What Do You Know About Risk Management? Quiz

Risk management plays a key role in the overall security program. Managing risk is a daunting task because therre are so many risks to content with.

Performing a risk analysis will provide a means to justify the expense and the countermeasure that must be implemented. It will outline the possible threats and current weaknesses, which is necessary in building a case for purchasing and implementing a countermeasure.

Rejecting risk and threat potential is a violation of the due care responsibility that each company's management team is held liable for. Rejecting risk means ignoring it exists and neglecting to take any steps to mitigate the risk.

An organization's acceptable risk level needs to be set by the people ultimately responsible - senior management. Often they will work witha security analyst to help them understand their current risk level, government regulation requirements, and other items which all factor into establishing it. But senior management has to "sign" off on the level, thus they are ultimately the ones who set it.

When a company decides to accept a risk, it should be a decision based on cost (countermeasure costs more than potential loss) and pain (company can live with the vulnerability and threat). But the company must also understand that accepting a specific risk, is a visibility decision in that it may impact their industry reputation.

The policy provide sthe infrastructure for the organizaition's risk management processes and procedures and should address all issues of information security, from personnel secreening and the insider threat to physical securfity and firewalls. It should provide direction on how the IRM team should relay information on company risks to senior management and how to properly execute management's decisions on risk mitigation tasks.

The correct answer is B because it accurately lists the specific steps and objectives of a proper risk analysis. It includes identifying assets and their values, identifying vulnerabilities and threats, quantifying the probability and business impact of these potential threats, and providing economical countermeasure recommendations. This comprehensive approach ensures that all necessary factors are considered and addressed in order to effectively manage and mitigate risks.

Chrissy has performed the risk analysis step of assigning values to assets. In this step, she assesses the value of the asset to the company, the cost of maintaining it, its role in the company, and its worth to the competition. By assigning values to assets, Chrissy is able to determine their importance and potential impact on the company's overall risk. This step is crucial in identifying and prioritizing risks in order to develop effective risk management strategies.

The security policy has several important characteristics that need to be understood and implemented:

* Business obejctives shold drive the policy's creation, implementation, and enforcement. The policy should not dictate business objectives.

* It should be an easily understodd document that is used as a reference point for all employees and management.

* It should be developed and used to integrate security into all business function and processes.

* It should be derived from and support all necedssary legistlation and regulation applicable to the company.

* It should be reviewed and modified as a company changes through adotping of new business models, merging with another company, or being purchased.

* Each iteration of the policy should be dated and under version control.

A major them in Qualitative Risk Analysis is that it includes opinions based on people'[s experience and knowledge. While this is typcially true, the underlying difference between qualitative and quantitative is that qualitative categorizes threats and losses and quantitative places actual numeric and monetary value on them.

Residual risk is the amount of risk remaining after the countermeasure has been implemented. To figure out the actual resdidual risk, the team must identify and calculate the risk, which is: threats x vulnerability x asset value. Then, the team must calculate the control gap, which is what the countermeasure cannot provide protection for. The result is residual risk. A company must decide if the residual risk falls within their acceptable level or risk. If it does, and a cost-benefit analysis has been carried out, then the countermeasure can be purchased and installed.

A compnay may identify a vulnerability, which is a weakness or a lack of a safeguard. Then they need to identify the threat agent that could capitalize on this vulnerability. The threats lies in the possibility that soneone would exploit this vulnerability. The probability of this taking place is the risk, which has to be calculated.