Risk Management Fundamentals Exam Questions and Answers

Risk Management Fundamentals Exam Questions and Answers Risk - answer- likelihood of a loss occurring. = Threat x Vulnerability Threat - answer- any activity that represents possible danger vulnerability - answer- a weakness; procedural, technical, or administrative Loss - answer- results in a compromise to business functions or assets. Occurs when a threat exposes a vulnerability What are risk related concerns for businesses? - answer- Compromise of business functions, assets, driver of business costs, and profitability vs survivability Business function - answer- activities or the work that a business unit or role performs to sell products/services. Business Assets - answer- is anything with a measurable value to a company. Tangible or intangible. A company sells product via a website. Revenue is $5000 per hour. If the website fails for 2 hours what is the tangible and intangible loss assuming that the repair cost is $1000. What is the tangible and intangible value? - answer- Tangiblevalue=$5,000*2+$1,000=$11,000 • IntangibleValue: - Future lost revenue - Cost of gaining a customer - Customer influence Tangible value - answer- the actual cost of the asset. Tangiblevalue=lostrevenue+Repaircost Intangible value - answer- value that can't be measured by cost for future loss of revenue, cost of gaining a customer, and customer influence. Driver of business cost - answer- Risk can drive business costs due to costs associated with managing risk by implementing controls/countermeasures. Profitability vs. survivability - answer- Profitability - ability of a company to make a profit --. Revenue - costs. Survivability - ability of company to survive a loss due to risk. Loss may cause company to lose profit. Lost opportunity costs - answer- Money spent to reduce risks can't be spent elsewhere. What must risk managers take into account when considering profitability vs survivability? - answer- Out of pocket costs to reduce risks, lost opportunity costs due to the money spent to reduce risk that can't be spent elsewhere, future costs associated with ongoing/future countermeasures What are the 7 domains of a Typical IT infrastructure? - answer- 1. User - all people, Includes usernames, passwords, biometric or other authentication, and social engineering. 2. Workstation - end user's computer/system/cell phone. 3. LAN - inside firewall, Includes equipment required to create an internal LAN, such as hubs, switches, and media 4. LAN - WAN - trusted/untrusted area needs high security, the transition area between the LAN and the WAN, including the router and firewall 5. WAN - Internet. Includes routers and circuits connecting the wide area network. 6. System/Application - serversIncludes applications you run on your network, such as e-mail, database and Web applications. 7. Remote Access - access LAN, How remote or traveling users use your network, as in a Virtual Private Network (VPN). What are characteristics of threats? - answer- Threats can't be eliminated but they may be controlled. § Threats have independent probabilities of occurring that often are unaffected by an organizational action. § Threats are attempts to exploit vulnerabilities that result in the loss of confidentiality, integrity, or availability of a business asset. Risk management - answer- the practice of identifying, assessing, controlling, and mitigating risks. Threats and vulnerabilities are key drivers of risk. What are the risk management elements/processes? - answer- 1. Assess Risk 2. Identify risks to manage 3. Select controls, 4. evaluate controls 5. Implement and test controls Reasonableness - answer- a test that can be applied to risk management to determine if the risk should be managed. Cost to manage risk vs. the impact How does the perception of risk differ by role? - answer- Management - costs of risk, profitability vs. suvivability System admin - protection systems, lock systems down Tier 1 admin - system availability Developer - including security as the design stage vs patching at the end of development End user - usability What is the risk identification process? - answer- 1. identify threats 2. Identify vulnerabilities 3. Estimate likelihood of a threat exploiting a vulnerability