Information Risks

Question 1

A Threat

Answer 1

A threat is something that could damage, disrupt or compromise any of your
assets, tangible or intangible, data being an obvious target. If the threat is realised, it will cause a level of harm.

Question 2

Threats come in 3 main categories:

Answer 2

Accidental, Deliberate and Natural (Further broken down into external and internal

Accidental, Internal threat: User
spilling tea on laptop

Deliberate, Internal threat: Disgruntled
employee turning off power

Natural - External threat: Flood,
Earthquake, Natural disaster

Deliberate, External threat: Hacker
gaining unauthorised access to IT
System from the Internet

Question 3

Threat Management

Answer 3

• Threats can always exist regardless of measures taken
• Threat management is important to deal with types of threats and their sources
• Threat management should cover various areas to minimize threats
• Threat intelligence is about taking in vast amounts of raw information from various sources to see if there is a new or emerging threat
• Threat intelligence is complex and looks at the threat actors, their motivation and intent to establish where to focus cyber defence efforts
• Certain areas of business are more prone to threats and should be considered.

Question 4

Challenges and Threats of the Internet of Things (IoT)

Answer 4

• The Internet of Things (IoT) refers to the connection of billions of devices to the internet, including cars, building management systems, wearable fitness technologies, medical devices, and domestic devices.
• IoT devices present security problems, such as little configuration and no built-in security, generating vast quantities of data, and no upgrade paths.
• Many IoT devices lack security and have hard-coded credentials, making them vulnerable to new threats such as someone taking over your car or controlling your cooker.
• IoT is mainly a consumer problem, but it has entered the workplace, and external protective measures should be applied to ensure security if the device cannot be secured.

Question 5

The potential risks of social media use in the workplace

Answer 5

• Social media is a powerful marketing and communication tool for businesses.
• However, social media also presents risks, especially in terms of control of the message being conveyed and the potential for inadvertently revealing sensitive information.
• Open-Source Intelligence Gathering (OSINT) can be used for reconnaissance purposes, which can be both good and bad.
• LinkedIn is a specific area of concern because it is a recruiter’s paradise and contains personal and professional information that can be exploited by malicious actors using social engineering tactics.
• Workplace social media use should be controlled to manage official output regarding the business.
• Staff security awareness training should include social media guidelines to prevent company information from being propagated through personal social media accounts and to make staff aware of the risks of social engineering attacks.

Question 6

Vulnerabilities

Answer 6

• A vulnerability is an identified weakness in a system, process, or person
• People inside an organization can be the biggest threat, intentionally or unintentionally
• Vulnerabilities can be classified into three groups: technical, physical, and administrative/procedural
• Identified vulnerabilities can be varied, including unpatched systems, lack of background checks on employees, and no anti-virus software
• Vulnerability landscape changes constantly and remediation is needed once a vulnerability is identified, but new vulnerabilities will arise quickly.

Question 7

Asset Management

Answer 7

• Assets can be people, facilities, information/data, or reputation and are of value to the organization.
• If assets suffer damage or loss, it could affect the future viability of the business.
• Assets need to be identified, classified based on their value and sensitivity, and categorized based on their impact if any element of confidentiality, integrity, or availability (CIA) is lost.
• Loss of confidentiality has a high impact, while the unavailability of an information webpage has low impact.

Question 8

Impact

Answer 8

• Information Risk is the likelihood of the threat actor launching the threat that exploits the vulnerability, resulting in an adverse impact to the business.
• A vulnerability being exploited leads to an impact that can range from minimal to catastrophic, affecting an individual or the entire organization.
• Impact can be tangible (monetary loss) or intangible (reputational damage).
• It is important to consider the impact of a vulnerability being exploited when assessing risk.

Question 9

Likelihood and Probability

Answer 9

• Likelihood/probability measures how often something adverse may occur
• Historical data is used to produce reliability figures for equipment and systems
• The more often it occurs, the greater the effect on the business
• Likelihood calculations may drive business decisions
• The frequency of occurrence may vary seasonally due to weather conditions
• Situations like instances of Internet fraud are higher during times of high activity
• War and civil unrest would also affect likelihood

Question 10

Risk Assessment and Business Impact Analysis

Answer 10

• Business impact analysis (BIA) is conducted when considering business continuity activities and is usually an initial part of the risk assessment process.
• Asset identification is crucial in the risk assessment process.
• Assets can be tangible or intangible, and reputation is also an asset.
• BIA helps in identifying critical assets and quantifying risks associated with them.
• The losses associated with each asset can be assigned impact levels and monetary figures.
• Risks are associated with assets, and BIA can assist in identifying appropriate protective measures.
• BIA helps in identifying the most critical parts of the business.
• Critical assets need protective measures to prevent disruption and failure.
• The BIA should assess the losses that would occur in the event of failure of an asset.

Question 11

Risk Management Processes

Answer 11

• The risk management process is composed of four stages: Identification, Analysis, Treatment, and Monitoring.
• The basic risk treatment options are Accept, Mitigate, Transfer, and Avoid.
• The choice of treatment option depends on various factors.
• The implementation of controls is crucial for the success of the chosen treatment.
• There are several standards available to assist with risk management, such as ISO 27005:2018, ISO 31000 series, and NIST SP800-30.
• The risk management process is iterative and requires continuous monitoring to ensure its effectiveness.

Question 12

Risk Management Terminology

Answer 12

The context of risk assessment is driven by the business’s view on risk.
Key business risk terminologies include: Risk Capacity, Risk Appetite, Risk Acceptance, Risk Tolerance

Question 13

Risk Capacity

Answer 13

Risk capacity refers to the maximum amount of risk a business can sustain without being adversely impacted in its viability.

Question 14

Risk Appetite

Answer 14

Risk appetite refers to the amount of risk that a business is willing to take in order to achieve its goals and objectives. This level of risk is typically lower than the business’s risk capacity, as it represents the maximum level of risk the business is able to tolerate without compromising its viability.

Question 15

Risk Acceptance

Answer 15

Risk Acceptance: the minimum level of risk that a business is willing to tolerate on a daily basis after implementing risk treatments. Controls are applied to reduce risk to an economically feasible level, and the business accepts what remains.

Question 16

Risk Tolerance

Answer 16

Risk tolerance is the acceptable variation in risk that a business can tolerate to achieve a specific objective. It is the level between the risk acceptance and risk appetite where the business may temporarily exceed the risk appetite to allow for flexibility.

Question 17

Risk Identification and Categories

Answer 17

• Risk identification can be done through Business Impact Analysis, threat intelligence feeds, vendor advisories, and vulnerability databases.
• The stages of risk identification include identifying threats, vulnerabilities, determining likelihood, impact, and risk.
• There are three categories of risk within a business: strategic, tactical, and operational.
• Strategic risks are those that affect the business over the long term and may require avoidance, transfer, or acceptance.
• Tactical risks occur on a frequent basis in the medium term and are mitigated through the use of controls such as preventative, directive, detective, and corrective.
• Operational risks are risks found within the daily operation of the business and are treated using security controls similar to tactical risks.
• Operational issues in the workplace require interaction between people, processes, and technology.

Question 18

Risk Analysis

Answer 18

• Risk analysis involves determining the likelihood and impact of identified threats and vulnerabilities.
• The process allows for the prioritization of risks and the consideration of treatment options.
• Risk matrixes or heat maps are a useful tool for visualizing individual risks based on their likelihood and impact.
• Recognizable words such as unlikely, possible, very likely, and negligible, minor, moderate, etc., are used to categorize frequency and impact.

Question 19

Risk Evaluation

Answer 19

• Risk evaluation is closely linked to the analysis of risk factors.
• The evaluation process focuses on determining appropriate treatment options for identified risks.
• The severity of the risk, as determined during the analysis phase, informs the evaluation.
• The goal is to select the most cost-effective treatment option.
• The cardinal rule is not to spend more on protecting an asset than the value of the asset itself.
• The final decision on treatment options is typically made by senior management due to the financial considerations involved.

Question 20

What are the four ways risk can be treated?

Answer 20

Risk can be treated in four different ways:
 Avoid the risk
 Accept the risk
 Reduce the risk (mitigation)
 Transfer the risk

Question 21

Which of the following options describes a method of treating risk in risk management?

a) Risk Avoidance
b) Risk Identification
c) Risk Assessment
d) Risk Analysis

Answer 21

A) Risk Avoidance. Risk avoidance is a method of treating risk where the organization takes actions to completely eliminate or avoid the risk by not engaging in the activity or process that presents the risk.

Question 22

Risk Controls

Answer 22

We treat risk through the use of security controls of which there are three types:

Physical controls – guards, doors, fences, locks

Procedural controls – processes, policies, procedures, sometimes called
administrative controls

Technical controls – firewalls, access lists, IDS, IPS

Question 23

Risk Controls Categories

Answer 23

The three types of controls are implemented through control categories:

Preventative – a firewall would be a technical preventative control.

Directive – a policy or procedure

Detective – could be physical security guard or technical CCTV

Corrective – antivirus could be a technical corrective control

Deterrent – something that would deter an attacker, a guard dog.

Recovery – restore service, backups or disaster recovery

Compensating – supplement the primary control, CCTV as well as security
guard

Question 24

Which of the following categories of controls focuses on preventing incidents or threats from occurring in the first place?

a) Detective controls
b) Corrective controls
c) Preventative controls
d) Directive controls

Answer 24

C) Preventative controls. Preventative controls are designed to proactively reduce or eliminate the likelihood of incidents or threats occurring. They aim to prevent or minimize risks by implementing measures such as firewalls, access controls, security training, and secure coding practices.

Question 25

Which type of control focuses on identifying and responding to security incidents in real-time? A) Detective controls B) Corrective controls C) Preventative controls D) Directive controls

Answer 25

A) Detective controls because detective controls are specifically designed to detect and identify security incidents or breaches after they have occurred. These controls are focused on monitoring, analysis, and reporting of security events to provide timely detection of unauthorized activities or anomalies. By implementing detective controls, organizations can gain visibility into security incidents and take appropriate actions to mitigate the impact and prevent future occurrences. Examples of detective controls include intrusion detection systems (IDS), security information and event management (SIEM) systems, log analysis, and security audits.

Question 26

Which of the following controls focuses on reducing the impact of a security incident or risk event? a) Preventive controls b) Corrective controls c) Directive controls d) Detective controls

Answer 26

The answer would be b) Corrective controls. Corrective controls are designed to address and mitigate the impact of a security incident or risk event after it has occurred. They are implemented to correct or restore the affected systems, processes, or data to their normal state or functionality. Corrective controls aim to minimize the damage caused by an incident, restore normal operations, and prevent similar incidents from recurring in the future. Examples of corrective controls include incident response procedures, data recovery mechanisms, system restoration processes, and post-incident analysis.

Question 27

Which of the following risk control measures is focused on correcting a situation or restoring normalcy after a security incident has occurred? a) Preventative controls b) Directive controls c) Corrective controls d) Detective controls

Answer 27

Correct! The answer is C) Corrective controls. Corrective controls are implemented to address and rectify a security incident or problem that has already occurred. These controls aim to restore systems, processes, or environments to their normal state and mitigate the impact of the incident. Examples of corrective controls include incident response procedures, system recovery plans, and backup restoration. By implementing corrective controls, organizations can minimize the negative consequences of security incidents and restore the affected resources to their proper functioning.

Question 28

Which of the following risk control measures focuses on eliminating the root causes of risks and implementing measures to prevent their occurrence? A) Deterrent controls B) Corrective controls C) Preventive controls D) Compensating controls Take your time and select the most appropriate answer.

Answer 28

That's correct! The answer is C) Preventive controls. Preventive controls aim to proactively reduce or eliminate the likelihood of risks by implementing measures that prevent their occurrence. These controls focus on addressing the root causes of risks and mitigating them before they can manifest. By implementing preventive controls, organizations can reduce the likelihood of risks and minimize potential impacts. Deterrent controls (option A) aim to discourage potential threats or attackers from targeting the organization. Corrective controls (option B) focus on remedying the situation and restoring normalcy after a risk event has occurred. Compensating controls (option D) are alternative controls put in place when the primary controls are ineffective or unavailable. Therefore, option C is the correct answer as it specifically addresses the proactive measures taken to prevent risks from happening in the first place.

Question 29

Treatment Monitoring

Answer 29

1. Purpose: The final stage of the risk management cycle involves monitoring the effectiveness of the implemented treatments. 2. Monitoring for Effectiveness: - Check if the control measures are performing as intended. - Assess if the controls are achieving their intended outcomes. - Evaluate if the controls are cost-effective and efficient. 3. Revisiting Evaluation: - If any of the monitoring results are negative, reassess the effectiveness of the controls. - Consider alternative control options if necessary. - In some cases, a complete reassessment may be required. 4. Statistics and Reports: - Monitoring activities generate statistical data and reports. - Visual representation of risk reduction can aid management in assessing the effectiveness of controls. - Management looks for a return on investment in risk reduction efforts. Note: Effective treatment monitoring ensures that controls remain robust and aligned with the evolving risk landscape. Regular evaluation and reporting support informed decision-making and continuous improvement in risk management.

Question 30

Risk Assessment Methodologies

Answer 30

1. Types of Risk Assessment: - Two main methodologies: Quantitative and Qualitative. - Choice depends on the nature of risks being assessed. 2. Quantitative Risk Assessment: - Utilizes numerical values to calculate losses. - Involves assigning monetary figures to losses. - Relies on historical data to determine the frequency of occurrence. - Provides a more objective and data-driven assessment. 3. Qualitative Risk Assessment: - Used when it's challenging to assign monetary values or predict intangible losses. - Relies on subjective estimation by the assessor. - Assessor makes educated guesses regarding frequency and loss. - Subject to variations and inconsistencies based on individual assessor's skills and experience. 4. Factors affecting Accuracy: - Accuracy of qualitative risk assessment depends on the assessor's expertise and judgment. - Lack of consistency among assessors can lead to different sets of figures for the same risks. Note: The choice between quantitative and qualitative risk assessment depends on the availability of data, the nature of the risks, and the desired level of objectivity. It is important to recognize the limitations and potential variations in qualitative assessments due to their subjective nature.

Question 31

Which risk assessment methodology relies on numerical values and historical data to calculate losses? a) Quantitative risk assessment b) Qualitative risk assessment c) Hybrid risk assessment d) Reactive risk assessment

Answer 31

a) Quantitative risk assessment Quantitative risk assessment involves assigning numerical values, including monetary figures, to calculate losses. It relies on historical data to determine the frequency of occurrence and provides a more objective and data-driven assessment. In contrast, qualitative risk assessment relies on subjective estimation and does not involve numerical calculations. Hybrid risk assessment is not a commonly recognized methodology, and reactive risk assessment refers to responding to risks after they occur rather than assessing them proactively.

Question 32

Which risk assessment methodology relies on subjective estimation and does not involve numerical calculations? a) Quantitative risk assessment b) Qualitative risk assessment c) Hybrid risk assessment d) Reactive risk assessment

Answer 32

b) Qualitative risk assessment Qualitative risk assessment is a subjective process where estimations are made regarding the frequency and impact of risks. It does not involve numerical calculations or assigning specific values to risks. This methodology is used when it is not feasible or appropriate to use numerical data, or when dealing with intangible or difficult-to-predict losses. Quantitative risk assessment, on the other hand, relies on numerical values and historical data. Hybrid risk assessment is not a commonly recognized methodology, and reactive risk assessment refers to responding to risks after they occur rather than assessing them proactively.

Question 33

The Risk Register

Answer 33

- Purpose: The Risk Register serves as a documented record of risks within the organization, providing crucial information for risk management and decision-making. - Contents of the Risk Register: 1. Risk: Each identified risk is recorded in the register to ensure it is acknowledged and tracked. 2. Risk Owner: The individual or department responsible for managing and addressing the specific risk. 3. Categorization: Risks are categorized based on their severity or impact, such as low, medium, high, or other relevant classifications. 4. Treatment Plan: The strategies, actions, or controls outlined to address and mitigate the identified risks. 5. Date and Review: Entries in the risk register are dated, allowing for a clear timeline of risk management activities, and they should be subject to periodic review and updates. - Relationship to Risk Management Planning: - The risk treatment plan is an integral part of ongoing risk management planning. It outlines specific actions and measures to reduce or control identified risks. - Risk registers may also reference external risk treatment plans documented elsewhere, ensuring comprehensive risk management across the organization. - Integration with Corporate Risk Register: - The focus of the risk register discussed here is primarily on information security risks. - In some cases, the information security risk register may be part of a broader corporate risk register that encompasses all risks present in the business, providing a holistic view of risk across various domains. Note: Regular review and updates to the risk register are essential to maintain its accuracy and effectiveness in supporting risk management processes.

Question 34

What is the primary purpose of the risk register in an organization? a) To document all incidents and breaches that occur within the organization. b) To record and track identified risks along with their corresponding treatment plans. c) To determine the financial impact of each identified risk on the organization. d) To assess the effectiveness of control measures implemented for risk mitigation. Please note that the question may vary depending on the specific exam or context, but the options provided cover different aspects of the risk register's purpose.

Answer 34

b) To record and track identified risks along with their corresponding treatment plans. The primary purpose of the risk register is to maintain a centralized record of identified risks within an organization. It includes details such as the nature of the risk, its owner, categorization, and the corresponding treatment plan. The risk register helps in effectively managing and monitoring risks throughout their lifecycle.

Question 35

Which of the following is a key component of a risk register? a) Risk assessment methodology b) Risk treatment plan c) Risk mitigation strategy d) Risk impact analysis Take your time and choose the correct answer.

Answer 35

The answer is B) Risk treatment plan. A risk register is a record that documents various risks within an organization. It includes important information such as the identified risks, their owners, categorization (e.g., low, medium, high), and most importantly, the treatment plan for each risk. The risk treatment plan outlines the specific actions and measures to be taken in order to mitigate, manage, or control the identified risks. It serves as a crucial component of ongoing risk management and helps ensure that risks are properly addressed and monitored.

Question 36

In the context of risk management, which of the following statements are true regarding risk registers? Select two. a) Risk registers are primarily used for documenting risks related to physical security. b) Risk registers provide a formal documentation of identified risks within an organization. c) Risk registers are only applicable to information security risks. d) Risk registers include details about the treatment plan for each identified risk.

Answer 36

B and D are correct: b) Risk registers provide a formal documentation of identified risks within an organization. - Risk registers are used to record and document identified risks in a structured manner. They serve as a centralized repository where risks, along with relevant details such as their nature, potential impact, and likelihood, are recorded. This documentation helps ensure that risks are properly documented and can be reviewed independently. d) Risk registers include details about the treatment plan for each identified risk. - In addition to capturing information about risks, risk registers also typically include details about the treatment plan for each identified risk. The treatment plan outlines the actions and strategies to be implemented to address and mitigate the identified risks. By including the treatment plan in the risk register, organizations can have a comprehensive view of the risks and the corresponding measures in place to manage them effectively.