Cyber Security Risk Management


How do we know that a risk has been addressed? Name at least two of the four conditions.

AAEA • Approval of an Exception Request (Accept) • Approval of a Mitigation Plan (Mitigation or Transfer) • Elimination of the Vulnerability (Remediation, a form of Mitigation) • Activity Causing the Exposure is Ceased (Avoid)

Name risk mitigation plan approaches and describe each briefly.

ALP • Alleviation - Implement controls to prevent the threat • Limitation - Limit likelihood or effects with controls • Planning - Formal plan to prioritize, implement, and maintain controls.

Name three of the cyber-security program goals and explain each briefly.

BCC • Business Units to Identify & Remediate Risks. • Capability to Track Risks. • Consistency of Risk Assessments.

Name the three phases of the risk assessment engagement process and describe each briefly.

BIE+D • Build Asset-Based Threat Profiles • Identify Vulnerabilities • Evaluate Risks, and • Develop Security Strategy

Define security risk reviews and name five high-level steps to implement this process.

EGARR • Gap Analysis of established policies and standards. Establishes an understanding of Cyber Security expectations and prioritizes areas with the greatest business exposure. Defines must-haves vs. nice-to-haves. - Establish an asset inventory. - Generate Findings - Analyze Risk - Risk Decision - Risk Exceptions

Describe threat and vulnerability management workflow.

FRA • The workflow defines how you will handle risk exposures. Three main steps: - Filter out low and moderate exposures. - Risk decision and mitigation planning - Action and tracking

Name three components of threat and vulnerability management.

SEDPD • Select a standard/baseline • Establish an asset inventory • Define your risk scales • Profile your environments (sensitivity) • Define a workflow for assessing vulnerabilities

What are the essential steps in building a cyber-security program?

SEDPD • Select a standard/baseline • Establish an asset inventory • Define your risk scales • Profile your environments (sensitivity) • Define a workflow for assessing vulnerabilities

List the cyber-security program prerequisites.

SMECE • Security Policies, Standards and Baselines • Mapping of Risk Domains to Business Objectives • Establish an asset inventory. • Common Risk Formula • Enterprise Risk Committee

What is cyber-security's role in business and IT decision making?

UMPS • Understand immediate versus high likelihood. • Map risk exposure to business objectives. • Provide knowledgeable facts. • Soft Costs (costs that aren't directly visible, e.g. reputation). • Fear, uncertainty and doubt (FUD) - not to be used as a hammer.

Define risk evaluation and name steps that leaders can take to manage identified risks.

UMPS • Understand immediate versus high likelihood. • Map risk exposure to business objectives. • Provide knowledgeable facts. • Soft Costs (costs that aren't directly visible, e.g. reputation). • Fear, uncertainty and doubt (FUD) - not to be used as a hammer. • Steps: - Avoid - Accept - Mitigate - Transfer

Name at least three of the main cyber security components to incorporate into the project life cycle.

VRR • During the planning part of the life-cycle: - Vendor Due Diligence - Review of ERDs and DFDs - Risk Planning

Name two risk assessment techniques and describe the concept of active vs passive testing.

• Active testing - Actively attacking/testing your network: Penetration Testing • Passive testing - No impact on the network. Application code security review

Name two of the pitfalls to avoid and explain each briefly.

• Don't run a security scan of the entire environment. A 200-page report helps no one and scares execs off (not actionable). • Don't try to identify and profile every system. That will come with time. Focus on priorities first.

Explain the security zoning principle.

• Should be a part of defense-in-depth strategy. • Put layers of security between the outside (attackers) and your most secure resources. • Example: three zones - low trust, lightly trusted, and secure trusted. • Ensure connectivity between layers has appropriate security controls.
