Module 6: Risk Management Overview
48 Questions

Questions and Answers

What is the purpose of Early Warning Indicators in risk management?

  • To increase the risk exposure
  • To eliminate the risk entirely
  • To keep track of early signs of risks (correct)
  • To delay decision-making

Internal sources of risk can be controlled to a certain extent.

Answer: True

What should organizations cultivate to enhance risk management processes?

Answer: Supportive culture

The _____ cycle involves evaluating inputs at each step of the risk management process.

Answer: Review

Which principle of risk management involves considering the various external factors affecting an organization?

Answer: Organizational Context

Match the following principles of risk management to their descriptions:

  • Organizational Context = Factors affecting an organization
  • Continual Improvement = Enhancing risk management strategies
  • Supportive Culture = A culture of discussing risks
  • Review Cycle = Evaluating inputs continuously

What element of risk management involves brainstorming and enabling discussion?

Answer: Supportive culture

The PMBOK contains principles that can enhance risk management processes.

Answer: True

What is a primary consideration when making decisions related to information security?

Answer: Risk-based approach

Information security policies are detailed procedures that describe specific actions to be taken.

Answer: False

What must be determined before writing information security policies?

Answer: The overall goal of the policy

The responsibility for conducting the GSI strategy often leads to headaches regarding the right __________ decisions.

Answer: investment

Match the investment areas with their corresponding focus:

  • Hardware = Physical assets protection
  • Software = Program and application security
  • Access = User entry and permissions management
  • People = Human resource security

Which of the following is NOT considered an aspect of information security compliance?

Answer: Personal preferences

Information security policies should align with corporate risk management models.

Answer: True

What approach should be taken to ensure information security?

Answer: Risk-Based Approach

What is the primary purpose of a business continuity plan?

Answer: To ensure operations can be maintained during disasters

Senior management should not be involved in the creation of the business continuity plan.

Answer: False

What is the first step in developing a business continuity plan?

Answer: Identify the scope of the plan

The person responsible for the integrity and security of an asset is called the __________.

Answer: owner

Match the following terms with their definitions:

  • Authorization = Permission to perform certain actions
  • Access = Means to reach and use a resource
  • Business Impact Analysis = Assessment of vulnerabilities and losses
  • Downtime = Period when a function is not operational

What is the primary role of a custodian in a system?

Answer: To maintain the security of a system

What should a business continuity plan assess in order to identify vulnerabilities?

Answer: Business processes and potential losses

Authentication is the process of granting permissions that are linked to the user's account.

Answer: False

Acceptable downtime must be determined for each critical function.

Answer: True

What is the term used for a person who simply uses the asset without the ability to change access rights?

Answer: End User

What is the definition of 'dependencies' in the context of a business continuity plan?

Answer: Dependencies refer to the relationships between various business areas and functions that are interconnected.

Identification is simply entering a user __________.

Answer: name

Which of the following is NOT one of the three key elements of security?

Answer: Decryption

A supplicant refers to a requester in the context of authentication.

Answer: True

Most security is based on one or more of three types of things: something you have, something you know, and something you __________.

Answer: are

Match the following roles or terms with their descriptions:

  • Custodian = Maintains system security
  • End User = Uses the asset without permission changes
  • Authentication = Confirming identity
  • Authorization = Granting account permissions

Which access control model allows the owner to define the security policy?

Answer: Mandatory Access Control (MAC)

Role Based Access Control (RBAC) grants access based on individual identities rather than roles.

Answer: False

What is the primary function of a packet-filtering firewall?

Answer: To examine and filter network packets based on predefined rules.

Discretionary Access Control (DAC) is known as the ______ restrictive model.

Answer: least

Which of the following is NOT a type of firewall classified by its processing type?

Answer: Nondiscretionary firewalls

What does Task Based Access Control (TBAC) allow users to do?

Answer: Change access levels based on the tasks they are performing.

Match the following access control models with their descriptions:

  • Mandatory Access Control (MAC) = Owner-defined security policy
  • Discretionary Access Control (DAC) = Least restrictive model
  • Role Based Access Control (RBAC) = Access granted based on user roles
  • Task Based Access Control (TBAC) = Access changes based on user tasks

Nondiscretionary controls allow end users to change the security policies.

Answer: False

Which layer of the OSI Model is responsible for managing delivery and error checking of data packets?

Answer: Transport Layer

A stateful firewall allows packets from any source address without prior connection agreements.

Answer: False

What is one common example of a transport layer protocol?

Answer: TCP

The _____ layer controls conversations between different computers in the OSI Model.

Answer: Session

Match the following types of packet filtering firewalls with their descriptions:

  • Static = Rules set by a system administrator
  • Dynamic = Rules set by the firewall for itself
  • Stateful = Checks packets based on negotiated connections

The presentation layer is responsible for encrypting and decrypting data.

Answer: True

Which protocol is specified for allowing a packet if the source address is 192.168.0.1 and the destination address is 10.10.10.10?

Answer: FTP

What is the role of the presentation layer in the OSI model?

Answer: Formats or translates data for the application layer

Study Notes

Module 6: Risk Management

• Risk management is the process of minimizing or mitigating risk. It involves identifying and evaluating risk, and using resources to monitor and minimize it.
• Prioritize risks based on potential loss and likelihood of occurrence.
• Risk management involves four steps: assessment, evaluation/management, and impact measurement.
• Risk sources can be internal or external. External sources are uncontrollable (e.g., weather), while internal sources are controllable.
• Various organizations have risk management principles outlined by the International Standardization Organization (ISO) and the Project Management Body of Knowledge (PMBOK). The PMBOK has 10 principles.
• Risk management considerations include organizational context, stakeholder involvement, organizational objectives, reporting, roles, responsibilities, support structure, early warning indicators, review cycle, and supportive culture.
• Continual improvement in risk management strategies is key.

Module 7: Information Security Governance

• Information security governance (GSI) directs and controls information security activities within an organization.
• Similar to IT governance, it is an evolving organizational governance structure.
• Various models exist with different levels of functionality.
• Policies are high-level plans outlining information security goals.
• Policies must determine what is being protected and why.
• Policies cover hardware, software, access, people, connections, network, and telecommunications. Policies also cover enforcement.
• Security must comply with internal and external laws/regulations, including the General Data Protection Regulation (GDPR).
• Security and compliance principles should be consistent with business objectives.
• Security must promote a positive network environment, as human behaviour is a crucial factor in security.

Quiz Team

ReplaceableBanjo

Related Documents

IAS Midterm - Reviewer PDF

Description

Explore the essential concepts of risk management in this quiz. Understand the four key steps involved, the distinction between internal and external risk sources, and the guiding principles from ISO and PMBOK. Test your knowledge on prioritizing risks and the considerations necessary for effective management.