Chapter 1: Managing Risk
If you calculate the SLE to be $25,000 and that there will be one occurrence every four years (ARO), then the ALE is $6,250 ($25,000 x 0.25).
If you calculate the SLE to be $25,000 and that there will be one occurrence every four years (ARO), then what is the ALE?
ALE (annual loss expectancy) is equal to the SLE times the annualized rate of occurrence. In this case, the SLE is $2 million, and the ARO is 1/60.
Refer to the scenario in question 2. Which of the following amounts is the ALE for this scenario?
ARO (annualized rate of occurrence) is the frequency (in number of years) that an event can be expected to happen. In this case, the ARO is 1/60.
Refer to the scenario in question 2. Which of the following is the ARO for this scenario?
False positives are events that were mistakenly flagged and aren't truly events to be concerned about.
What is the term used for events that were mistakenly flagged although they weren't truly events about which to be concerned?
Service-Level Agreement (SLA)
an agreement that specifies performance requirements for a vendor. This agreement may use mean time before failure (MTBF) and mean time to repair (MTTR) as performance measures in the SLA
Risk Analysis
an evaluation of each risk that can be identified. Each risk should be outlined, described, and evaluated on the likelihood of it occurring
Risk Assessment
an evaluation of the possibility of a threat or vulnerability existing. An assessment must be performed before any other actions (such as how much to spend on security in terms of dollars and manpower) can be decided
Asset Value (AV)
the assessed value of an item (server, property, and so on) associated with cash flow
Single Loss Expectancy (SLE)
the cost of a single loss when it occurs. This loss can be a critical failure, or it can be the result of an attack.
It does not matter how frequently a loss is projected to occur (only once every 60 years, in this case). What does matter is that each occurrence will be disastrous: SLE (single loss expectancy) is equal to asset value (AV) times exposure factor (EF). In this case, the asset value is $2 million, and the exposure factor is 1.
(Question 2) Consider the following scenario. The asset value of your company's primary servers is $2 million, and they are housed in a single office building in Anderson, Indiana. Field offices are scattered throughout the United States, but the workstations located at the field offices serve as thin clients and access data from the Anderson servers. Tornadoes in this part of the country are not uncommon, and it is estimated that one will level the building every 60 years. Which of the following is the SLE for this scenario?
If you calculate the SLE to be $4,000 and that there will be 10 occurrences a year (ARO), then the ALE is $40,000 ($4,000 x 10).
If you calculate the SLE to be $4,000 and that there will be 10 occurrences a year (ARO), then the ALE is:
Collusion is an agreement between two or more parties established for the purpose of committing deception or fraud. Collusion, when part of a crime, is also a criminal act in and of itself.
Separation of duties helps to prevent an individual from embezzling money from a company. To embezzle funds successfully, an individual would need to recruit others to commit an act of ___ (an agreement between two or more parties established for the purpose of committing deception or fraud).
Risk acceptance necessitates an identified risk that those involved understand the potential cost or damage and agree to accept it.
Which of the following strategies necessitates an identified risk that those involved understand the potential cost/damage and agree to live with it?
The ISA (Interconnection Security Agreement) specifies the technical and security requirements of the interconnection.
Which of the following agreements contains the technical information regarding the technical and security requirements of the interconnection between two or more organizations?
Change management is a structured approach that is followed to secure a company's assets.
Which of the following is the structured approach that is followed to secure a company's assets?
A separation of duties policy is designed to reduce the risk of fraud and to prevent other losses in an organization.
Which of the following policies is designed to reduce the risk of fraud and prevent other losses in an organization?
An acceptable use policy describes how the employees in an organization can use company systems and resources, both software and hardware.
Which of the following policies describes how the employees in an organization can use company systems and resources, both software and hardware?
The exception policy statement may include an escalation contact in the event that the person dealing with a situation needs to know whom to contact.
Which of the following policy statements may include an escalation contact in the event that the person dealing with a situation needs to know whom to contact?
The risk-assessment component, in conjunction with the business impact analysis (BIA), provides an organization with an accurate picture of the situation it faces.
Which of the following policy statements should address who is responsible for ensuring that policy is enforced?
The principle of least privilege should be used when assigning permissions. Give users only the permissions that they need to do their work and no more.
Which of the following should be used when assigning permissions, giving users only the permissions they need to do their work and no more?
Risk avoidance involves identifying a risk and making the decision no longer to engage in the actions associated with that risk.
Which of the following strategies involves identifying a risk and making the decision to discontinue engaging in the action?
Risk transference involves sharing some of the risk burden with someone else, such as an insurance company.
Which of the following strategies involves sharing some of the risk burden with someone else, such as an insurance company?
Risk mitigation is accomplished any time you take steps to reduce risk.
Which of the following strategies is accomplished any time you take steps to reduce risk?
Guidelines help clarify processes to maintain standards. Guidelines tend to be less formal than policies or standards.
You're the chief security contact for MTS. One of your primary tasks is to document everything related to security and create a manual that can be used to manage the company in your absence. Which documents should be referenced in your manual as ones that identify the methods used to accomplish a given task?
Annualized Rate of Occurrence (ARO)
a calculation of how often a threat will occur. For example, a threat that occurs once every five years has an annualized rate of occurrence of 1/5 or 0.2.
Annual Loss Expectancy (ALE)
a calculation used to identify risks and calculate the expected loss each year
Redundant Array of Independent Disks (RAID)
a configuration of multiple hard disks used to provide fault tolerance should a disk fail. Different levels of RAID exist
Vulnerability
a flaw or weakness in some part of a system's security procedures, design, implementation, or internal controls that could expose it to danger (accidental or intentional) and result in a violation of the security policy
Single Point of Failure (SPOF)
a single weakness that is capable of bringing an entire system down
Risk Avoidance
a strategy of dealing with risk in which it is decided that the best approach is to avoid the risk
Risk Mitigation
a strategy of dealing with risk in which it is decided that the best approach is to lessen the risk
Risk Acceptance
a strategy of dealing with risk in which it is decided the best approach is simply to accept the consequences should the threat happen
Risk Deterrence
a strategy of dealing with risk in which it is decided that the best approach is to discourage potential attackers from engaging in the behavior that leads to the risk
Risk Transference
a strategy of dealing with risk in which it is decided that the best approach is to offload some of the risk through insurance, third-party contracts, and/or shared responsibility
Business Impact Analysis (BIA)
a study of the possible impact if a disruption to a business's vital resources were to occur
Business Partners Agreement (BPA)
an agreement between partners in a business that outlines their responsibilities, obligations, and sharing of profits and losses
Acceptable Use Policy/Rules of Behavior
agreed-upon principles set forth by a company to govern how the employees of that company may use resources such as computers and Internet access
Interconnection Security Agreement (ISA)
as defined by NIST (in Publication 800-47), it's "an agreement established between the organizations that own and operate connected IT systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between organizations"
Memorandum of Understanding (MOU)/Memorandum of Agreement (MOA)
most commonly known as an MOU rather than MOA, this is a document between two or more parties defining their respective responsibilities in accomplishing a particular goal or mission, such as securing a system
Recovery Time Objective (RTO)
the maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable
Maximum Tolerable Downtime (MTD)
the maximum period of time that a business process can be down before the survival of the organization is at risk
Mean Time to Restore (MTTR)
the measurement of how long it takes to repair a system or component once a failure occurs
Mean Time Between Failures (MTBF)
the measurement of the anticipated lifetime of a system or component
Mean Time to Failure (MTTF)
the measurement of the average of how long it takes a system or component to fail
Recovery Point Objective (RPO)
the point of last known good data prior to an outage that is used to recover systems
Exposure Factor (EF)
the potential percentage of loss to an asset if a threat is realized
Risk
the probability that a particular threat will occur, either accidentally or intentionally, leaving a system vulnerable, and the impact of this occurring
Risk Calculation
the process of calculating the risks that exist in terms of cost, number, frequency, and so forth