ISMN 6740 Exam 2
what is business impact analysis
-study used to identify the impact that can result from disruptions in the business -focuses on the failure of one or more critical IT functions
qualitative risk assessment limitations
-subjective -based on expertise of experts -no CBA -no real standards
qualitative risk assessment comparison
-subjective -word values -expert opinions -key terms: probability and impact
elements to consider when determining asset value
-system access and availability -system functions -hardware and software assets -personnel assets -data and information assets -facilities and supplies
qualitative risk assessment benefits
-uses opinions of experts -easy to compute -uses words that are easy to express and understand
potential scope for web server risk assessment
-web server -database server -firewalls -DMZ
steps in implementing BIA
1. identify environment 2. identify stakeholders 3. identify CBFs 4. identify critical resources 5. identify maximum downtime 6. identify recovery priorities 7. develop the BIA report
the BIA is part of the _________
Business continuity plan (BCP)
small organization scope of BIA
Scope could include entire organization
large organization scope of BIA
Scope could include only certain areas, departments, or divisions
threat -> attack
a threat creates an attack
which of the following is a technical control? a. PKI b. awareness and training c. guards d. electrical grounding
a. PKI
what elements are included in a quantitative analysis? a. SLE, ALE, ARO b. ALE, ARO, ARP c. probability and impact d. threats and vulnerabilities
a. SLE, ALE, ARO
what can be used to ensure confidentiality of sensitive data? a. encryption b. hashing c. digital signature d. nonrepudiation
a. encryption
what does a qualitative RA use to prioritize a risk? a. probability and impact b. SLE, ARO, and ALE c. safeguard value d. cost benefit analysis
a. probability and impact
you are working on a qualitative risk assessment for your company. you are thinking about the final report. what should you consider when providing the results and recommendations? (select two) a. resource allocation b. risk acceptance c. SLE and ARO d. SLE and ALE
a. resource allocation b. risk acceptance
which type of assessment can you perform to identify weaknesses in a system without exploiting the weakness? a. vulnerability assessment b. risk assessment c. exploit assessment d. penetration test
a. vulnerability assessment
a(n) _________ control is used to ensure that users have the rights and permissions they need to perform their jobs, and no more
access
an acceptable use policy is an example of a(n) __________ control
administrative
attack -> vulnerability
an attack exploits a vulnerability
vulnerability -> loss or impact
an exploited vulnerability results in a loss
A risk ________ is a major component of a risk management plan.
assessment
what does a quantitative RA use to prioritize a risk? a. probability and impact b. ALE, ARO, and ALE c. safeguard value d. cost benefit analysis
b. ALE, ARO, and ALE
which of the following is a physical control? a. logon identifiers b. CCTV c. encryption d. BCP
b. CCTV
what is created with a risk assessment to track the implementation of the controls? a. CBA b. POAM c. ALE d. SLE
b. POAM
what type of control is an intrusion detection system (IDS)? a. preventive b. detective c. corrective d. recovery
b. detective
what must you define when performing a qualitative risk assessment? a. formulas used for ALE b. scales used to define probability and impact c. scales used to define SLE and ALE d. acceptable levels of risk
b. scales used to define probability and impact
which of the following statements is true a. the RPO applies to any systems or functions. however, the RTO only refers to data housed in databases b. the RTO applies to any systems or functions. however, the RPO only refers to data housed in databases c. the RTO and RPO apply to any system or functions d. the RTO and RPO apply to data housed in databases
b. the RTO applies to any systems or functions. however, the RPO only refers to data housed in databases
when defining the system for the risk assessment, what should you ensure is included? a. only the title of the system b. the current configuration of the system c. a list of possible attacks d. a list of previous risk assessments
b. the current configuration of the system
your organization purchased a control and installed it on several servers. this control is consuming too many server resources, and the servers can no longer function. What was not evaluated before the control was purchased? a. the cost and time to implement the control b. the operational impact of the control c. the in place and planned controls d. the impact of the risk
b. the operational impact of the control
what can you use to identify relevant vulnerabilities? a. historical data b. threat modeling c. CBA d. A and B only e. none of the above
d. A and B only
which of the following is a procedural control? a. session timeout b. reasonableness check c. water detection d. DRP
d. DRP
a _________ risk assessment is subjective. it relies on the opinions of experts
qualitative
you are trying to decide what type of risk assessment methodology to use. A primary benefit of a _______ risk assessment is that it can be completed more quickly than other methods
qualitative
a ________ risk assessment is objective. it uses data that can be verified
quantitative
a ________ risk assessment uses SLE
quantitative
you are trying to decide what type of risk assessment methodology to use. A primary benefit of a _______ risk assessment is that it includes details for a cost benefit analysis
quantitative
your organization requires users to log on with smart cards. this is an example of a(n) __________ control
technical
probability
the likelihood that a threat will exploit a vulnerability
general goal of risk assessment
to get risks to low consequence/low likelihood area
T/F A PTZ camera is used within a CCTV system. It can pan, tilt, and zoom.
true
T/F: controls can be identified based on their function. the functions are preventive, detective, and corrective
true
T/F: you are beginning an RA for a system. you should define both the operational characteristics and the mission of the system in the early stages of the RA
true
T/F: stakeholders can determine what functions are considered critical business functions
true
when should risk assessment be conducted
when evaluating risk and control and periodically after the control is implemented
do all systems have vulnerabilities
yes, all systems have vulnerabilities
why is risk assessment important
identifies which systems/assets to protect and gives insight into which controls provide most value
you are working on a BIA. you are calculating costs to determine the impact of an outage for a specific system. when calculating the costs, you should calculate the direct and _________ costs
indirect
risk matrix
matching probability and impact
the __________ identifies the maximum acceptable downtime for a system
maximum acceptable outage (MAO)
impact
negative result if a risk occurs
do all vulnerabilities result in a loss
no, not all vulnerabilities result in loss
You use video cameras to monitor the entrance of secure areas of your building. This is an example of a(n) ________ control.
physical
dimensions of BIA
-identify business impact of IT disruptions -mission critical IT systems and components -does not analyze all IT functions -stakeholders identify mission critical systems -compliance issues often drive BIA -inputs into the business continuity plan and risk assessment
technical control examples
-login identifiers -system logs -firewalls
defining scope of BIA
-define BIA scope early in the process -scope defines the boundaries of the plan -scope is affected by the size of the organization
vulnerability
-a weakness in physical, technical, or operational security -can be procedural, technical, or administrative
quantitative risk assessment limitations
-accurate data not always available -ensure people use control as expected
mission critical functions
-any function considered to be vital -derived from critical success factors -successful CSFs result in performing CBFs
asset valuation
-based on replacement or recovery value of asset -ensure risk assessment is performed on current systems -evaluate only assets within boundary of risk assessment
prior to conducting risk assessment you should:
-define the assessment -review previous findings
best practices for risk mitigation security controls
-ensure control is effective -review controls in all areas -review NIST families -redo risk assessment if control is changed
planned controls
-identified in planning documents -specified implementation date -approved but not yet installed
critical components of risk assessment
-identify scope of assessment -identify critical areas -identify team
in place controls
-in the operational system -supported by associated documentation
what is risk assessment
-key step in risk management process -determination of quantitative and qualitative value of risk -help identify safeguards to implement -required to evaluate risk/control -conducted after implementation of control
physical control examples
-locked doors -video cameras -fire detection and suppression
control categories
-national institute of standards and technology (NIST) -three classes, 18 families of control -grouped as procedural, technical, and physical
quantitative risk assessment comparison
-objective -monetary values -historical data -key terms: SLE, ARO, ALE
procedural control examples
-policies and procedures -security plans -insurance -awareness and training -background and financial checks
3 objectives of in place controls
-prevent -recover -detect
developing mitigating recommendations
-provide specific recommendations to mitigate risks identified in analysis
identifying management structure
-refers to how responsibilities are assigned -large organization may have multiple divisions
identifying and evaluating threats
-review historical data -threat modeling -understand how threats interact with risks
quantitative risk assessment benefits
-simple math problem -provides CBA -management familiar with terminology -formulas use verifiable and objective measurements
what is included in an RA that helps justify the cost of a control? a. probability and impact b. ALE c. CBA d. POAM
c. CBA
what are two objectives of a BIA? (select two) a. identify MAO b. document new policy c. identify critical resources d. identify critical business functions
c. identify critical resources d. identify critical business functions
you are working on a BIA. you are calculating costs to determine the impact of an outage for a specific system. which one of the following is a direct cost? a. loss of customers b. loss of public goodwill c. loss of sales d. loss of opportunities
c. loss of sales
logon identifiers help ensure that users cannot deny taking a specific action such as deleting a file. what is this called? a. digital signature b. encryption c. nonrepudiation d. PKI
c. nonrepudiation
what are the primary objectives of a control? a. prevent, control, and attack b. prevent, respond, and log c. prevent, recover, and detect d. detect, recover, and attack
c. prevent, recover, and detect
what elements are included in a qualitative analysis? a. SLE, ALE, ARO b. ALE, ARO, ARP c. probability and impact d. threats and vulnerabilities
c. probability and impact
you have identified the MAO for a system. you now want to specify the time required for a system to be recovered. what is this called? a. BIA time b. MAO c. recovery time objectives d. recovery point objectives
c. recovery time objectives
what should you use to ensure that users understand what they can and cannot do on systems within the network? a. acceptable use banner b. data range checks c. rules of behavior d. audit trails
c. rules of behavior
which of the following should you match with a control to mitigate a relevant risk? a. threats b. vulnerabilities c. threat/vulnerability pair d. residual risk
c. threat/vulnerability pair
quantitative risk assessment
calculates absolute financial values, losses, and costs
qualitative risk assessment
calculates relative values, losses, and costs
your organization wants to issue certificates for internal systems such as an internal Web server. you'll need to install a ___________ to issue and manage certificates
certification authority (CA)
a ______ will reduce or eliminate a threat or vulnerability
control or countermeasure
functional controls
controls based on function being performed -preventive -detective -corrective
Controls are often categorized based on how they are implemented. What are the three common methods of implementing controls? a. preventive, detective, corrective b. administrative, technical, operational c. technical, administrative, environmental d. procedural, technical, physical
d. procedural, technical, physical
you are working on a BIA. you want to identify the maximum amount of data loss an organization can accept. what is this called? a. BIA time b. MAO c. recovery time objectives d. recovery point objectives
d. recovery point objectives
what defines the boundaries of a business impact analysis? a. MAO b. BCP c. recovery objectives d. scope
d. scope
one of the challenges facing risk assessments is getting accurate data. what can be included in the risk assessment report to give an indication of the reliability of the data? a. probability statement b. accuracy scale c. validity level d. uncertainty level
d. uncertainty level
what should be logged in an audit log? a. all system events b. all security related events c. the details of what happened for an event d. who, what, when, and where details of an event
d. who, what, when, and where details of an event
of the following choices, what would be considered an asset? a. hardware b. software c. personnel d. data and information e. all of the above
e. all of the above
of the following, what would be considered a best practice when performing risk assessments? a. start with clear goals and a defined scope b. enlist support of senior management c. repeat the risk assessment regularly d. provide clear recommendations e. all of the above
e. all of the above
what can you use to help quantify risks? a. SLE b. ARO c. risk assessment d. risk mitigation plan e. all of the above
e. all of the above
which of the following should you identify during a risk assessment? a. assets b. threats c. vulnerabilities d. countermeasures e. all of the above
e. all of the above
T/F: qualitative analysis is more time consuming than quantitative analysis
false
T/F: risk assessments are a continuous process
false