Module 6: Risk Management Overview

Questions and Answers

What is the purpose of Early Warning Indicators in risk management?

• To increase the risk exposure
• To eliminate the risk entirely
• To keep track of early signs of risks (correct)
• To delay decision-making

Internal sources of risk can be controlled to a certain extent.

True (A)

What should organizations cultivate to enhance risk management processes?

Supportive culture

The _____ cycle involves evaluating inputs at each step of the risk management process.

Review

Which principle of risk management involves considering the various external factors affecting an organization?

Organizational Context (A)

Match the following principles of risk management to their descriptions:

Organizational Context = Factors affecting an organization Continual Improvement = Enhancing risk management strategies Supportive Culture = A culture of discussing risks Review Cycle = Evaluating inputs continuously

What element of risk management involves brainstorming and enabling discussion?

Supportive culture

The PMBOK contains principles that can enhance risk management processes.

True (A)

What is a primary consideration when making decisions related to information security?

Risk-based approach (C)

Information security policies are detailed procedures that describe specific actions to be taken.

False (B)

What must be determined before writing information security policies?

The overall goal of the policy

The responsibility for conducting the GSI strategy often leads to headaches regarding the right __________ decisions.

investment

Match the investment areas with their corresponding focus:

Hardware = Physical assets protection Software = Program and application security Access = User entry and permissions management People = Human resource security

Which of the following is NOT considered an aspect of information security compliance?

Personal preferences (D)

Information security policies should align with corporate risk management models.

True (A)

What approach should be taken to ensure information security?

Risk-Based Approach

What is the primary purpose of a business continuity plan?

To ensure operations can be maintained during disasters (A)

Senior management should not be involved in the creation of the business continuity plan.

False (B)

What is the first step in developing a business continuity plan?

Identify the scope of the plan

The person responsible for the integrity and security of an asset is called the __________.

owner

Match the following terms with their definitions:

Authorization = Permission to perform certain actions Access = Means to reach and use a resource Business Impact Analysis = Assessment of vulnerabilities and losses Downtime = Period when a function is not operational

What is the primary role of a custodian in a system?

To maintain the security of a system (A)

What should a business continuity plan assess in order to identify vulnerabilities?

Business processes and potential losses (A)

Authentication is the process of granting permissions that are linked to the user's account.

False (B)

Acceptable downtime must be determined for each critical function.

True (A)

What is the term used for a person who simply uses the asset without the ability to change access rights?

End User

What is the definition of 'dependencies' in the context of a business continuity plan?

Dependencies refer to the relationships between various business areas and functions that are interconnected.

Identification is simply entering a user __________.

name

Which of the following is NOT one of the three key elements of security?

Decryption (A)

A supplicant refers to a requester in the context of authentication.

True (A)

Most security is based on one or more of three types of things: something you have, something you know, and something you __________.

are

Match the following roles or terms with their descriptions:

Custodian = Maintains system security End User = Uses the asset without permission changes Authentication = Confirming identity Authorization = Granting account permissions

Which access control model allows the owner to define the security policy?

Mandatory Access Control (MAC) (A)

Role Based Access Control (RBAC) grants access based on individual identities rather than roles.

False (B)

What is the primary function of a packet-filtering firewall?

To examine and filter network packets based on predefined rules.

Discretionary Access Control (DAC) is known as the ______ restrictive model.

least

Which of the following is NOT a type of firewalls classified by their processing type?

Nondiscretionary firewalls (D)

What does Task Based Access Control (TBAC) allow users to do?

Change access levels based on the tasks they are performing.

Match the following access control models with their descriptions:

Mandatory Access Control (MAC) = Owner-defined security policy Discretionary Access Control (DAC) = Least restrictive model Role Based Access Control (RBAC) = Access granted based on user roles Task Based Access Control (TBAC) = Access changes based on user tasks

Nondiscretionary controls allow end users to change the security policies.

False (B)

Which layer of the OSI Model is responsible for managing delivery and error checking of data packets?

Transport Layer (C)

A stateful firewall allows packets from any source address without prior connection agreements.

False (B)

What is one common example of a transport layer protocol?

TCP

The _____ layer controls conversations between different computers in the OSI Model.

Session

Match the following types of packet filtering firewalls with their descriptions:

Static = Rules set by a system administrator Dynamic = Rules set by the firewall for itself Stateful = Checks packets based on negotiated connections

The presentation layer is responsible for encrypting and decrypting data.

True (A)

Which protocol is specified for allowing a packet if the source address is 192.168.0.1 and the destination address is 10.10.10.10?

FTP (A)

What is the role of the presentation layer in the OSI model?

Formats or translates data for the application layer

Flashcards

Risk Management Principles

Established guidelines for managing risks, often by organizations or industry bodies.

External Sources

Factors outside a system that impact it and are largely uncontrollable.

Early Warning Indicators

Signals that a risk is escalating into a problem.

Review Cycle

Regular evaluation of the risk management process for improvement.

Supportive Culture

Encouraging an environment that promotes risk discussion and questioning.

Continual Improvement

The ongoing enhancement of risk management strategies.

Organizational Context

The environment (political, social, legal, technological, societal, etc.) affecting an organization.

Problem

A potential threat or adverse situation at work, such as accident or fire.

Risk-Based Approach to Information Security

Information security decisions should be made considering the potential risks.

Risk Management Integration

Information security risk management should be part of the overall corporate risk management process.

Investment Strategy (Info Security)

A plan for investing in information security based on business goals.

Compliance with Laws/Regulations

Information security must adhere to relevant laws and regulations.

Information Security Policy

High-level plan outlining goals and procedures for information security.

Policy Development Steps

Determining what to protect and why, is the first step before creating a security policy.

Protected Asset Categories

Policies can cover various assets like hardware, software, access, people, connections, networks, and telecommunications.

Strategic Investment Decisions

Choosing relevant investments should align with GSI strategy/objectives based on business needs, objectives and expected outcomes.

Business Continuity Plan (BCP)

A plan outlining procedures for maintaining business operations during disasters.

Business Impact Analysis (BIA)

Assessment of business vulnerabilities and potential losses if processes fail.

Key Business Areas

Essential parts of a business that need to operate.

Critical Functions

The essential operations that must continue.

Dependencies

Interconnectivity between different parts of an organization.

Acceptable Downtime

Maximum time an operation can be unavailable without critical impact.

Senior Management Support

Essential involvement of top-level management in BCP creation and updates.

Access Control

Methods for adjusting and controlling who has access to company assets and resources.

Custodian

A person who maintains system security, potentially adding/removing user access.

End User

A person who uses a system's resources without altering access permissions.

Authentication

Verifying a user's identity.

Authorization

Granting permissions based on user accounts.

Subjects

Users or processes representing users interacting with objects.

Objects

System assets (data, files, etc.) acted upon by subjects.

Supplicant/Requester

A user requesting access to a system resource.

Access Control Methods

Ways to restrict system access (e.g., something you have, know, or are).

Mandatory Access Control (MAC)

The most restrictive access control model. Security policies are set by an owner and enforced by a custodian; users cannot change them.

Role Based Access Control (RBAC)

Access is granted based on assigned roles (groups) within the system. Users are associated with roles for their job tasks.

Task Based Access Control (TBAC)

Access control based on the specific task a user is performing; rules can change user access level based on the current task.

Discretionary Access Control (DAC)

Least restrictive model. Users control access to their own resources. Subjects (users) have ownership and decide what other users can access.

Packet-filtering firewall

A firewall that examines network packets to determine if they should be allowed through based on rules like source/destination addresses and protocols.

Network Packet

A small unit of data transmitted over a network. Each packet contains the sender's and receiver's addresses.

Firewall (Classification)

Firewalls can be classified by processing type, generational evolution, or their implemented structure.

Multi-factor authentication

A security process that requires multiple authentication methods (e.g., username/password + one-time password).

Packet Filtering Firewall Types

Packet filtering firewalls use rules to allow or deny packets based on source/destination address, protocol, and other attributes.

Static Firewall

A firewall with rules set by a system administrator.

Dynamic Firewall

A firewall that sets some rules based on observed traffic.

Stateful Firewall

A firewall that tracks connections, preventing packets to suspicious ports unless connected before.

Transport Layer

Manages data packet delivery and error checking, controlling data transfer.

Session Layer

Manages sessions and communication between computers, including authentication and reconnections.

Presentation Layer

Formats and translates data for the application layer, handling syntax and encryption.

OSI Model Layer

A conceptual framework for understanding how network systems communicate with each other.

Study Notes

Module 6: Risk Management

• Risk management is the process of minimizing or mitigating risk. It involves identifying, evaluating risk, and using resources to monitor and minimize it.
• Prioritize risks based on potential loss and likelihood of occurrence.
• Risk management involves four steps: assessment, evaluation/management, and impact measurement.
• Risk sources can be internal or external. External sources are uncontrollable (e.g., weather), while internal sources are controllable.
• Various organizations have risk management principles outlined by the International Standardization Organization (ISO) and the Project Management Body of Knowledge (PMBOK). The PMBOK has 10 principles.
• Risk management considerations include organizational context, stakeholder involvement, organizational objectives, reporting, roles, responsibilities, support structure, early warning indicators, review cycle, and supportive culture.
• Continual improvement in risk management strategies is key.

Module 7: Information Security Governance

• Information security governance (GSI) directs and controls information security activities within an organization.
• Similar to IT Governance, it's an evolving organizational governance structure.
• Various models exist with different levels of functionality.
• Policies are high-level plans outlining information security goals.
• Policies must determine what's being protected and why.
• Policies cover hardware, software, access, people, connections, network, and telecommunications. Policies also cover enforcement.
• Security must comply with internal and external laws/regulations, including General Data Protection (GDPR).
• Security and compliance principles should be consistent with business objectives.
• Security must promote a positive network environment, as human behaviour is a crucial factor in security.

Description

Explore the essential concepts of risk management in this quiz. Understand the four key steps involved, the distinction between internal and external risk sources, and the guiding principles from ISO and PMBOK. Test your knowledge on prioritizing risks and the considerations necessary for effective management.