Cyber Security Risk Management


How do we know that a risk has been addressed? Name at least two of the four conditions.

AAEA
• Approval of an Exception Request (Accept)
• Approval of a Mitigation Plan (Mitigation or Transfer)
• Elimination of the Vulnerability (Remediation, a form of Mitigation)
• Activity Causing the Exposure is Ceased (Avoid)

Name risk mitigation plan approaches and describe each briefly.

ALP
• Alleviation - Implement controls to prevent the threat
• Limitation - Limit likelihood or effects with controls
• Planning - Formal plan to prioritize, implement, and maintain controls

Name three of the cyber-security program goals and explain each briefly.

BCC
• Business Units to Identify & Remediate Risks
• Capability to Track Risks
• Consistency of Risk Assessments

Name the three phases of the risk assessment engagement process and describe each briefly.

BIE+D
• Build Asset-Based Threat Profiles
• Identify Vulnerabilities
• Evaluate Risks
• Develop Security Strategy

Define security risk reviews and name five high-level steps to implement this process.

EGARR
• Security risk reviews are a gap analysis of established policies and standards. The review establishes an understanding of cyber-security expectations and prioritizes areas with the greatest business exposure, defining must-haves vs. nice-to-haves.
• Steps:
- Establish an asset inventory
- Generate Findings
- Analyze Risk
- Risk Decision
- Risk Exceptions

Describe threat and vulnerability management workflow.

FRA
• The workflow defines how you will handle risk exposures. Three main steps:
- Filter out low and moderate exposures
- Risk decision and mitigation planning
- Action and tracking

Name three components of threat and vulnerability management.

SEDPD
• Select a standard/baseline
• Establish an asset inventory
• Define your risk scales
• Profile your environments (sensitivity)
• Define a workflow for assessing vulnerabilities

What are the essential steps in building a cyber-security program?

SEDPD
• Select a standard/baseline
• Establish an asset inventory
• Define your risk scales
• Profile your environments (sensitivity)
• Define a workflow for assessing vulnerabilities

List the cyber-security program prerequisites.

SMECE
• Security Policies, Standards and Baselines
• Mapping of Risk Domains to Business Objectives
• Establish an asset inventory
• Common Risk Formula
• Enterprise Risk Committee

What is cyber-security's role in business and IT decision making?

UMPS
• Understand immediate versus high likelihood
• Map risk exposure to business objectives
• Provide knowledgeable facts
• Soft Costs (costs that aren't directly visible, e.g. reputation)
• Fear, uncertainty and doubt (FUD) - not to be used as a hammer

Define risk evaluation and name steps that leaders can take to manage identified risks.

UMPS
• Understand immediate versus high likelihood
• Map risk exposure to business objectives
• Provide knowledgeable facts
• Soft Costs (costs that aren't directly visible, e.g. reputation)
• Fear, uncertainty and doubt (FUD) - not to be used as a hammer
• Steps:
- Avoid
- Accept
- Mitigate
- Transfer

Name at least three of the main cyber-security components to incorporate into the project life cycle.

VRR
• During the planning part of the life cycle:
- Vendor Due Diligence
- Review of ERDs and DFDs
- Risk Planning

Name two risk assessment techniques and describe the concept of active vs passive testing.

• Active testing - Actively attacking/testing your network: Penetration Testing
• Passive testing - No impact on the network: Application code security review

Name two of the pitfalls to avoid and explain each briefly.

• Don't run a security scan of the entire environment. A 200-page report helps no one and scares execs off (not actionable).
• Don't try to identify and profile every system. That will come with time. Focus on priorities first.

Explain the security zoning principle.

• Should be a part of a defense-in-depth strategy.
• Put layers of security between the outside (attackers) and your most secure resources.
• Example: three zones - low trust, lightly trusted, and secure trusted.
• Ensure connectivity between layers has appropriate security controls.
