Cyber Security and Risk Management Module 1 & 2
24 Questions

Questions and Answers

What is the primary purpose of creating a risk heat map?

  • To share risks with third parties
  • To avoid all types of risks
  • To provide a visual representation of the nature and impact of risks (correct)
  • To document security posture

Risk acceptance involves eliminating a potential risk completely.

  False

What is the first major process in risk management?

  Risk identification

Risk _____ involves contracting with a third party to bear some or all costs of a risk.

  sharing

Match the following processes in risk management with their descriptions:

  • Risk Identification = Examining and documenting risks
  • Risk Assessment = Determining the extent of exposure to risks
  • Risk Control = Applying controls to reduce risks
  • Risk Treatment = Applying agreed-upon controls and confirming their efficacy

What does risk mitigation typically involve?

  Taking actions to limit or optimize a risk

Monitoring and review in risk management helps determine whether the controls are effective.

  True

What is the main aim of risk evaluation?

  To assess whether the risks align with the organization's risk appetite and tolerance.

Which of the following best describes the objective of information security?

  Protecting networks, devices, and programs from unauthorized access

One of the main functions of counterintelligence is to support an opposition's intelligence program.

  False

What is the purpose of risk mitigation strategies?

  To reduce the probability or impact of risks.

The process of __________ involves acknowledging risks and their effects.

  accepting

Match the risk response strategies with their definitions:

  • Avoid = Eliminating the risk or its source
  • Transfer = Shifting the risk or its consequences to a third party
  • Mitigate = Reducing the probability or impact of the risk
  • Accept = Acknowledging the risk and its effects

Which step in ISO 31000's seven-step process involves defining risk scenarios?

  Risk identification

Quantitative risk analysis focuses solely on qualitative descriptions of potential risks.

  False

Provide one example of a simulation used in risk analysis.

  What-if scenarios.

Which of the following is NOT one of the four basic types of threat categories?

  Cyber threats

Risk management plans only outline the financial aspects of managing risk.

  False

Name two characteristics of risk categories.

  Information Exposure/Loss, Unauthorized Use

The attribute that assures a sender of data is provided with proof of delivery is called _______.

  non-repudiation

Match the risk categories with their descriptions:

  • Information Exposure/Loss = Data being accessed or rendered unusable
  • Unauthorized Use = Access granted without permission
  • Exposure to Legal Action = Risks associated with non-compliance
  • Weak Processes = Ineffective procedures that lead to risk

Which aspect of information assurance ensures that authorized users have proper access?

  Availability

Confidentiality refers to ensuring that information is available to all personnel.

  False

What role does authentication play in information security?

  It verifies the validity of a transmission or the authority of an individual to access specific information.

Study Notes

Module 1

• Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording, or destruction of sensitive records.
• Cyber security applies technologies, processes, and controls to protect systems, networks, programs, devices, and data from cyber-attacks.
• Costs of cyber security breaches are increasing.
• Cyber-attacks are becoming more sophisticated.
• Cyber security is a critical business issue.
• Cybercrime is a large business.
• Common cyber threats include malware (ransomware, botnet software, trojans), backdoors, formjacking, cryptojacking, DDoS (Distributed Denial-of-Service) attacks, and DNS (Domain Name System) poisoning attacks.
• Types of cyber security include network security, cloud security, IoT security, and application security.

Module 2

• Risk management is a continuing process to identify, analyze, evaluate, and treat loss exposures, and to monitor risk controls so that losses are mitigated.
• Steps to manage SDLC risk:
  • Define the risk management plan (risk identification, analysis, implementation, monitoring, and improvement)
  • Identify and document risks (brainstorming, interviews, surveys, checklists, historical data, expert opinions)
  • Analyze and prioritize risks (risk matrices, simulations, decision trees)
  • Plan and implement risk responses (avoid, transfer, mitigate, accept)
  • Monitor and control risks
  • Learn and improve from risks
• A risk register tracks the risks identified in a software project.

Module 3

• A risk management plan details an organization's risk approach, the roles of its risk management teams, the resources for the process, and internal policies/procedures.
• Three major processes in risk management:
  • Risk identification
  • Risk assessment
  • Risk control
• Four basic threat categories: insider threats, external threats, man-made threats, and natural disasters.

Module 4

• Risk assessment methodologies include both qualitative and quantitative methods.
• Qualitative: descriptive ratings (for example low/medium/high); quicker and less rigorous; results are subjective.
• Quantitative: numeric, measurable values; more rigorous; results are objective.
  • SLE (Single Loss Expectancy) = Asset Value (AV) * Exposure Factor (EF), where EF is the fraction of the asset's value lost in a single incident.
  • ALE (Annual Loss Expectancy) = SLE * Annualized Rate of Occurrence (ARO), where ARO is the expected number of incidents per year.
• Information Assurance (IA) protects the integrity, availability, authenticity, non-repudiation, and confidentiality of data.
• Information security protects against unauthorized access, use, disclosure, disruption, modification, or destruction of data.
• Difference between IA and IS: IA is concerned with overall organizational risk and standards, while IS focuses on methods to reduce risks.
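The following worked example is added here for study purposes and is not part of the course material. It ties the Module 2 risk register, risk matrix and heat map together with the Module 4 SLE/ALE formulas: each register entry is scored qualitatively (likelihood x impact on a 5x5 matrix) and quantitatively (SLE = AV * EF, ALE = SLE * ARO), the register is prioritized, and a heat map is rendered. The register entries, asset values, exposure factors and rates are constructed; the banding thresholds for the matrix and the safeguard cost-benefit helper (ALE before minus ALE after minus control cost) are assumed conventions that the notes do not define.

```python
"""Risk register with qualitative (5x5 risk matrix / heat map) and quantitative
(SLE/ALE) scoring, followed by prioritization.

Added study example, not course material. All register entries and figures are
constructed; the matrix bands and the safeguard cost-benefit helper are assumed
conventions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

RESPONSES = {"avoid", "transfer", "mitigate", "accept"}


@dataclass
class Risk:
    rid: str
    description: str
    category: str            # e.g. "Information Exposure/Loss", "Unauthorized Use"
    likelihood: int          # qualitative scale 1 (rare) .. 5 (almost certain)
    impact: int              # qualitative scale 1 (negligible) .. 5 (severe)
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost in one incident (0..1)
    aro: float               # Annualized Rate of Occurrence (incidents per year)
    response: str = "mitigate"

    def __post_init__(self) -> None:
        # Reject inputs that would silently distort the prioritization.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.rid}: likelihood and impact must be 1..5")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.rid}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.rid}: AV and ARO must be non-negative")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.rid}: unknown response {self.response!r}")

    @property
    def matrix_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        # Assumed banding of the 5x5 matrix: 15-25 High, 8-14 Medium, 1-7 Low.
        if self.matrix_score >= 15:
            return "High"
        return "Medium" if self.matrix_score >= 8 else "Low"

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor      # SLE = AV * EF

    @property
    def ale(self) -> float:
        return self.sle * self.aro                          # ALE = SLE * ARO


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest ALE first; ties are broken by the qualitative matrix score."""
    return sorted(register, key=lambda r: (r.ale, r.matrix_score), reverse=True)


def heat_map(register: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Map each (likelihood, impact) cell of the matrix to the risk IDs in it."""
    cells: dict[tuple[int, int], list[str]] = {}
    for r in register:
        cells.setdefault((r.likelihood, r.impact), []).append(r.rid)
    return cells


def render_heat_map(register: list[Risk]) -> str:
    """Text heat map: impact on the rows (5 at the top), likelihood on the columns."""
    cells = heat_map(register)
    lines = ["impact \\ likelihood " + " ".join(f"{l:>8}" for l in range(1, 6))]
    for impact in range(5, 0, -1):
        row = [",".join(cells.get((l, impact), [])) or "." for l in range(1, 6)]
        lines.append(f"{impact:>19} " + " ".join(f"{c:>8}" for c in row))
    return "\n".join(lines)


def safeguard_net_benefit(risk: Risk, annual_cost: float,
                          aro_after: Optional[float] = None,
                          ef_after: Optional[float] = None) -> float:
    """Annual value of a control (assumed convention): ALE before the control,
    minus ALE after it, minus the control's annual cost. Positive means it pays."""
    aro = risk.aro if aro_after is None else aro_after
    ef = risk.exposure_factor if ef_after is None else ef_after
    ale_after = risk.asset_value * ef * aro
    return risk.ale - ale_after - annual_cost


# Constructed sample register; the figures are illustrative, not measured.
SAMPLE_REGISTER = [
    Risk("R1", "Ransomware encrypts the file server", "Information Exposure/Loss",
         likelihood=4, impact=5, asset_value=500_000, exposure_factor=0.6, aro=0.5),
    Risk("R2", "Stale contractor accounts used after offboarding", "Unauthorized Use",
         likelihood=3, impact=3, asset_value=120_000, exposure_factor=0.25, aro=2.0),
    Risk("R3", "Flooding of the data centre", "Natural disaster",
         likelihood=2, impact=5, asset_value=2_000_000, exposure_factor=0.4, aro=0.02,
         response="transfer"),
    Risk("R4", "Regulatory fine for missed retention requirements", "Exposure to Legal Action",
         likelihood=2, impact=4, asset_value=250_000, exposure_factor=1.0, aro=0.1),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.rid} {r.band:<6} matrix={r.matrix_score:>2} "
              f"SLE={r.sle:>10,.0f} ALE={r.ale:>9,.0f} response={r.response}")
    print(render_heat_map(SAMPLE_REGISTER))
    # Hypothetical control: offline backups cut the ransomware EF from 0.6 to 0.15 for 40,000/yr.
    print(f"backup control net benefit: "
          f"{safeguard_net_benefit(SAMPLE_REGISTER[0], 40_000, ef_after=0.15):,.0f}")
```

Running the script prints the register in ALE order, the heat map, and the net benefit of the hypothetical backup control. Note that the two scorings disagree: R3 (flooding) sits second on the matrix because its impact is severe, but last by ALE because its ARO is tiny, which is why a register should carry both the qualitative rating and the quantitative figures before a response is chosen.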

Module 5

• Information assurance is the practice of assuring and managing the risks related to confidential information throughout the transmission, processing, and storage of data.
• Key characteristics of information assurance: availability, integrity, authentication, confidentiality, and non-repudiation of data.
• Information assurance focuses on organizational risk management and data quality, while information security focuses on technical solutions that reduce risks.

Module 6

• Security controls are countermeasures that reduce the likelihood or impact of a threat exploiting a vulnerability.
• Risk mitigation is reducing the likelihood that a threat will exploit a vulnerability and cause a loss.
• Threats are potential events or actors that could compromise confidentiality, integrity, or availability.
• Vulnerabilities are weaknesses or flaws in hardware, software, or organizational processes that a threat can exploit.
• Security incidents are occurrences that actually jeopardize the CIA of an information system or violate security policy.
• Types of security controls:
  • Physical: walls, locks, surveillance.
  • Administrative: policies and procedures.
  • Technical: software, firewalls, encryption, access control.
• Configuration rules, administrative controls, and physical security controls are combined to prevent unauthorized access.

Related Documents

IAS412 Midterm Reviewer PDF

Description

This quiz covers the fundamentals of information security and cyber security, including common threats and types of security. It also delves into the importance of risk management processes for mitigating losses in the digital landscape. Test your knowledge on these critical business issues.
