DOMAIN 2 — IT RISK ASSESSMENT (20%)

Questions and Answers

Which of the following methods uses risk scenarios when estimating the likelihood and impact of significant risk to the enterprise?

  • An IT audit
  • An IT security assessment
  • A threat and vulnerability assessment (correct)
  • A security gap analysis

An enterprise desires a quick implementation of a crucial technical solution that deviates from company policy. What action should the risk practitioner take FIRST?

  • Recommend against implementation due to policy violation.
  • Recommend immediate revision of the current policy.
  • Recommend a risk assessment and subsequent implementation, only if residual risk is accepted. (correct)
  • Conduct a risk assessment and decide based on the outcome.

Which of the following will produce comprehensive results when performing a qualitative risk analysis?

  • Scenarios with threats and impacts (correct)
  • Estimated productivity losses
  • A vulnerability assessment
  • The value of information assets

Under what condition may risk be removed from the risk register?

The risk is no longer relevant. (C)

What is the BEST way to ensure that an accurate risk register is maintained over time?

Publish the risk register centrally with workflow features that periodically poll risk assessors. (A)

When should a risk practitioner add an emerging risk to the risk register?

When the activity that triggers the risk begins to initiate (C)

What is the PRIMARY objective of a risk management program?

Maintain residual risk at an acceptable level (B)

What is the function of risk assessment techniques for a risk practitioner?

Justify the selection of risk mitigation strategies. (A)

A procurement employee discovers that new printer models retain copies of printed documents on a hard disk. What should the employee do FIRST?

Notify the security manager to conduct a risk assessment. (D)

Why should risk assessments be repeated at regular intervals?

Business threats are constantly changing. (B)

What is the BEST way to approach the assessment of risk to information systems assets?

Evaluating threats associated with existing information systems assets (B)

What does a lack of adequate controls represent?

A vulnerability (B)

An enterprise learns of a security breach at another entity using similar network technology. What is the MOST important action for a risk practitioner to take?

Assess the likelihood of the incident occurring at the risk practitioner's enterprise. (D)

Detection of changes in which of the following is the MOST likely trigger to conduct a comprehensive risk assessment?

The business environment (D)

Which risk identification technique BEST supports an enterprise seeking anonymous risk input from employees?

The Delphi technique (B)

Which description BEST reflects the information needed for each risk in a risk register?

Risk scenario including date, description, impact, probability, risk score, mitigation action and owner (B)

What is the GREATEST advantage of performing a business impact analysis (BIA)?

It promotes continuity awareness in the enterprise (D)

What is the PRIMARY advantage of creating and updating a risk register?

Ensure that an inventory of identified risk is maintained (B)

Which option BEST assists a risk practitioner in measuring the existing development level of risk management processes against the desired state?

A capability maturity model (D)

Which of the following is MOST effective in assessing business risk?

Risk Scenarios (A)

In which risk management process does the preparation of a risk register begin?

Risk Identification (C)

What is a business impact analysis (BIA) used for PRIMARILY?

Evaluate the impact of disruption on an enterprise's ability to operate over time (C)

Risk scenarios enable the risk assessment process because they:

Help estimate the frequency and impact of risk (A)

Which information in the risk register helps the MOST in developing accurate risk scenarios?

A list of potential threats to assets (D)

What BEST helps identify information systems control deficiencies?

Gap analysis (A)

When assessing the performance of a critical application server, from what can the MOST reliable assessment results be obtained?

Continuous monitoring (D)

Which situation presents the GREATEST risk when updating the risk register?

Updates are carried out annually (C)

How is IT risk measured?

Impact on Business Operations (B)

Deriving the likelihood and impact of risk scenarios through statistical methods can BEST be described as:

Quantitative Risk Analysis (B)

During an internal risk assessment, a risk manager notes that local management has proactively mitigated a high-level risk related to the global purchasing process. Which of the following accurately reflects responsibility?

Corporate management remains responsible for the risk. (B)

Which of the following BEST estimates the likelihood of significant events affecting an enterprise?

Scenario analysis (C)

Which of the following BEST improves decision-making related to risk?

Maintaining a documented risk register of all possible risks (D)

What is the PRIMARY reason to have the risk management process reviewed by an independent risk management professional?

Assess the validity of the process end to end (D)

What review is BEST suited for IT risk analysis results before they are sent to management for approval and decision making?

A peer review (A)

What is the FIRST step in identifying and assessing IT risk?

Gather information on the current and future environment (A)

Risk scenarios should primarily be created based on which of the following:

Threats that the enterprise faces (B)

Which of the following triggers performance of an internal ad hoc risk assessment BEFORE the annual occurrence?

A new system is introduced into the environment. (B)

When a start-up company becomes popular, and suddenly is the target of hackers, what is this considered?

An Emerging Threat (B)

An external risk assessment team reviews documentation as the first step in a risk assessment PRIMARILY to gain a thorough understanding of what?

The enterprise's business processes (D)

When using a maturity model for assessing the risk management process, which capability dimension is MOST important?

Performance (A)

Flashcards

Threat and vulnerability assessment

Evaluates business process elements for threats/vulnerabilities, identifying likelihood and business impact if realized.

Risk practitioner's role

Clarify risk when policies can't be followed; implement solution only if related risk is formally accepted.

Comprehensive qualitative risk analysis

Using possible threat scenarios better frames the range of risk and facilitates informed decisions.

Maintaining a Risk Register

Ensures accuracy by enabling periodic polling of risk assessors through workflow features.

Primary Objective of Risk Management

Ensuring residual risk remains at an acceptable level for the business

Use of Risk Assessment Techniques

Justify and implement risk mitigation strategy efficiently.

Importance of risk assessment

Yields risk mitigation techniques appropriate for the enterprise risk context.

Assessing Information System Risk

Threats and vulnerabilities evaluated using qualitative/quantitative risk assessment approaches.

When to add emerging risk

Risk identification starts when planning an activity.

What is a vulnerability?

A weakness exposing sensitive information to malicious damage or attack

Learning of a security breach

Assess if it will occur at the practitioner's enterprise.

Triggering a Comprehensive Risk Assessment

Changes in the business environment will trigger a risk assessment.

Delphi Technique

Polling or gathering information between interviewer/interviewee done anonymously or privately

Information in a risk register

Date, description, impact, probability, risk score, mitigation action, and owner.

Greatest advantage of Business Impact Analysis (BIA)

Raises enterprise-wide awareness of risk to business recovery and continuity.

Advantage of updating Risk Register

Ensure an inventory of risk is maintained.

The Capability Maturity Model

Grades processes based on their maturity on a scale of 0 to 5.

Risk Scenarios

Best technique in assessing business risk

Business Impact Analysis (BIA)

Evaluates the impact of disruption over time

Risk Scenarios used in Assessment

Estimate frequency and impact of risk

Gap Analysis

Identifies control deficiencies: the gap between desired objectives and the effective design/operation of controls.

Continuous Monitoring

Track key performance metrics to quickly address critical issues with minimum impact.

Updating Risk Register annually

Risk register does not reflect true status of IT risk of the enterprise

IT Risk Measured

By its impact on business operations

Quantitative Risk Analysis

Deriving probability and impact from the use of statistical techniques

Mitigation in Global Enterprise

Corporate management still owns it.

Scenario Analysis

With vulnerability analysis, best determines whether a risk is relevant.

Documented risk register

A risk register captures the population of risk scenarios and provides a basis for their prioritization

Primary reason to review

Validates the whole end-to-end risk management process.

Peer Review: IT Risk Analysis

Effective, efficient and good practice

First Step: Identify IT Risk

Gather info about the pending changes to enterprise environment.

Important factors to consider

Likelihood of a threat action occurring.

Ad Hoc Risk assessment

The level of new/added risk needs assessing.

Emerging threat, start-up

A start-up that suddenly becomes popular becomes an attractive target for hackers; this is an emerging threat.

Primary reasons External Risk Assessment

Gain a thorough understanding of the business processes.

Capability Dimensions, Maturity model

Performance of the implemented process fulfils its purpose

Define vulnerability

A weakness, such as when the premium has lapsed.

What value does a risk register have?

They serve as reference for making judgements on risk

Main risk assessments objective

To detect possible threats that may affect the business

Best use of a maturity model

Maturity models can be used to help identify gaps between the current and the desired state.

Study Notes

IT Risk Assessment Overview

  • IT risk assessment estimates significant risk likelihood and impact
  • Utilizes risk scenarios for estimation
  • Focuses on all business process components for threats and vulnerabilities
  • Identifies occurrence likelihood
  • Determines the business impact of realized threats

Technical Solution Implementation

  • In cases of critical business importance where technical solutions deviate from policies, conduct a risk assessment
  • Implement the solution only if related risk has formal enterprise acceptance

Qualitative Risk Analysis

  • Qualitative risk analysis based on scenarios with threats and impacts produces comprehensive results
  • Frames the risk range
  • Facilitates informed discussions and decisions

Risk Register Management

  • When a risk is no longer relevant, remove it from the risk register

Maintaining an Accurate Risk Register

  • Publish the risk register centrally
  • Use workflow features for periodic polling of risk assessors
  • Employ a knowledge management platform featuring workflow and polling to automate register maintenance

Emerging Risk Addition

  • An emerging risk should be added when the triggering activity has initiated

Risk Management Program Objectives

  • The primary goal is to maintain residual risk at an acceptable level for the business

Risk Assessment Technique Application

  • Apply risk assessment techniques to efficiently justify and implement risk mitigation strategies

Printer Security Protocol

  • Upon noticing new printer models retain document copies on an internal hard disk, notify the security manager
  • Risk assessment determines appropriate mitigation techniques relative to enterprise risk context and appetite

Repeated Risk Assessments

  • Conducted at regular intervals because business threats are constantly evolving

Assessing Information System Risk

  • Best achieved by evaluating threats linked to existing informational assets

What a Lack of Adequate Controls Represents

  • Indicates a vulnerability that exposes sensitive information and data

Incident Response Protocol

  • Upon a security breach at another entity, assess the likelihood of a similar incident at the risk practitioner's enterprise

Most Likely Trigger for Risk Assessment

  • Detected changes in the business environment trigger a comprehensive risk assessment outside the periodic cycle

Technique For Identifying Risk

  • Anonymous risk identification via Delphi technique involves polling anonymously or privately

Key Info Need For Each Risk

  • Mitigation action and owner to be specified

Greatest Advantage Of Impact Analysis

  • Raises enterprise-wide awareness of risk to business recovery and continuity

Primary Advantage

  • Maintain an inventory of identified risk

Tool For Measuring Risk

  • A capability maturity model assists in measuring the existing development level of risk management processes against the desired state

Technique For Assessing Business Risk

  • Risk scenarios are valuable in determining identified risk's likelihood and impact

Risk Register

  • The risk register details all identified risks
  • Risk register identifies the inclusion category, cause, and probability of impacting objectives
  • Identifies proposed responses, owners, and current status

Business Impact

  • Its primary use is to evaluate the impact of disruption over time on an enterprise's ability to operate

Enablement For Frequency

  • When used correctly, risk scenarios aid the assessment by making two key elements clear: the frequency and the impact of risk

Identifying Business Assets Is Key For:

  • Identifying vulnerabilities that will contribute to the risk scenarios

Identifying Info Systems

  • Gap analysis helps to identify potential deficiencies

Assessing Performance

  • Continuous monitoring can help to track key performance metrics and possibly prevent potentially related issues

Greatest Risk

  • Updating the register only annually means that it does not reflect the true status of the enterprise's IT risk

Main Measurement

  • IT risk is measured mainly by its impact on Business operations

Likelihood And Impact

  • Quantitative risk analysis derives likelihood and impact through statistical and data-driven methods

Responsibilities

  • Corporate management remains responsible for a risk, even when the response is executed at a lower (local) level

Scenarios and Analysis

  • Scenario analysis together with vulnerability analysis determines whether a risk is relevant

Risk Register Capture

  • Maintaining a documented risk register improves decision-making related to risk and the responses chosen

Primary Reasons

  • The primary reason for an independent review is to assess the validity of the risk management process end to end

Results Sent

  • A peer review of IT risk analysis results is effective, efficient and good practice

Steps To Minimize IT Risk

  • The first step is to gather information on the current and future environment

Scenarios Should Be Based On The Following

  • Scenarios need to be based on the risks the company faces

Introducing New Risks

  • Introducing new systems will increase overall risk and triggers an ad hoc risk assessment

New Hacker Targets

  • A start-up that suddenly becomes a target of hackers faces an emerging threat

External Risk Assessment Documentation Review

  • Reviewing documentation first gives the team a thorough understanding of the business processes

Risk management Process

  • Performance is the most important capability dimension: the implemented process fulfils its purpose

The Type

  • A weakness represents a vulnerability

Provides Detailed Info

  • Registers serve as a reference for making judgements on risk and support decision-making

The Main Objective

  • Detection of possible threats that may affect the business, and their documentation

A Maturity Model

  • Should help identify gaps between the current and the desired state, and the effort needed to close them

The alignment

  • The main alignment is related to prioritizing

Likelihood and impact

  • Determine the magnitude of a potential loss

Benefits Of A Register

  • A register provides a basis for prioritizing risk

Prevent Low Level Risks

  • Address more with a series of attacks.

Total Impact

  • A professional makes quantitative measurements to help measure total impact

Should Be Available

  • Risk should be in the register

To Establish

  • To compare future results

The Important Items

  • Are Business objectives

Evaluation

  • Take into account the size and likelihood of loss
