Exam (elaborations)

ISMN 5740 Exam 2 | Questions and Answers (Complete Solutions)

Pages: 8
Grade: A
Uploaded on: 28-10-2025
Written in: 2025/2026

A risk assessment is used to identify which _______ to implement
Controls

Why is a risk assessment important?
-identifies which systems/assets to protect
-gives insight into which controls provide the most value

There are 2 types of risk assessments:
1. Qualitative
2. Quantitative

Qualitative risk assessment
Calculates RELATIVE values, losses, and costs
-NO NUMBERS, CATEGORIES

Quantitative risk assessment
Calculates ABSOLUTE financial values, losses, and costs
-ALL NUMBERS, %

It is a waste of time to perform a __________ assessment first, as it will only lead to arguing about numbers and costs
Quantitative

A qualitative risk assessment is _________
Subjective.
-you cannot assume you know everything about their business; watch and learn

A qualitative risk assessment deals with __________ and ________
Likelihood, impact

Likelihood
The likelihood that a threat will exploit a vulnerability.
-high, medium, low

Impact (consequence)
The negative result if a risk occurs.
-if the bad thing happens, how bad is it for us?

Only use quantitative analysis for __________ purposes
Budgeting

A risk matrix ________ probability and impact
Matches.
-the problem is this is bringing numbers in right away

Qualitative risk assessment benefits:
-uses the opinions of experts
-is easy to complete
-uses words that are easy to express and understand

A quantitative risk assessment uses numbers such as _______ values to do budgeting
Dollar

Quantitative risk assessment results can help us:
-identify the priority of risks
-determine the effectiveness of controls
*however, very inaccurate at best

Quantitative risk assessment key terms:
-SLE (single loss expectancy)
-ARO (annual rate of occurrence)
-ALE (annual loss expectancy)

Single loss expectancy (SLE)
If it happens one time, how much money do we stand to lose?
-$

Annual rate of occurrence (ARO)
How many times do we expect the bad thing to happen in one calendar year?
-time

Annual loss expectancy (ALE)
SLE x ARO = total loss for the calendar year (ALE)

Quantitative risk assessment benefits:
1. Simple math problem
2. Provides CBA (accurate values for SLE, ARO, and safeguard value lets you calculate CBA)
3. Easy to grasp details of assessment & its recommendations
4. Formulas use verifiable and objective measurements

Quantitative risk assessment limitations:
1. Accurate data isn’t always available (ARO reductions)
2. May need training to ensure users are aware of the control

Qualitative risk assessment limitations:
Subjective, based on expertise of experts, no CBA, & no real standards

QUALITATIVE:
-subjective
-word values
-expert opinions
-likelihood
-impact

QUANTITATIVE:
-objective
-monetary values
-historical data
-SLE x ARO = ALE

Risk assessment challenges:
-Using static process to evaluate a moving target
-Availability
-Data consistency
-Estimating impact effects
-Providing results that support resource allocation and risk acceptance

Best practices for risk assessment:
-Start with clear goals and a defined scope.
-Enlist senior management support.
-Build a strong RA team.
-Repeat the RA regularly.
-Define a methodology to use.
-Provide a report of clear risks and clear recommendations.

General goal of risk management:
To move from high consequence, high likelihood to low consequence, low likelihood

Prior to conducting a RA, you should ______ previous findings
Review

Identifying the management structure:
-Refers to how responsibilities are assigned
  • Helpful to keep the scope within the ownership of a single entity
-Large organization may have multiple divisions:
  • Network infrastructure
  • User and computer management
  • E-mail servers / Web servers / Database servers
  • Configuration and change management

Identifying assets and activities:
-Perform asset valuation
  • Base on replacement or recovery value of the asset
  • Ensure RA performed on current systems
  • Evaluate only assets that are within the boundary of the RA
-Prioritize importance

Elements to Consider When Determining Asset Value:
-System access and system availability
-System functions
-Hardware and software assets
-Personnel assets
-Data and information assets
-Facilities and supplies

Identifying and evaluating threats:
-Reviewing historical data
-Threat modeling
-Important to understand how threats interact with risks

Identifying and Evaluating Vulnerabilities:
-A vulnerability is a weakness
  • Can be a weakness in physical security, technical security, or operational security
  • Can be procedural, technical, or administrative
-All systems have vulnerabilities
-Not all vulnerabilities result in a loss
--a vulnerability and a threat must meet in order for a loss to occur

In place controls
-In place in the operational system
-Supported by associated documentation
*MUST be fully functional to be considered in place

Planned controls
-identified in planning documents
-specified implementation date
*Plans mean NOTHING if they are not actually in place

Control categories
-National Institute of Standards and Technology (NIST)
-three classes, 18 families of controls
-grouped as procedural, technical, and physical

Control types (3):
-administrative
-technical
-physical

Administrative controls examples:

Institution: ISMN 5740
Course: ISMN 5740

Seller: Bri254, Rasmussen College