CISSP All-in-One Exam Guide Chapter Review PDF
Summary
This chapter review provides an overview of risk management principles, techniques like Failure Modes and Effect Analysis (FMEA), and quantitative/qualitative analysis in the context of information systems. It emphasizes the importance of identifying and mitigating risks.
Full Transcript
CISSP All-in-One Exam Guide 116

Chapter Review

We took a very detailed look at the way in which we manage risk to our information systems. We know that no system is truly secure, so our job is to find the most likely and the most dangerous threat actions so that we can address them first. The process of quantifying losses and their probabilities of occurring is at the heart of risk assessments. Armed with that information, we are able to make good decisions in terms of controls, processes, and costs. Our approach is focused not solely on the human adversary but also on any source of loss to our organizations. Most importantly, we use this information to devise ways in which to ensure we can continue business operations in the face of any reasonable threat.

Quick Review

- Risk management is the process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level.
- An information systems risk management (ISRM) policy provides the foundation and direction for the organization’s security risk management processes and procedures and should address all issues of information security.
- A threat is a potential cause of an unwanted incident, which may result in harm to a system or organization.
- Four risk assessment methodologies with which you should be familiar are NIST SP 800-30; Facilitated Risk Analysis Process (FRAP); Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE); and Failure Modes and Effect Analysis (FMEA).
- Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their effects through a structured process.
- A fault tree analysis is a useful approach to detect failures that can take place within complex environments and systems.
- A quantitative risk analysis attempts to assign monetary values to components within the analysis.
- A purely quantitative risk analysis is not possible because qualitative items cannot be quantified with precision.
- Qualitative risk analysis uses judgment and intuition instead of numbers.
- Qualitative risk analysis involves people with the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience.
- Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE)

Chapter 2: Risk Management 117

- The main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.
- Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.
- Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.
- The risk management team should include individuals from different departments within the organization, not just technical personnel.
- Risk can be transferred, avoided, reduced, or accepted.
- Threats × vulnerability × asset value = total risk.
- (Threats × vulnerability × asset value) × controls gap = residual risk.
- When choosing the right safeguard to reduce a specific risk, the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.
- There are three main categories of controls: administrative, technical, and physical.
- Controls can also be grouped by types, depending on their intended purpose, as preventive, detective, corrective, deterrent, recovery, and compensating.
- A control assessment is an evaluation of one or more controls to determine the extent to which they are implemented correctly, operating as intended, and producing the desired outcome.
- Security control verification answers the question “did we implement the control right?” while validation answers the question “did we implement the right control?”
- Risk monitoring is the ongoing process of adding new risks, reevaluating existing ones, removing moot ones, and continuously assessing the effectiveness of your controls at mitigating all risks to tolerable levels.
- Change management processes deal with monitoring changes to your environment and dealing with the risks they could introduce.
- Continuous improvement is the practice of identifying opportunities, mitigating threats, improving quality, and reducing waste as an ongoing effort. It is the hallmark of mature and effective organizations.
- A supply chain is a sequence of suppliers involved in delivering some product.
- Business continuity management (BCM) is the overarching approach to managing all aspects of BCP and DRP.
- A business continuity plan (BCP) contains strategy documents that provide detailed procedures that ensure critical business functions are maintained and that help minimize losses of life, operations, and systems.
- A BCP provides procedures for emergency responses, extended backup operations, and post-disaster recovery.
- A BCP should have an enterprise-wide reach, with each individual organizational unit having its own detailed continuity and contingency plans.
- A BCP needs to prioritize critical applications and provide a sequence for efficient recovery.
- A BCP requires senior executive management support for initiating the plan and final approval.
- BCPs can quickly become outdated due to personnel turnover, reorganizations, and undocumented changes.
- Executives may be held liable if proper BCPs are not developed and used.
- Threats can be natural, man-made, or technical.
- The business impact analysis (BIA) is one of the most important first steps in the planning development.
- Qualitative and quantitative data on the business impact of a disaster need to be gathered, analyzed, interpreted, and presented to management.
- Executive commitment and support are the most critical elements in developing the BCP.
- A business case must be presented to gain executive support. This is done by explaining regulatory and legal requirements, exposing vulnerabilities, and providing solutions.
- Plans should be prepared by the people who will actually carry them out.
- The planning group should comprise representatives from all departments or organizational units.
- The BCP team should identify the individuals who will interact with external players, such as the reporters, shareholders, customers, and civic officials.
- Response to the disaster should be done quickly and honestly, and should be consistent with any other organizational response.

Questions

Please remember that these questions are formatted and asked in a certain way for a reason. Keep in mind that the CISSP exam is asking questions at a conceptual level. Questions may not always have the perfect answer, and the candidate is advised against always looking for the perfect answer. Instead, the candidate should look for the best answer in the list.

1. When is it acceptable to not take action on an identified risk?
   A. Never. Good security addresses and reduces all risks.
   B. When political issues prevent this type of risk from being addressed.
   C. When the necessary countermeasure is complex.
   D. When the cost of the countermeasure outweighs the value of the asset and potential loss.
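As an added worked example (not code from the book), the Quick Review's SLE × ARO = ALE and total risk × controls gap = residual risk formulas, together with the safeguard cost/benefit test that decides between reducing and accepting a risk. All figures are constructed sample values, and the asset value × exposure factor step for SLE is the standard CISSP definition rather than a formula spelled out in this review.

```python
"""Quantitative risk analysis arithmetic from the chapter review:
SLE x ARO = ALE, total risk x controls gap = residual risk, and the
cost/benefit test that decides between reducing and accepting a risk.
All figures are constructed sample values, not data from the book."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    asset_value: float      # monetary value assigned to the asset
    exposure_factor: float  # fraction of asset value lost in one incident
    aro: float              # annualized rate of occurrence (incidents/year)

def single_loss_expectancy(s: Scenario) -> float:
    # SLE = asset value x exposure factor (standard CISSP definition,
    # not spelled out in this review)
    return s.asset_value * s.exposure_factor

def annualized_loss_expectancy(s: Scenario) -> float:
    # SLE x ARO = ALE, as given in the Quick Review
    return single_loss_expectancy(s) * s.aro

def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    # Annual value of a safeguard = ALE(before) - ALE(after) - annual cost.
    # Negative means the countermeasure costs more than the loss it prevents.
    return (annualized_loss_expectancy(before)
            - annualized_loss_expectancy(after) - annual_cost)

def risk_response(before: Scenario, after: Scenario, annual_cost: float) -> str:
    # Of the four responses (transfer, avoid, reduce, accept), choose between
    # reduce and accept on the cost/benefit figures alone.
    return "reduce" if safeguard_value(before, after, annual_cost) > 0 else "accept"

def total_risk(threat_likelihood: float, vulnerability: float, asset_value: float) -> float:
    # Threats x vulnerability x asset value = total risk
    return threat_likelihood * vulnerability * asset_value

def residual_risk(total: float, controls_gap: float) -> float:
    # (Threats x vulnerability x asset value) x controls gap = residual risk;
    # controls_gap is the share of total risk the controls leave uncovered
    return total * controls_gap

if __name__ == "__main__":
    # Constructed example: an asset worth 200,000; an incident destroys a
    # quarter of its value and is expected about once every two years.
    before = Scenario(asset_value=200_000, exposure_factor=0.25, aro=0.5)
    # A control halves the damage per incident but not how often it happens.
    after = Scenario(asset_value=200_000, exposure_factor=0.125, aro=0.5)
    print("ALE before:", annualized_loss_expectancy(before))  # 25000.0
    print("ALE after: ", annualized_loss_expectancy(after))   # 12500.0
    for cost in (8_000, 15_000):
        print(f"control costing {cost}/yr -> {risk_response(before, after, cost)}")
```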