Risk Management
All possible threats, assessment of potential impact from loss of confidentiality, evaluation of critical organizational needs, & establishment of recovery priorities
What must be considered when a Risk Assessment is performed as part of the contingency response?
Threats, vulnerabilities, assets, and countermeasures
What must be identified for Risk-based Auditing?
Risk consequences
What places people at risk, system continuity and info at risk, organizational ops at risk as well as an organizational reputation at risk?
Mandatory access control policies
What policies support security labels as a means to restrict a subject's access to a particular object?
Retention policy
What policy is used when determining the disposition of information that is no longer required to support the main purpose of the business from an information security perspective?
Intentional insider
What presents the greatest area of concern for Security Management?
Risk monitoring
What process systematically tracks and evaluates the performance of Risk Mitigation actions?
Implementation of selected controls
What provides a measure of "Residual Risk" that is within management Risk Threshold?
Program Risk Management
What provides the ability to assess security need and capabilities, select appropriate safeguards, implement required controls, select adequate test controls, implement and manage changes and accept residual risk?
Cost-Benefit Analysis
What provides the cost of implementing the control and the associated measure of Risk reduction?
A balance between impact of risks and the cost of protective measures
What should the focus of an operational-risk-centric Risk Analysis be based on?
Fault-Tree Analysis
What technique can be used to support reliability and safety analysis as well as provide a systematic description of hardware and human risk factors?
Users, disgruntled employees
What threat source is considered to be the most significant?
System Categorization, costs of testing, and overall benefit to organization.
What three aspects should be considered in Training & Education protocol?
Defined threat & a recognized vulnerability
What two things must exist for a security risk to be present?
Value analysis & sound business case
What two things should investments in risk management technologies be based on?
Identify the requirement, determination, data collection, analytical methodology, and Return on Investment.
What is required in identifying the appropriate Risk Analysis tool?
Building INFOSEC capabilities into commercial and federal ISs, & provide essential info to facilitate acceptance of Risk
What is the emphasis of Risk Management Framework?
Reduce the risk level to the IT system to an acceptable or reasonable level.
What is the goal of countermeasures?
Risk Analysis
What is the impact on system reliability, security, and speed, and the consequence of failure to mitigate identified risks?
Surveillance and reconstruction of events
What is the intent of Threat Monitoring?
Rules of Engagement
What is the most important piece of documentation in the whole penetration test process?
Compliance testing
What is used to determine whether unauthorized modifications were made to production programs?
Network vulnerability assessment
What type of assessment intends to identify known vulnerabilities that are based on common misconfigurations and missing updates?
Quantitative Risk Assessment
A process used to analyze numerically the probability of each risk and its consequence on operational or business objectives to include interviews, sensitivity analysis, decision tree analysis, and simulation.
Delphi
A security risk assessment and information gathering technique that uses the consensus of subject matter experts to determine operational and business risk.
Fault-Tree Analysis
A top-down, deductive failure analysis process in which an unwanted or undesired state of a system is analyzed using a Boolean logic to combine a series of lower-level events.
Focus of Risk Management
Ability to assess security needs and capabilities, select appropriate safeguards, develop an effective security design, implement required controls, select adequate test controls, implement and manage changes, accept residual risk
Encryption
An effective mechanism to facilitate protection and administration of individual user I&A but may require significant additional administration (key management, key control, key distribution)
Single Loss Expectancy x Annual Rate of Occurrence
Calculation for Annual Loss Expectancy (ALE)
Asset Value x Exposure Factor
Calculation for Single Loss Expectancy (SLE)
Risk Management Control
Focuses on stipulating info protection security policy, standards and guidelines and helps ensure System Security Policies are up-to-date and that all significant risks are addressed.
Federal law, national statutes, agency directives, component regulations, and organizational processes, procedures and protocols.
How are risk policies established?
Eliminate or reduce impact of system threat/vulnerability pair, add targeted controls to reduce capacity and motivation of threat force, reduce magnitude of adverse impact.
How can residual risk be mitigated?
Regularly
How often should risks be reviewed to ensure the initial risk acceptance rationale is still valid?
Organization objectives and risk tolerance levels
In an organization, what two things should be analyzed when defining risk management strategies?
Design Phase
In what system life-cycle phase does Risk Analysis begin?
Internal LAN, trust-relationship, physical access, and insider
List four attack avenues
Keystroke Monitoring
Provides protection from intruders, but must be restricted to specifically authorized individuals with probable cause.
Assessment of threats to the organization, prioritization of applications, development of recovery scenarios
Risk Assessment is a balancing act based on:
Determining the assessment's scope and methodology, collecting and synthesizing data, and interpreting the risk
Risk assessment, the process of analyzing and interpreting risk, is comprised of three basic activities:
Known, unknown, known unknown (identifiable uncertainty), unknown unknown (existence yet to be encountered)
Risk impact can be determined by what four types of risks?
False
T/F An enterprise that is subject to regulation by multiple governments or organizations doesn't need to establish baseline standards for all locations or add supplemental standards.
True
T/F An objective of a Risk Management program is to maintain residual risk at an acceptable level.
True
T/F Modifying, relocating, connecting, or reconfiguring the hardware of any component within a Trusted Computing Base must be approved by the Configuration Control Review Board or Configuration Management Board to control risks.
True
T/F Risk Assessment methods and processes should be simple, structured, and organizational centric
Qualitative Risk Assessment
The process of assessing the impact and likelihood of identified risks. (Probability, likelihood, consequence)
Communications accessible by the general public; SAs' monitoring in the normal course of their duties (originator gives consent)
What are the exemptions of the Electronic Communications Privacy Act?
Capability Maturity Monitoring
What allows an enterprise to understand its level of maturity in its risk capabilities as an indicator of operational readiness and effectiveness?
Classifying information assets
What allows for identification of controls proportional to risk?
Unauthorized hosts connected to network, vulnerable services, and deviations from allowed services defined in the network security policy.
What are network scanning processes designed to identify?
Acceptance, Avoidance, Assignment, Planning, Acknowledgement, & Transfer
What are the 6 Risk Mitigation options?
Planning, assessment, handling, monitoring and mitigation
What are the five components of the risk management structure?
Preparation, assessment, mitigation, reporting, and follow-up
What are the five steps of Risk-based Auditing?
Containment, eradication, recovery, and reporting
What are the four requirements of incident response protocol?
Avoidance, transference, mitigation/control, acceptance
What are the four risk response strategies?
Develop assessment policy, prioritize and schedule assessments, select test techniques, determine logistics requirements, develop assessment plan, and assess legal considerations
What are the requirements of Training & Education planning?
Identification, analysis, assessment, response, recovery, and reporting
What are the six components of Incident Evaluation?
Categorization, Selection of controls, Implementation, Assessment, Authorization, Monitoring
What are the six strategic components of Risk Management Framework?
Identification and analysis
What are two specific requirements of a Risk Assessment?
Risk Assessment
What can be the most difficult process to accomplish in the Risk Management continuum?
Firewall
What can help facilitate access control, network protection, Auditing, minimize potential for "incident encroachment" and act as a central point of control for an organization?
Preventative and recovery controls
What does contingency planning provide?
Interception or access to wire communications, oral communications, or electronic communications
What does the Electronic Communications Privacy Act prohibit?
Monitoring techniques
What implementation can help detect organizational, operational, and environmental trends?
Stakeholder requirements
What is an important factor when designing information system controls in a complex environment?