Ch.2 Risk Management Lifecycle
1. What are the stages in the Risk Management Lifecycle?
2. Why is risk considered a moving target in risk management?
3. What factors may start the re-evaluation process in risk management?
4. Explain the Risk Management Workflow.
5. What is resource profiling and how does it fit into the risk assessment process?
6. How are vulnerabilities identified and rated in the risk assessment process?
7. What is the process involved in a risk assessment?
8. What are the rules of risk management?
9. What are the options for addressing risk?
10. What indirect control costs should be considered when addressing a risk?
11. What details should be captured for each risk finding?
12. What is the focus when mitigating risk?
13. How can risk be mitigated?
14. Why do organizations establish a certification and accreditation (C&A) process?
15. What are common triggers for reassessing risks?
Ch.3 Risk Profiling
1. What is risk sensitivity?
2. How should you begin profiling environments for risk assessment?
3. What are examples of valuable and vulnerable resources in an organization?
4. What does risk sensitivity refer to in the context of organizational resources?
5. What information should be gathered to assess the risk sensitivity of a resource?
6. What is the relationship between risk threshold and risk sensitivity level?
7. What should a security risk profile questionnaire include?
8. What categories of resources should be profiled in a security risk assessment?
9. Why is it important to include ownership and administration information in a resource profile, even if it doesn't directly affect the sensitivity evaluation?
10. What additional information should be included in a security risk profile?
11. What are the most common categories of impact to include in a security risk profile?
12. What types of questions should be included in a security risk profile questionnaire, and what types should be avoided?
13. How would you assess the sensitivity of general workstations and laptops in an organization?
14. What questions should be considered when assessing the risk profile for printers?
15. How should the sensitivity of a resource be assessed more accurately?
Ch.4 Formulating Risk
1. How do we define risk and develop a model to assess risk exposure?
2. What key questions should be answered in a well-written risk statement?
3. What are the core elements of risk exposure and risk rating?
4. What are the three key variables in measuring risk exposure?
5. How does the SANS Institute define the three ratings used to qualify a risk?
6. When describing risk exposure, what consequences should be considered for the organization?
7. How can you avoid mixing up threats, vulnerabilities, and risks in a risk statement?
8. Who is the threat actor and how do they exploit the vulnerability?
9. What is the threat activity?
10. What does severity refer to?
11. What does the term "threat" describe?
12. What are the high-level categories of information security threats?
13. When measuring a threat, what are we evaluating?
14. Which of these do you think describe a threat source or activity?
• Disgruntled employee
• Password cracking
• Internet-facing router
• Cleartext passwords being sent over the Internet
15. Which of these could be considered a threat source?
• Interruption of operations
• Untrained personnel
• Loss of data from virus infection
• Spear-phishing attack from Russian Business Network
• Lightning strike on the data center
16. How can threats be modeled in threat analysis?
Ch.5 Risk Exposure
1. How does a well-designed qualitative model help organizations identify the most likely impact of risks?
2. What is severity, and how is it measured with examples?
3. How is severity determined in terms of CIAA, particularly availability?
4. How is severity determined in terms of CIAA, particularly confidentiality?
5. How is severity determined in terms of CIAA, particularly integrity?
6. How is severity determined in terms of CIAA, particularly accountability?
7. What is likelihood in risk assessment?
8. What factors determine likelihood levels in risk assessment?
9. What is the threat universe in risk assessment?
10. How is sensitivity applied in risk assessment?
REVIEW ALL THE TABLES
Ch.6 Security Controls and Services
1. What are the three principles that influence security decisions, and how is each defined?
2. What are the three categories of controls in information security?
3. What are some nontechnical solutions for mitigating a risk?
4. What are the three states of sensitive information that a control should focus on protecting?
5. How do threats, vulnerabilities, and sensitivity influence the selection of appropriate controls for data?
6. What do Security Control Principles describe?
7. What principles are included in the Security Control Principles? Explain each.
8. What is the purpose of assurance models in defining a control framework?
9. Which assurance models are commonly used when defining a control framework? Explain each.
10. What are key security services?
11. What factors determine the need for decryption during communications inspection?
12. Why is communications validation important, and how should non-standard communications be handled?
13. What are some common attributes to validate during communications validation?
14. What is the role of communications filtering in security?
15. What are the primary functions of policy enforcement, and what are some common policy assessment checks?
16. What are some important security requirements for event monitoring?
17. What does vulnerability management include checking for?
18. How can resource resiliency be implemented at various levels, particularly at the physical and network levels?
Ch.7 Risk Assessment Techniques
1. What will the operational assessments encompass?
2. What are examples of operational risk assessment tasks?
3. What are some formats for operational techniques assessments?
4. What is the difference between questionnaires and interviews in assessments?
5. How can you build an effective questionnaire?
6. What issues can arise with questionnaires, no matter how well they are crafted?
7. What is needed to evaluate the technical vulnerabilities in your environment?
8. How do most security scanners or vulnerability scanners identify vulnerabilities?
9. What are some common tools used for active and passive testing?
10. How can the scope of an active or passive test vary?
11. What are the different types of assessments?
• Enterprise vulnerability assessment
• Penetration testing analysis
• Wireless security assessment
• Blackbox application testing
• Malicious threat assessment
• Internet reconnaissance
• Application code security review
12. What is the purpose of the SAS70 certification?
13. What are the main benefits, goals, and components of the Facilitated Risk Analysis and Assessment Process (FRAAP)?
14. What are the responsibilities of the facilitator, the team, and the owner based on the FRAAP agenda?
15. What are the key steps in the FRAAP approach?
16. What are the definitions of probability and impact in the FRAP approach?
Probability:
• High:
• Medium:
• Low:
Impact:
• High:
• Medium:
• Low:
17. What should be included in the Management Summary of the FRAP approach?
Ch.8 Risk Assessment Methodology
1. What activities are included in the Threat and Vulnerability Management (TVM) program, and what are the key responsibilities of the Information Security team in a TVM program?
2. What are the steps to develop a Threat and Vulnerability Management (TVM) program?
3. What data should be captured in an asset and data inventory?
4. What are some ways to gather asset and data inventory information?
5. How do you rate and analyze vulnerabilities?
6. How do you analyze a vulnerability report for details? (Questions)
7. What is the FAIR approach in risk assessment?
8. What are the basic factors used in the FAIR approach to measure risk?
9. What factors are used to break down Loss Event Frequency (LEF) in the FAIR approach?
10. What are the qualitative and quantitative methodologies for risk analysis?
11. What is the focus of the OCTAVE approach, and what is its key feature?
12. What are the phases of the OCTAVE approach, and what is the final outcome?
13. What is the objective of the CORAS methodology?
14. What is the foundation of the CORAS methodology, and how does it illustrate relationships?
15. What type of approach is ISRAM, and who participates in the risk analysis?
16. How does ISRAM assess risk, and what is the range of the risk factor?
17. What are the common criteria identified during the analysis of risk assessment methodologies?
Ch.9 Risk Evaluation, Mitigation Strategies
1. How do you prioritize which risks need to be addressed after measuring and rating them?
2. What are the options for addressing a risk?
3. When is the "Avoid" option for addressing a risk typically used?
4. What does "Mitigate" mean in the context of risk management?
5. Does risk mitigation eliminate a risk completely?
6. What does the "Transfer" option for addressing a risk involve? Give examples.
7. How is risk transfer becoming more popular in organizations?
8. Who needs to be involved in negotiating a plan to reduce or accept a risk?
9. Why can addressing a risk be the longest step in the risk management workflow?
10. What criteria should be met for a risk to be considered "addressed" from a tracking perspective?
11. What information should be documented during the risk decision step?
12. What are the three main choices for addressing risks on the banking customer portal?
13. What factors should be considered when calculating the cost of remediation for a risk mitigation strategy?
14. How is residual risk defined, and how is it assessed after implementing the recommended controls?
15. What are the three approaches to mitigate a risk?
16. What are the general categories of risk mitigation?
17. How do different types of controls affect risk exposure?
18. What are some good references for control lists, and what do they include?
19. What effects can controls have on risk exposure?
20. What are some reasons why an organization might document a policy exception or accept a risk?
21. What is the general workflow for submitting and approving an exception request?
22. What information should be captured in the exception request form?