Module 11 Risk Mitigation
Which of the following are key regulations and standards in BIA?
International Organization for Standardization (ISO) 22301; National Fire Protection Association (NFPA) 1600; Federal Financial Institutions Examination Council (FFIEC) BCP standard
detective control
A control designed to identify any threat that has reached the system.
Operational
A control implemented and executed by people.
Technical
A control incorporated as part of hardware, software, or firmware.
deterrent control
A control that attempts to discourage security violations before they occur.
preventative control
A control that attempts to stop a threat before it can reach and act on a vulnerability.
physical control
A control that implements security in a defined structure and location.
corrective control
A control that is intended to mitigate or lessen the damage caused by an incident.
compensating control
A control that provides an alternative to normal controls that for some reason cannot be used.
Managerial
A control that uses administrative methods.
policy
A document that outlines specific requirements or rules that must be met.
Prescriptive frameworks
A framework that describes specific cybersecurity issues, such as security controls, which must be addressed.
Risk-based frameworks
A framework that focuses on the management and measurement of risk.
engineering trade-offs
A means for addressing compromises in risk evaluation.
White Team
A penetration testing team that enforces the rules of the penetration testing.
Blue Team
A penetration testing team that monitors for Red Team attacks and shores up defenses as necessary.
Red Team
A penetration testing team that scans for vulnerabilities and then exploits them.
continuous monitoring policy
A policy that defines how the organization may monitor its employees.
acceptable use policy (AUP)
A policy that defines the actions users may perform while accessing devices and networks belonging to the organization.
data ownership policy
A policy that defines the duties of a data custodian and a data owner for the protection of data.
data retention policy
A policy that outlines how long information in the user's possession must be kept and how it is to be maintained for that predetermined length of time.
code of conduct/ethics policy
A policy that outlines the expectations regarding an employee's behavior toward their colleagues, supervisors, customers, and other constituents.
work product retention policy
A policy that outlines who owns the material produced by an employee in the course of his or her work.
systems assessment
A process for evaluating the cybersecurity protections of a system.
business impact analysis (BIA)
A process for identifying business processes and functions and then quantifying the impact that a loss of these functions may have on business operations.
account management policy
A security policy for personnel who are responsible for the management of user accounts, access to shared information or network devices, or access to information held within a database, application, or shared file space.
password policy
A security policy to address how passwords are created and managed.
audit
A systematic evaluation of the effectiveness of the controls when compared against a state of established criteria.
exercises
A practical activity in which cybersecurity teams rehearse their response to a scenario.
Tabletop
A discussion-based training exercise, typically short (around 30 minutes), in which a team talks through a scenario in an informal and stress-free environment.
Which of the following is also known as a fair use policy?
Acceptable use(age) policy
compliance audits
An audit to determine if controls are being properly implemented.
regulatory audits
An audit to ensure the controls are aligning to regulations established by outside agencies.
assessment
An internal review of security controls that are compared against stated security objectives.
Which of the following is a systematic evaluation of the effectiveness of the controls as compared to a state of established criteria?
Audit
Giovanni is completing a report on risks. Which risk option would he use to classify the organization's decision not to construct a new data center because it would be located in an earthquake zone?
Avoidance
What identifies business processes and functions and then quantifies the impact a loss of these functions may have on business operations?
BIA
Which of the following is NOT covered by an AUP?
Competitors
security controls
Countermeasures for managing risk.
Which of the following policy defines the management of and access to the data within an organization?
Data Ownership
Simona needs to research a control that attempts to discourage security violations before they occur. Which control will she research?
Deterrent control
training
End-user instruction to increase risk awareness.
Which of the following threats would be classified as the actions of a hacktivist?
External threat
True or False: A preventative control is designed to identify any threat that has reached the system.
False
True or False: Risk avoidance utilizes cybersecurity insurance.
False
True or false: Risk discovery and elimination should not be communicated with stakeholders.
False
True or false: The risk identification phase in the risk management process determines the risk faced by the assets.
False
In which of the following threat classifications would a power blackout be classified?
Operational
Which of the following control categories includes conducting workshops to help users resist phishing attacks?
Operational
Which of the following is a step-by-step implementation of a policy?
Procedure
Purple Team
Provides real-time feedback between the Red and Blue Teams to enhance the testing
Which of the following is NOT a category of risk?
Public
Which of the following approaches to risk calculation typically assigns a numeric value (1-10) or label (High, Medium, or Low) to represent a risk?
Qualitative risk calculation
Risk prioritization
Ranking risks so that the most critical risks are addressed first.
supply chain assessment
An evaluation of each step in the supply chain, performed to reduce the risk of supply chain infections.
Which of these is NOT a formal and documented response to risk?
Resistance
Which of the following is a list of potential threats and associated risks?
Risk register
Which of the following frameworks focuses on the management and measurement of risk?
Risk-based frameworks
Emiliano needs to determine the expected monetary loss every time a risk occurs. Which formula will he use?
SLE (single loss expectancy), calculated as asset value (AV) multiplied by exposure factor (EF)
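The following is an added worked example, not part of the original flashcard set, tying together the risk register, quantitative (SLE/ALE) and qualitative (1-10 score, High/Medium/Low label) risk calculation, and risk prioritization from the cards above. The register entries, the asset values, exposure factors, annualized rates of occurrence, and the High/Medium/Low thresholds are all constructed assumptions for illustration; the cost-benefit check at the end (compare the reduction in ALE against the annual cost of a control) goes slightly beyond the cards and is standard practice rather than something the page states.

```python
"""Risk register with quantitative and qualitative scoring and prioritization.

Added example; all data below is constructed, not taken from any real assessment.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class RiskEntry:
    """One row of a risk register (constructed fields)."""
    name: str
    asset_value: float       # AV: monetary value of the affected asset
    exposure_factor: float   # EF: fraction of AV lost per occurrence (0.0-1.0)
    aro: float               # ARO: expected occurrences per year
    likelihood: int          # qualitative 1-10
    impact: int              # qualitative 1-10

    def sle(self) -> float:
        """Single loss expectancy: expected loss each time the risk occurs (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly loss (SLE x ARO)."""
        return self.sle() * self.aro

    def qualitative_score(self) -> int:
        """Qualitative magnitude: likelihood x impact on the 1-10 scales."""
        return self.likelihood * self.impact


def qualitative_label(score: int) -> str:
    """Map a likelihood x impact score (1-100) to a label.

    Thresholds are an assumption for this example, not a standard.
    """
    if score >= 50:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def prioritize(register: List[RiskEntry], quantitative: bool = True) -> List[Tuple[str, float]]:
    """Rank risks so the most critical are addressed first.

    Quantitative ranking sorts by ALE; qualitative ranking sorts by the 1-100 score.
    Returns (name, ranking value) pairs, highest first.
    """
    key = (lambda r: r.ale()) if quantitative else (lambda r: float(r.qualitative_score()))
    return [(r.name, key(r)) for r in sorted(register, key=key, reverse=True)]


def control_is_worthwhile(risk: RiskEntry, ale_after_control: float, annual_control_cost: float) -> bool:
    """Cost-benefit check: mitigate only if the yearly ALE reduction exceeds the control's yearly cost."""
    return (risk.ale() - ale_after_control) > annual_control_cost


# Constructed sample register (values chosen to be exact in binary floating point).
SAMPLE_REGISTER = [
    RiskEntry("Ransomware on file server", asset_value=200_000, exposure_factor=0.25, aro=0.5,
              likelihood=7, impact=8),
    RiskEntry("Lost unencrypted laptop", asset_value=50_000, exposure_factor=1.0, aro=2.0,
              likelihood=9, impact=4),
    RiskEntry("Data center flood", asset_value=1_000_000, exposure_factor=0.5, aro=0.03125,
              likelihood=2, impact=10),
]


if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name:28s} SLE={r.sle():>10,.0f} ALE={r.ale():>10,.0f} "
              f"qual={r.qualitative_score():3d} ({qualitative_label(r.qualitative_score())})")
    print("By ALE:", prioritize(SAMPLE_REGISTER))
    print("By qualitative score:", prioritize(SAMPLE_REGISTER, quantitative=False))
    laptop = SAMPLE_REGISTER[1]
    # Assumed: full-disk encryption cuts laptop-loss ALE to 5,000/yr at a cost of 12,000/yr.
    print("Encrypt laptops?", control_is_worthwhile(laptop, 5_000, 12_000))
```

Note that the two rankings disagree: the flood risk has the highest qualitative score because of its impact, but its low ARO gives it the smallest ALE. That disagreement is exactly what the cards' distinction between qualitative and quantitative calculation is meant to surface, and it is why a register should record both.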
Which of the following is NOT used in a cyber systems assessment?
SOAR analysis
Which threat classification affects the long-term goals of the organization?
Strategic
Which of the following is NOT a threat classification category?
Tactical
What is logical control also known as?
Technical Control
risk magnitude
The impact of a risk.
risk probability
The likelihood that a risk will materialize (a threat exploits the vulnerability) within a specific period of time.
risk identification process
The procedures for identifying risk.
communication of risk factors
The process of informing constituents of risk prioritization.
documenting compensating controls
The process of recording each compensating control that is in place and the normal control it substitutes for.
hardware source authenticity
The process of verifying that hardware components have been purchased from a reputable supplier.
procedure
The step-by-step implementation of a policy.
Vendor due diligence (VDD)
The steps that purchasers take to vet a supplier from which they are purchasing the hardware or software.
Which of the following is NOT correct about supply chain infections?
They only involve software.
True or False: An operational control is implemented and executed by people.
True
True or False: At a basic level, risk may be defined as a situation that involves exposure to some type of danger, while at a more advanced level, risk can be described as a function of threats, consequences of those threats, and the resulting vulnerabilities.
True
True or false: A policy is a set of principles or guidelines that must define an objective for the organization.
True
True or false: Business impact analysis determines the impact if any of the critical function goes down.
True
True or false: Prescriptive frameworks define a specific direction or a series of steps, which can be in the form of procedures.
True
What does a work product retention policy address?
Who owns material produced by an employee
framework
A series of documented processes used to define policies and procedures for the implementation and management of security controls in an enterprise environment.