Cyber Security and Risk Management Module 1 & 2

Questions and Answers

What is the primary purpose of creating a risk heat map?

  • To share risks with third parties
  • To avoid all types of risks
  • To provide a visual representation of the nature and impact of risks (correct)
  • To document security posture

Risk acceptance involves eliminating a potential risk completely.

False (B)

What is the first major process in risk management?

Risk identification

Risk _____ involves contracting with a third party to bear some or all costs of a risk.

sharing

Match the following processes in risk management with their descriptions:

  • Risk Identification = Examining and documenting risks
  • Risk Assessment = Determining the extent of exposure to risks
  • Risk Control = Applying controls to reduce risks
  • Risk Treatment = Applying agreed-upon controls and confirming efficacy

What does risk mitigation typically involve?

Taking actions to limit or optimize a risk (B)

Monitoring and review in risk management helps determine if the controls are effective.

True (A)

What is the main aim of risk evaluation?

To assess whether the risks align with the organization's risk appetite and tolerance.

Which of the following best describes the objective of information security?

Protecting networks, devices, and programs from unauthorized access (B)

One of the main functions of counterintelligence is to support an opposition's intelligence program.

False (B)

What is the purpose of risk mitigation strategies?

To reduce the probability or impact of risks.

The process of __________ involves acknowledging risks and their effects.

accepting

Match the risk response strategies with their definitions:

  • Avoid = Eliminating the risk or its source
  • Transfer = Shifting the risk or its consequences to a third party
  • Mitigate = Reducing the probability or impact of the risk
  • Accept = Acknowledging the risk and its effects

Which step in ISO 31000's seven-step process involves defining risk scenarios?

Risk identification (A)

Quantitative risk analysis focuses solely on qualitative descriptions of potential risks.

False (B)

Provide one example of a simulation used in risk analysis.

What-if scenarios.

Which of the following is NOT one of the four basic types of threat categories?

Cyber threats (B)

Risk management plans only outline the financial aspects of managing risk.

False (B)

Name two characteristics of risk categories.

Information Exposure/Loss, Unauthorized Use

The attribute that assures a sender of data is provided with proof of delivery is called _______.

non-repudiation

Match the risk categories with their descriptions:

  • Information Exposure/Loss = Data being accessed or rendered unusable
  • Unauthorized Use = Access granted without permission
  • Exposure to Legal Action = Risks associated with non-compliance
  • Weak Processes = Ineffective procedures that lead to risk

Which aspect of information assurance ensures that authorized users have proper access?

Availability (C)

Confidentiality refers to ensuring that information is available to all personnel.

False (B)

What role does authentication play in information security?

It verifies the validity of a transmission or the authority of an individual to access specific information.

Flashcards

Risk Identification

The process of finding and recording security issues and risks in an organization's IT systems.

Risk Assessment

Evaluating how likely and damaging potential risks are to the organization.

Risk Control

Implementing actions to reduce risks to data and IT systems.

Risk Avoidance

Choosing not to take on a risk, eliminating it altogether.

Risk Mitigation

Taking steps to lessen the effects of a risk.

Risk Sharing/Transfer

Moving some or all risk to another entity (like an insurance company).

Risk Acceptance

Acknowledging a risk and deciding not to reduce it.

Risk Evaluation

Analyzing the risks and determining the best course of action.

Risk Treatment

Applying the chosen risk management strategies.

Monitoring and Review

Regularly checking that risk control measures are working and making adjustments as necessary (as risks change).

Cybersecurity

Protecting computer networks, devices, programs, and data from unauthorized access or attacks.

Information Security

Protecting information from leaks, damage, or loss, encompassing all data forms.

Counterintelligence

Activities to protect an agency's intelligence program from opposition's intelligence.

Risk Analysis

Evaluating the likelihood and impact of risks to an organization.

Risk Matrix

A tool used to visualize and prioritize risks based on their likelihood and impact.

Risk Simulations

Testing potential risk scenarios (what-if scenarios).

Decision Trees

Graphical representations of possible decisions and their consequences.

Risk Responses (Eliminate)

Methods to remove the risk or its source.

Risk Responses (Transfer)

Shifting risk or consequences to a third party.

Risk Responses (Mitigate)

Reducing the likelihood or impact of a risk.

Risk Responses (Accept)

Acknowledging potential risk but not taking active measures.

Risk Monitoring & Control

Tracking risks and implementing actions to address them.

Risk Learning & Improvement

Using insights from risks to improve future planning and management.

ISO 31000

A framework for risk management.

ERM Framework

A formalized system for managing risk within an organization.

Risk Identification

Identifying potential risks that could affect business operations.

Insider Threat

A threat to information security originating from within an organization, by someone with authorized access.

External Threat

A threat to information security originating from outside an organization.

Man-made Threat

A threat to information security caused by human actions, not natural events.

Natural Disaster Threat

A security threat caused by natural events.

Risk Management Plan

A document outlining how an organization will address identified security risks.

Information Exposure/Loss

Risk category concerning the disclosure or loss of information.

Unauthorized Use

Risk category concerning unauthorized access or use of information systems.

Availability (Security)

Ensuring authorized users have timely and easy access to information services.

Integrity (Security)

Data remains unaltered during transmission and storage.

Authentication (Security)

Establishing the validity of a message or user.

Confidentiality (Security)

Protecting information from unauthorized disclosure.

Non-repudiation (Security)

Ensuring sender and receiver cannot deny actions.

Risk Assessment Methodologies

Systematic ways to analyze and evaluate security risks.

Weak Processes

Security issues caused by inadequate internal procedures.

Exposure to Legal Action

Risks associated with potential legal consequences due to security breaches.

Exposure to Contaminated Environments

Risk category concerning security threats from external systems or situations.

Loss of public confidence

Risk category concerning security threats from situations that cause loss of public trust.

Study Notes

Module 1

  • Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording, or destruction of sensitive records.
  • Cyber security applies technologies, processes, and controls to protect systems, networks, programs, devices, and data from cyber-attacks.
  • Costs of cyber security breaches are increasing.
  • Cyber-attacks are becoming more sophisticated.
  • Cyber security is a critical business issue.
  • Cybercrime is a large business.
  • Common cyber threats include malware (ransomware, botnet software, Trojans), backdoors, formjacking, cryptojacking, DDoS (Distributed Denial-of-Service) attacks, and DNS (Domain Name System) poisoning attacks.
  • Types of cyber security include network security, cloud security, IoT security, and application security.

Module 2

  • Risk management is a continuing process to identify, analyze, evaluate, and treat loss exposure, and monitor risk control to mitigate losses.
  • Steps to manage SDLC risk:
    • Define risk management plan (risk identification, analysis, implementation, monitoring, and improvement)
    • Identify and document risks (brainstorming, interviews, surveys, checklists, historical data, expert opinions)
    • Analyze and prioritize risks (risk matrices, simulations, decision trees)
    • Plan and implement risk responses (avoid, transfer, mitigate, accept)
    • Monitor and control risks
    • Learn and improve from risks
  • A risk register helps track identified risks in software.

Module 3

  • A risk management plan details an organization's risk approach, the roles of risk management teams, the resources for the process, and internal policies/procedures.
  • Three Major Processes in Risk Management:
    • Risk identification
    • Risk assessment
    • Risk control
  • Four basic threat categories: insider threats, external threats, man-made threats, and natural disasters.

Module 4

  • Risk assessment methodologies include both qualitative and quantitative methods.
  • Qualitative: Descriptions, quicker, less rigorous, subjective results.
  • Quantitative: Numbers, measurable, more rigorous, objective results.
    • SLE (Single Loss Expectancy) calculation: Asset Value (AV) * Exposure Factor (EF)
    • ALE (Annual Loss Expectancy) calculation: SLE * Average Rate of Occurrence (ARO)
  • Information Assurance (IA) protects data integrity, availability, authenticity, non-repudiation, and confidentiality.
  • Information security protects against unauthorized access, use, disclosure, disruption, modification or destruction of data.
  • Differences between IA and IS: IA is concerned with overall organizational risk and standards, while IS focuses on methods to reduce risks.

Module 5

  • Information assurance is the practice of assuring and managing risks related to confidential information throughout the process of transmission, processing, and storing data.
  • Key characteristics of information assurance include availability, integrity, authentication, confidentiality and non-repudiation of data.
  • Information assurance is more focused on organizational risk management and data quality while information security focuses on technical solutions to reduce risks.

Module 6

  • Security controls are countermeasures to reduce threats exploiting vulnerabilities.
  • Risk mitigation is reducing the likelihood that a threat will exploit a vulnerability, resulting in loss.
  • Threats are events that compromise confidentiality, integrity, and availability.
  • Vulnerabilities are weaknesses or flaws in hardware, software, or organizational processes.
  • Security incidents are occurrences that jeopardize CIA of information systems or violate security policies.
  • Types of security controls:
    • Physical: Walls, locks, surveillance.
    • Administrative: Policies/procedures.
    • Technical: Software, firewalls, encryption, access control.
  • Configuration rules, administrative controls, and physical security controls are used to prevent unauthorized access.
