PROCESSES AND CONCEPTS TEST SOLVED #10
What areas of a business or workflow must you examine to assess
multiparty risk? - correct answer You need to examine supply chain dependencies to
identify how problems with one or more suppliers would impact your business. You also
need to examine customer relationships to determine what liabilities you have in the
event of an incident that impairs your ability to supply a product or service, and what
impact the disruption of important customer accounts would have should cyber incidents
disrupt their business.
What risk type arises from shadow IT? - correct answer Shadow IT is the deployment of
hardware, software, or cloud services without the sanction of the system owner
(typically the IT department). Because the system owner remains accountable for those
assets, it will typically be liable for the software compliance/licensing risks that the
unsanctioned deployment creates.
What metric(s) could be used to make a quantitative calculation of risk due to a specific
threat to a specific function or asset? - correct answer Single Loss Expectancy (SLE) or
Annual Loss Expectancy (ALE). SLE is the asset value multiplied by the exposure factor
(the proportion of the asset's value lost in one incident); ALE is SLE multiplied by ARO
(Annualized Rate of Occurrence), the number of incidents expected per year.
What factors determine the selection of security controls in terms of an overall budget? -
correct answer The risk (as determined by impact and likelihood) compared to the cost
of the control. This comparison can be calculated as Return on Security Investment
(ROSI): the reduction in ALE that the control achieves, less the cost of the control,
divided by the cost of the control.
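As an added worked example (not part of the original study set), the following Python carries the two preceding answers through: it computes SLE, ALE and ROSI for a few threat scenarios, then chooses controls within a fixed budget in descending ROSI order. Every figure in it (asset values, exposure factors, AROs, control names and costs) is constructed for illustration, as is the greedy selection rule.

```python
"""Quantitative risk arithmetic (SLE, ALE, ROSI) and budget-constrained
control selection.  Added example: every figure below (asset values,
exposure factors, AROs, control names and costs) is constructed."""
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: asset value x exposure factor, where the
    exposure factor is the fraction of the asset's value lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annual Loss Expectancy = SLE x ARO (annualized rate of occurrence).
    An ARO of 0.2 means one event expected every five years."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return on Security Investment: the ALE reduction a control buys,
    net of the control's annual cost, as a fraction of that cost.
    Negative means the control costs more than the loss it prevents."""
    if annual_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - annual_cost) / annual_cost


@dataclass(frozen=True)
class Scenario:
    """A specific threat against a specific asset (constructed figures)."""
    asset: str
    asset_value: float
    exposure_factor: float   # impact: share of value lost per event
    aro: float               # likelihood: events per year

    def annual_loss(self) -> float:
        return ale(sle(self.asset_value, self.exposure_factor), self.aro)


@dataclass(frozen=True)
class Control:
    """A candidate control and the residual likelihood/impact it leaves."""
    name: str
    annual_cost: float
    aro_after: float
    ef_after: float


def evaluate(scenario: Scenario, control: Control) -> dict:
    """ROSI of applying one control to one scenario."""
    before = scenario.annual_loss()
    after = ale(sle(scenario.asset_value, control.ef_after), control.aro_after)
    return {"asset": scenario.asset, "control": control.name,
            "ale_before": before, "ale_after": after,
            "cost": control.annual_cost,
            "rosi": rosi(before, after, control.annual_cost)}


def select_controls(evaluations: list, budget: float) -> tuple:
    """Greedy selection by descending ROSI, at most one control per asset,
    skipping controls with non-positive ROSI or that exceed the remaining
    budget.  Returns (chosen control names, unspent budget)."""
    chosen, covered, remaining = [], set(), budget
    for ev in sorted(evaluations, key=lambda e: e["rosi"], reverse=True):
        if ev["rosi"] <= 0 or ev["asset"] in covered or ev["cost"] > remaining:
            continue
        chosen.append(ev["control"])
        covered.add(ev["asset"])
        remaining -= ev["cost"]
    return chosen, remaining


# Constructed sample scenarios and candidate controls (not from the page).
CUSTOMER_DB = Scenario("customer database", 500_000, 0.4, 0.2)
STOREFRONT = Scenario("web storefront", 200_000, 0.25, 1.0)

CANDIDATES = [
    (CUSTOMER_DB, Control("encrypted offsite backups", 10_000, 0.2, 0.1)),
    (CUSTOMER_DB, Control("endpoint detection and response", 25_000, 0.05, 0.4)),
    (STOREFRONT, Control("DDoS scrubbing service", 12_000, 0.25, 0.25)),
    (STOREFRONT, Control("premium managed WAF", 60_000, 0.1, 0.25)),
]


def plan(budget: float) -> tuple:
    """Evaluate every candidate and choose a set of controls within budget."""
    return select_controls([evaluate(s, c) for s, c in CANDIDATES], budget)


if __name__ == "__main__":
    for s, c in CANDIDATES:
        ev = evaluate(s, c)
        print(f"{ev['asset']:18} {ev['control']:32} ALE {ev['ale_before']:>9,.0f}"
              f" -> {ev['ale_after']:>9,.0f}  cost {ev['cost']:>7,.0f}  ROSI {ev['rosi']:+.2f}")
    print("chosen within a 30,000 budget:", plan(30_000))
```

With these constructed figures the WAF has a negative ROSI (it costs more per year than the loss it prevents) and is never selected, and the EDR option for the database is passed over because the cheaper backup control already covers that asset with a higher return. The greedy rule is a simplification: it ignores interactions between controls on the same asset and the non-financial drivers (regulatory obligations, contractual requirements) that a real budget decision also has to weigh.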
What type of risk mitigation option is offered by purchasing insurance? - correct answer
Risk transference.
What is a risk register? - correct answer A document highlighting the results of risk
assessments in an easily comprehensible format (such as a heat map or "traffic light"
grid). Its purpose is for department managers and technicians to understand the risks
associated with the workflows that they manage.
What is control risk? - correct answer Control risk arises when a security control is
ineffective at mitigating the impact and/or likelihood of the risk factor it was deployed
to mitigate. The control might not work as hoped, or it might become less effective over
time (for example, as the threat changes or the system it protects is modified).
What factor is most likely to reduce a system's resiliency? - correct answer Single points
of failure.
True or false? RTO expresses the amount of time required to identify and resolve a
problem within a single system or asset. - correct answer False. That describes mean
time to repair (MTTR). The recovery time objective (RTO) is the maximum period that
a system may remain offline following a disruption before it must be restored.