Chapter 1: Managing Risk

Question 1

Three types of threats

Answer 1

Environmental
Manmade
Internal vs external

Question 2

Environmental threat

Describe!

Answer 2

Threats caused by environment (ie fire, flood, lightning, etc)

Question 3

Manmade threats

Answer 3

Threats caused by people (ie hackers, viruses)

Question 4

Internal threat

Answer 4

Threat by personnel within the company

Question 5

External threat

Answer 5

Threat by personnel outside the company

Question 6

Risk register

Answer 6

Scatter plot of possible problem areas

Question 7

Vulnerability

Answer 7

Weakness that could be exploited by a threat

Question 8

Risk assessment process

Answer 8

Risks to the organization
Risks worth addressing
Coordination with business impact analysis

Question 9

ALE

Answer 9

Annual loss expectancy: monetary measure of expected loss per year

Question 10

BIA

Answer 10

Business impact analysis

Question 11

SLE

Answer 11

Single loss expectancy: monetary measure of expected loss at a single time

Question 12

AV

Answer 12

Asset value

Question 13

EF

Answer 13

Exposure factor: percentage of item threatened

Question 14

Single loss expectancy can be divided into:

Answer 14

Asset value and exposure factor

Question 15

ARO

Answer 15

Annualized rate of occurrence: likelihood of an event occurring within a year

Question 16

Risk assessment formula

Answer 16

SLE x ARO = ALE

Question 17

NIST

Answer 17

National institute of standards and technology

Question 18

Appendix G of NIST pub 800-30

Answer 18

Assessment scale for likelihood of threat event initiation

Question 19

NIST pub 800-30 assessment scale qualitative, semi-quantitative, and description

Answer 19

Very high 10 adversary is almost certain to initiate threat event

High 8 adversary is highly likely to initiate threat event

Moderate 5 adversary is somewhat likely

Low 2 adversary is unlikely

Very low 0 adversary is highly unlikely

Question 20

Supply chain assessment

Answer 20

Used to look at vendors your organization works with strategically and the potential risks they introduce

Question 21

Threat vectors

Answer 21

The way in which an attacker poses a threat

Question 22

MTBF

Answer 22

Mean time between failures

The measure of the anticipated incidence of failure for a system or component

Question 23

MTTF

Answer 23

Mean time to failure

The average amount of time to failure for a non repairable system

Question 24

MTTR

Answer 24

Mean time to restore

The measurement of how long it takes to repair a system or component once failure occurs

Question 25

RTO

Answer 25

Recovery time objective Maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable

Question 26

RPO

Answer 26

Recovery point objective Defines the point at which the system needs to be restored

Question 27

PIA

Answer 27

Privacy impact assessment Identifies the adverse impacts that can be associated with the destruction, corruption, or loss of accountability data for the organization; used in conjunction with a business impact analysis

Question 28

PTA

Answer 28

Privacy threshold assessment The compliance tool used in conjunction with the privacy impact assessment

Question 29

Types of testing that can help identify risks

Answer 29

Penetration testing | Vulnerability testing

Question 30

7 Key measures to prevent unanticipated threats

Answer 30

``` Likelihood Threat vector Mean time between failures Mean time to failure Mean time to restore Recovery time objective Recovery point objective ```

Question 31

Four possible responses to a risk once identified

Answer 31

Risk avoidance Risk transference Risk mitigation Risk acceptance

Question 32

Risk avoidance

Answer 32

Identifying a risk and making the decision not to engage any longer in the actions associated with that risk

Question 33

Risk transference

Answer 33

Share some of the burden of the risk with someone else

Question 34

Risk mitigation

Answer 34

Taking steps to reduce the risk

Question 35

Risk acceptance

Answer 35

The choice that you make when the cost of implementing any of the other responses exceeds the value of the harm that would occur if the risk came to fruition

Question 36

DLP

Answer 36

Data loss prevention Monitors the contents of systems to make sure that key content is not deleted or removed; also monitors the usage and transmission of data

Question 37

Three ways to implement cloud computing

Answer 37

Platform as a service Software as a service Infrastructure as a service

Question 38

PaaS

Answer 38

Platform as a service or cloud platform services Vendors allow apps to be created and run on their infrastructure

Question 39

SaaS

Answer 39

Software as a service Applications are remotely run over the web

Question 40

IaaS

Answer 40

Infrastructure as a service Utilizes virtualization and clients pay a cloud service provider for resources used

Question 41

3 Risk related issues associated with cloud computing

Answer 41

Regulatory compliance User privileges Data integration/segregation

Question 42

2 risks associated with virtualization

Answer 42

Breaking out of the virtual machine | Intermingling network and security controls

Question 43

Policies

Answer 43

Provide the people in the organization with guidance about their expected behavior

Question 44

5 key areas of a good policy

Answer 44

``` Scope statement Policy overview statement Policy statement Accountability statement Exception statement ```

Question 45

Scope statement

Answer 45

Outlines what the policy intends to accomplish and which documents, laws, and practices the policy addresses

Question 46

Policy overview statement

Answer 46

Provides the goal of the policy why it’s important and why to comply with it

Question 47

Policy statement

Answer 47

Substance of the policy

Question 48

Accountability statement

Answer 48

Should address who is responsible for ensuring that the policy is enforced

Question 49

Exception statement

Answer 49

Provides specific guidance about the procedure or process that must be followed in order to deviate from the policy

Question 50

Standard

Answer 50

Deals with the specific issues or aspects of the business

Question 51

Five key aspects of standards documents

Answer 51

``` Scope and purpose Roles and responsibilities Reference documents Performance criteria Maintenance and administrative requirements ```

Question 52

Scope and purpose

Answer 52

Should explain or describe the intention

Question 53

Roles and responsibilities

Answer 53

Outlines who is responsible for implementing, monitoring, and maintaining the standard

Question 54

Reference documents

Answer 54

Explains how the standard relates to the organizations different policies, thereby connecting the standard to the underlying policy’s that have been put in place

Question 55

Performance criteria

Answer 55

Outlines how to accomplish the task

Question 56

Maintenance and administrative requirements

Answer 56

Outlines what is required to manage and administer the systems or networks

Question 57

Audit

Answer 57

Evaluation of requirements

Question 58

Guidelines

Answer 58

Help an organization implement or maintain standards by providing information on how to accomplish the policies and standards

Question 59

Four minimum contents of a good guideline document

Answer 59

Scope and purpose Roles and responsibilities Guideline statement Operational considerations

Question 60

Scope and purpose of the guideline document

Answer 60

Provides an overview and statement of the guidelines intent

Question 61

Roles and responsibilities

Answer 61

Identifies which individuals or departments are responsible for accomplishing a specific tasks

Question 62

Guidelines statement

Answer 62

Provide the step by step instructions procedures on how to accomplish a task in specific manner

Question 63

Operational considerations

Answer 63

Specifying and identify what duties are required and at what intervals

Question 64

BPAs

Answer 64

Business partner agreement Outline responsibilities and obligations between business partners

Question 65

MOU and MOA

Answer 65

Memorandum of understanding and memorandum of agreement Defined the terms and conditions for security sharing data and information resources

Question 66

ISA

Answer 66

Interconnection security agreement Documents the technical and security requirements for establishing, operating, and maintaining the interconnection

Question 67

Personnel policies

Answer 67

``` Mandatory vacations Job rotation Separation of duties Clean desk Background checks Nondisclosure agreements Onboarding Continuing education Exit interviews Role based training Acceptable use policies (AUP) Adverse actions General security policies ```

Question 68

Three control types

Answer 68

Management Operational Technical

Question 69

Management controls

Answer 69

Risk assessment Planning System and services acquisition Certification, accreditation, and security assessment

Question 70

Operational controls

Answer 70

``` Personnel security Physical and environmental protection Contingency planning Configuration management Maintenance System and information integrity Media protection Incident response Awareness and training ```

Question 71

Technical controls

Answer 71

Identification and authentication Access control Audit and accountability System and communication protection

Question 72

BIA

Answer 72

Business impact analysis The process of evaluating all of the critical systems in an organization to define impact and recovery plans

Question 73

Four key components of a business impact analysis

Answer 73

Identifying critical functions Prioritizing critical functions Calculating a timeframe for critical systems loss Estimating the tangible and intangible impact

Question 74

Possible plans to prepare for emergency

Answer 74

``` Automation/scripting Frameworks and templates Master image Non-persistence Elasticity Scalability Distributive allocation High availability Planning for resiliency Redundancy Fault tolerance RAID ```

Question 75

Non-persistent image

Answer 75

Image that can only exist in Random access memory or be changes that are over written on a reboot by a persistent or frozen image

Question 76

Elasticity

Answer 76

The ability to scale up resources as needed

Question 77

Distributive allocation

Answer 77

Load balancing

Question 78

HA

Answer 78

Hi availability The measures, such as redundancy, failover, and mirroring, used to keep services and systems operational during an outage