UNIT3:Risk Identification

Questions and Answers

What is considered an asset in the context of risk identification?

• Threats, vulnerabilities, and reputation
• People, information, and business processes (correct)
• Confidentiality, integrity, and availability
• Anything that is irreplaceable

Why are key employees considered vulnerable assets?

• They are not valued by the management
• They are easily replaceable
• They may hold unique knowledge or expertise (correct)
• They lack expertise in certain areas

What are the three aspects that information assets should be protected against?

• Disclosure, modification, and non-accessibility
• Confidentiality, integrity, and availability (correct)
• Destruction, disclosure, and loss
• Unauthorized access, improper modification, and destruction

What is the primary purpose of developing relevant and manageable risk scenarios?

To gain organizational buy-in (A)

What do contagious risks refer to?

Events happening to several business partners within a short time frame (D)

What is the detectability of risk scenarios related to?

Visibility and recognition (B)

What is the focus of scenarios according to the text?

Complex scenarios with cascading impacts (D)

What is the purpose of managing and updating risk scenarios regularly?

To reflect changes in the enterprise and risk profile (A)

Which of the following is considered an actor in the context of I&T-related risk scenario development?

Any person, thing, or entity that acts or carries out a threat (D)

What do loss events refer to in the context of risk scenario development?

Negative impact-generating events (B)

Why is it essential to ensure consistent scoring of temporal elements in risk scenarios?

To maintain accuracy and reliability in risk assessment (A)

What is the role of vulnerabilities in risk scenario development?

Events contributing to impact or frequency of loss events (C)

Why is it important to use generic scenarios as a starting point for developing detailed risk scenarios?

To provide a foundation and structure for the scenario (C)

What is the aim of risk management according to the provided text?

To reduce complexity (C)

What should be done with regard to documenting assumptions made in scenario grouping or generalization?

Document assumptions clearly (A)

How should risk scenario scales reflect enterprise complexity and exposure?

By accurately representing enterprise complexity and exposure (B)

What is the role of I&T assets/resources in IT delivery within the enterprise?

They are valuable resources in IT delivery for the enterprise (D)

What do threat events refer to in the context of risk scenario development?

Circumstances or events brought about by a threat actor that can trigger loss events (D)

What is the purpose of asset classification in IT?

To determine the sensitivity and criticality of IT assets (A)

What are Advanced Persistent Threats (APTs)?

Sophisticated attackers seeking to establish and extend footholds within targeted organizations (B)

What is the role of risk scenarios in risk identification and assessment?

To facilitate communication and understanding of potential risks (C)

What is the distinguishing characteristic of Advanced Persistent Threats (APTs)?

They are sophisticated attackers aiming to establish and extend footholds (D)

What is the primary challenge in information asset valuation?

Valuing intangible assets like personally identifiable information or trade secrets (B)

Why is asset valuation important for risk management?

To understand the business impact of a breach or loss of an asset (B)

How do interviews contribute to risk assessment?

By providing valuable insights but having potential pitfalls (B)

What is the primary focus of I&T risk scenarios?

To describe potential IT-related events and their business impacts (B)

What makes infrastructure assets susceptible to risks?

The physical and IT nature, with new and outdated technologies posing risks (C)

What determines the sensitivity and criticality of IT assets?

The asset classification (C)

What is the primary purpose of scenario analysis in the context of risk management?

To assess the frequency and impact of identified scenarios (A)

What is the role of scenario generation in risk management?

To identify risks and put in place countermeasures (C)

What does detectability of risk scenarios include?

The visibility and recognition of anything wrong (D)

What does risk analysis assess in the context of risk scenario development?

The frequency and impact of identified scenarios (A)

What should scenario scales reflect?

The enterprise complexity and exposure (D)

What is the primary concern related to relevance risk?

The right information not reaching the right recipients at the right time (A)

What does schedule risk refer to in the context of IT projects?

The risk of the project taking longer than expected (B)

What is the primary focus of scenario analysis in the context of risk management?

Assessing the impact of different risk scenarios (B)

Why is asset valuation important for risk management in IT?

To determine the financial impact of potential risks on assets (B)

What is the main difference between internal and external contextual factors?

Degree of control by the enterprise (C)

Why is it important for enterprises to consider external contextual factors?

To understand factors outside their control (D)

What is the primary focus of the top-down approach to developing risk scenarios?

Understanding business goals and impact criteria (D)

What is a benefit of using the top-down approach in enterprise risk management?

Easier to achieve management buy-in even if management is not interested in IT (B)

What is the basis for developing risk scenarios using the bottom-up approach?

Assets, systems, or applications important to the enterprise (C)

What information forms the basis for identifying and analyzing risk using the top-down approach?

Mission strategy and business objectives (C)

Study Notes

• A business process is a set of interrelated activities resulting in the delivery of a product or service to a customer. Inefficient or ineffective business processes can negatively impact an enterprise.

• Infrastructure assets include physical and IT infrastructure, and new and outdated technologies pose risks.

• Financial assets, such as cash, investments, and accounts receivable, are subject to various risks.

• Reputation is an intangible asset impacted by various events and decisions.

• Asset classification determines sensitivity and criticality of IT assets, requiring a complete IT asset inventory and location identification.

• Asset valuation involves understanding the business impact of a breach or loss of an asset.

• Information asset valuation is difficult, especially for intangible assets like personally identifiable information or trade secrets.

• Threats can be external (espionage, theft, sabotage) or internal (human error, negligence) and intentional or unintentional.

• Advanced Persistent Threats (APTs) are sophisticated attackers seeking to establish and extend footholds within targeted organizations.

• Two common risk assessment approaches: systematic (reviewing plans and interviews) and inductive (analyzing processes).

• Interviews can be valuable but have potential pitfalls, requiring thorough preparation and open communication.

• Risk scenarios aid in risk identification and assessment, facilitating communication and understanding of potential risks.

• Top-down and bottom-up approaches to risk scenario development, based on business goals and specific risk events.

• I&T risk scenarios describe potential IT-related events and their business impacts, aiding in risk management and decision analysis.

• Entities should not report on all specific risk scenarios but can use a generic risk structure for reporting.

• Developing relevant and manageable risk scenarios requires expertise, understanding of the business and IT environments, involvement of all parties, a facilitated process, and identification of systemic and contagious risks.

• Scenario analysis is not just an analytical exercise but also a means to gain organizational buy-in.

• Scenarios should not focus only on worst-case events but also on less severe incidents and complex scenarios that show cascading and coincidental impacts.

• Systemic risks refer to events that affect a large group of enterprises within an industry, such as a nationwide air traffic control system failure.

• Contagious risks refer to events that happen to several business partners within a short time frame, such as a clearinghouse being temporarily out of business due to no transactions from providers.

• Detectability of risk scenarios includes visibility and recognition, requiring the enterprise to be able to observe and recognize anything wrong.

• Scenario generation identifies risks to which the enterprise may not have realized it was subject and puts in place countermeasures.

• Risk analysis assesses the frequency and impact of the identified scenarios and raises questions about detectability and the enterprise's ability to react appropriately.

Description

Test your knowledge of I&T-related risk scenarios with this quiz. Explore different threat types and their nature, as well as potential assets/resources that could be affected.