Risk Management Assessment Quiz

Questions and Answers

What does the people layer of cybersecurity involve?

CISOs/Security Officers, domain experts, and employee awareness

What role do CISOs/Security Officers play in cybersecurity?

Strategic and tactical leaders

What is the estimated cost of cybercrime in 2021?

$6 trillion

What type of attack involves mass infection of systems and demands payment in exchange for restoring access to data?

Ransomware

What method do living-off-the-land attacks use to conduct attacks?

Trusted system tools

Which technological weakness allows hackers to exploit it before a fix is available?

Zero-day vulnerability

What is the average return per attack for hackers?

$4,500

What are some common cybersecurity threats mentioned in the text?

Spear phishing and ransomware

Which layer of cybersecurity forms the hygiene layer?

People layer

What is the primary focus of domain experts in cybersecurity?

Operating technology and solving cybersecurity issues

What do hackers use to influence their target selection?

Return on investment (ROI)

What is an ISMS?

A systematic approach for managing an organization's information security

What is ISO27002 primarily focused on?

Implementing security controls

Which of the following is a pillar of a security strategy?

Risk management

What does ISO27001:2017 mainly focus on?

Leadership and planning

What is the 'Fog of More' related to in cybersecurity?

Technical maturity

What is a threat in the context of cybersecurity?

A potential cause of an unwanted incident

What is the main focus of an ISMS?

Managing information security risk

What does an ISO27k family of standards mainly include?

Security controls and risk assessments

What does developing a cybersecurity strategy involve?

Defining tailored security strategy and roadmap

What does Cyber Compliance act as in the context of trade?

An essential barrier for trade in the context of security trends and security management.

What are the opportunities presented by cybersecurity?

Avoidance of direct damage and customer/investor confidence

Which Implementation Group (IG) is characterized by small to medium-sized organizations with limited IT and cybersecurity expertise?

IG1

Which Implementation Group (IG) prioritizes addressing the confidentiality and integrity of sensitive data?

IG3

Which Implementation Group (IG) supports multiple departments with varying risk profiles and may have regulatory compliance burdens?

IG2

Which Implementation Group (IG) must summarize findings and risks after a maturity assessment using the chosen governance standard?

IG3

Which Implementation Group (IG) employs individuals responsible for managing and protecting IT infrastructure?

IG2

Which Implementation Group (IG) is concerned about keeping business operational and protecting employee and financial information?

IG1

Which Implementation Group (IG) employs security experts specializing in different cybersecurity facets?

IG3

Which Implementation Group (IG) aims to thwart general attacks with sub-controls implementable with limited expertise?

IG1

What is the definition of risk as per ISO31000 and ISO27001:2017?

The potential harm or threat to an organization, determined by the impact and likelihood

What does Risk management for CI/CD servers, such as JIRA and Confluence, involve?

Assessing and protecting critical information assets

What are RTOs and RPOs in the context of risk management for assets like Active Directory Servers?

Recovery Time Objectives and Recovery Point Objectives

How many controls are outlined in ISO27001:2017 for effective risk management?

114 controls in 14 clauses and 35 control categories

What does the NIST Cyber Security Framework (CSF) provide guidelines for?

Developing a cyber security strategy

What are the two tracks focused on by the NIST CSF?

Governance and Technical tracks

What are the essential components of an effective cyber security strategy according to the NIST CSF?

Continuous diagnostics and mitigation, automation, and measurements and metrics

What do ISO27002:2017 and other standards provide additional controls and guidelines for?

Operational security governance, procedural guidelines, and technical controls

What does NIST do in relation to cyber security programs?

Validates cyber security programs and offers certifications for individuals as NIST CSF Practitioners

What is the purpose of the high-level description of the actions to take to mitigate the risk associated with finding A, B, and C?

To specify the more detailed actions to take for each high-level risk mitigating action

How can one set a target maturity over 3 years?

Based on benchmark figures within the same sector

What is suggested to be documented for each detailed action to take to mitigate risks?

Stakeholders, budget estimate, and timing

What is recommended to gain overall security maturity and make it demonstrable towards interested stakeholders during the 'Repeatable, Scalable & Profitable Growth' phase?

Adopt security standards (ISO27k, NIST, ...)

What is the purpose of dividing and conquering the cybersecurity task according to the text?

To divide the cybersecurity task among multiple persons

What is part of the essential security & compliance projects in the Ecosystem of partners?

Continuous vulnerability scanning

What is recommended to focus on during the 'Product/Market Fit' phase in terms of security objectives?

During which phase should one define basic non-functional requirements, manually threat model, validate security of MVP, and use subsidized security services to minimize costs?

"Product/Market Fit" phase

What is suggested as an example deliverable in "HOW TO DEVELOP A PROPER CYBER SECURITY STRATEGY"?

What should be prioritized and detailed over the coming (3) years according to the text?

What is suggested during the 'Repeatable, Scalable & Profitable Growth' phase in terms of security objectives?

Study Notes

• Risk is defined as the potential harm or threat to an organization, determined by the impact and probability. (ISO31000, ISO27001:2017)
• Risk management for CI/CD servers, such as JIRA and Confluence, involves assessing and protecting critical information assets.
• Example assets include Active Directory Servers, with different risk profiles, RTOs (Recovery Time Objectives), and RPOs (Recovery Point Objectives).
• ISO27001:2017 outlines 114 controls in 14 clauses and 35 control categories for effective risk management, including controls for information security policies, human resource security, and access control.
• The NIST Cyber Security Framework (CSF) provides guidelines for developing a cyber security strategy, with easy-to-understand categories and maturity levels for risk management.
• The NIST CSF focuses on options for both the Governance and Technical tracks, including the use of community support networks and prioritized controls for effective cyber defense systems.
• Continuous diagnostics and mitigation, automation, and measurements and metrics are essential components of an effective cyber security strategy, according to the NIST CSF.
• ISO27002:2017 and other standards provide additional controls and guidelines for operational security governance, procedural guidelines, and technical controls.
• NIST validates cyber security programs and offers certifications for individuals as NIST CSF Practitioners.
• The CIS Controls (V7.1) are recommended for the Technical Track, offering a prioritized set of actions that are community-supported, implementable, scalable, and compliant with industry and government security requirements.
• The 5 critical tenets of an effective cyber defense system, according to the NIST CSF, include offense informs defense, prioritization, measurements and metrics, and continuous diagnostics and mitigation.

Description

Test your knowledge of risk management with this quiz. Evaluate your understanding of ISO31000, ISO27001:2017, CI/CD, servers, JIRA/Confluence, business impact assessment, and more.