NIST SP 800-30- Guide for Conducting Risk Assessments


Risk

A measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of:
- the adverse impacts that would arise if the circumstance or event occurs;
- the likelihood of occurrence.

What publication is the Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach?

Answer A: NIST SP 800-37.

Risk

a function of the likelihood of a threat event's occurrence and potential adverse impact should the event occur.

Vulnerability

a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

A threat source is characterized as what? A. Any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. B. The intent and method targeted at the exploitation of a vulnerability. C. A situation and method that may accidentally exploit a vulnerability. D. None of the above

Answer: B & C - NIST SP 800-30, page 8. As stated in the answers.

What is the following an example of? (e.g., the location of a facility in a hurricane- or flood-prone region (increasing the likelihood of exposure to hurricanes or floods), or a stand-alone information system with no external network connectivity (decreasing the likelihood of exposure to a network-based cyber attack).) A. Pre-determined condition B. Predisposing condition C. Premeditated condition D. None of the above

Answer B - NIST 800-30, Page 10 - Predisposing condition

What is a condition that exists within an organization, a mission or business process, enterprise architecture, information system, or environment of operation, which affects (i.e., increases or decreases) the likelihood that threat events, once initiated, result in adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation? A. Pre-determined condition B. Predisposing condition C. Premeditated condition D. None of the above

Answer B - NIST 800-30, Page 10, Predisposing condition

What is the title of NIST SP 800-39? A. Managing Information Security Risk: Organization, Mission, and Information System View B. Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach C. Recommended Security Controls for Federal Information Systems and Organizations D. Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

Answer: A

Which component of risk management addresses how organizations establish a risk context, that is, describing the environment in which risk-based decisions are made? A. Frame B. Assess C. Respond D. Monitor

Answer: A - Frame. Explanation: NIST 800-30, page 4. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. The risk management strategy establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations.

What is the end result of the second component of risk management (assess)? A. Determination of Risk B. Determination of Impact C. Determination of Threat D. None of the above

Answer: A - NIST SP 800-30, page 5. The end result is a determination of risk (i.e., typically a function of the degree of harm and the likelihood of harm occurring).

Risk assessment

Process of identifying, estimating, and prioritizing information security risks.

Risk Management

Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.

Risk Assessment Process (PCCM)

Step 1: Prepare for Assessment
Step 2: Conduct Assessment
- Identify Threat Sources and Events
- Identify Vulnerabilities and Predisposing Conditions
- Determine Likelihood of Occurrence
- Determine Magnitude of Impact
- Determine Risk
Step 3: Communicate Results
Step 4: Maintain Assessment

Impact

Magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Threat

any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.

Risk models

define the risk factors to be assessed and the relationships among those factors.

Threat shifting

is the response of adversaries to perceived safeguards and/or countermeasures (i.e., security controls), in which adversaries change some characteristic of their intent/targeting in order to avoid and/or overcome those safeguards/countermeasures.

Threat source

the intent and method targeted at the exploitation of a vulnerability, or a situation and method that may accidentally exploit a vulnerability.

Aggregation

to roll up several discrete or lower-level risks into a more general or higher-level risk.

Examples of threat sources

- hostile cyber or physical attacks;
- human errors of omission or commission;
- structural failures of organization-controlled resources (e.g., hardware, software, environmental controls); and
- natural and man-made disasters, accidents, and failures beyond the control of the organization.

In what domains can threat shifting occur?

- time domain (e.g., a delay in an attack or illegal entry to conduct additional surveillance);
- target domain (e.g., selecting a different target that is not as well protected);
- resource domain (e.g., adding resources to the attack in order to reduce uncertainty or overcome safeguards and/or countermeasures);
- attack planning/attack domain (e.g., changing the attack weapon or attack path).

What is the definition of a threat? A. The magnitude of harm that can be expected as an outcome B. A specific category of information C. A condition that exists within an organization D. Any circumstance or event with the potential to create an adverse impact

Answer: D - NIST SP 800-30, page 8. A threat is any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.

What 3-step process is used to determine the likelihood of threat events? A. Organizations assess the likelihood that threat events will be initiated; organizations assess the likelihood that the threat events, once initiated or occurring, will result in adverse impacts or harm to organizational operations and assets, individuals, other organizations, or the Nation; finally, organizations assess the overall likelihood as a combination of likelihood of initiation/occurrence and likelihood of resulting in adverse impact. B. Organizations assess the impact of threat events that will be initiated; organizations assess the likelihood that the threat events, once initiated or occurring, will result in threat or risk to organizational operations and assets, individuals, other organizations, or the Nation; finally, organizations assess the overall likelihood as a combination of likelihood of initiation/occurrence and likelihood of resulting in adverse impact. C. Organizations assess the likelihood that risk will be initiated; organizations assess the likelihood that the threat events, once initiated or occurring, will result in vulnerability to organizational operations and assets, individuals, other organizations, or the Nation; finally, organizations assess the overall likelihood as a combination of likelihood of initiation/occurrence and likelihood of resulting in adverse impact. D. None of the above

Answer: A - NIST SP 800-30, page 34. Answers B and C are made up.

The tendency for ___________________ to potentially degrade in effectiveness over time reinforces the need to maintain risk assessments during the entire system development life cycle and also the importance of continuous monitoring programs to obtain ongoing situational awareness of the organizational security posture. A. Security categorization B. Security Controls C. Admin Controls D. Technical Controls

Answer: A - NIST SP 800-30, security controls

What are the 3 tiers to integrate risk management? A. Tier 1 - Organization level, Tier 2 - Mission/Business Processes, and Tier 3 - Information Systems B. Tier 1 - Mission/Business, Tier 2 - Information Systems, and Tier 3 - Organization level C. Tier 1 - Management, Tier 2 - Administrative, and Tier 3 - Business D. None of the above

Answer: A - NIST SP 800-30, page 4. Tier 1 - Organization level, Tier 2 - Mission/Business Processes, and Tier 3 - Information Systems

Likelihood of occurrence is based on which of the following? A. adversary intent B. adversary capability C. adversary targeting D. impact

Answer: A, B, and C. NIST SP 800-30, Page 10.

What is the NIST 800-53 Rev. 4 and why is it essential? A. Security and Privacy Controls for Federal Information Systems and Organizations; to provide guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. B. Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans; This publication provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. C. Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy; This publication describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. D. None of the above

Answer: A. Security and Privacy Controls for Federal Information Systems and Organizations; to provide guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. B. NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans; This publication provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. C. NIST SP 800-39, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy; This publication describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations.

What is a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities)? A. Threat B. Vulnerability C. Threat Occurrence D. Likelihood of Occurrence

Answer: C - Likelihood of Occurrence, NIST SP 800-30, Page 10.

Why is NIST SP 800-53A, Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, essential in the risk assessment process? A. Provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other. B. To provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. C. This publication provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations.

Answer: C - NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans. This publication provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. B - NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View; to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. A - NIST SP 800-30,

Which of the following are inputs to Risk Framing? A. Laws B. Policies C. Regulations D. All of the above

Answer: D - NIST SP 800-30. Risk framing inputs include:
- Laws
- Policies
- Directives
- Regulations
- Contractual relationships
- Financial limitations
Other risk framing inputs can include:
- identification of trust relationships and trust models that derive from existing memoranda of understanding or agreement (MOUs or MOAs);
- identification of the governance structures and processes that indicate the extent of or limits on decision-making authority for risk decisions that can be delegated to mission or business owners.

What are the four steps in the risk management process? A. Prepare, Conduct, Communicate, Maintain B. Prepare, Conduct, Communicate, Monitor C. Frame, Assess, Respond, Maintain D. Frame, Assess, Respond, Monitor

Answer: D - NIST SP 800-30, page 4. Risk management processes include: (i) framing risk; (ii) assessing risk; (iii) responding to risk; and (iv) monitoring risk. The mnemonic "FARM" is useful to remember.

Which component of risk management addresses how organizations monitor risk over time? A. Frame B. Assess C. Respond D. Monitor

Answer: D - NIST SP 800-30, page 5. The purpose of the risk monitoring component is to: (i) determine the ongoing effectiveness of risk responses (consistent with the organizational risk frame); (ii) identify risk-impacting changes to organizational information systems and the environments in which the systems operate; and (iii) verify that planned risk responses are implemented and that information security requirements derived from and traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied.

Risk assessments occur only in the Initiate phase of the SDLC. True or False?

Answer: False - NIST SP 800-30, page ix. Risk assessments are conducted throughout the system development life cycle, from pre-system acquisition (i.e., material solution analysis and technology development), through system acquisition (i.e., engineering/manufacturing development and production/deployment), and on into sustainment (i.e., operations/support).
