Chapter 3 ■ Integrated Information Risk Management ExamQ

How do you use RTO, MAO, and RPO in planning information risk management activities? Select the statements that are correct. A. Return to operations (RTO) is the desired time to get all business processes back into operation, whether on backup or workaround systems or on production systems. The recovery point objective (RPO) sets priorities for which systems to bring up first, or for which business processes to get back into operation before others (of lower priority). B. The recovery point objective (RPO) establishes the maximum amount of data that is lost due to a risk event. This could be in numbers of transactions or in units of time, and it indicates the amount of rework of information that is acceptable to get systems back into normal operation. C. The recovery time objective (RTO) must be less than or equal to the maximum acceptable outage. The MAO sets a maximum downtime (outage time) before mission impact becomes unacceptable; the RTO can be used to emphasize faster than MAO restoration. D. The maximum acceptable outage (MAO) relates to the mission or business objectives; if multiple systems support those objectives, then all of their recovery time objectives (RTOs) must be less than or equal to the MAO.

B, C, D. Option A is a misstatement of RTO and RPO.

How does information risk relate to information systems risk or information technology risk? A. These three terms all mean much the same thing, although with a greater or lesser degree of emphasis on securing the underlying computers and networks. B. They express the logical flow of making decisions about risk: first, what information do you need; second, how you get it, use it, and share it with others in the decision process; and third, what technologies help make all of that happen. The probability of an event causing a disruption to any step of that decision process is a risk. C. They reflect the need to think about risks in outcomes-based, process-based, asset-based, or threat-based terms. D. They suggest the levels of organizational leadership and management that need to be part of managing each risk: senior leaders with information risk, tactical unit managers with information systems risks, and the IT department with information technology risks.

B. Option B correctly shows the use of information to make decisions, as well as the roles of processes and technologies in doing so. Option A mistakenly suggests that the IT risks are more important; IT risks may be how important information is lost or compromised, but it is that information loss or impact that puts businesses out of business and not the failure of their IT systems. Option C confuses risk management with information risk. Option D also mistakes the role of information and the roles of processes and technologies, both in achieving objectives and in risk management

There are three ways in which risk assessments can be done. Choose the answer that orders them from best to least in terms of their contribution to risk management decision making. A. Qualitative, quantitative, and CVE-based B. CVE-based, quantitative, and qualitative C. There is no order; they all can and should be used, as each reveals something more about the risks you have to manage. D. Quantitative, CVE-based, and qualitative

C. Options A and D reflect biases toward or against qualitative assessments (presumably for being "soft" or potentially based on emotions or intuition) or quantitative ones (the data is too hard to get or validate). Using published common vulnerability and exposure (CVE) information can be quite illuminating, but as in Option D, be careful to not assume that other people's experiences and systems are a good match for your own, or to bow to authoritative statements without carefully considering whether they fit your situation.

What kind of information is part of an information risk assessment process? (Choose all that apply.) A. Lost revenues during the downtime caused by the risk incident, including the time it takes to get things back to normal B. Damage to equipment or facilities, or injury or death to people C. Estimated costs to implement chosen solutions, remediations, controls, or countermeasures D. Total costs to create an asset that is damaged or disrupted by the risk event

A, B. Option C is the safeguard value, which we cannot compute until we have completed a risk assessment and a vulnerability assessment, and then designed, specified, or selected such controls or countermeasures. Option D is typically not the loss incurred by damage of an asset; of greater interest regarding impact to an asset would be the cost to repair it (if repairable), replace it, or design and implement new processes to do without the damaged or disrupted asset.

Why do SSCPs need to appreciate the culture of the organization they are working with in order to be effective as information risk managers? (Choose all that apply.) A. Organizational culture determines how willingly managers and workers at all levels will accept greater responsibilities and accountability, which can severely limit the SSCP's ability to get a risk management plan enacted. B. "Old-boy" networks and informal information and decision paths may make anything written down in business processes, manuals, and so forth somewhat suspect. C. Privately held companies tend to be run more loosely than publicly held ones, because shareholder protection law and regulations dictate limits on what executives and board members can do or how they can do it. D. Larger companies have probably had more different people in key positions over time, and so the effect of one domineering personality (as might happen in small entrepreneurial organizations) is probably not as pronounced.

A, B. Options C and D may or may not be true in fact, but it's not clear whether these have any bearing on how the company determines priorities and risk tolerance, or what its decision-making processes and styles are. Options A and B are key elements of organizational culture that can impede or facilitate implementation of a risk management approach.

As chief risk officer, you are asked if ignoring a risk is the same thing as accepting it. Which of the following might be part(s) of your reply? A. Yes, because in both cases you have decided to do nothing different and just keep on with business as usual. B. No, because quite often you choose to ignore something without first really understanding it or assessing its possible impacts to you. C. No, because in ignoring a risk you may be violating your own responsibilities for due care or due diligence. D. Yes, because as the responsible manager, you still have due care and due diligence responsibilities here.

A. All are correct as far as they go in comparing "ignore" and "accept." However, the key to due care and due diligence is the standard of reasonable and prudent effort. You would not be prudent if you spent millions of dollars to relocate your business from Atlanta, Georgia (1,050 feet above mean sea level [MSL]) to Boulder, Colorado (5,328 feet above MSL) simply to avoid the risk of a tsunami flooding out your facility, given how astronomically huge that tidal wave would have to be! Thus, Options C and D do not apply, and Option B merely restates the due care or due diligence argument.

The acronym BIA refers to which of the following? A. A document identifying all of the impacts to the business due to the risks it has chosen to assess; forms the basis for risk mitigation planning and implementation B. The basic information security needs to provide for the privacy, integrity, and availability of business information C. The budgeted implementation and accreditation plan for information security, often required by insurers and financial authorities of businesses dealing with sensitive or safety-related information D. The budgeted cost of information availability, which when compared with the actual cost of information availability, lets management assess planned versus actual success of their information risk management programs

A. The business impact analysis (BIA) is an integrated view of the prioritized risks and the projected impacts they could have on the business. Option B is a misstatement of the confidentiality, integrity, and availability (CIA) needs for information security. Options C and D suggest realistic management needs for bringing together plans, costs, budgets, and timelines, but they are incomplete as stated and may not even exist.

Kim manages risk for an online publishing company on the island of St. Kitts, which currently uses an on-premises datacenter as its content development facility; it e-ships content to customers who are then responsible for hosting it wherever they want. Kim's division vice president is concerned about risks, and so Kim has done some estimating. The datacenter has enough backup power supply capacity to do a graceful shutdown, but normal round-the-clock, seven-day-per-week development operations must have commercial power available. Recent experience shows that at least once per month, a brownout or blackout lasting at least eight hours occurs. Each disruption costs the company an additional two hours to restore operations. Which statements about risk assessment are not correct? (Choose all that apply.) A. Risk appetite should determine the MAO, which can then be used as part of estimating SLE. B. If the SLE exceeds the safeguard value, Kim should advise that the company implement that safeguard. C. If the ALE exceeds the safeguard value, Kim should advise that the company implement that safeguard. D. Once she has estimated the ALE, Kim can assess different safeguards to see how long their payback period might be so that she can advise her management regarding these alternatives.

B, C. Option A is correct in that tolerance or appetite for risk should drive setting the maximum allowable outage time; the costs incurred during a maximum outage are part of computing single loss expectancy. Option B is incorrect, since the power outages seem to be happening monthly, so SLE alone overstates the potential losses. Option C annualizes the expected losses, but comparing it to the safeguard value assumes a one-year payback period is required. Option D reflects that management may be willing to spend significant money on a safeguard that requires more than one year to justify (pay back) its expense in anticipated savings.

Jill has recently joined a software development startup company as an information risk analyst, and she notices that the company does not make use of any risk management frameworks. Which is the best advice you could give to Jill? A. As a new employee, she'd be speaking out of turn to say anything just yet. Watch and learn. B. As an SSCP, Jill knows that risk management frameworks can offer valuable lessons to learn from as organizations start to plan and conduct risk management (and information risk management) activities. Jill should talk with her supervisor, and perhaps propose that she draft a concept for how to select, tailor, and use one of the widely accepted RMFs. C. Jill should suggest to her supervisor that key stakeholders, perhaps even the board of directors, would not be pleased to see that the company is "reinventing this wheel" on its own. Perhaps the organization should adapt an RMF to its needs, she suggests. D. Most RMFs really do not add value to small, entrepreneurial firms just starting out. Jill can keep the use of RMFs in the back of her mind, and maybe find small elements of these large, complex frameworks to introduce, bit by bit, to her company's security processes and posture.

B. Choice 3, perspective, should reflect priorities, risk appetite, or tolerance, and decision-making culture, and this has to lead all risk management activities. Next comes Choice 4, which feeds into the BIA. Choice 2 should be a product of the BIA process, because it combines costs or magnitude of impacts with acceptable damage limitation strategies. Finally, we choose what to fix, transfer (pay someone else to worry about), accept, or avoid, and any residual risk is recast or re-expressed to reflect these decisions.

What are all of the choices you need to make when considering information risk management, and what's the correct order to do them in? 1. Treatment: accept, treat (fix or mitigate), transfer, avoid, recast 2. Damage limitation: deter, detect, prevent, avoid 3. Perspective: outcomes, assets, process or threat based 4. Impact assessment: quantitative or qualitative A. 1, 2, 3, then 4 B. 3, 4, 2, then 1 C. 4, 3, 2, then 1 D. 2, 3, 1 then 4

B. Choice 3, perspective, should reflect priorities, risk appetite, or tolerance, and decision-making culture, and this has to lead all risk management activities. Next comes Choice 4, which feeds into the BIA. Choice 2 should be a product of the BIA process, because it combines costs or magnitude of impacts with acceptable damage limitation strategies. Finally, we choose what to fix, transfer (pay someone else to worry about), accept, or avoid, and any residual risk is recast or re-expressed to reflect these decisions.

What is information risk? A. The threat that data on your computers, online storage, local or cloud-hosted data, or other data could be hacked into, stolen, or changed B. The probability of an event occurring that disrupts your information and the business processes and systems that use it C. Vulnerabilities in your information systems that can be exploited by a threat actor and cause harmful impacts D. The probability that management's and leadership's directions and communications will be misunderstood, causing the wrong actions to be taken by stakeholders, possibly causing financial loss, injury, or death

B. Option B is the simplest and most effective definition of information risk. Options A and C do not include probability of occurrence (risks are not certain to happen), and describe how risks become events rather than what the risk actually is. Option D is one example, but it does not define information risk.

Threat modeling and threat assessment: A. Should be done during risk management so that the threat modeling and assessment can drive the detailed work of risk mitigation planning B. Refer to the boundaries of a system and look to identify, understand, assess, and manage anything that attempts to cross that boundary as a way to identify possible threats C. Involves highly mathematical approaches, such as predictive code analysis, to produce meaningful results D. Is best done using modeling and simulation tools

B. Whether the system is small and simple or large and complex, its owners, builders, and users have to treat it like a "black box" and know what can happen across every interface it has with the outside world. Thus Option B is correct. Option A has the steps in the wrong order; detailed threat modeling and assessment needs detailed system architectural information to be valid. Option C misstates how threat modeling is done. While Option D may address a useful set of tools, it does not explain what threat modeling and assessment are or how to do them.

Patsy is reviewing the quantitative risk assessment spreadsheet for her division, and she sees a number of entries where the annual loss expectancy is far greater than the single loss expectancy. This suggests that: A. The RTO is later than the RPO. B. The ARO is less than 1. C. The particular risk is assessed to happen many times per year; thus its ARO is much greater than 1.0. D. This looks like an error in estimation or assessment, and it should be further investigated.

C. Option B has the annualized rate of occurrence (ARO) use incorrect; if the ARO was less than 1, the single loss expectancy is in effect spread over multiple years (as if it were amortized). Option A involves restore time and point objectives, which are not involved inthe annualized loss expectancy (ALE) calculation. Option D misunderstands ALE = ARO * SLE (single loss expectancy) as the basic math involved.

What does it mean to have an integrated information risk management system? A. You choose controls and countermeasures that provide all-risk coverage, have graceful degradation or fallback capabilities, and provide end-to-end visibility and management via built-in command, control, and communications capabilities. B. You avoid point defense countermeasures or controls, as they tend to make you overlook gaps between them. C. You provide the communications capabilities to bring status, state, and health information from all countermeasures and controls, and all systems elements, to information security managers, who can then direct timely changes in these controls in real time as required to respond to an incident. D. Vendors of security information and event managers claim that their products are "integrated," but they often do not clearly say what this means or help customers achieve greater security because of this.

C. Option C shows both the purpose of an integrated approach (timely incident characterization and management) and the use of communications capabilities in doing so. Options A and D demonstrate that vendor self-description of their products can sound good but does not really address key needs. Option B is true, and partially addresses how point solutions need to be mutually supportive, but does not go far enough.

Which of the following shows the major steps of the information risk management process in the correct order? A. Assess risks across the organization; identify information security and privacy risks; implement countermeasures; establish security and privacy posture; review supply chain for IT security risk elements B. Establish basic security posture; review risks; implement countermeasures; perform ongoing monitoring and assessment, testing, and training C. Set priorities; assess risks; select controls and countermeasures; implement controls; validate correct operation; monitor D. Develop business impact analysis; establish risk tolerance levels; implement damage control choices; monitor

C. Option D incorrectly has the BIA first, but the BIA has to come after the organization's leadership has agreed to risk tolerance and set priorities. Option B is incorrect partly because the basic "common sense" posture is not part of a formal risk management process but a bare-minimum immediate set of actions to take if needed. Option A has establishing a posture (which consists of policies and decisions that drive implementation and operation steps) and implementation in the wrong order.

Terri has recently been assigned to the information security team as a risk assessment analyst. As she goes through the files (on paper and in the company's cloud-based information systems) that the company already has, she realizes that they are inconsistent in format and hard to use to perform analysis, and that there are no controls over who in the company can access these files. Does any of this present an information security concern? (Choose all that apply.) A. No, because the company would have chosen a cloud systems provider that fully protects any unauthorized persons or outsiders from accessing any company data. B. Yes, because the data in these files could represent significant vulnerabilities of company systems, and its inadvertent or deliberate disclosure could be very damaging to the company. C. Yes, because the lack of controls on access and use suggests that data integrity is lacking or cannot be assessed. D. Yes, because conflicting formats and content might make much of the data unusable for analysis and decision making without a lot of effort, impacting whether that data can support decision making in a timely manner.

C. Options A and D reflect biases toward or against qualitative assessments (presumably for being "soft" or potentially based on emotions or intuition) or quantitative ones (the data is too hard to get or validate). Using published common vulnerability and exposure (CVE) information can be quite illuminating, but as in Option D, be careful to not assume that other people's experiences and systems are a good match for your own, or to bow to authoritative statements without carefully considering whether they fit your situation.

When we call an attack a "zero day exploit," we mean that: A. The attack exploited a vulnerability within the first 24 hours of its discovery. B. The attack exploited a vulnerability within the first 24 hours of its being announced by the affected systems or software vendor, or when it was posted in the CVE. C. This term is meaningless hyperbole, invented by the popular press. D. The attack exploited a previously unreported vulnerability before the affected systems or software vendor recognized and acknowledged it, reported or disclosed it, or provided warning to its customers.

D. Despite the name, the 24 hours of a day have nothing to do with the element of surprise associated with attacking a heretofore-unknown vulnerability. Option C is false, since the term is well understood in IT security communities. Option D correctly explains the period from discovery in the wild to first recognition by system owners, users, or the IT community, and how this element of surprise may give the attacker an advantage.

Tom is the chief information security officer for a medium-sized business. It's been brought to his attention that the company has been storing its backup systems images and database backups in an offsite facility that has no alarm system and no way of knowing whether there were any unauthorized persons entering that facility. Which of the following might apply to this situation? A. This could be a failure of due care in that security requirements for the backup information should have been specified and implemented in the storage plan and contracts. B. Since there are no records to check to see if any unauthorized persons had access to these backups, there has been no due diligence lapse. C. This is at least a failure of due diligence, since there seems to have been no systematic or periodic check of the storage facility or the backup media stored in it. D. This could be a case of failing to perform both due care and due diligence.

D. Options A and C highlight what seem to be Tom's failures to adequately plan for or implement offsite backup storage of system images and data, and his failures to institute effective verification of the security of that storage. Option B is incorrect—the lack of records does not relieve Tom of the burden to check that things are working correctly anyway.

Which statement about risk perspectives or views is most correct? A. Outcomes-based risk assessment is best, because it focuses attention on the highest priority goals and objectives of the organization as the places to start risk identification and assessment. B. Asset-based risk assessment is best, because it focuses attention on where your sunk costs or remaining book value of capital assets is greatest, and thus most expensive to repair or replace if a risk occurs. C. Threat-based risk management is best, because it keeps you looking at rapidly evolving exploits and forces you to realize that somebody, somewhere, has their own reasons for stealing every stray bit of information or computer power from you. D. Each of these provides great insight as you start your risk management planning and implementation efforts; no one approach by itself covers everything a good risk management strategy must do.

D. Options A, B, and C are correct statements about each perspective, but they each falsely proclaim that their approach is the only one needed.

Which is the most correct statement as to what it means to have a proactive approach with your information security risk management plans, programs, and systems? A. Being proactive means that your countermeasures and controls can actively trace back to identify, locate, and characterize your attackers, which can help you both in defending against them and in potentially seeking legal redress. B. Senior leaders and managers in many businesses appreciate active, thoughtful, forward-looking approaches, and you will find it easier to gain their support. C. Proactive information security systems allow your security specialists to take real-time control of all system elements, and bring all information about events of interest into one common operational picture. This greatly enhances your ability to detect, characterize, and contain incidents. D. Being proactive means that you use the best knowledge you have today, including lessons learned from other organizations' experience with information risk, and you plan ahead to deal with them, rather than wait for them to occur and then investigate how to respond to them.

D. Proactive involves thinking ahead and planning for contingencies, as opposed to being reactive, or waiting until things break. Option A is both wrong and probably illegal in most circumstances. Option B might be true, but it is a general statement about "being proactive" rather than specifically about information security. Option C describes an integrated information security management approach.