Risk Management Assessment Quiz

Questions and Answers

What does the people layer of cybersecurity involve?

• Implementation, automation, and reporting
• CISOs/Security Officers, domain experts, and employee awareness (correct)
• Spear phishing and ransomware
• Supply chain, middlemen, and distribution channels

What role do CISOs/Security Officers play in cybersecurity?

• Restoring access to data after a ransomware attack
• Operating technology and solving cybersecurity issues
• Strategic and tactical leaders (correct)
• Implementing technology solutions

What is the estimated cost of cybercrime in 2021?

• $27k
• $6 trillion (correct)
• $4,500
• $500 billion

What type of attack involves mass infection of systems and demands payment in exchange for restoring access to data?

Ransomware (C)

What method do living-off-the-land attacks use to conduct attacks?

Trusted system tools (D)

Which technological weakness allows hackers to exploit it before a fix is available?

Zero-day vulnerability (D)

What is the average return per attack for hackers?

$4,500 (C)

What are some common cybersecurity threats mentioned in the text?

Spear phishing and ransomware (C)

Which layer of cybersecurity forms the hygiene layer?

People layer (C)

What is the primary focus of domain experts in cybersecurity?

Operating technology and solving cybersecurity issues (A)

What do hackers use to influence their target selection?

Return on investment (ROI) (B)

What is an ISMS?

A systematic approach for managing an organization's information security (B)

What is ISO27002 primarily focused on?

Implementing security controls (A)

Which of the following is a pillar of a security strategy?

Risk management (B)

What does ISO27001:2017 mainly focus on?

Leadership and planning (A)

What is the 'Fog of More' related to in cybersecurity?

Technical maturity (D)

What is a threat in the context of cybersecurity?

A potential cause of an unwanted incident (D)

What is the main focus of an ISMS?

Managing information security risk (D)

What does an ISO27k family of standards mainly include?

Security controls and risk assessments (A)

What does developing a cybersecurity strategy involve?

Defining tailored security strategy and roadmap (D)

What does Cyber Compliance act as in the context of trade?

An essential barrier for trade in the context of security trends and security management. (D)

What are the opportunities presented by cybersecurity?

Avoidance of direct damage and customer/investor confidence (C)

Which Implementation Group (IG) is characterized by small to medium-sized organizations with limited IT and cybersecurity expertise?

IG1 (C)

Which Implementation Group (IG) prioritizes addressing the confidentiality and integrity of sensitive data?

IG3 (D)

Which Implementation Group (IG) supports multiple departments with varying risk profiles and may have regulatory compliance burdens?

IG2 (A)

Which Implementation Group (IG) must summarize findings and risks after a maturity assessment using the chosen governance standard?

IG3 (A)

Which Implementation Group (IG) employs individuals responsible for managing and protecting IT infrastructure?

IG2 (A)

Which Implementation Group (IG) is concerned about keeping business operational and protecting employee and financial information?

IG1 (D)

Which Implementation Group (IG) employs security experts specializing in different cybersecurity facets?

IG3 (A)

Which Implementation Group (IG) aims to thwart general attacks with sub-controls implementable with limited expertise?

IG1 (B)

What is the definition of risk as per ISO31000 and ISO27001:2017?

The potential harm or threat to an organization, determined by the impact and likelihood (D)

What does Risk management for CI/CD servers, such as JIRA and Confluence, involve?

Assessing and protecting critical information assets (C)

What are RTOs and RPOs in the context of risk management for assets like Active Directory Servers?

Recovery Time Objectives and Recovery Point Objectives (C)

How many controls are outlined in ISO27001:2017 for effective risk management?

114 controls in 14 clauses and 35 control categories (A)

What does the NIST Cyber Security Framework (CSF) provide guidelines for?

Developing a cyber security strategy (D)

What are the two tracks focused on by the NIST CSF?

Governance and Technical tracks (B)

What are the essential components of an effective cyber security strategy according to the NIST CSF?

Continuous diagnostics and mitigation, automation, and measurements and metrics (B)

What do ISO27002:2017 and other standards provide additional controls and guidelines for?

Operational security governance, procedural guidelines, and technical controls (D)

What does NIST do in relation to cyber security programs?

Validates cyber security programs and offers certifications for individuals as NIST CSF Practitioners (B)

What is the purpose of the high-level description of the actions to take to mitigate the risk associated with finding A, B, and C?

To specify the more detailed actions to take for each high-level risk mitigating action (A)

How can one set a target maturity over 3 years?

Based on benchmark figures within the same sector (B)

What is suggested to be documented for each detailed action to take to mitigate risks?

Stakeholders, budget estimate, and timing (A)

What is recommended to gain overall security maturity and make it demonstrable towards interested stakeholders during the 'Repeatable, Scalable & Profitable Growth' phase?

Adopt security standards (ISO27k, NIST, ...) (A)

What is the purpose of dividing and conquering the cybersecurity task according to the text?

To divide the cybersecurity task among multiple persons (C)

What is part of the essential security & compliance projects in the Ecosystem of partners?

Continuous vulnerability scanning (A)

What is recommended to focus on during the 'Product/Market Fit' phase in terms of security objectives?

During which phase should one define basic non-functional requirements, manually threat model, validate security of MVP, and use subsidized security services to minimize costs?

"Product/Market Fit" phase (A)

What is suggested as an example deliverable in "HOW TO DEVELOP A PROPER CYBER SECURITY STRATEGY"?

What should be prioritized and detailed over the coming (3) years according to the text?

What is suggested during the 'Repeatable, Scalable & Profitable Growth' phase in terms of security objectives?

Study Notes

• Risk is defined as the potential harm or threat to an organization, determined by the impact and probability. (ISO31000, ISO27001:2017)
• Risk management for CI/CD servers, such as JIRA and Confluence, involves assessing and protecting critical information assets.
• Example assets include Active Directory Servers, with different risk profiles, RTOs (Recovery Time Objectives), and RPOs (Recovery Point Objectives).
• ISO27001:2017 outlines 114 controls in 14 clauses and 35 control categories for effective risk management, including controls for information security policies, human resource security, and access control.
• The NIST Cyber Security Framework (CSF) provides guidelines for developing a cyber security strategy, with easy-to-understand categories and maturity levels for risk management.
• The NIST CSF focuses on options for both the Governance and Technical tracks, including the use of community support networks and prioritized controls for effective cyber defense systems.
• Continuous diagnostics and mitigation, automation, and measurements and metrics are essential components of an effective cyber security strategy, according to the NIST CSF.
• ISO27002:2017 and other standards provide additional controls and guidelines for operational security governance, procedural guidelines, and technical controls.
• NIST validates cyber security programs and offers certifications for individuals as NIST CSF Practitioners.
• The CIS Controls (V7.1) are recommended for the Technical Track, offering a prioritized set of actions that are community-supported, implementable, scalable, and compliant with industry and government security requirements.
• The 5 critical tenets of an effective cyber defense system, according to the NIST CSF, include offense informs defense, prioritization, measurements and metrics, and continuous diagnostics and mitigation.

Description

Test your knowledge of risk management with this quiz. Evaluate your understanding of ISO31000, ISO27001:2017, CI/CD, servers, JIRA/Confluence, business impact assessment, and more.