Sec+ Ch 34: Risk Management
1. Which of the following is the name often used to describe the process of addressing the questions associated with sources of risk, their impacts, and the steps taken to mitigate them in the enterprise? A. Risk assessment B. Business impact analysis C. Threat assessment D. Penetration test
1. B. Business impact analysis (BIA) is the name often used to describe a document created by addressing the questions associated with sources of risk and the steps taken to mitigate them in the enterprise. A risk assessment is a method to analyze potential risk based on statistical and mathematical models. A common method is the calculation of the annual loss expectancy (ALE). A threat assessment is a structured analysis of the threats that confront an enterprise. Penetration tests are used by organizations that want a real-world test of their security.
10. Which of the following represents a method of transferring risk to a third party? A. Applying controls that reduce risk impact B. Creating a record of information about identified risks C. Developing and forwarding the results of a risk matrix/heat map D. Purchasing cybersecurity insurance
10. D. A common method of transferring risk is to purchase cybersecurity insurance. Insurance allows risk to be transferred to a third party that manages specific types of risk for multiple parties, thus reducing the individual costs. Applying controls that reduce risk impact describes risk mitigation. A risk register is "a record of information about identified risks," as defined by the reference document ISO Guide 73:2009 Risk Management—Vocabulary. A risk matrix/heat map is used to visually display the results of a qualitative risk analysis.
2. Which of the following terms is used to describe the target time that is set for the resumption of operations after an incident? A. RPO B. MTBF C. RTO D. MTTR
2. C. The term recovery time objective (RTO) is used to describe the target time that is set for the resumption of operations after an incident. Recovery point objective (RPO) represents the maximum time period of acceptable data loss. Mean time between failures (MTBF) is a common measure of reliability of a system and is an expression of the average time between system failures. Mean time to repair (MTTR) is a common measure of how long it takes to repair a given failure.
3. Which of the following is a common measure of how long it takes to fix a given failure? A. MTTR B. RTO C. RPO D. MTBF
3. A. Mean time to repair (MTTR) is a common measure of how long it takes to repair a given failure. Recovery time objective (RTO) describes the target time that is set for the resumption of operations after an incident. Recovery point objective (RPO) represents the maximum time period of acceptable data loss. Mean time between failures (MTBF) is a common measure of reliability of a system and is an expression of the average time between system failures.
4. Which of the following is a system component whose failure or malfunctioning could result in the failure of the entire system? A. Mean time between failures B. Single point of failure C. Single-loss expectancy D. Likelihood of occurrence
4. B. A single point of failure is any aspect of a system that, if triggered, could result in the failure of the entire system. Mean time between failures (MTBF) is a common measure of reliability of a system and is an expression of the average time between system failures. Single loss expectancy (SLE) is the expected loss from the occurrence of a risk on an asset. The likelihood of occurrence is the chance that a particular risk will occur.
5. Which of the following is the process of subjectively determining the impact of an event that affects a project, program, or business? A. Likelihood of occurrence B. Functional recovery plan C. Qualitative risk assessment D. Quantitative risk assessment
5. C. Qualitative risk assessment is the process of subjectively determining the impact of an event that affects a project, program, or business. The likelihood of occurrence is the chance that a particular risk will occur. Functional recovery plans represent the transition from operations under business continuity back to normal operations. Quantitative risk assessment is the process of objectively determining the impact of an event that affects a project, program, or business.
6. Which of the following describe mission-essential functions? (Choose all that apply.) A. Functions that, if they do not occur, would directly affect the mission of the organization B. Functions that, if they are not accomplished properly, would directly affect the mission of the organization C. Functions that are considered essential to the organization D. The routine business functions
6. A, B, and C. Mission-essential functions are those that, should they not occur or be performed properly, will directly affect the mission of the organization. This is where you spend the majority of your effort—protecting the functions that are essential. It is important to separate mission-essential functions from other business functions.
7. Which of the following is the best description of risk? A. The cost associated with a realized risk B. The chance of something not working as planned C. Damage that is the result of unmitigated risk D. The level of concern one places on the well-being of people
7. B. Risk is the chance of something not working as planned and causing an adverse impact. Impact is the cost associated with a realized risk. Property damage can be the result of unmitigated risk. Safety is when you consider the level of concern one places on the well-being of people.
8. Which of the following impacts is in many ways the final arbiter of all activities because it is how we "keep score"? A. Reputation B. Safety C. Finance D. Life
8. C. Finance is in many ways the final arbiter of all activities because it is how we keep score. The others are important but are not considered the final arbiter.
9. Which of the following is a representation of the frequency of an event, measured in a standard year? A. Annual loss expectancy (ALE) B. Annualized rate of occurrence (ARO) C. Single-loss expectancy (SLE) D. Annualized expectancy of occurrence (AEO)
9. B. The annualized rate of occurrence (ARO) is a representation of the frequency of the event, measured in a standard year. The annual loss expectancy (ALE) is calculated by multiplying the single-loss expectancy (SLE) by the likelihood or number of times the event is expected to occur in a year. The SLE is calculated by multiplying the asset value times the exposure factor. Annualized expectancy of occurrence (AEO) is not a term used in the cybersecurity industry.
Annualized Loss Expectancy (ALE)
After the SLE has been calculated, the annual loss expectancy (ALE) is then calculated simply by multiplying the SLE by the likelihood or number of times the event is expected to occur in a year, which is called the annualized rate of occurrence (ARO): ALE = SLE × ARO This represents the expected losses over the course of a year based on the ALE. If multiple events are considered, the arithmetic sum of all of the SLEs and AROs can be calculated to provide a summation amount.
Business Impact Analysis
Business impact analysis (BIA) is the process used to determine the sources and relative impact values of risk elements in a process. It is also the name often used to describe a document created by addressing the questions associated with sources of risk and the steps taken to mitigate them in the enterprise. The BIA also outlines how the loss of any of your critical functions will impact the organization. This section explores the range of terms and concepts related to conducting a BIA.
Mean Time Between Failures (MTBF)
Mean time between failures (MTBF) is a common measure of reliability of a system and is an expression of the average time between system failures. The time between failures is measured from the time a system returns to service until the next failure. The MTBF is an arithmetic mean of a set of system failures: MTBF = ∑ (start of downtime - start of uptime) / number of failures Mean time to failure (MTTF) is a variation of MTBF, one that is commonly used instead of MTBF when the system is replaced in lieu of being repaired. Other than the semantic difference, the calculations are the same, and the meaning is essentially the same. EXAM TIP Although MTBF and MTTR may seem similar, they measure different things. Exam questions may ask you to perform simple calculations. Incorrect answer choices will reflect simple mistakes in the ratios, so calculate carefully.
Mean Time to Repair (MTTR)
Mean time to repair (MTTR) is a common measure of how long it takes to repair a given failure. This is the average time, and it may or may not include the time needed to obtain parts. The CompTIA Security+ Acronyms list indicates mean time to recover as an alternative meaning for MTTR. In either case, MTTR is calculated as follows: MTTR = (total downtime) / (number of breakdowns) Availability is a measure of the amount of time a system performs its intended function. Reliability is a measure of the frequency of system failures. Availability is related to, but different than, reliability and is typically expressed as a percentage of time the system is in its operational state. To calculate availability, both the MTBF and the MTTR are needed: Availability = MTBF / (MTBF + MTTR) Assuming a system has an MTBF of 6 months and the repair takes 30 minutes, the availability would be the following: Availability = 6 months / (6 months + 30 minutes) = 99.9884%
Recovery Point Objective (RPO)
Recovery point objective (RPO), a totally different concept from RTO, is the time period representing the maximum period of acceptable data loss. The RPO defines the frequency of backup operations necessary to prevent unacceptable levels of data loss. A simple example of establishing RPO is to answer the following questions: How much data can you afford to lose? How much rework is tolerable? NOTE RTO and RPO are seemingly related but in actuality measure different things entirely. The RTO serves the purpose of defining the requirements for business continuity, while the RPO deals with backup frequency. It is possible to have an RTO of 1 day and an RPO of 1 hour, or an RTO of 1 hour and an RPO of 1 day. The determining factors are the needs of the business. EXAM TIP Know the difference between RTO and RPO. The RTO serves the purpose of defining the requirements for business continuity, while the RPO deals with backup frequency.
Annualized Rate of Occurrence (ARO)
The annualized rate of occurrence (ARO) is a representation of the frequency of the event, measured in a standard year. If the event is expected to occur once in 20 years, then the ARO is 1/20. Typically, the ARO is defined by historical data, either from a company's own experience or from industry surveys. Continuing our example, assume that a fire at this business's location is expected to occur about once in 20 years. Given this information, the ALE is $1 million × 1/20 = $50,000 The ALE determines a threshold for evaluating the cost/benefit ratio of a given countermeasure. Therefore, a countermeasure to protect this business adequately should cost no more than the calculated ALE of $50,000 per year. NOTE Numerous resources are available to help in calculating ALE. There are databases that contain information to help businesses (member institutions) manage exposure to loss from natural disasters such as hurricanes, earthquakes, and so forth. These databases include information on property perils such as fire, lightning, vandalism, windstorm, hail, and so forth, and even include granular information to help evaluate, for example, the effectiveness of your building's sprinkler systems.
Asset Value
The asset value (AV) is the amount of money it would take to replace an asset. This term is used with the exposure factor (EF), a measure of how much of an asset is at risk, to determine the single-loss expectancy (SLE). EXAM TIP Understand the terms SLE, ALE, and ARO and how they are used to calculate a potential loss. You may be given a scenario, asked to calculate the SLE, ALE, or ARO, and presented answer choices that include values that would result from incorrect calculations.
Single-Loss Expectancy (SLE)
The single-loss expectancy (SLE) is the value of a loss expected from a single event. It is calculated using the following formula: SLE = asset value (AV) × exposure factor (EF) Exposure factor (EF) is a measure of the magnitude of loss of an asset. For example, to calculate the exposure factor, assume the asset value of a small office building and its contents is $2 million. Also assume that this building houses the call center for a business, and the complete loss of the center would take away about half of the capability of the company. Therefore, the exposure factor is 50 percent, and the SLE is calculated as follows: $2 million × 0.5 = $1 million
Recovery Time Objective (RTO)
The term recovery time objective (RTO) is used to describe the target time that is set for the resumption of operations after an incident. This is a period of time that is defined by the business, based on the needs of the business. A shorter RTO results in higher costs because it requires greater coordination and resources. This term is commonly used in business continuity and disaster recovery operations.