Risk Management Processes Quiz

Risk Management Processes

Risk management is a cyclical process of identifying, assessing, analyzing, and responding to risks.
Business Impact Analysis (BIA) is a systematic activity that identifies organizational risks and determines their effect on ongoing mission-critical operations.
Risk acceptance is the process of determining that a risk is within the organization's appetite and no countermeasures are needed beyond ongoing monitoring.
Quantitative risk analysis is a numerical method used to assess the probability and impact of risk to measure the impact.
Qualitative risk analysis is the process of determining the probability and impact of risks using logical reasoning when numeric data isn't available immediately.
Inherent risk is the risk that an event will cause if no controls to mitigate it are put in place.
Key Risk Indicators (KRIs) are the method for identifying and analyzing emerging risks to proactively avoid issues.
Continuity of Operations (COOP) identifies how business processes address minor and disaster-level disruptions by ensuring processing redundancy.
Capacity planning estimates resources needed for personnel, storage, hardware, software, and connection infrastructure over a period of time.
Hot site is a fully configured alternate processing site that can be activated quickly after a disaster.
Warm site is a dormant processing location that can be quickly converted to a key operations site if needed.
Cold site is a predetermined alternate location where a network can be rebuilt after a disaster.
Asset Identification includes physical assets (e.g., laptops, computers, and storage devices) and intangible assets (e.g., data, processes, and intellectual property).
Internal threats include employee fraud, theft, system failure, sabotage, espionage, and collusion (e.g., "snooping").
External threats include fire, water damage, burglary, internet attackers, market competition, and natural disasters.
Risk Management Strategies include avoidance, transference, mitigation, and acceptance.
Transference includes outsourcing and cybersecurity insurance.
Security controls include administrative, technical, and risk-control checks.
Asset identification, risk identification, risk analysis, risk evaluation, and risk management strategies.
Analyzing risks calculates risk through quantitative and qualitative analysis.
Annual loss expectancy (ALE) is calculated by multiplying SLE (single loss expectancy) by ARO (annual rate of occurrence).
SLE is the loss expected by an attack and is usually expressed in monetary terms.
ARO is the frequency of an incident or event.
Risk register summarizes risks, identifies them with unique identifiers, projects impact, and likelihood with response plans to lower impact or probability.
Risk Matrix/Heat Map is used to illustrate risk levels with severity versus likelihood of risk.
Business continuity planning identifies critical functions, prioritizes those functions, calculates recovery timeframe, and estimates impact to create resilience.
Recover Point Objective (RPO) looks at how old restored data can be, and how many backups are needed.

Vendor Management

Due diligence is the best practice principle to use best practice or reasonable care. It involves avoiding negligence in tasks.
Conflict of interest occurs when individuals or organizations have investments or duties that could compromise an objective view, neutrality, or acting in the best interest of another party.
Questionnaires are structured means to collect consistent information to enable more effective risk analysis and comparison.
Rules of Engagement (RoE) defines the execution of a pen test, or constraints. This provides guidelines so the tester doesn't continually ask for permission.
Memorandum of Understanding (MOU) is a preliminary, or exploratory agreement between parties expressing intent to work together without money exchange.
Nondisclosure Agreement (NDA) agreement is not to disclose confidential or sensitive information to unauthorized parties.
Memorandum of Agreement (MOA) is a legal document forming the basis for cooperation between parties without needing a contract.
Business Partnership Agreement (BPA) defines agreement, collaboration, and close working relationship of companies.
Master Service Agreement (MSA) establishes precedence and guidelines for documents between two parties.
Service-level Agreement (SLA) sets service requirements based on the consumer and provider agreement, defining expectations.
Statement of Work (SOW)/Work Order (WO) defines expectations in a specific business engagement.
Third-party relationships (SLA, MOU, BPA, ISA).
Onboarding and offboarding considerations include verify compliance, assess vulnerabilities, audit security, share findings.
Offboarding includes disable shared connections, domain trusts, user or group accounts, and password reset, revisit NDA, and final business agreement.

Audits and Assessments

Audits determine if standards and tasks align with business practices.
Internal audit is completed by employees for analysis of business practices.
External audit is conducted by an independent third party to ensure standards meet expectations.
Penetration testing uses hacking techniques to find vulnerabilities that can be remediated.
Reconnaissance, scanning, vulnerability assessment, exploitation, and reporting are penetration testing stages.
Penetration test environments include unknown, partially known, and known vulnerabilities in targets.
Audit policies include Windows security log audits, advanced audit policy configuration, and enabling device logs from switches.
SIEM (Security Information and Event Management) is a software tool to compile data points from a network.
Sensor collects data points from a device or system and sends it to the monitoring system.
Trend is a pattern of activity discovered and reported to the system.
Sensitivity is a customized threshold for sensor data sent to the SIEM.
Types of audits include internal, external, and penetration testing, with different aspects of each.
Onboarding and offboarding are phases associated with risk management, to make sure tasks and systems are correct and compliant.