ISA 07
13. What is a cost-benefit analysis?
Answer: A cost-benefit analysis is an evaluation of the anticipated losses that could be avoided from a control effort (benefit), compared to the anticipated costs needed to implement the control.
1. What is competitive advantage? How has it changed in the years since the IT industry began?
Answer: An organization has competitive advantage when it creates a business model, method, or technique that allows it to provide a product or service that is superior to competitors. Competitive advantage was most common in the early days of IT systems; today, organizations operate at a similar level of automation.
16. What is the difference between benchmarking and baselining?
Answer: Benchmarking is the process of comparing one's company with other companies that are seeking the same results, whereas baselining is the process of standardizing a company's own results.
2. What is competitive disadvantage? Why has it emerged as a factor?
Answer: Competitive disadvantage is the state of falling behind the competition. Organizations today improve technologies to avoid loss of market share, not to stay ahead of their competitors.
14. What is the difference between intrinsic value and acquired value?
Answer: Intrinsic value is the essential worth of the asset under consideration; acquired value is the value beyond intrinsic value that some information assets acquire over time.
17. What is the difference between organizational feasibility and operational feasibility?
Answer: Organizational feasibility examines how well the proposed InfoSec alternatives will contribute to security, whereas operational feasibility examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders.
10. Describe how outsourcing can be used for risk transference.
Answer: Outsourcing can be used for risk transference when an organization chooses to hire an ISP or a consulting organization for products and services such as server acquisition and configuration, Web development, maintenance, administration, and even InfoSec functions. This allows the organization to transfer the risks associated with managing these complex systems to an organization that has experience with those risks. Outsourcing can shift responsibility for disaster recovery through service level arrangements
8. Describe residual risk.
Answer: Residual risk is the "leftover" risk that is not completely removed, shifted, or included in planning.
11. What conditions must be met to ensure that risk acceptance has been used properly?
Answer: Risk acceptance has been used properly if the level of risk posed to the asset has been determined, the probability of attack and the likelihood of a successful exploitation of a vulnerability has been assessed, the annual rate of occurrence of such an attack has been approximated, the potential loss that could result from attacks has been estimated, a thorough cost-benefit analysis has been performed, controls using each appropriate type of feasibility have been evaluated, or it has been decided that the particular function, service, information, or asset did not justify the cost of protection
12. What is risk appetite? Explain why risk appetite varies from organization to organization.
Answer: Risk appetite is the amount of risk an organization is willing to accept as it evaluates the trade-off between perfect security and unlimited accessibility. Risk appetite varies from organization to organization because of differences in their size, budget, culture, and the value placed on certain assets.
15. What is single loss expectancy? What is annualized loss expectancy?
Answer: Single loss expectancy (SLE) is the calculated value associated with a sole occurrence of the most likely loss from an attack. Annualized loss expectancy (ALE) is the calculated value associated with the most likely annual loss from an attack. ALE is often expressed as the SLE multiplied by the number of expected occurrences per year.
20. How does Microsoft define "risk management"? What phases are used in its approach
Answer: The Microsoft definition of risk is "the probability of a vulnerability being exploited in the current environment, leading to a degree of loss of confidentiality, integrity, or availability, of an asset." Microsoft presents four phases in its security risk management process: • Assessing risk • Conducting decision support • Implementing controls • Measuring program effectiveness
19. What is the OCTAVE Method? What does it provide to those who adopt it?
Answer: The OCTAVE Method is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets with the costs of providing protection of critical information assets. These costs include the costs of providing protective and detective controls. The OCTAVE Method can enable an organization to compare itself against known good security practices and then establish an organization-wide protection strategy and InfoSec risk mitigation plan.
3. What are the five risk control strategies presented in this chapter?
Answer: The five risk control strategies presented in this text are defense, transference, mitigation, acceptance, and termination.
18. What is a hybrid risk assessment?
Answer: The hybrid assessment approach tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated estimations used for quantitative measures. Hybrid assessment uses scales rather than specific estimates.
7. Describe the strategy of acceptance.
Answer: The risk control strategy of acceptance is an understanding of the consequences and acknowledgment of the risk by the proper level of authority, without any attempt at control or mitigation.
4. Describe the strategy of defense
Answer: The risk control strategy of defense is the application of safeguards that eliminate or reduce the remaining uncontrolled risks.
6. Describe the strategy of mitigation.
Answer: The risk control strategy of mitigation is the reduction of a risk's impact after a successful attack by preparing for its occurrence and the immediate actions needed to ameliorate the consequences.
5. Describe the strategy of transference.
Answer: The risk control strategy of transference is the shifting of risks to other areas or to outside entities
9. What are the three common approaches to implement the defense risk control strategy?
Answer: The three common approaches are the application of policy, the application of training and education, and the implementation of technology.