
ISACA®
Trust in, and value from, information systems
2011 CISM Review Course

Chapter 2
Information Risk
Management
Course Agenda
• Learning objectives
• Discuss task and knowledge statements
• Discuss specific topics within the chapter
• Case studies
• Sample questions
Exam Relevance
Ensure that the CISM candidate…
Understands the broad requirements for effective information
security governance, the elements and actions required to
develop an information security strategy and a plan of action to
implement it.
% of Total Exam Questions
The content area in this chapter will represent approximately 22% of
the CISM examination (approximately 44 questions).
Pie chart: share of exam questions by chapter
• Chapter 1: 23%
• Chapter 2: 22%
• Chapter 3: 17%
• Chapter 4: 24%
• Chapter 5: 14%
Chapter 2 Tasks
• Establish a process for information asset classification and
ownership.
• Implement a systematic and structured information risk
assessment process.
• Ensure that business impact assessments are conducted
periodically.
• Ensure that threat and vulnerability evaluations are performed
on an ongoing basis.
• Identify and evaluate information security controls and
countermeasures.
• Integrate risk, threat and vulnerability identification and
management into life cycle processes.
• Report significant changes in information risk to appropriate
levels of management.
2.1 Definition
• What is risk management?
“The systematic application of management
policies, procedures and practices to the tasks of
identifying, analyzing, evaluating, treating and
monitoring information related risk.”
2.1 Objective
• The objective of risk management is to
identify, quantify and manage information
security risks to achieve business objectives
− Requires that a number of tasks utilizing the
Information Security Manager’s knowledge of
key risk management techniques be performed
2.4 Risk Management
Overview
• Risk management is the process of ensuring
that the impact of threats exploiting
vulnerabilities is within acceptable limits at an
acceptable cost
• At a high level, this is accomplished by
– Balancing risk exposure against mitigation costs
– Implementing appropriate countermeasures and
controls
2.4 Risk Management
Overview (continued)
• Risk is the probability of occurrence of an
event or transaction causing financial loss or
damage to
– The company
– Staff
– Assets
– General reputation
• Risk assessments can be qualitative or
quantitative
2.4.1 The Importance of
Risk Management
• Risk management is a fundamental function to
Information Security
– Provides rationale and justification for virtually
all information security activities
2.4.2 Outcomes of Risk
Management
• Understanding of the organization’s threat, vulnerability and
risk profile
• Understanding of risk exposure and potential consequences
of compromise
• Awareness of risk management priorities based on potential
consequences
• Organizational risk mitigation strategy sufficient to achieve
acceptable consequences from residual risk
• Organizational acceptance/deference based on an
understanding of potential consequences of residual risk
• Measurable evidence that risk management resources
are used in an appropriate and cost-effective manner
2.5 Risk Management
Strategy
• A risk management strategy
− Is an integrated business process
− Has defined objectives
− Incorporates all of the risk management
processes, activities, methodologies and policies
adopted and carried out in an organization
2.6 Effective Information
Security Risk Management
• Risk management activities must be continuously
supported by all members of the organization
• A culture of quality coupled with senior management
commitment to effective risk management is required
to achieve the objectives of the program
• Personnel must
– Understand their roles and responsibilities
– Be trained in applicable control procedures
• Compliance must be consistently tested and enforced
2.6.1 Developing a Risk
Management Program
Initial steps in developing a risk management
program will include establishing:
• Context and purpose of the program
• Scope and charter
• Asset identification, classification and
ownership
• Objectives
• The methodology to be used
• The implementation team
2.6.1 Developing a Risk
Management Program – cont’d
Developing the Program requirements:
• Establish Context and Purpose
• Define Scope and Charter
• Asset Identification, Classification and Ownership
• Determine Objectives
• Determine Methodologies
• Designate Program Development Team
2.6.2 Roles and
Responsibilities
• Information security risk management is
an integral part of security governance
– Is the responsibility of the board of directors
or the equivalent to ensure that these efforts
are visible
• Management must be involved in and
sign off on acceptable risk levels and risk
management objectives
2.6.2 Roles and
Responsibilities (continued)
• A steering committee must
– Set risk management priorities
– Define risk management objectives in terms of
supporting business strategy
• The ISM is responsible for developing,
collaborating and managing the information
security risk management program to meet
the defined objectives
2.7 Information Security Risk
Management Concepts
• Although overall risk management in most
organizations is provided by one or more separate
departments, information security-related risk
management falls to the Information Security
Manager
• Many other aspects of risk management that may
not fall under the purview of the ISM may
nevertheless impact information security
– Roles and responsibilities must thus be clearly
defined
2.7.1 Concepts
Key information security risk
management concepts include:
• Threats
• Vulnerabilities
• Exposures
• Risks
• Impacts
• Controls
• Countermeasures
• Resource valuation
• Information asset classification
• Criticality
• Sensitivity
• Recovery Time Objectives (RTOs)
• Recovery Point Objectives (RPOs)
• Service Delivery Objectives (SDOs)
• Acceptable Interruption Window (AIW)
• Redundancy
2.7.1 Concepts (continued)
Other risk management functions related to
information security can include:
– Service level agreements (SLAs)
– System robustness and resilience
– Business continuity/disaster recovery
– Business process reengineering
– Project management timelines and complexity
– Enterprise and security architectures
– IT and information security governance
– Systems life cycle management
– Policies, standards and procedures
2.7.2 Technologies
Technologies that the ISM must conceptually
understand include:
− Application security measures
− Physical security measures
− Environmental controls
− Logical access controls
− Network access controls
− Routers, firewalls and other network components
− Intrusion detection/prevention
− Wireless security
− Platform security
− Encryption and PKI
− Anti-virus/malware software
− Spyware/adware software
− Anti-spam software
− Telecommunications and VoIP
2.8 Implementing Risk
Management
As part of planning a risk management program,
the Information Security Manager needs to
identify all other risk management activities in the
organization
− Will help to integrate functions and leverage
existing activities
− Mechanisms to ensure good communication with
other risk management and assurance functions
must be put in place
2.8.1 Risk Management
Process
• Risk management is the process of
– Weighing policy alternatives in consultation with
interested parties
– Considering risk assessment and other legitimate
factors
– Selecting appropriate prevention and control options
• Risk management should be a continuous and
dynamic process to ensure that changing
threats and vulnerabilities are addressed in a
timely manner
2.8.1 Risk Management
Process (continued)
Risk management usually consists of the
following processes:
• Establish scope and boundaries
• Risk assessment
• Risk treatment
• Acceptance of residual risk
• Risk communication and monitoring
2.8.1 Risk Management
Process (continued)
• Risk acceptance can be considered an
optional process—can be covered by both risk
treatment and risk communication
• Developing a systematic, analytical and
continuous risk management process is critical
to a security program’s success
• Determining the appropriate level of security
depends on the potential risks that an
organization faces
2.8.2 Defining a Risk
Management Framework
To develop an organization’s systematic risk
management program, a reference model
should be used and adapted to the
circumstances of the organization.
2.8.2 Defining a Risk
Management Framework (cont’d)
Risk Management frameworks should have
similar risk management requirements,
including:
• Policy
• Planning and resourcing
• Implementation program
• Management review
• Risk management process
• Risk management documentation
2.8.2 Defining a Risk
Management Framework (cont’d)
In order to define an efficient framework it is
important to:
• Understand the background of the organization
and its risks (e.g., its core processes, valuable
assets, competitive areas etc.);
• Evaluate existing risk management activities
• Develop a structure and process for the
development of risk management initiatives and
controls
2.8.2 Defining a Risk
Management Framework
(cont’d)
This approach is useful for:
• Clarifying and gaining common understanding of the
organizational objectives;
• Identifying the environment in which these objectives are
set;
• Specifying the main scope and objectives for risk
management, applicable restrictions or specific conditions
and the outcomes required;
• Developing a set of criteria against which the risks will be
measured;
• Defining a set of key elements for structuring the risk
identification and assessment process.
2.8.3 Defining the External
Environment
Key areas that must be evaluated in order to provide a
comprehensive view of the organization’s internal
environment include:
• Key business drivers (e.g., market indicators, competitive
advances, product attractiveness, etc.);
• The organization’s strengths, weaknesses, opportunities
and threats;
• Internal stakeholders;
• Organization structure and culture;
• Assets in terms of resources (i.e., people, systems,
processes, capital, etc.);
• Goals and objectives, and the strategies already in place
to achieve them.
2.8.4 Defining the Internal
Environment
As in every significant business process, the most
critical prerequisite is understanding the
organization itself, including:
− Key business drivers
− The organization’s SWOT (strengths, weaknesses,
opportunities and threats)
− Internal stakeholders
− Organization structure and culture
− Assets in terms of resources
− Goals and objectives, and the strategies already in
place to achieve them
2.8.5 Determining the Risk
Management Context
Determining the risk management context
involves defining the:
• Range of the organization and the processes or
activities to be assessed;
• Duration;
• Full scope of the risk management activities;
• Roles and responsibilities of various parts of the
organization participating in the risk
management process.
2.8.5 Determining the Risk
Management Context
(cont’d)
The criteria by which risks will be evaluated must
be decided and agreed upon. Important criteria
to be considered are:
• impact—the kinds of consequences that will be
considered;
• likelihood
• the rules that will determine whether the risk level
is such that further treatment activities are
required.
2.10 Risk Assessment
Numerous risk management models are
available including:
• COBIT
• OCTAVE
• ITIL
• NIST 800-30
• CRAMM
• AS/NZS 4360-2004
• ISO/IEC 31000
The approach selected will be determined by the
best form, fit and function.
2.10.2 Aggregated and
Cascading Risk
Aggregate risk must also be considered
– This can exist when a particular threat affects a
large number of minor vulnerabilities, that in
combination can have a significant impact
2.10.2 Aggregated and
Cascading Risk
• Cascading risks can also manifest
unacceptable impacts as a result of one
failure leading to a chain reaction of failures.
2.10.4 Identification of Risks
• The first step in a risk management program
should be generating a comprehensive list of
sources of threats, risks and events that might
impact achieving each objective
• In general, a risk can be related to or
characterized by
– Its origin
– A certain activity, event or incident
– Its consequences
– A specific reason for its occurrence
– Protective mechanisms and controls
– Time and place of occurrence
2.10.4 Identification of
Risks (continued)
In selecting a risk identification methodology, the
following techniques should be considered:
• team-based brainstorming where workshops can prove
effective in building commitment and making use of
different experiences;
• structured techniques such as flow charting, system design
review, systems analysis, hazard and operability studies,
and operational modeling;
• “what-if ” and scenario analysis for less clearly defined
situations, such as the identification of strategic risks and
processes with a more general structure.
2.10.5 Threats
Threats are usually categorized as
• Natural—Flood, fire, cyclones, rain/hail, plagues
and earthquakes
• Unintentional—Fire, water, building
damage/collapse, loss of utility services and
equipment failure
• Intentional physical—Bombs, fire, water and theft
• Intentional nonphysical—Fraud, espionage,
hacking, identity theft, malicious code, social
engineering, phishing attacks and denial-of-
service attacks
2.10.6 Vulnerabilities
Examples of vulnerabilities include:
• Defective software
• Improperly configured equipment
• Inadequate compliance enforcement
• Poor network design
• Uncontrolled or defective processes
• Inadequate management
• Insufficient staff
• Lack of knowledge to support users or running the
process
2.10.6 Vulnerabilities
(cont’d)
Examples of vulnerabilities include:
• Lack of security functionality
• Lack of proper maintenance
• Poor choice of passwords
• Untested technology
• Transmission of unprotected communications
• Lack of redundancy
• Poor management communications
2.10.7 Risks
• The Information Security Manager must
understand the business risk profile of the
organization
• Risk is an inherent part of business
• Since all risks cannot be eliminated, every
organization has a level of risk that it will accept
• To determine the reasonable level of acceptable
risk, the Information Security Manager must
determine the point where cost of losses intersects
with cost of risk mitigation
2.10.8 Analysis of
Relevant Risks
• Risk analysis is the phase where the level of risk
and its nature are assessed and understood
• Risk analysis involves:
– thorough examination of the risk sources (threats and
vulnerabilities);
– their positive and negative consequences;
– the likelihood that those consequences may occur and
the factors that affect them;
– assessment of any existing controls or processes that
tend to minimize negative risks or enhance positive risks
2.10.8 Analysis of Relevant
Risks (continued)
• The level of risk can be analyzed using statistical
analysis and calculations combining impact and
likelihood
• Information used to estimate impact and likelihood
usually comes from
– Past experiences or data and records
– Reliable practices, international standards and
guidelines
– Market research and analysis
– Experiments and prototypes
– Economic, engineering or other models
– Specialist and expert advice
2.10.8 Analysis of Relevant
Risks (continued)
• Risk analysis techniques include:
– Interviews with experts in the area of interest
and questionnaires
– Use of existing models and solutions
• Risk analysis may be
– Quantitative
– Semi-quantitative
– Qualitative
2.10.8 Analysis of Relevant
Risks (continued)
• Quantitative analysis
– Numerical values are assigned to both impact and
likelihood
– Consequences may be expressed monetarily,
technically, operationally, or in terms of human
impact criteria
– Scales that suit the circumstances can be created
• Semi-quantitative analysis
– Objective is to assign some numerical values to the
scales used in the qualitative assessment
• Qualitative analysis
– Magnitude and likelihood of potential consequences
are analyzed and described in detail
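The three analysis styles above, together with the aggregate-risk point from 2.10.2, worked through on a small risk register as an added example (this is not ISACA course material and not part of the original slides). It uses the standard quantitative formulas single loss expectancy = asset value x exposure factor and annual loss expectancy = SLE x annual rate of occurrence, scores impact and likelihood on 1..5 bands for the semi-quantitative view, derives a descriptive level from that score, and sums ALE per threat so that several minor vulnerabilities exploited by one threat show up as the largest exposure. The exposure factor, the scoring bands, the level thresholds and every asset, value and rate are constructed assumptions:

```python
"""Risk analysis on a small risk register: quantitative (ALE), semi-quantitative
scoring on 1..5 scales, the qualitative level derived from that score, and
aggregate risk per threat. All assets, values and scales are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    asset_value: float      # value of the resource in monetary units
    exposure_factor: float  # fraction of the value lost per occurrence (assumed input, 0..1)
    annual_rate: float      # expected occurrences per year (ARO)


def single_loss_expectancy(item: RiskItem) -> float:
    """Quantitative impact of one occurrence: SLE = asset value x exposure factor."""
    return item.asset_value * item.exposure_factor


def annual_loss_expectancy(item: RiskItem) -> float:
    """Quantitative risk combining impact and likelihood: ALE = SLE x ARO."""
    return single_loss_expectancy(item) * item.annual_rate


# Semi-quantitative scales: (upper bound, score); values above the last bound score 5.
IMPACT_BANDS = [(1_000, 1), (10_000, 2), (100_000, 3), (1_000_000, 4)]
LIKELIHOOD_BANDS = [(0.01, 1), (0.1, 2), (1, 3), (10, 4)]


def band_score(value: float, bands) -> int:
    """Map a numeric value onto the 1..5 scale described by `bands`."""
    for upper, score in bands:
        if value <= upper:
            return score
    return 5


def semi_quantitative_score(item: RiskItem) -> int:
    """Impact score x likelihood score, each on a 1..5 scale (range 1..25)."""
    impact = band_score(single_loss_expectancy(item), IMPACT_BANDS)
    likelihood = band_score(item.annual_rate, LIKELIHOOD_BANDS)
    return impact * likelihood


def qualitative_level(item: RiskItem) -> str:
    """Descriptive level; the thresholds are this example's evaluation criteria."""
    score = semi_quantitative_score(item)
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def aggregate_ale_by_threat(register) -> dict:
    """Aggregate risk: sum the ALE of every vulnerability a single threat can exploit."""
    totals = {}
    for item in register:
        totals[item.threat] = totals.get(item.threat, 0.0) + annual_loss_expectancy(item)
    return totals


def threats_needing_treatment(register, ale_threshold: float) -> list:
    """Evaluation step: threats whose aggregated ALE exceeds the agreed threshold,
    sorted so the largest exposure comes first."""
    totals = aggregate_ale_by_threat(register)
    over = [(t, ale) for t, ale in totals.items() if ale > ale_threshold]
    return [t for t, _ in sorted(over, key=lambda pair: pair[1], reverse=True)]


# Constructed register: three minor phishing exposures and one larger ransomware exposure.
REGISTER = [
    RiskItem("customer database", "ransomware", "unpatched file server", 500_000, 0.5, 0.125),
    RiskItem("mail accounts", "phishing", "no MFA on webmail", 60_000, 0.25, 2),
    RiskItem("expense system", "phishing", "weak password policy", 40_000, 0.5, 1),
    RiskItem("shared drive", "phishing", "macros enabled by default", 20_000, 0.25, 2),
]

if __name__ == "__main__":
    for item in REGISTER:
        print(f"{item.asset:18} {item.threat:10} ALE={annual_loss_expectancy(item):>10,.0f} "
              f"score={semi_quantitative_score(item):2} level={qualitative_level(item)}")
    print("aggregate ALE by threat:", aggregate_ale_by_threat(REGISTER))
    print("treat first:", threats_needing_treatment(REGISTER, ale_threshold=40_000))
```

On this register the single ransomware item (ALE 31,250) is larger than any one phishing item, but the three phishing items aggregate to 60,000, so against a 40,000 threshold phishing is the only threat flagged for treatment; that is the aggregate-risk effect in numbers.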
2.10.9 Evaluation of Risks
• In the evaluation phase decisions must be made
concerning which risks to treat and the treatment
priorities
• Decisions made are usually based on levels of
risk, but may also be related to thresholds
specified in terms of:
– Consequences
– The likelihood of events occurring
– The cumulative impact of a series of events that could
occur simultaneously
2.10.10 Risk Treatment
Options
• Faced with risk, organizations have four
strategic choices:
– Terminate the activity giving rise to risk
(Terminate)
– Transfer risk to another party (Transfer)
– Reduce risk by using appropriate control
measures or mechanisms (Mitigate)
– Accept the risk (Tolerate)
2.10.10 Risk Treatment
Options (continued)
• Terminate the activity
– This is exactly what it says – the activity giving rise
to risk is changed or terminated to eliminate the risk
• Transfer the risk
– Risk may be reduced to acceptable levels by
transferring it to another entity (e.g., an insurance
company)
– Risks may also be transferred by contract to a
service provider or other entity
– The cost of mitigating risk must not exceed the value
of the asset
2.10.10 Risk Treatment
Options (continued)
• Mitigate the risk
– Controls and countermeasures* are used
• Tolerate/accept the risk
– Sometimes an identified defined risk may be
accepted when the cost of mitigating the risk is
too high compared to the value of the asset
– Accepted risk should be regularly reviewed
* Countermeasures reduce the magnitude of threats and/or
vulnerabilities
2.10.11 Impact
• Impact is the bottom line for risk
management.
• Ultimately, all risk management activities are
designed to reduce impacts to acceptable
levels.
• The result of any vulnerability exploited by a
threat that causes a loss is an impact.
• Threats and vulnerabilities that do not cause
an impact are usually irrelevant.
2.10.11 Impact
Examples of direct and indirect financial losses:
• Direct loss of money (cash or credit)
• Criminal or civil liability
• Loss of reputation/goodwill/image
• Reduction of share value
• Conflict of interests to staff or customers or shareholders
• Breach of confidence/privacy
• Loss of business opportunity/competition
• Loss of market share
• Reduction in operational efficiency/performance
• Interruption of business activity
• Noncompliance with laws and regulations resulting in penalties
2.10.11 Impact (continued)
• Impacts are determined by performing a business
impact assessment (BIA) and subsequent analysis
– The BIA helps prioritize risk management
– When coupled with asset valuations, the BIA
provides the basis for the levels and types of
protection required and the basis for developing
a business case
2.11 Controls and
Countermeasures
• The key to risk management is the risk
mitigation process
• After risks are identified
− Existing controls and countermeasures can be
evaluated
− New controls and countermeasures can be
designed
2.11.3 Control Methods
• Technical controls are safeguards that are
incorporated into computer hardware, software
or firmware
• Non-technical controls include management
and operational controls such as policies,
operational procedures, etc.
• Once risks facing an organization have been
identified and prioritized, the Information
Security Manager can
– Customize the security strategy
– Prioritize options to mitigate the risks
2.11.4 Control Categories
Controls can be:
• Preventive
• Detective
• Corrective
• Compensatory
• Deterrent
2.11.5 Control
Recommendations
Elements of controls to consider when evaluating
control strength include whether controls are
• Preventative or detective
• Manual or automated
• Formal (documented in procedure manuals and
evidence of their operation is maintained) or ad hoc
2.11.5 Control
Recommendations – cont’d
The following factors should be considered in
recommending controls and alternative solutions to
minimize or eliminate identified risks:
• Effectiveness of recommended options
• Compatibility with other impacted systems, processes and
controls
• Relevant legislation and regulation
• Organizational policy and standards
• Organizational structure and culture
• Operational impact
• Safety and reliability
2.11.6 Residual Risk
Residual risk is the amount of risk that remains
after countermeasures and controls have been
implemented
2.11.6 Residual Risk
(continued)
Final acceptance of residual risks takes into
account:
• Regulatory compliance
• Organizational policy
• Sensitivity and criticality of relevant assets
• Acceptable levels of potential impacts
• Uncertainty inherent in the risk assessment
approach
• Cost and effectiveness of implementation
2.11.7 Costs and Benefits
• Whenever controls or countermeasures are
planned, an organization should weigh costs
against benefits
– If the costs of specific controls or
countermeasures (control overhead) exceed the
benefits of mitigating a given risk, the
organization may choose to accept the risk
rather than incur the cost of mitigation
2.11.7 Costs and Benefits
(continued)
When considering costs, the total cost of ownership (TCO)
must be considered for the full life cycle of the control or
countermeasure. This can include such elements as:
• Acquisition costs
• Deployment and implementation costs
• Recurring maintenance costs
• Testing and assessment costs
• Compliance monitoring and enforcement
• Inconvenience to users
• Reduced throughput of controlled processes
• Training in new procedures or technologies as applicable
• End of life decommissioning
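To make the cost-benefit decision above concrete, here is an added example (not from the course) that totals the life-cycle TCO elements listed, annualizes them over the control's lifetime and compares the result with the ALE the control removes; the residual risk is reported in annual-loss terms, and when no candidate control has a positive net benefit the output is to accept the risk. The control names, costs, lifetimes and the assumed ALE-reduction fraction per control are all constructed:

```python
"""Cost-benefit check for candidate controls: life-cycle TCO annualized and
compared with the reduction in annual loss expectancy (ALE) it buys.
Constructed figures; the ALE-reduction fraction per control is an assumed input."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    acquisition: float          # one-off purchase cost
    deployment: float           # one-off implementation cost
    training: float             # one-off training in new procedures
    decommissioning: float      # one-off end-of-life cost
    annual_maintenance: float   # recurring maintenance
    annual_testing: float       # recurring testing, assessment and compliance monitoring
    lifetime_years: int
    ale_reduction: float        # fraction of the ALE the control removes (assumed, 0..1)


def total_cost_of_ownership(c: Control) -> float:
    """TCO over the control's full life cycle: one-off costs plus recurring costs x years."""
    one_off = c.acquisition + c.deployment + c.training + c.decommissioning
    recurring = (c.annual_maintenance + c.annual_testing) * c.lifetime_years
    return one_off + recurring


def annualized_cost(c: Control) -> float:
    """Control overhead per year, spread evenly over the lifetime."""
    return total_cost_of_ownership(c) / c.lifetime_years


def residual_ale(ale: float, c: Control) -> float:
    """Residual risk, in annual loss terms, after the control is in place."""
    return ale * (1.0 - c.ale_reduction)


def annual_net_benefit(ale: float, c: Control) -> float:
    """Benefit of mitigation (ALE removed) minus control overhead per year."""
    return (ale - residual_ale(ale, c)) - annualized_cost(c)


def recommend(ale: float, candidates) -> tuple:
    """Pick the control with the largest positive net benefit; if none pays for
    itself, the treatment option is to accept the risk as it stands."""
    best = max(candidates, key=lambda c: annual_net_benefit(ale, c))
    if annual_net_benefit(ale, best) <= 0:
        return ("accept", None, ale)
    return ("mitigate", best.name, residual_ale(ale, best))


# Constructed candidate controls against a single risk.
CANDIDATES = [
    Control("MFA for webmail", 10_000, 5_000, 3_000, 1_000, 4_000, 1_000, 5, 0.75),
    Control("outsourced 24x7 monitoring", 0, 20_000, 2_000, 0, 60_000, 5_000, 3, 0.5),
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c.name:28} TCO={total_cost_of_ownership(c):>9,.0f} "
              f"per year={annualized_cost(c):>9,.0f}")
    for ale in (60_000, 5_000):
        print(f"ALE {ale:,}: {recommend(ale, CANDIDATES)}")
```

With an ALE of 60,000 the MFA control costs 8,800 a year against 45,000 of loss removed, so the recommendation is to mitigate with a residual of 15,000; with an ALE of 5,000 the same control costs more than it saves and the result is to accept the risk, which is the trade-off the slide describes.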
2.12.2 Information Resource
Valuation Methodologies
Asset or resource valuation can be complex and time
consuming, but it is an essential undertaking required for an
effective information risk management program
• The various information resource valuation methodologies utilize
many different variables
• These variables can include the level of technical complexity and the
level of potential direct and consequential financial loss
• Judgmental valuation may be based upon business knowledge,
executive management directives, historical perspectives, business
goals and environmental factors
• Many information systems managers use a combination of
techniques
2.12.3 Information Asset
Classification
The ISM must:
– Locate and identify all information resources
– Determine ownership and custodianship of
information
– Assign classes or levels of sensitivity and criticality to
information resources
– Ensure that there are policies, standards and
procedures for marking, handling, processing, storing,
retention and destruction of information
– Make classifications simple
2.12.3 Information Asset
Classification (continued)
• End-user managers and the security administrator
can use classifications to determine access levels
• Data classification reduces the risk and cost of
over or under protecting information resources by
tying security to business objectives
2.12.3 Information Asset
Classification (continued)
There are a number of questions that should be asked in
any information asset classification model, including but not
limited to:
• How many classification levels are suitable for the
organization?
• How will information be located?
• What process is used to determine classification?
• How will confidential information be stored and archived?
• How will it be retained according to policy or law?
• Who has access rights?
• Who has authority for determining access to the data?
• What approvals are needed for access?
2.12.3 Information Asset
Classification (continued)
• A Business Impact Analysis helps to identify
the impact of adverse events
• In performing an impact analysis, the ISM
– May use COBIT, NIST and/or CERT’s Octave
framework
– Should focus on the impact on the organization,
rather than on the typical impact of each specific
event
– Should categorize the loss of information
resources and then base the impact evaluation
on this categorization
2.12.4 Impact Assessment
and Analysis
A common approach to performing impact
assessments is to identify an asset’s value
proposition to the organization in terms of:
• Replacement cost
• The impact associated with loss of integrity
• The impact associated with loss of availability
• The impact associated with loss of confidentiality
2.12.4 Impact Assessment
and Analysis (continued)
• The adverse impact of a security event can be
described in terms of loss or degradation of
– Integrity
– Availability
– Confidentiality
• Some impacts (e.g., lost revenue) can be
measured quantitatively, where others (e.g., loss
of public confidence) cannot
2.13 Recovery Time
Objectives
• As part of the overall evaluation of risk, the
information security manager must understand
recovery time objectives (RTOs) and how they
apply to the organization’s information resources
• Determining RTO can depend upon a number of
factors including the cyclical need (time of day,
week, month or year) of the information and
organization, interdependencies among the
information and the organization’s requirements as
well as the cost of available options.
2.13 Recovery Time
Objectives (continued)
• The RTO depends upon numerous factors
– The cyclical need (time of day, week, month
or year) of the information and organization
– Interdependencies upon the information
– The organization’s requirements
– Senior management
– Legal and regulatory requirements
– Customer service levels
2.13 Recovery Time
Objectives (continued)
The organization’s requirements can be based
upon
• Customer needs
• Expectations
• Service level agreements
• Regulatory requirements
2.13 Recovery Time
Objectives (continued)
Two RTO perspectives that the ISM should
consider are
• The individuals whose job it is to utilize the
information
• Senior management who must consider costs and
may need to arbitrate between business units
competing for resources
2.13.1 RTO and its Relation to BCP
and Contingency Planning Objectives
and Processes
• RTOs are needed to identify and develop
contingency strategies
• Generally, shorter RTOs require more costly
contingency procedures
• There is a break-even point, where the impact of
the disruption will begin to be greater than the cost
of recovery
• Most organizations can reduce their RTOs, but
there is a cost associated with doing so
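The break-even idea above as an added example, not from the course: each contingency strategy carries an annual cost, disruption impact is assumed linear in outage length, and the code finds both the RTO at which expected disruption impact equals a strategy's cost and the strategy with the lowest expected total. Strategy names, RTOs, costs, hourly loss and outage frequency are constructed figures:

```python
"""RTO versus contingency cost: for each recovery strategy, annual strategy cost
plus expected annual disruption impact, and the RTO at which disruption impact
begins to exceed the strategy's cost. All strategies and figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Strategy:
    name: str
    rto_hours: float
    annual_cost: float   # yearly cost of maintaining this contingency capability


def disruption_impact(hours_down: float, hourly_loss: float) -> float:
    """Impact of a single disruption, modelled as linear in outage length (assumption)."""
    return hours_down * hourly_loss


def expected_annual_total(s: Strategy, hourly_loss: float, outages_per_year: float) -> float:
    """Cost of the recovery capability plus the expected impact of disruptions,
    each assumed to last the full RTO of the strategy."""
    return s.annual_cost + disruption_impact(s.rto_hours, hourly_loss) * outages_per_year


def break_even_rto(s: Strategy, hourly_loss: float, outages_per_year: float) -> float:
    """Outage length at which expected annual disruption impact equals the strategy's
    annual cost; beyond it, the disruption costs more than the recovery capability."""
    return s.annual_cost / (hourly_loss * outages_per_year)


def cheapest_overall(strategies, hourly_loss: float, outages_per_year: float) -> str:
    """Strategy with the lowest expected annual total, not the lowest sticker price."""
    return min(strategies,
               key=lambda s: expected_annual_total(s, hourly_loss, outages_per_year)).name


# Constructed strategies: shorter RTO, higher standing cost.
STRATEGIES = [
    Strategy("hot site", 1, 120_000),
    Strategy("warm site", 8, 50_000),
    Strategy("cold site", 72, 10_000),
    Strategy("restore from offsite backup", 168, 2_000),
]
HOURLY_LOSS = 1_500.0       # revenue and productivity lost per hour of outage (assumed)
OUTAGES_PER_YEAR = 0.5      # one significant disruption every two years (assumed)

if __name__ == "__main__":
    for s in STRATEGIES:
        total = expected_annual_total(s, HOURLY_LOSS, OUTAGES_PER_YEAR)
        even = break_even_rto(s, HOURLY_LOSS, OUTAGES_PER_YEAR)
        print(f"{s.name:28} RTO={s.rto_hours:>5}h total={total:>10,.0f} break-even={even:.1f}h")
    print("lowest expected annual cost:", cheapest_overall(STRATEGIES, HOURLY_LOSS, OUTAGES_PER_YEAR))
```

Here the cold site is the cheapest capability but the warm site has the lowest expected total (56,000 against 64,000), because the 72-hour outage the cold site tolerates costs more in lost hours than the extra standing cost of the warm site; the break-even for the warm site comes out at about 67 hours, so any business that cannot tolerate outages that long is already better off paying for it.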
2.13.4 Third-party Service
Providers
• The fact that external organizations may be
reluctant to share details on their information
protection mechanisms can cause complications
for outsourcing information resources
• The ISM must try to ensure that adequate levels of
protection are included in SLAs and other
outsourcing contracts
– One commonly used approach is specifying
requirements for specific audits such as SAS 70 level 2
or ISO/IEC 27001 certification.
2.13.2 Third-party Service
Providers (continued)
Key clauses that should be part of an SLA must
include, but are not restricted to:
• Right to audit the vendor’s books of accounts and
premises
• Right to review their processes
• Insistence on standard operating procedures (SOPs)
• Right to assess the skill sets of the vendor resources
• Advance information if the resources deployed are to
be changed
2.14 Integration with Life
Cycle Processes
• Any changes to an organization can affect the critical
information that an organization must secure
• Any computer application, network, or hardware changes
may change the overall risks that an organization faces
• Change management is an effective method to maintain
adequate security protection
• A proactive approach enables the Information Security
Manager to better plan and implement security policies
and procedures in alignment with business goals and
objectives
2.14 Integration with Life
Cycle Processes (continued)
• To integrate risk identification, analysis and
mitigation activities into life cycle processes, the
ISM should know:
– Life cycle-based risk management principles and
practices
– Principles for development of baselines and their
relationship to risk-based assessments of control
requirements
2.14.3 Life Cycle-based Risk
Management Principles and
Practices
• Risk management has a life cycle
– It is more cost effective to update risk regularly
– It is a more prudent practice to employ the life cycle
approach to identify, analyze, assess and track risks
– A top-down systematic approach usually can benefit
from supporting tools, training and assistance
– The Information Security Manager may also employ
software tools designed to track the risk management
life cycle
2.15 Security Control
Baselines
• Baselines specify minimum security control
requirements
• Principles for developing baselines include
– Be familiar with acceptable security controls specified
by information technology vendors and security
organizations
– Assess the level of security that is appropriate for
an organization and adjust baselines accordingly
2.16 Risk Monitoring and
Communication
• Significant changes in risk must be reported
– Reporting significant changes in risk to
appropriate levels of management on a periodic
and event-driven basis is a primary role of the
ISM
– The ISM should have defined processes
whereby each event can be evaluated
according to its impact to the organization
2.16 Risk Monitoring and
Communication (continued)
• Risk assessment should
– Be updated as the organization changes
– Consider any significant changes to the
organization’s risk profile
– Include a process whereby a significant
security breach or event will trigger a report to
upper management
2.17 Training and
Awareness
• Since people are generally the greatest risk to
an organization, appropriate training can
significantly mitigate risk
2.17 Training and
Awareness
End users should receive training on
• The importance of adhering to information security
policies, standards, and procedures
• Clean desk policy
• Responding to incidents and emergencies
• Privacy and confidentiality requirements
• The security implications of logical access in an IT
environment
2.18 Documentation
• An important part of the risk management life
cycle is continuously evaluating and assessing
risks
• The results and status of this ongoing analysis
needs to be
– Documented
– Reported to senior management
• The ISM is responsible for managing this
process to ensure that it takes place and that
the results are analyzed adequately and acted
upon appropriately
2.18 Documentation
(continued)
At each stage of the risk management
process, documentation should include:
• Objectives
• Audience
• Information resources
• Assumptions
• Decisions
2.18 Documentation
(continued)
A risk management policy document may
include information such as:
• Objectives of the policy and rationale for
managing risk
• Scope and charter of information security risk
management
• Links between the risk management policy and
the organization’s strategic and corporate
business plans
2.18 Documentation
(continued)
A risk management policy document may
include information such as:
• Extent and range of issues to which the policy
applies
• Guidance on what is considered acceptable risk
levels
• Risk management responsibilities
• Support expertise available to assist those
responsible for managing risks
2.18 Documentation
(continued)
A risk management policy document may
include information such as:
• Level of documentation required for various risk-
management related activities, e.g., change
management
• A plan for reviewing compliance with the risk
management policy
• Incident and event severity levels
• Risk reporting and escalation procedures, format
and frequency
2.18 Documentation
(continued)
Typical documentation for risk management should
include:
• A risk register
• Consequences and likelihood of compromise
• Initial risk rating
• Vulnerability to external/internal factors
• An inventory of information assets
• A risk mitigation and action plan
• Monitoring and audit documents
Practice Question
2-1. The overall objective of risk management is
to:
A. eliminate all vulnerabilities, if possible.
B. determine the best way to transfer risk.
C. manage risks to an acceptable level.
D. implement effective countermeasures.
Practice Question
2-2. The statement “risk = value x vulnerability x
threat” indicates that:
A. risk can be quantified using annual loss
expectancy (ALE).
B. risk can be quantified, provided magnitude and
frequency are computed.
C. the level of risk is greater when more threats
meet more vulnerabilities.
D. without knowing value, risk cannot be
calculated.
Practice Question
2-3. To address changes in risk, an effective risk
management program should:
A. ensure that continuous monitoring processes
are in place.
B. establish proper security baselines for all
information resources.
C. implement a complete data classification
process.
D. change security policies on a timely basis to
address changing risks.
Practice Question
2-4. Information classification is important to
properly manage risk PRIMARILY because:
A. it ensures accountability for information
resources as required by roles and
responsibilities.
B. it has a legal requirement under various
regulations.
C. there is no other way to meet the requirements
for availability, integrity and auditability.
D. it is used to identify the sensitivity and criticality
of information to the organization.
Practice Question
2-5. Vulnerabilities discovered during an
assessment should be:
A. handled as a risk even though there is no
threat.
B. prioritized for remediation solely based on
impact.
C. a basis for analyzing the effectiveness of
controls.
D. evaluated for threat, impact and cost of
mitigation.
Practice Question
2-6. Indemnity agreements can be used to:
A. ensure an agreed-upon level of service.
B. reduce impacts on critical resources.
C. transfer responsibility to a third party.
D. provide an effective countermeasure to threats.
Practice Question
2-7. Residual risks can be determined by:
A. determining remaining vulnerabilities after
countermeasures are in place.
B. a threat analysis.
C. a risk assessment.
D. transferring all risks.
Practice Question
2-8. Data owners are PRIMARILY responsible for
creating risk mitigation strategies to address
which of the following areas?
A. Platform security
B. Entitlement changes
C. Intrusion detection
D. Antivirus controls
Practice Question
2-9. A risk analysis should:
A. limit the scope to a benchmark of similar
companies.
B. assume an equal degree of protection for all
assets.
C. address the potential size and likelihood of
loss.
D. give more weight to the likelihood vs. the size
of loss.
Practice Question
2-10. Which of the following is the FIRST step in
selecting the appropriate controls to be
implemented in a new business application?
A. Business impact analysis (BIA)
B. Cost-benefit analysis
C. Return on investment (ROI) analysis
D. Risk assessment