This chapter covered many of the details that should be considered when turning a risk assessment into a risk mitigation plan. The starting point is to thoroughly review the countermeasures, a process that often includes matching threats with vulnerabilities and identifying all the costs associated with them, including any hidden costs. If the costs change, the cost-benefit analysis may need to be redone.
If much time has passed since the risk assessment was approved, the existence of the risk elements and the effectiveness of the countermeasures in mitigating the risks must be verified. Two key goals while executing the plan are to stay within budget and on schedule. Last, a follow-up should be done to ensure that the approved countermeasures are implemented and that they actually mitigate the risks as expected.
A(n) ________ countermeasure is one that has been approved and has a date for implementation.
A single risk can be mitigated by more than one countermeasure.
A. True
B. False
The formula for risk is Risk = ________.
What would an account management policy include?
A. Details on how to create accounts
B. Details on when accounts should be disabled
C. Password policy
D. A and B only
E. A, B, and C
What could a password policy include?
A. Length of password
B. List of required passwords
C. User profiles
D. All of the above
The ________ plan will include details on how and when to implement approved countermeasures.
A countermeasure is being reviewed to be added to the mitigation plan. What costs should be considered?
A. Initial purchase costs
B. Facility costs
C. Installation costs
D. Training costs
E. All of the above
Which of the following items are considered facility costs for the implementation of a countermeasure?
A. Installation and air-conditioning
B. Installation and training
C. Power and air-conditioning
D. Power and training
What’s a reasonable amount of time for an account management policy to be completed and approved?
A. Twenty minutes
B. One day
C. One month
D. One year
What can be used to determine the priority of countermeasures?
A. Cost-benefit analysis
B. Threat likelihood/impact matrix
C. Disaster recovery plan
D. Best guess method
A risk assessment was completed three months ago and has recently been approved. What should be done first to implement a mitigation plan?
A. Verify risk elements
B. Purchase countermeasures
C. Redo risk assessment
D. Redo the CBA
Two possible countermeasures are being evaluated to mitigate a risk, but management wants to purchase only one. What can be used to determine which countermeasure provides the better cost benefits?
A. Threat likelihood/impact matrix
B. Threat score
C. CBA
D. CIA
A cost-benefit analysis is being performed to determine whether a countermeasure should be used. Which of the following formulas should be applied?
A. Loss before countermeasure – Loss after countermeasure
B. Loss after countermeasure – Loss before countermeasure
C. Projected benefits – Cost of countermeasure
D. Cost of countermeasure – Projected benefits
Of the following items, which one(s) should be included in a cost-benefit analysis report?
A. Recommended countermeasure
B. Risk to be mitigated
C. Costs
D. Annual projected benefits
E. A and C only
F. A, B, C, and D
NIST 800-63 provides guidance on risk management strategies and policies.