Module 2: Risk Assessment

Question 1

What is Risk

Answer 1

It is defined as the probability of the occurrence of an incident

Question 2

What is Risk Policy

Answer 2

A set of ideas that are to be implemented in order to minimize and mitigate risks faced by an organization

Question 3

Risk Policy defines these steps in managing the risks

Answer 3

1. Establishing a Context
2. Risk Identification
3. Risk Analysis
4. Risk Evaluation
5. Treating the risks
6. Monitor and Review
7. Communication and Consultation

Question 4

What is Risk Assessment

Answer 4

A set of guidelines and procedures to identify and assess the risks that pose a threat to the business or project environment

Question 5

What is the NIST Risk Assessment Methodology

Answer 5

1. System Characterization
2. Threats Identification
3. Identify Vulnerabilities
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation

Question 6

What happens in Step 1 System Characterization

Answer 6

The limits of an IT system are determined in order to set the scope of risk assessment

Question 7

What happens in Step 2 Threats Identification

Answer 7

Different threats and threat sources are to be identified

Question 8

What are the two threat sources

Answer 8

Human and Technical Threats

Question 9

What are the common human threats

Answer 9

• False data entry or deletion of data
• Eavesdropping
• Impersonation
• Theft
• Espionage

Question 10

What are the common technical threats

Answer 10

• Breaking passwords for unauthorized access
• Sniffing and scanning of network traffic
• Malicious code infection
• Spam and mail frauds
• DDoS attacks
• Session hijacking

Question 11

What is a threat source

Answer 11

It means any incident or occurrence with the potential to cause harm to the information system

Question 12

What happens in Step 3 Identify Vulnerabilities

Answer 12

To prepare a list of information system vulnerabilities that could be exploited by the probable threat-sources

Question 13

What is the best source for information gathering

Answer 13

Internet

Question 14

Vulnerability identification process methods

Answer 14

• Vulnerability sources
• System security testing
• Development of security requirements checklist

Question 15

System Security testing methods

Answer 15

• Automated vulnerability scanning tool
• Security test and evaluation (ST&E)
• Pen Test

Question 16

What happens in Step 4 Control Analysis

Answer 16

The controls that are planned to implement or already implemented are analyzed by the organization in order to reduce the probability of a threat.

Question 17

What happens in Step 5 Likelihood Determination

Answer 17

This step determines the likelihood of occurrence of a threat.

Question 18

Factors for the overall likelihood

Answer 18

• Motivation and the capability of threat-source
• Nature of the vulnerability
• Efficiency and existence of current controls

Question 19

What happens in Step 6 Impact Analysis

Answer 19

This step involved in risk assessment methodology determines the adverse impact resulting from a successful threat with the exercise of the vulnerability

Question 20

What happens in Step 7 Risk Determination

Answer 20

To determine the level of risk to different organizational processes and assets.

Question 21

Risk Determination involves what consideration

Answer 21

• The probability of occurrence of an anticipated incident
• The tangible and intangible impact of incident on organizations resources
• The control measures to minimize the impact or totally avoid the incident

Question 22

What happens in Step 8 Control Recommendations

Answer 22

Risk assessment teams recommend the controls based on the likelihood, impact and criticality of risk for business operation

Question 23

What happens in Step 9 Results Documentation

Answer 23

An official, detailed, and clear risk assessment report helps the senior management in taking decisions on policies, procedures, system operational, and management changes.

Question 24

Steps involved in the risk assessment of the work place

Answer 24

• Identify hazards
• Determine who will be harmed and how
• Analyze risks and check for precautions
• Implement results of risk assessment
• Review risk assessment

Question 25

What is a hazard

Answer 25

A hazard is anything that may cause harm

Question 26

What is a plan of action

Answer 26

It is a document that contains the implementation method of the risk assessment results

Question 27

What is Risk Analysis

Answer 27

The process that defines and analyzes the dangers

Question 28

How do you find Risk Analysis

Answer 28

Risk Assessment + Risk Management + Risk Communication

Question 29

What is Risk Management

Answer 29

A structured approach to manage risks due to any incident on information systems and its security

Question 30

What is Risk Communication

Answer 30

The correspondence between the client and the manager

Question 31

Risk Analysis helps to analyze what five elements

Answer 31

1. Assets 2. Disruptive events 3. Vulnerabilities 4. Losses 5. Safeguards

Question 32

What are the two approaches for Risk Analysis

Answer 32

Quantitative Risk Analysis (numbers, dollars) & Qualitative Risk Analysis (Best guess)

Question 33

What is Risk Mitigation

Answer 33

The process of minimizing the risk

Question 34

What Risk Mitigation Strategies are used

Answer 34

* Risk Assumption * Risk Avoidance * Risk Limitation * Risk Planning * Research and Acknowledgement * Risk Transference

Question 35

What is Risk Assumption

Answer 35

Executes controls to bring risk factor to an acceptable level or accepts the potential risk

Question 36

What is Risk Avoidance

Answer 36

It refers to preventing the risks by curbing the cause of the risk and/or consequence

Question 37

What is Risk Limitation

Answer 37

This procedure implements controls to diminish the level of controls which in turn condenses the impact of a threat's exercising vulnerability Example: Use of supporting, preventive, and detective controls

Question 38

What is Risk Planning

Answer 38

A risk mitigation plan is to developed in order to prioritize, implement, and maintain the controls

Question 39

What is Research and Acknowledgment

Answer 39

Analyzing the vulnerability of flaw and determine what actions can be taken to lessen the risk

Question 40

What is Risk Transference

Answer 40

Transfer the risk with the help of other options.

Question 41

What is Cost-Benefit Analysis

Answer 41

The process of calculating return on investment

Question 42

What are NIST's approach for Control Implementation

Answer 42

1. Prioritize actions 2. Evaluate recommended control options 3. Conduct cost-benefit analysis 4. Select control 5. Assign responsibility 6. Develop a safeguard implementation plan 7. Implement selected controls

Question 43

How do you prioritize actions

Answer 43

By using the risk levels in the risk assessment report

Question 44

What is residual risk

Answer 44

The amount of risk remaining after implementation of all the possible controls

Question 45

How do you calculate residual risk

Answer 45

Residual risk = Inherent Risk * Control risk

Question 46

How do you calculate inherent risk

Answer 46

Inherent risk = threats * vulnerability

Question 47

The numerical determination of the probability of an adverse event, and the extent of the losses due to the event, refers to which approach of risk determination

Answer 47

Quantitative risk analysis

Question 48

How many primary steps does NIST's risk assessment methodology involve

Answer 48

Nine

Question 49

In which of the steps of NIST’s risk assessment methodology are the boundaries of the IT system, along with the resources and the information that constitute the system, identified?

Answer 49

System Characterization

Question 50

In a qualitative risk analysis, risk is calculated in terms

Answer 50

(Attack Success + Criticality) - (Countermeasures) = Risk

Question 51

In a quantitative risk analysis, risk is calculated in terms

Answer 51

Risk = Probability of Loss * Loss

Question 52

What is the Risk formula

Answer 52

Risk = (events) * (probability of occurrence) * (consequences)

Question 53

A measure of possible inability to achieve a goal, objective, or target within a defined security, cost, plan, and technical limitations that adversely affects the organization’s operations and revenues

Answer 53

Risk

Question 54

In step 4 Control Analysis of the NIST's risk assessment methodology, technical and nontechnical control methods are classified into two categories. What are the two control categories

Answer 54

Preventive and Detective controls