Module 5, Unit 3 - Risk Management
Every change should be accompanied by a _____ so that the change can be reversed if it has harmful or unforeseen consequences.
Rollback (or remediation) plan
Which risk response technique means that you stop doing the activity that is risk-bearing?
Avoidance
There are many software suites and associated hardware solutions available for tracking and managing assets via a database that can be configured to store as much or as little information as is deemed necessary. This assists in what?
Asset Management
Unlicensed software exposes an organization to large fines and penalties, and the software vendor may suspend all licenses if the customer is found to be non-compliant. Which security properties does this affect?
Availability and Integrity
Identify the critical functions or processes of the business or organization, identify the assets and resources on which the organization depends, identify threats to the organization's functions and assets, and assess the risk of each function or asset given the threats, are the four components of what?
BIA (Business Impact Analysis)
Risk management starts with an initial risk investigation or analysis. This is often called what?
BIA (Business Impact Analysis)
For MEFs (Mission Essential Function), it is important to reduce the number of dependencies between components. Dependencies are identified by performing what on each function?
BPA (Business Process Analysis)
Major or significant changes might be managed as a separate project and require approval through what?
CAB (Change Advisory Board)
The period following a disaster that a system may remain offline, representing the amount of time it takes to identify that there is a problem and then perform a system recovery.
RTO (Recovery Time Objective)
What are two main metrics that govern the analysis of MEFs (Mission Essential Function)?
RTO (Recovery Time Objective) and RPO (Recovery Point Objective)
What helps determine which business functions are critical and also specify appropriate risk countermeasures?
RTO (Recovery Time Objective) and RPO (Recovery Point Objective)
The need for change where it is forced on the organization.
Reactive
The need for change is described as _____ or _____.
Reactive or proactive
The assessed likelihood of loss or damage together with its consequence (cost).
Risk
When setting up a security system, or reviewing an existing one, one of the first steps is to set up a team responsible for what?
Risk Management
There are a number of ways of mitigating risk. Deploying a countermeasure that reduces exposure to a threat or vulnerability is known as what?
Risk deterrence
The overall process of reducing exposure to or the effects of risk factors.
Risk mitigation or remediation
Controls that can either make a risk incident less likely or less costly are referred to as what?
Risk reduction
A document showing the results of risk assessments in a comprehensive format.
Risk register
FIPS 199 discusses how to apply _____ to information systems based on the impact that a breach of confidentiality, integrity, or availability would have on the organization as a whole.
SC (Security Categorizations)
The amount that would be lost in a single occurrence of the risk factor, determined by multiplying the value of the asset by an EF (Exposure Factor).
SLE (Single Loss Expectancy)
A formal document that lists PII maintained by a Federal agency of the US government.
SORN (Systems of Records Notice)
It is important to realize that the value of an asset does not refer solely to its material value. The two principal additional considerations are what?
Downtime and cost to intangible assets
The amount that would be lost over the course of a year, determined by multiplying the SLE (Single Loss Expectancy) by the ARO (Annual Rate of Occurrence).
ALE (Annual Loss Expectancy)
Which risk response technique means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be unavoidable delay before the countermeasures are deployed, but continuous monitoring of the risk should be performed?
Acceptance
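The SLE and ALE definitions above, and the acceptance response that follows them, are easiest to see applied to numbers. The following is an added worked example, not part of the course material: it computes SLE = AV x EF and ALE = SLE x ARO for a couple of risks, ranks them the way a risk register would, and then compares the ALE saved by a proposed countermeasure against the countermeasure's annual cost to decide between mitigation and acceptance. The asset values, exposure factors, rates of occurrence and control costs are constructed sample figures chosen for illustration.

```python
# Added worked example (not from the course text): quantitative risk assessment
# using the SLE/ALE formulas, producing a simple risk register ranked by ALE
# and a mitigate-vs-accept decision for a proposed countermeasure.
# All asset values, exposure factors, rates and control costs below are
# constructed sample figures, not real data.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    asset_value: float      # AV: value of the asset (material value plus
                            # downtime and intangible costs, per the BIA)
    exposure_factor: float  # EF: fraction of AV lost in one occurrence, 0.0-1.0
    aro: float              # ARO: expected occurrences per year (0.1 = once a decade)

    def __post_init__(self):
        # EF is a proportion; a value outside 0..1 is a data-entry error.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")


@dataclass
class Control:
    name: str
    annual_cost: float
    ef_after: Optional[float] = None   # new EF once deployed (None = unchanged)
    aro_after: Optional[float] = None  # new ARO once deployed (None = unchanged)


def sle(risk: Risk) -> float:
    """Single Loss Expectancy: SLE = AV * EF (rounded to cents)."""
    return round(risk.asset_value * risk.exposure_factor, 2)


def ale(risk: Risk) -> float:
    """Annual Loss Expectancy: ALE = SLE * ARO (rounded to cents)."""
    return round(sle(risk) * risk.aro, 2)


def risk_register(risks: list) -> list:
    """Rank risks by ALE, highest first: the quantitative core of a risk register."""
    rows = [(r.name, sle(r), ale(r)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def evaluate_control(risk: Risk, control: Control) -> dict:
    """Compare ALE before and after a countermeasure against its annual cost.
    A positive net benefit justifies mitigation; otherwise the risk is accepted
    (and kept under monitoring) because the control costs more than it saves."""
    residual = Risk(
        risk.name,
        risk.asset_value,
        risk.exposure_factor if control.ef_after is None else control.ef_after,
        risk.aro if control.aro_after is None else control.aro_after,
    )
    before, after = ale(risk), ale(residual)
    net_benefit = round(before - after - control.annual_cost, 2)
    return {
        "risk": risk.name,
        "control": control.name,
        "ale_before": before,
        "ale_after": after,
        "net_benefit": net_benefit,
        "response": "mitigate" if net_benefit > 0 else "accept",
    }


# Constructed sample scenario (hypothetical figures).
FILE_SERVER = Risk("file server hardware loss", asset_value=50_000, exposure_factor=0.4, aro=0.1)
WORKSTATION = Risk("workstation ransomware", asset_value=5_000, exposure_factor=1.0, aro=0.05)
OFFSITE_BACKUP = Control("off-site backup", annual_cost=500, ef_after=0.1)
EDR_AGENT = Control("EDR agent", annual_cost=600, aro_after=0.01)

if __name__ == "__main__":
    for name, s, a in risk_register([FILE_SERVER, WORKSTATION]):
        print(f"{name:30} SLE={s:>10,.2f} ALE={a:>9,.2f}")
    for risk, control in ((FILE_SERVER, OFFSITE_BACKUP), (WORKSTATION, EDR_AGENT)):
        print(evaluate_control(risk, control))
```

With the sample figures the file server risk has SLE 20,000 and ALE 2,000; the backup cuts ALE to 500 for 500 a year, a net gain of 1,000, so it is mitigated. The workstation risk has ALE 250; the EDR agent reduces it to 50 but costs 600 a year, so the risk is accepted and monitored rather than treated.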
Compiling an inventory of an organization's business processes and its tangible and intangible assets and resources, which is a crucial part of a risk assessment.
Identification of critical systems
The severity of the risk, which may be determined by factors such as the value of the asset or the cost of disruption if the asset is compromised.
Impact
Planning and testing systems and operations so that they are as little affected by incidents as possible and so that the resources are available to recover from them.
Business continuity
In order to reduce the risk that changes to configuration items will cause service disruption, what can be used to implement changes in a planned and controlled way?
Documented change management process
Threat sources caused by some sort of failure in the built environment, which could include power or telecoms failure, pollution, or accidental damage such as fire.
Environmental
Tangible assets can be identified using a barcode label or _________ tag attached to the device.
RFID (Radio Frequency ID)
The amount of data loss that a system can sustain - measured in time.
RPO (Recovery Point Objective)
Which FIPS 199 SC (Security Categorization) is major damage or loss, or the inability to perform one or more essential functions?
High
Having completed the asset and threat identification and completed a risk assessment, vulnerabilities can be identified how?
High value asset, threats with high likelihood, and procedures/equipment/software that increase the likelihood of threats
What factors should a BPA (Business Process Analysis) identify?
Inputs, hardware, staff and other resources supporting a function, outputs, and process flow
Metrics used in quality and performance management that are also likely to be quoted in a BIA (Business Impact Analysis).
KPI (Key Performance Indicators)
Threat sources that include downloading or distributing obscene material, defamatory comments published on social networking sites, hijacked email or web servers used for spam or phishing attacks, third-party liability for theft or damage of personal data, and accounting and regulatory liability to preserve accurate records.
Legal and commercial
Identifying unlicensed and unauthorized software installed on clients/servers/VMs, identifying per-seat or per-user compliance with software licenses, preparing for vendor audits, and ensuring compliance with the terms of open source licensing, are all activities to ensure compliance with what?
License agreements
The probability of the threat being realized.
Likelihood
Calculating risk is complex but the two main variables are what?
Likelihood and Impact
Which FIPS 199 SC (Security Categorization) is minor damage or loss to an asset or loss of performance?
Low
A function that an organization must be able to perform as close to continually as possible and if there is any service disruption, these functions must be restored first.
MEF (Mission Essential Function)
Represent the expected lifetime of a product or system; the first should be used for non-repairable systems and the second for repairable ones.
MTTF (Mean Time to Failure) and MTBF (Mean Time Between Failures)
A measure of the time taken to correct a fault so that the system is restored to full operation.
MTTR (Mean Time to Repair)
Threat sources emanating from terrorism or war, or from vandalism or arson.
Manmade disaster
Which FIPS 199 SC (Security Categorization) is significant damage or loss to assets or performance?
Moderate
Threat sources such as river or sea floods, earthquakes, electrical storms, and so on.
Natural disaster
Risks whose impacts affect property (premises) mostly arise due to what?
Natural disaster, war/terrorism, and fire
What is the most critical type of impact?
One that could lead to loss of life or critical injury
A detailed study to assess the risks associated with storing, processing, and disclosing PII; it should identify vulnerabilities that may lead to data breach and evaluate controls mitigating against those risks.
PIA (Privacy Impact Assessment)
Another important source of risk is the unauthorized disclosure of what?
PII (Personally Identifiable Information)
An initial audit to determine whether a computer system or workflow collects, stores, or processes PII to a degree where a PIA (Privacy Impact Assessment) must be performed.
PTA (Privacy Threshold Analysis)
The need for change where it is initiated internally.
Proactive
Being up-to-date with best practices and standards relevant to the type of business or organization helps identify what?
Procedures or standards that are not currently being implemented but should be
A risk assessment that avoids the complexity of the quantitative approach and is focused on identifying significant risk factors.
Qualitative
A risk assessment that aims to assign concrete values to each risk factor.
Quantitative
What are the two methods of risk assessment?
Quantitative and Qualitative
In a formal change management process, the need for change and the procedure for implementing the change are captured in what type of document, which is submitted for approval?
RFC (Request for Change)
Reducing dependencies makes it easier to provision redundant systems to allow the function to failover to a backup system smoothly. This means the systems design can more easily eliminate the sort of weaknesses that come from having what?
Single points of failure
A series of companies involved in fulfilling a product; its assessment aims to determine whether each link in the chain is sufficiently robust.
Supply Chain
Within the inventory of assets and business processes, what is important to assess?
Their relative importance
The sources or motivations of people and things that could cause loss or damage.
Threat
A large part of the threat assessment aims to identify what, both internal and external to the organization, and to understand their motives in order to assess the level of risk that each type poses?
Threat actors
Compiling a prioritized list of probable and possible threats.
Threat identification
In a natural disaster, where on the list of protection priorities is people's personal safety?
Top
Which risk response technique means assigning risk to a third-party, such as an insurance company or a contract with a supplier that defines liabilities?
Transference
A specific flaw or weakness that could be exploited to overcome a security system.
Vulnerability