CRM Exam - Part 2.B.2 - Risk Assessments and Mitigation


What sort of information should not be stored in mobile computing devices that can be easily stolen?

- confidential - personal data - trade secrets - sensitive information

Accountability Risks

Risks associated with the possibility of loss, damage or unrecoverability of records and information that could result in the inability of the organization to show that it has acted correctly and fulfilled their obligations.

Records are vital to risk management because?

Records can be used to prove compliance, avoid potential penalties and fees, and inform business decisions.

__________ risk is loss, damage, or unrecoverability of records and information that could result in damage to the organization's public image, confidence or reputation.

Reputational

Reputational Risks

Reputational Risks are loss, damage, or unrecoverability of records and information that could result in damage to the organization's public image, confidence or reputation.

___________ are some potentially catastrophic agents of accidental destruction of vital records.

Natural disasters (violent weather, floods, and earthquakes)

__________ such as fire, floods, pest infestation, unauthorized intrusion, computer system failure or sabotage, explosions and bomb threats pose risks to record storage areas, server rooms and computer installations.

Natural hazards and human threats

A(An) __________ assessment is the evaluation of the possibility of incurring loss and the amount that is acceptable for a given event. a) damage b) risk c) retention d) archival e) strategic

b) risk

RIM Risks

Risks associated with the possibility of loss, damage or unrecoverability of records and information that could result in loss arising from how and where records are stored, retrieved, destroyed and retained.

A __________ risk assessment is usually based on a physical survey of locations where vital records are stored. a) compliance b) financial c) quantitative d) confidential e) qualitative

e) qualitative

Risk Preventative Measures

- address the physical environment where records are stored/used - designed to minimize the likelihood of damage to records and apply to both working and security copies of vital records

Name types of risks that a RIM Manager should understand.

- business - technical - RIM - legal/regulatory - accountability - reputational - financial - operational - environmental - natural hazards

What determines an organization's risk tolerance?

- compliance and privacy obligations - perceived security threats - data and asset value - industry and competitive pressure - management preferences

Risk Management

- consists of coordinated policies, plans, processes, resources and activities that direct and control risks to which an org is exposed - begins with heightened security awareness that must be communicated to all employees - culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects - systematic undertaking that involves assessing and addressing various risks to organizational activities

List examples of costs associated with risk.

- cost of file reconstruction - value of lost customer data, orders - labor costs associated with reversion to manual operations - litigation/legal costs

Human Disasters

- data entry error - improper handling of sensitive data - unauthorized access - malicious damage/tampering/destruction of data - robbery/theft/burglary - bomb threats - epidemic - explosion - strikes/picketing - civil disorder - loss of physical access to resources - chemical spill - vandalism/sabotage - hazardous - careless handling - misfiling

Risk Map

- data visualization tool for communicating specific risks an organization faces that helps companies identify and prioritize the risks associated with their business. - grid depicting a likelihood axis and an impact axis, usually rated on a scale of 1 to 5 - simple identification and ranking of the 10 greatest risks an organization faces in relation to business objectives

Natural Disasters (climate, topography/water, seismic stability)

- flooding - fire - earthquake - wind damage - snow/ice storm - volcanic eruption - electromagnetic interference - vermin/insects - hurricane

4 basic steps to completing a risk assessment:

- identify the risks your office may encounter (natural, technical, human) - determine what level of impact the risk will have (impact rating) - estimate the probability of that risk happening (high, medium, low) - determine the risk factor (Impact Rating x Probability Rating = Risk Factor) and rank risks by it

Administrative Risks

- lack of documentation to mitigate threats and vulnerabilities - lack of security awareness and training - lack of delegation of roles - not having policies and procedures, or failing to periodically review and update them - failing to review information system activity

Social Media Risks

- lack of social media policy - lack of training - employees can post things that accidentally cause harm to the organization - liability and potential for leakage or erosion of information assets

Risk Tolerance

- level of risk or degree of uncertainty that is acceptable to organizations and is a key element of the organizational risk frame - amount of corporate data and systems that can be risked to an acceptable level - having this defined means the security program knows the degree that management requires the organization to be protected against confidentiality, integrity, or availability compromise

Operational Risks

- loss, damage, or unrecoverability of records and information needed for completing the organization's business transactions effectively - risk of direct or indirect loss of operations due to inadequate or failed internal processes, people or systems, or as a result of external events

Records Risks

- malicious destruction - accidental destruction - careless handling - misfiled records - stolen recorded information - computer hardware and software failures - tampering - improper disclosure of recorded information

Email Risks

- operational: losses in employee productivity - legal: legal risks associated with email arise either from employee conduct or from eDiscovery - compliance: mismanagement of emails with record content can lead to penalties, fines, and PR issues

High Risk Tolerance

- organization does not operate within the following areas: Finance, Health care, Telecom, Government, Research, Education - no compliance requirements - no sensitive data - customers do not expect you to implement and maintain strong security controls - innovation and revenue generation come before security, so more risk is accepted - does not have remote locations

Low Risk Tolerance

- organization operates within the following areas: Finance, Health care, Telecom - multiple compliance requirements and houses sensitive data - customers require and expect your organization to have and maintain strong security controls - information security is highly visible to senior management - has multiple remote locations

Medium Risk Tolerance

- organization operates within the following areas: Government, Research, Education - some compliance requirements (e.g. HIPAA, PIPEDA) - some sensitive data, and is required to retain records - customers will eventually need strong security controls for their activities - due to the sensitive data, information security is more visible to senior management - has some remote locations

Risk Protective Measures

- permit the reconstruction of essential information and the restoration of business operations if vital records are lost, damaged or destroyed - typically apply only to security copies or backup copies of vital records, since these measures presume the working copy has already been lost

Technical Disasters

- power failure - HVAC failure - malfunction or failure of the CPU - failure of system or application software - telecommunications failure - gas leaks - communications failure

List 5 types of risk assessments.

- qualitative - quantitative - generic - site-specific - dynamic

Quantitative Risk Assessment

- relies on site visits, discussions and other systems analysis methods to identify vulnerabilities, but uses numeric calculations to measure the likelihood and impact of losses associated with specific records - results are expressed in dollar amounts and compared with the cost of proposed protection measures; if the annualized cost of the risk is higher than the cost of mitigation, the proposed measures should be implemented - provides a useful framework for comparing exposures for different record series and prioritizing them for protection - begins with the determination of probabilities associated with adverse events and the calculation of annualized loss expectancies based on those probabilities

Qualitative Risk Assessment

- relies principally on group discussions to identify and categorize risk - useful for physical security problems and other vulnerabilities - based on a physical survey of locations, combined with examination of reference activities and patterns that may increase vulnerability and a review of security procedures already in place. - does not estimate the statistical probabilities of the destructive events or their financial impact; goal is to understand the interplay of threats, vulnerabilities, consequences

Probabilistic Risk Assessment (PRA)

- to estimate risk by computing real numbers to determine what can go wrong, how likely is it, and what are its consequences - risk is characterized by two quantities: (1) the magnitude (or severity) of the adverse consequence(s) that can potentially result from the given activity or action, and (2) by the likelihood of occurrence of the given adverse consequence(s) - consequences are expressed numerically - likelihoods of occurrence are expressed as probabilities or frequencies - aka quantitative risk assessment

What are the main purposes of risk assessments?

- to identify health and safety hazards and evaluate the risks presented within the workplace - to evaluate the effectiveness and suitability of existing control measures - to ensure additional controls (including procedural) are implemented wherever the remaining risk is considered to be anything other than low. - to prioritize further resources if needed to ensure the above

Recordkeeping System Risks

- weak records protection as part of emergency management - indiscriminate application of information technology end-user tools without effective recordkeeping - multiplication of digital records and information, increasing the danger of security breaches, losses, confusion, and mismanagement - inadequate PII and security protections - lack of awareness of the importance of records as evidence

Record Control

Administration of documents, files, and records created or received by an organization to ensure proper authorization and procedure for having access to or handling of records.

Risk Factor / Annualized Loss Expectancy

The expected loss associated with specific records due to a catastrophic event or threat, stated per year. In the rating method it is Impact Rating x Probability Rating (the risk factor); in the quantitative method it is the cost of a single loss multiplied by the probability that the threat occurs in a given year (annualized loss expectancy).
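The four-step procedure (impact rating x probability rating), the quantitative method's cost-benefit rule, and the risk-factor / annualized loss expectancy definition above all reduce to the same small calculation. The following is an added worked example, not material from the exam or from any RIM standard: the 1..5 rating scale, the record series, threats and dollar figures are all constructed for illustration, and the SLE x ARO form of annualized loss expectancy is the usual expression of the "single loss times annual probability" idea rather than anything the page spells out.

```python
"""Worked records risk assessment: risk factor, ALE, cost-benefit and risk map.

Added example with constructed sample data; the rating scale and figures are
assumptions, not values from the exam material.
"""
from __future__ import annotations

from dataclasses import dataclass

# Qualitative ratings mapped onto the 1..5 scale a risk map uses.
# The numeric values are an assumption for this example; schemes vary.
RATING = {"low": 1, "medium": 3, "high": 5}


@dataclass
class RecordsRisk:
    """One record series paired with one threat (constructed sample data)."""
    series: str
    threat: str
    impact: str             # qualitative impact rating: low / medium / high
    probability: str        # qualitative likelihood rating: low / medium / high
    single_loss: float      # SLE: cost of reconstructing the records after one event
    events_per_year: float  # ARO: expected number of such events per year
    mitigation_cost: float  # annual cost of the proposed protective measure


def risk_factor(r: RecordsRisk) -> int:
    """Step 4 of the procedure: Impact Rating x Probability Rating."""
    return RATING[r.impact] * RATING[r.probability]


def annualized_loss_expectancy(r: RecordsRisk) -> float:
    """Quantitative form: ALE = SLE x ARO, in dollars per year."""
    return r.single_loss * r.events_per_year


def should_mitigate(r: RecordsRisk) -> bool:
    """Cost-benefit rule: implement the measure only when the annualized
    cost of the risk exceeds the annual cost of mitigating it."""
    return annualized_loss_expectancy(r) > r.mitigation_cost


def rank_by_risk_factor(risks: list[RecordsRisk]) -> list[RecordsRisk]:
    """Highest risk factor first; ties keep input order (sorted is stable)."""
    return sorted(risks, key=risk_factor, reverse=True)


def risk_map(risks: list[RecordsRisk]) -> dict[tuple[int, int], list[str]]:
    """Place each risk on a (likelihood, impact) grid, as a risk map does."""
    cells: dict[tuple[int, int], list[str]] = {}
    for r in risks:
        cell = (RATING[r.probability], RATING[r.impact])
        cells.setdefault(cell, []).append(f"{r.series} / {r.threat}")
    return cells


# Constructed sample input: four record series, each with one threat.
SAMPLE = [
    RecordsRisk("Customer contracts", "fire in file room", "high", "low", 250_000, 0.02, 8_000),
    RecordsRisk("Payroll database", "server failure", "high", "medium", 60_000, 0.5, 4_000),
    RecordsRisk("Email archive", "accidental deletion", "medium", "high", 5_000, 4, 3_000),
    RecordsRisk("Visitor logs", "misfiling", "low", "high", 200, 12, 2_500),
]


if __name__ == "__main__":
    # Qualitative ranking: the two 15s outrank the two 5s regardless of dollars.
    for r in rank_by_risk_factor(SAMPLE):
        print(f"{risk_factor(r):>3}  {r.series} / {r.threat}")
    # Quantitative decision: high-impact but rare fire is not worth the measure
    # at these (constructed) numbers, while the frequent losses are.
    for r in SAMPLE:
        ale = annualized_loss_expectancy(r)
        print(f"{r.series}: ALE ${ale:,.0f} vs mitigation ${r.mitigation_cost:,.0f}"
              f" -> {'mitigate' if should_mitigate(r) else 'accept'}")
```

Note that the two methods can disagree: the qualitative risk factor ranks the contracts fire and the misfiled visitor logs equally (both score 5), while the dollar figures show one is a rare catastrophic loss and the other a frequent trivial one. That is why the quantitative assessment is the one the page describes as the basis for comparing protection costs.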

What is the difference between business risks and financial risks?

Business Risks could result in lower than anticipated profits, or that it will experience loss rather than a profit. Financial Risks could result in financial losses that threaten the organization's financial position.

__________ are risks associated with the possibility of loss, damage or unrecoverability of records and information that could result in lower than anticipated profits, or that it will experience loss rather than a profit.

Business risks

Records management programs can also protect an organization from significant risks such as:

Compliance issues, disaster recovery, public relations crises, confidentiality breaches and security threats. A well-executed records management program helps mitigate these risks in much of the same way that legal counsel or an insurance policy does—by acting as a safeguard against unexpected future events.

Impact Rating

Cost of the loss if the threat occurs.

Generic Risk Assessments

Cover common hazards for a task or activity. The idea is to cut down on duplication of effort and paperwork. This type of risk assessment will consider the hazards for an activity in a single assessment, where that activity may be carried out across different areas of the workplace or different sites.

T/F A RIM Risk Assessment should be limited to only external threats to information.

FALSE. A RIM Risk Assessment should also include internal intentional and unintentional corruption, damage, deletion, and unintended use of records.

T/F Malicious reconstruction of recorded information may result from warfare or warfare related activities such as terrorist attacks, purposeful sabotage, or seemingly aimless vandalism.

FALSE. Malicious destruction of recorded information may result from warfare or warfare related activities such as terrorist attacks, purposeful sabotage, or seemingly aimless vandalism.

__________ risks are associated with the possibility of loss, damage or unrecoverability of records and information that could result in financial losses or threaten the organization's financial position.

Financial

Risk Capacity

How much an organization is willing to lose without jeopardizing its goals.

Risk Assessment

Identification, evaluation, and estimation of the levels of risks to which an organization may be exposed in a situation, their comparison against benchmarks or standards, and whether it would be in the organization's best interest to take certain measures to reduce these risks to a level that is considered to be acceptable.

Natural Hazard Risks

Record storage areas, server rooms and computer installations are all at risk from natural hazards as well as human threats such as fire, flood, pest infestation, unauthorized intrusion, computer system failure or sabotage, explosions and bomb threats.

__________ risk is loss, damage or unrecoverablility of records and information that could result in litigation or noncompliance with laws or regulations.

Legal/Regulatory

Environmental Risks

Loss, damage, or unrecoverability of records and information documenting the organization's environmentally safe practices.

Financial Risks

Loss, damage, or unrecoverability of records and information that could result in financial losses or threaten the organization's financial position.

Legal Risks

Loss, damage, or unrecoverability of records and information that could result in litigation or noncompliance with laws or regulations. Records are needed to provide evidence of the existence of appropriate policies and procedures and compliance.

Technical Risks

Loss, damage, or unrecoverability of records and information that could result in loss arising from activities such as design and engineering, manufacturing, technological processes and test procedures.

__________ destruction of recorded information may result from warfare or warfare related activities such as terrorist attacks, purposeful sabotage, or seemingly aimless vandalism.

Malicious

Security

Measures taken to protect materials from unauthorized access, change, destruction, or other threats.

Likelihood

Probability that loss will occur.

Probability Rating

Probability that such a threat will occur in a given year.

Dynamic Risk Assessment

Process of assessing risk on the spot, in the situation as it unfolds. This type of risk assessment is often used to cope with unknown risks and to handle uncertainty.

Risk Identification

Process of determining risks that could potentially prevent the program, enterprise, or investment from achieving its objectives. It includes documenting and communicating the concern, its sources, area of impact, and causes and consequences of risk.

Risk Analysis

Process of identifying and evaluating specific risks; causes, consequences, likelihood and risk level. The outcome of risk analysis provides the basis for protection planning and other records management decisions.

Risk Evaluation

Process used to compare the estimated risk against the given risk criteria so as to determine the significance of the risk. In other words, level of risk compared to tolerance.

Risk Profile

Quantitative analysis of the types of threats an organization, asset, project or individual faces. Provides a non-subjective understanding of risk by assigning numerical values to variables representing different types of threats and the danger they pose.

___________ is usually done when first determining and evaluating the exposure of vital records to specific risks.

Risk analysis

Site-Specific Risk Assessment

Risk assessment that has been completed for a specific item of work, that takes account of the site-location, environment, and people doing the work. Might be qualitative, or quantitative.

__________ is the amount of acceptable loss while still reaching goals.

Risk capacity

Regulatory Risk

Risk that a change in laws and regulations will materially impact a security, business, sector, or market.

Business Risks

Business risks are the loss, damage or unrecoverability of records and information that could result in lower than anticipated profits, or in the organization experiencing a loss rather than a profit.

Magnitude

Size or extent of the potential loss.

T/F A preventive risk control measure for vital records is to limit access to vital records areas to a single supervised entrance.

TRUE

T/F A preventive risk control measure is to instruct employees to challenge and report suspect persons entering vital records repositories.

TRUE

T/F Potential catastrophic agents of accidental destruction include natural disasters such as violent weather, floods, and earthquakes.

TRUE

T/F Preventive risk control measures promote the physical security of vital records against malicious destruction or unauthorized access.

TRUE

T/F Records storage areas, server rooms and computer installations are at risk from natural hazards as well as human threats such as fire, flood, pests, intrusion, computer failures or sabotage.

TRUE

T/F Restricting access to computer workstations to authorized employees is a preventive risk control measure.

TRUE

T/F Reviewing the access control to physical locations such as offices or records centers is part of the risk assessment.

TRUE

T/F Risk analysis provides the basis to plan for records protection.

TRUE

T/F Risk assessment is part of developing and monitoring a Disaster Recovery Plan.

TRUE

T/F To identify the types of risks that are associated with the creation and use of information requires a risk assessment.

TRUE

T/F Vital records planning includes protection of essential information against malicious or accidental destruction.

TRUE

T/F Vital records stored on networked drives are at risk of damage or deletion by remote users.

TRUE

__________ risk is loss, damage, or unrecoverability of records and information that could result in loss arising from activities such as design and engineering, manufacturing, technological processes and test procedures.

Technical

Records Risk Control

Techniques that reduce the frequency or severity of losses, such as protective or preventative measures: - one storage location is easier to secure than many - access to vital records storage areas should be limited to a single supervised entrance and restricted to authorized individuals - employees should be instructed to challenge and report suspect persons who enter vital records repositories - vital records should be filed in locked drawers, cabinets, or other metal containers until needed and returned to their filing locations immediately after use - confidential personal data, trade secrets, or other sensitive information should not be stored on mobile computing devices - vital electronic records stored on networked computers can be accessed, and possibly damaged, by remote users, so physical security measures must be supplemented by safeguards against electronic intrusion - access to computer workstations must be restricted to authorized employees; workstations should be turned off or locked when possible and never left unattended while operational - system software should automatically terminate a computer session after a predetermined period of inactivity

Technology Risk

Technology risk is any potential for technology failures to disrupt the business, such as information security incidents, service outages, or failures of cloud software.

Risk Assessment Matrix

Used during risk assessment to define the level of risk by considering the category of probability or likelihood against the category of consequence severity. This is a simple mechanism to increase visibility of risks and assist management decision making.

A ___________ analysis will result in the most outcomes. a) probabilistic b) deterministic c) system d) computational e) retention schedule

a) probabilistic

The most common risk associated with records and information management is: a) fire b) loss of a document c) theft of sensitive information d) deterioration of information over time e) reduction of the RIM budget

b) loss of a document

Risk __________ is the systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence. a) protection b) mitigation c) retention d) determination e) elimination

b) mitigation

The loss, damage or unrecoverability of records and information that could result in damage to the organization's public image, confidence or reputation is called: a) accountability risks b) reputational risks c) business risks

b) reputational risks

Risk assessment recommendations on electronic records security may include: a) copying data b) printing for storage c) backing up data d) restoring data e) shredding paper

c) backing up data

A risk assessment site survey includes: a) developing an updated set of floor plans b) locating a records disaster recovery site c) performing a physical property inventory d) determining structural and environmental safety e) determining record retention requirements

d) determining structural and environmental safety

Which of these is not a step in risk management? a) identify risk b) monitor and review risk c) evaluate risk d) reduce risk by reducing multiple applications/software e) mitigate risk.

d) reduce risk by reducing multiple applications/software

Calculating the probabilities of damage or loss of records and information is a(an): a) organizational impact analysis b) insurance policy c) cost-benefit analysis d) risk analysis e) disaster assessment

d) risk analysis

Which of the following should be considered when performing a risk assessment of a RIM program: a) passwords b) security tables c) doors on file rooms d) public access controls e) all of the above

e) all of the above

Risk assessments consider all of the following except: a) legal requirements b) physical security c) security controls d) policies and procedures e) cost of security

e) cost of security

When assessing risk, the need for security must be balanced against the need for: a) employee training programs b) policies and procedures c) communications equipment d) storage space expansion e) operational effectiveness

e) operational effectiveness

The purpose of __________ is to determine and evaluate the exposure of vital records to specific risks.

risk analysis
