Exam (worked solutions)

ISMN 5740 Exam 1 | Questions and Answers (Complete Solutions)

Pages: 13
Grade: A
Uploaded on: 28-10-2025
Written in: 2025/2026

ISMN 5740 Exam 1

Risk is an ___________
Uncertainty

Asset
Anything of value to an organization

Some assets are ________
Critical

Critical assets:
-generates revenue ($)
-regulatory compliance (ex. HIPAA)

Risk management: rule 1
Don't risk more than you can afford to lose (ex. Skydiving)

Risk management: rule 2
Don't risk a lot for a little (what's the return?)

Risk management: rule 3
Know the odds (what might happen?)

Risk management: rule 4
Take some risks (greater likelihood for positive over negative)

A RISK is when a _______ meets a _____________
Threat, vulnerability.
-when the risk becomes real

Threat
Any activity that represents a possible danger.
-the thing that causes the harm

Vulnerability
A WEAKNESS that can be exploited by a threat
-IT system, HVAC system
-what is missing?

Look at the ______ to find the vulnerabilities
Assets

Loss
A loss results in a compromise to business functions or assets

2 kinds of loss:
-tangible
-intangible

Tangible loss
$ lost, building loss, typically something physical

Intangible loss
NOT a physical loss.
-ex. Loss of trust after a data breach

The CIA triad:
1. Confidentiality
2. Integrity
3. Availability

Confidentiality
Prevents unauthorized disclosure of systems and information

Integrity
Prevents unauthorized modification of systems and information

Availability
Prevents disruption of service and productivity

Risk management triad:
-risk
-threat
-vulnerability

Risk management triad: RISK
Probability of loss

Risk management triad: THREAT
Potential harm

Risk management triad: VULNERABILITY
System weakness

Risk management chart goal:
To move from high consequence, high likelihood to low consequence, low likelihood
- x-axis: probability of occurrence (likelihood)
- y-axis: consequence of occurrence

Red risk level
Indicate immediate action should be taken to reduce the risk

Orange risk level
Indicate that actions should be planned and initiated to reduce the risk

Yellow risk level
Indicate these should be monitored and prepared to respond if they are realized

Green risk level
Indicate no specific actions need to be taken

Mitigation
Reduction in a consequence or likelihood of a risk

Risk management ________ risks by defining and controlling threats and vulnerabilities
Reduces

Threats, vulnerability, & asset value =
Total risk

Total risk - countermeasures =
Residual risk

Residual risk
Leftover risk that we don't know about or can afford to take care of.
-no money, manpower, or time
-we can't know what we don't know

Risk is NEVER _____
Zero

Primary way to reduce risks:
Implement controls to reduce exposure

Zero day
We couldn't have anticipated this event to happen in any way.
-no one has seen this thing before

A zero day event is why risk can never be _____
Zero

Threat-likelihood-impact matrix asks...
How much of the asset was affected?
-low impact
-medium impact
-high impact

Low impact
10%
Very little impact; will only have to restore a little

Medium impact
50%
Half impact; can restore half

High impact
100%
100% impact; cannot restore
-almost never is it 100% destroyed

Security and usability is a __________ ____
Balancing act

Security should _______ the business, not impede
Support.
-security must match the business processes
-security shouldn't make peoples' lives harder

Risk identification process
1. Identify threats
2. Identify vulnerabilities
3. Estimate likelihood of a threat exploiting a vulnerability
-everybody's processes are different

Threat types:
-external or internal
-natural or man-made
-intentional or accidental

External threats
Threats that originate outside an organization

Internal threats
Threats that originate within an organization.
-are more significant

Natural threats
Hurricanes, floods, tornadoes
-not intentional

Man-made threats
Hackers, viruses
-can be intentional

Intentional threats
Have some type of malicious intent behind them

Accidental threats
Human error, machine error, not intentionally

Vulnerabilities types:
-audit
-certification/accreditation records
-system logs
-prior event
-trouble reports
-incident response teams

4 techniques of risk management:
1. Avoidance
2. Transference
3. Mitigation
4. Acceptance

Risk avoidance
Stopping the thing that brings you the risk entirely.
-too risky!
-ex. Data center in Miami moving to Atlanta

Risk transference
We're going to pay for somebody else to deal with the risk.
-insurance! Car, homeowners'

Risk mitigation
Mitigate the risk with implementing controls, ultimately reducing the risk

Risk acceptance
We recognize the risk, but we're okay with it.
-greater upside than downside
-ex. Accepted the risk of driving to campus each day

2 aspects of risk management:
1. Residual risk
2. Cost-benefit analysis

Threats cannot be ________
Eliminated

Threats are ALWAYS _______
Present.
-even if you aren't affected by them, they're still there.
-you're just not as vulnerable

You can take action to reduce the _______ for a threat to occur
Potential.
-ex. Putting controls in place -- mitigation

You can take action to reduce the ________ of a threat
Impact

You cannot affect the threat ______
Itself

Unintentional threats (3 types)
-environmental
-human -- accidents
-failures

Intentional threats (3 p's)
1. Profit
-profiting somehow: reputation, money, anything of value
2. Passion
-acting out of a sense of passion: feeling cheated, sense of duty
3. Psychosis
-psychotic behavior: only a small portion of people

Unintentional threats examples: environmental & failures
Environmental:
-fire
-wind
-lightning
-flooding
failures:
-equipment

Unintentional threats examples: human
-keystroke errors
-political changes
-programming bugs
-accident

Intentional threats examples: individuals or organizations
-hackers
-criminals
-disgruntled employees

Institution: ISMN 5740
Course: ISMN 5740


Seller: Bri254, Rasmussen College