Chapter 2: Risk Management

¡Supera tus tareas y exámenes ahora con Quizwiz!

NIST SP 800-161

A good resource to help integrate supply chain risk into your risk management program.

Which best describes a quantitive risk analysis?

A method that assigns monetary values to components in the risk assessment.

Risk Assessment vs Risk Analysis

A risk assessment is used to gather data, a risk analysis examines the gathered data to produce results that can be acted upon.

Vulnerability assessment vs risk assessment

A vulnerability assessment just finds the vulnerabilities (the holes) and risk assessment calculates the probability of the vulnerabilities being exploited and the associated business impact.

A business impact analysis (BIA) is often the most important first step in what process?

Business continuity planning (BCP)

Administrative Controls

Commonly referred to as soft controls because they are more management oriented. *security documentation, risk management, personnel security and training*

Business Process Compromise (BPC)

Commonly targeted at the financial sector, where transaction amounts, deposit accounts, or other parameters are changed to funnel money to the attackers pockets.

Risk Analysis

Detailed examination of the components of risk that is used to ensure security is cost-effective, relevant, timely, and responsive to threats.

Third-Party Assessments

Considered best practice and may be required for compliance.

Threat Working Group (TWG)

Consist of members of all major parts of the organization, meeting regularly to review the list of risks and ensure that threats and controls remain valid.

Monitor Risk

Continuously monitor the effectiveness of our control against the risks for which we designed the,

Service Level Agreement (SLA)

Contractual agreement that states that a service provider guarantees a certain level of service. Provides a mechanism to mitigate some of the risk from service providers in the supply chain.

Which is the most valuable technique when determining if a specific security control should be implemented?

Cost/benefit analysis

Does not support the idea of calculating exploitation probability numbers or annualized loss expectancy values. Believes that trying to use mathematical formulas for the calculation of risk is too confusing and time consuming.

FRAP

Which risk assessment methodology is known for using Boolean logic expressions to help identify failures in complicated systems?

Fault tree analysis

Corrective Security Control

Fixes components or systems after an incident has occurred.

Facilitated Risk Analysis Process (FRAP)

Focus only on the systems that really need assessing, to reduce costs and time obligations. Analyzes one system, application, or business process at a time.

ISO/IEC 27031:2011

Guidelines for information and communications technology readiness for BC.

A large grocery store chain has discovered that their customers' credit card details are being stolen whenever the customer swipes their card for payment. After an investigation, it is determined that a malicious threat actor working at the factory where these point of sale (PoS) devices are assembled has been adding a component capable of skimming, storing, and exfiltrating credit card details when they are swiped. This is an example of what kind of risk?

Hardware Trojan supply chain

Detective Security Control

Helps identify an incidents activities and potentially an intruder.

Which two categories of controls should always be implemented together and should complement each other?

Preventative & Detective

Disaster Recovery (DR)

Process of minimizing the effects of a disaster or major disruption. It means taking the necessary steps to ensure that the resources personnel and business processes are sage and able to resume operation in a timely manner.

Upstream Suppliers

If they supply materials, goods or services to your company and your company uses those in return to provide whatever it is that it supplies to others.

Effects Analysis (FMEA)

Impact of that break or failure.

Business Impact Analysis (BIA)

In which a team collects data through interviews and documentary sources: documents business functions, activities and transactions: develops a hierarchy of business functions: and finally applies a classification scheme to indicate each individuals functions critically level.

Preventive Security Control

Intended to avoid an incident from occurring.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

Intended to be used in situations where people manage and direct the risk evaluation for information security within their organization. Relies on the idea that the people working in these environments best understand what is needed and what kind of risks they are facing. Assess all systems, applications, and business processes with the organization.

Recovery Security Control

Intended to bring the environment back to regular operations.

Deterrent Security Control

Intended to discourage a potential attacker.

Risk Monitoring

Ongoing process of adding new risks, reevaluating existing ones, removing moot ones, and continuously assessing the effectiveness of our controls at mitigating all risks to tolerable risks. (effectiveness, change, compliance. )

Loss Potential

Organization could lose assets or revenues if a threat agent actually exploited a vulnerability.

Instead of being considered an outsider, BCP should be

Part of the team, final responsibility should belong to a high level executive manger.

Single point of failure (FMEA)

Represent vulnerabilities that could directly affect the productivity of the network as a whole.

Exposure Factor (EF)

Represents the percentage of loss a realized threat could have on a certain asset.

What is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact?

Risk

Total Risk

Risk an organization faces if it chooses not to implement any type of safeguard.

A risk assessment must be supported and directed by:

Senior mamagement.

Delayed Loss

Takes place after a vulnerability is exploited. May include damage to the organizations reputation, loss of market share, accrued late penalties, civil suites, the delayed collection of funds from customers, resources required to reimage other compromised systems.

Risk Avoidance

Terminate the activity that is introducing the risk.

Defense in Depth

The coordinated use of multiple security controls in a layered approach.

Risk

The likelihood of a threat source exploiting a vulnerability and the corresponding business impact.

Maximum Tolerable Downtime (MTD)

The maximum period of time that a business process can be down before the survival of the organization is at risk.

Accept the Risk

The organization understands the level of risk it is faced with as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure.

Risk Mitigation

The risk is reduced to a level considered acceptable enough to continue conducting business.

Residual Risk

The risk that is left over to deal with even after countermeasures are implemented.

Executives and Board Members

These leaders want to know whether risks can be properly mitigated or require change to the organizational strategy. Should also be briefed on risks that have been "accepted" and what their potential impact could be. Risk *heat maps* are used rather than verbose descriptions.

Project Sizing

Understand what assets and threats should be evaluated.

Hacktivitsts

Use cyberattacks to affect political or social change. Preferred objectives are highly visible to the public or yield information that, when made public, aims to embarrass government entities or undermine public trust in them.

Quantitive Risk Analysis

Used to assign monetary and numeric values to all elements of the risk analysis process.

Qualitative Risk Analysis

User uses a softer approach to the data elements of a risk analysis. it is more opinion and scenario based and uses a rating system to relay the risk critically levels. (Red, yellow, green)

Which of the following statements is FALSE?

All threats are human individuals or groups

Delphi (qualitative risk technique)

Brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one on one meetings and interviews. A group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be.

How do you conceptually calculate residual risk?

(Threats x vulnerability x asset value) x controls gap

Annual Loss Expectancy (ALE)

ARO X SLE =

Hardware Trojan

An electronic circuit that is added to an existing device in order to compromise its security or provide unauthorized functionality.

Control Assessments

An evaluation of one or more controls to determine the extent to which they are implemented correctly, operating as intended, and are producing the desired outcome.

Business Continuity (BC)

An organizations ability to maintain business functions or quickly resume them in the event that risks are realized and result in disruptions.

SLE (equation)

Asset Value (AV) * Exposure Factor (EF) = SLE

Script-kiddies

Basic grasp of hacking (but access to someones else's scripts or tools).

Why should the teak that will perform and review the risk analysis information be made up people in different departments?

Because people in different departments understand the risks of their department. thus, it ensures data going the analysis is close to reality as possible

Respond to Risk

Becomes the matter of matching our limited resources with our prioritized set of controls.

Frame Risk

Defines the context within which all other risk activities take place.

Security Effectiveness

Deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system.

Risk Reporting

Enables organizational decision making, security governance, and day to day operations. Also important for compliance purposes.

Which best describes the purpose of the ALE calculation?

Estimates the loss potential of a threat in a span of a year.

Risk Reports should be made to?

Executives, (board members) Managers and risk owners.

Failure Mode (FMEA)

How something could break or fail.

Provides the information and direction for the organizations security risk management processes and procedure and should address all issues of information security.

ISRM policy.

Communicates information on the organizations risks to senior management and how properly execute management's decisions on risk management tasks.

ISRM team

ISO 22301:2019

International standard for BC management systems, the specification document against which organizations will seek certification.

Illogical Processing & Cascading errors

Invalid results are passed on to another process. These type of problems can lie within application code and are very hard to identify.

Risk Management (RM)

Is the process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level.

Annualized Rate of Occurrence (ARO)

Is the value that represents the estimated frequency of a specific threat taking place within a 12 month timeframe.

Physical Controls

Items put into place to protect facilities, personnel, and resources. *security guards, locks, fencing, lighting*

Failure Modes and Effect Analysis (FMEA)

Method of determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. Commonly used in product development and operational environments. *The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement control to reduce the impact of the break*

Risk assessment

Method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls.

Single Loss Expectancy (SLE)

Monetary value that is assigned to a single event that represents the organizations potential loss amount if a specific threat were to take place.

Managers

More detailed reports because they are responsible for well, managing the risks. They want to know current risks and how they've been trending over time. *risk management boards*

Cybercriminals

Most common threat actors, motivated by greed or just have fun breaking things.

Risk Owners

Most detailed reporting because the staff members responsible for managing individual risks.

Describes four interrelated components that compromise the risk management process

NIST SP 800-39

Which is one of the first steps in developing a BCP?

Perform a business impact analysis.

Continuous Improvement

Practice of identifying opportunities, mitigating threats, improving quality and reducing waste as an ongoing effort. Hallmark of maturity and effective organizations.

Business Continuity Management (BCM)

Provides a framework for integrating resilience with the capability for effective responses in a manner that protects the interest of an organizations key stakeholder. The main objective is to allow the organization to continue to perform business operations under various conditions.

Compensating Security Control

Provides an alternative measure of control.

Transfer the risk

Purchase insurance, this transfers the risk to the insurance company.

Which kind of risk analysis may gather data from brainstorming, the Delphi Technique, storyboarding, focus groups, surveys, and one-on-one meetings or interviews?

Qualitative risk analysis

Why is a truly quantitative risk analysis not possible to achieve?

Quantitative measures must be applied to qualitative elements.

Quantitive vs Qualitative

Quantitive evaluation can be used for tangible assets (monetary values) and a qualitative assessment can be used for intangible assets (priority values)

Supply Chain

Sequence of suppliers involved in delivering some product.

Technical Controls

Software or hardware components *firewalls, IDS, encryption, identification, authentication*

NIST SP 800-30 Revision 1, Guide for conducting risk assessments

Specific to IS threats and hoe they relate to information security risks. 1. Prepare the assessment 2. Conduct the assessment 3. Communicate results 4. Maintain assessment

Change Advisory Board (CAB)

Standing group that reviews and approves any changes such as deployment of new policies, systems, and business processes. Measures changes through a variety of metrics that also are used to monitor risks.

Assess Risk

This is perhaps the most critical aspect of the process.

Which is the BEST term to denote a potential cause of an unwanted incident, which may result in harm to a system or organization?

Threat

Which of the following is not one of the three keys areas for risk monitoring?

Threat

total risk equation

Threat x Vulnerability x Asset Value

How do you calculate residual risk ?

Threats X vulnerability X asset value X control gap.

Maturity Models

Tools that allow us to determine the ability of our organizations for continuous improvement. A business decisions NOT a cybersecurity one.

Fault Tree Analysis (FTA)

Usually proves to be more useful approach to identifying failures that can take place within more complex environments and systems. First, an undesired effect is taken at the root or top event of the tree of logic. Then, each situation that has the potential to cause that effect is added to the tree as a series of logic expressions. This is done using computer programs that can calculate the failure of probabilities from a fault tree.

Validation

Validate that the controls are producing the desired outcomes.

Verification

Verify that the manner in which it is implemented is correct and that controls are operating as intended.

Nation State Actors (state actors)

Very selective in who they target, use advanced capabilities to compromise systems and establish a persistent presence to allow them to collect intelligence for extended periods. Main motivations are espionage and gaining access to critical infrastructure.

When is it acceptable to take no action regarding an identified risk?

When the cost of the countermeasure is greater than the value of the asset and the potential loss.

When is it acceptable to not take action on an identified risk?

When the cost of the countermeasure outweighs the value of the asset and potential loss.

NIST SP 800-34 Revision 1 (R1)

guidelines for performing business continuity and disaster recovery planning. The following list summarizes the steps in SP 800-34 R1: 1. Develop contingency planning policy. 2. Conduct business impact analysis (BIA). 3. Identify preventive controls. 4. Create recovery strategies. 5. Develop business continuity plan (BCP). 6. Test, train, and exercise. 7. Maintain the plan.

Residual risk equation

threats X vulnerability X asset value X controls gap. OR total risk - countermeasures.


Conjuntos de estudio relacionados

Ch. 10 (Externalities) Key Terms

View Set

Introduction to Literature shorter version

View Set

Week 2: Software Process - CS 427

View Set

Topics 4 and 5: Kinetic Theory and Thermodynamics

View Set

Dr. Britt PSYCH 101 Exam 2 Chps 3-4

View Set

Chapter 17 Eye and Ear Diseases/ Disorders

View Set