CHAPTER SUMMARY

Risk assessments are used to identify and quantify risks. They do this by identifying threats and vulnerabilities and then applying an assessment methodology to prioritize the risks. Once the risks are quantified, controls and safeguards can be identified. A risk assessment can also be used to identify the best controls to implement.

The two primary risk assessment methods are quantitative and qualitative. A quantitative risk assessment is used when historical data is readily available. That data is used to derive the annualized loss expectancy (ALE) from the single loss expectancy (SLE) and the annual rate of occurrence (ARO): ALE = SLE × ARO. A qualitative risk assessment uses the opinions of experts. It has no predefined formulas; instead it requires that a scale be created, such as low, medium, and high. A quantitative risk assessment provides a cost-benefit analysis (CBA). A qualitative risk assessment, on the other hand, can be completed in a shorter period of time.
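The following worked example is added here as an illustration and is not part of the textbook. It carries the ALE = SLE × ARO calculation through to a cost-benefit comparison of a control, and sets a qualitative low/medium/high probability-and-impact scale beside it so the two methods can be contrasted. The asset value, exposure factor (the percentage of the asset lost per incident), occurrence rate, control cost and the named risks are all constructed sample inputs.

```python
"""Quantitative vs. qualitative risk assessment, worked through.

Added illustration (not the textbook's own code). Every dollar figure,
rate and risk name below is a constructed sample input.
"""


def single_loss_expectancy(asset_value: float, exposure_factor_pct: int) -> float:
    """SLE = asset value * exposure factor.

    The exposure factor is the loss to the asset from one occurrence of the
    threat, expressed as a percentage of the asset's value.
    """
    if not 0 <= exposure_factor_pct <= 100:
        raise ValueError("exposure factor must be a percentage between 0 and 100")
    return asset_value * exposure_factor_pct / 100


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO, the expected loss per year.

    ARO is how many times per year the threat is expected to occur; an event
    seen once every two years has an ARO of 0.5.
    """
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def cost_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net annual benefit of a control: the ALE it removes minus what it costs.

    A positive result means the control is worth more than it costs; a
    negative result means the organization would spend more than it saves.
    """
    return (ale_before - ale_after) - annual_control_cost


# Qualitative assessment: experts rate probability and impact on a scale that
# the assessment itself must define. Here the scale is low/medium/high.
SCALE = {"low": 1, "medium": 2, "high": 3}


def qualitative_score(probability: str, impact: str) -> int:
    """Ordinal risk score = probability rating * impact rating (1..9)."""
    return SCALE[probability.lower()] * SCALE[impact.lower()]


def rank_qualitative(risks: dict[str, tuple[str, str]]) -> list[tuple[str, int]]:
    """Rank risks by score, highest first; ties broken alphabetically."""
    scored = [(name, qualitative_score(p, i)) for name, (p, i) in risks.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def example() -> dict:
    """Run both methods on constructed inputs and return the figures."""
    # Constructed quantitative inputs: a $100,000 server; a ransomware incident
    # historically destroys 40% of its value and occurs about once every two
    # years. A backup-and-restore control costs $8,000 per year and cuts the
    # exposure factor to 10%.
    asset_value = 100_000
    aro = 0.5
    sle_before = single_loss_expectancy(asset_value, 40)
    ale_before = annualized_loss_expectancy(sle_before, aro)
    sle_after = single_loss_expectancy(asset_value, 10)
    ale_after = annualized_loss_expectancy(sle_after, aro)
    net_benefit = cost_benefit(ale_before, ale_after, 8_000)

    # Constructed qualitative inputs: expert ratings of (probability, impact).
    ranked = rank_qualitative({
        "phishing": ("high", "medium"),
        "flood": ("low", "high"),
        "insider misuse": ("medium", "medium"),
    })

    return {
        "sle_before": sle_before,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": net_benefit,
        "ranked": ranked,
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```

The quantitative half yields a verifiable number (the control removes $15,000 of annual expected loss for $8,000, a net benefit of $7,000), which is exactly the cost-benefit detail the summary attributes to quantitative assessments. The qualitative half produces only an ordering, and that ordering depends entirely on the scale the assessors chose to define, which is why the summary says a qualitative assessment must start by creating one.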

KEY CONCEPTS AND TERMS

CHAPTER 5 ASSESSMENT

  1. What can be used to help quantify risks?
    1. SLE
    2. ARO
    3. Risk assessment
    4. Risk mitigation plan
    5. All of the above
  2. _______ describes the loss that will happen to the asset as a result of the threat, which is expressed as a percentage value.
  3. Risk assessments are a static process.
    1. True
    2. False
  4. A _______ risk assessment uses SLE.
  5. What elements are included in a qualitative analysis?
    1. SLE, ALE, and ARO
    2. ALE, ARO, and ARP
    3. Probability and impact
    4. Threats and vulnerabilities
  6. What elements are included in a quantitative analysis?
    1. SLE, ALE, and ARO
    2. ALE, ARO, and ARP
    3. Probability and impact
    4. Threats and vulnerabilities
  7. Qualitative analysis is less time consuming than quantitative analysis.
    1. True
    2. False
  8. A primary benefit of a _______ risk assessment is that it can be completed more quickly than other methods.
  9. A primary benefit of a _______ risk assessment is that it includes details for a cost-benefit analysis.
  10. What must be defined when performing a qualitative risk assessment?
    1. Formulas used for ALE
    2. Scales used to define probability and impact
    3. Scales used to define SLE and ALE
    4. Acceptable levels of risk
  11. A _______ risk assessment is objective. It uses data that can be verified.
  12. A _______ risk assessment is subjective. It relies on the opinions of experts.
  13. One of the challenges facing risk assessments is getting accurate data. What can be included in the risk assessment report to give an indication of the reliability of the data?
    1. Probability statement
    2. Accuracy scale
    3. Validity level
    4. Uncertainty level
  14. An IT security team leader is working on a qualitative risk assessment for her company. She is thinking about the final report. What should the IT security team leader consider when providing the results and recommendations? (Select two.)
    1. Resource allocation
    2. Risk acceptance
    3. SLE and ARO
    4. SLE and ALE
  15. Of the following, what would be considered a best practice when performing risk assessments?
    1. Starting with clear goals and a defined scope
    2. Enlisting support of senior management
    3. Repeating the risk assessment regularly
    4. Providing clear recommendations
    5. All of the above