Review Questions - SYS701 - 17 - Risk Management and Privacy

Questions and Answers

Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done?

  • Removed the threat
  • Reduced the threat
  • Removed the vulnerability (correct)
  • Reduced the vulnerability

You notice a high number of SQL injection attacks against a web application run by your organization, so you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk?

  • Reduced the magnitude
  • Eliminated the vulnerability
  • Reduced the probability (correct)
  • Eliminated the threat

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 of fines against his firm.

Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.

What is the asset value (AV)?

  • $600,000
  • $5,000
  • $100,000
  • $500,000 (correct)

What is the exposure factor (EF)?

  • 100% (D) (correct)

What is the single loss expectancy (SLE)?

  • $500,000 (C) (correct)

What is the annualized rate of occurrence (ARO)?

  • 0.05 (A) (correct)

What is the annualized loss expectancy (ALE)?

  • $25,000 (B) (correct)

Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.

Grace's first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt?

  • Risk mitigation (C) (correct)

Business leaders are considering dropping the customer activities that collect and store sensitive personal information. What risk management strategy would this approach use?

  • Risk avoidance (B) (correct)

Grace's company decided to install the web application firewall and continue doing business. They are still worried about other risks to the information that were not addressed by the firewall and are considering purchasing an insurance policy to cover those risks. What strategy does this use?

  • Risk transference (D) (correct)

In the end, Grace's risk managers found that the insurance policy was too expensive and opted not to purchase it. They are taking no additional action. What risk management strategy is being used in this situation?

  • Risk acceptance (A) (correct)

Under the European Union's GDPR, what term is assigned to the individual who leads an organization's privacy efforts?

  • Data protection officer (A) (correct)

Helen's organization maintains medical records on behalf of its customers, who are individual physicians. What term best describes the role of Helen's organization?

  • Data processor (A) (correct)

Gene recently conducted an assessment and determined that his organization can be without its main transaction database for a maximum of two hours before unacceptable damage occurs to the business. What metric has Gene identified?

  • RTO (C) (correct)

Tina works for a hospital system and manages the system's patient records. What category of personal information best describes the information that is likely to be found in those records?

  • PHI (B) (correct)

Asa believes that her organization is taking data collected from customers for technical support and using it for marketing without their permission. What principle is most likely being violated?

  • Purpose limitation (C) (correct)

Which one of the following U.S. government classification levels requires the highest degree of security control?

  • Top Secret (C) (correct)

Which type of analysis uses numeric data in the analysis, resulting in assessments that allow the very straightforward prioritization of risk?

  • Quantitative (D) (correct)

What term is given to an individual or organization who determines the reasons for processing personal information?

  • Data controller (B) (correct)

Brian recently conducted a risk mitigation exercise and has determined the level of risk that remains after implementing a series of controls. What term best describes this risk?

  • Residual risk (D) (correct)

Flashcards

Vulnerability Removal

Eliminating a vulnerability to prevent exploitation.

Risk Probability Reduction

Reducing the likelihood of a risk occurring.

Asset Value (AV)

The total worth of an asset.

Exposure Factor (EF)

The percentage of asset loss if an event occurs.

Single Loss Expectancy (SLE)

Expected loss from a single occurrence.

Annualized Rate of Occurrence (ARO)

Predicted number of times a loss event will occur yearly.

Annualized Loss Expectancy (ALE)

Expected loss for a threat in one year.

Risk Mitigation

Reducing risk impact or probability.

Risk Avoidance

Ceasing the activity that causes the risk.

Risk Transference

Shifting risk to a third party.

Risk Acceptance

Accepting potential risk consequences.

Data Protection Officer (DPO)

Leads an organization's GDPR privacy efforts.

Data Processor

Processes data on behalf of the data controller.

Recovery Time Objective (RTO)

Maximum time to restore a service after an outage.

PHI

Protected Health Information.

Purpose Limitation

Using data only for its intended purpose.

Top Secret

Highest level of classified U.S. government information.

Quantitative Analysis

Risk analysis using numeric data.

Data Controller

Determines the reasons for processing personal data.

Residual Risk

Risk remaining after controls have been implemented.
