supports a specific community that has a shared mission or interest
May be managed by the enterprises or a third party
May reside on or off premise
116
Characteristics of a hybrid cloud
A composition of two or more clouds that remain unique entities but are bound together by a standardized or proprietary technology that enables data and application portability
117
When outsourcing data processing
It does not remove the liability of the outsourcing organization to ensure data are properly protected and the transmission of data is compliant with laws on data transfer
118
What is a vulnerability assessment?
Careful examination of a target environment to discover any potential points of compromise and weakness
119
Samples of vulnerabilities
```
Network vulnerabilities
Poor physical access controls
Insecure applications
Poorly designed or implemented web facing services
Disruption to utilities
Unreliable supply chain
Untrained personnel
Inefficient processes
Poorly maintained or old equipment
```
120
What is penetration testing?
A targeted testing against a potential vulnerability or against an attack vector commonly used by an attacker that simulates the activities and approach used by an attacker
121
What is full knowledge testing?
The testing team is familiar with the entire infrastructure being tested
122
What is zero knowledge testing?
The testing team is in the position of the external hacker
123
What is the risk associated with intellectual property?
Failure to protect IP from improper use, disclosure, or duplication that may result in loss of IP for a product
124
What is risk scenario?
A description of a possible event that, when occurring, will have an uncertain impact on the achievement of the enterprise's objectives. The impact can be positive or negative.
125
The development of risk scenarios is based on...
Describing a potential risk event and documenting the factors and areas that may be affected by the risk event
126
Risk events may include...
```
System failure
Loss of key personnel
Theft
Network outages
Power failures
Natural disasters
```
127
The key to developing effective scenarios is...
To focus on real and relevant potential risk events
128
Ways a risk scenario can be developed
Top down
| Bottom up
129
Top down approach starts with
Business goals to come up with risk scenarios
| Based on understanding business goals and how a risk event could affect the achievement of those goals
130
Bottom up approach starts with
Generic risk scenarios to more specific risk scenarios
| Based on describing risk events that are specific to individual enterprise situations
131
What is a risk scenario?
A description of an IT related risk event that can lead to a business impact
132
Components of a risk scenario
Actor: internal or external party that generates the threat
Threat type: nature of the threat event
Event: the security incident
Asset: the entity affected by the risk event
Time: if relevant to the scenario (i.e. Duration, timing, detection, time lag between event and the consequence)
133
A risk awareness program creates...
An understanding of risk, risk factors, and the various types of risk that an organization faces
134
A risk awareness program should not...
Disclose vulnerabilities or ongoing investigations except when the problem has been addressed
135
An awareness program for management should highlight...
The need for management to play a supervisory role in protecting systems and applications from attack
136
Awareness training for senior management should highlight...
The liability, need for compliance, due care and due diligence, and the need to create the tone and culture of the organization through policy and good practice
137
Criteria for risk acceptance
Consideration of the availability of mitigating controls
The needs of regulation
Cost benefit analysis of a control option
The risk versus reward incentive that management is willing to consider
138
What is residual risk?
Risk that remains after the implementation of risk treatment controls
139
What is risk tolerance?
Acceptable variation that management is willing to allow for any particular risk as the enterprise pursues its objectives
140
Ownership of risk is ultimately the responsibility of...
The asset owners, or in most cases, senior management
141
Risk acceptance must not exceed the...
Risk capacity of the organization
142
What is risk capacity?
The objective amount of loss an enterprise can tolerate without risking its continued existence
143
Risk capacity and risk appetite are defined by
The board and executive management at the enterprise level
144
What are risk tolerance levels?
Tolerable deviations from the level set by the risk appetite definitions
145
The risk register shows the...
Severity, source, and potential impact of a risk
| Identifying the risk owner and the current status and disposition of risk
146
The purpose of a risk register is...
To consolidate risk data into one place and permit the tracking of risk
Contains all the risk identified in audits, vulnerability assessments, penetration tests, incident reports, process reviews, management inputs, risk scenario creation, and security assessments
147
The owner of the risk also owns the...
Controls and is responsible for monitoring its effectiveness
148
What is a control?
It is a means of managing risk, including policies, procedures, guidelines, practices or organizational structures
149
Developing a manageable and relevant set of risk scenarios requires:
Expertise and experience
A thorough understanding of the environment
The intervention and common views of all parties involved
A brainstorming/ workshop approach
150
What is systemic risk?
Something happens with an important business partner, affecting a large number of enterprises within an area or industry
151
What is contagious risk?
Events that happen at several of the enterprise's business partners within a very short time frame
Secret
flashcards
Decks in class (4)
# Cards
