Docsity
Cybersecurity Risk Management: Concepts, Principles, and Frameworks, Exams of Cybercrime, Cybersecurity and Data Privacy

A comprehensive overview of cybersecurity risk management, covering key concepts, principles, and frameworks. It explores the importance of risk management goals, confidentiality, integrity, availability, and accountability in cybersecurity. The document delves into various aspects of risk management, including vulnerability assessment, threat identification, and risk mitigation strategies. It also discusses relevant laws, policies, and standards related to cybersecurity, such as the Computer Fraud and Abuse Act, HIPAA, and FERPA. Additionally, the document highlights the NIST Cybersecurity Risk Management Framework (CRMF) and its application in managing cybersecurity risks.

Typology: Exams

2024/2025

Available from 03/01/2025

patrick-maina-2


Cybersecurity Risk Management Final Exam

Risk Management Goal ✔✔ To maximize the output of the organization while minimizing the chance for unexpected outcomes
Confidentiality ✔✔ Preventing unauthorized disclosure of information
Integrity ✔✔ Ensure information is not modified or destroyed
Availability ✔✔ Available when needed
Accountability ✔✔ Ability to trace activities to responsible source
Vulnerability ✔✔ Weakness in an information system
Loss ✔✔ Results in a compromise to business functions or assets that adversely affects the business
Data Breach ✔✔ An event in which an individual's information is potentially put at risk
Data Breach Causes ✔✔ Malicious or criminal attack, system glitch, or human error
Personally Identifiable Information (PII) ✔✔ Any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity
Threat ✔✔ Any activity that represents a possible danger
Risk Management Principles ✔✔
  • Governance framework is important
  • Managing risks is everyone's responsibility
  • Risk Management should be integrated into key business processes
  • Establishing a risk appetite is key
  • Planning fosters a culture of resilience
Inherent Cyber Risk ✔✔ Risk without security controls in place
Residual Risk ✔✔ The risk with cyber security controls in place
Aggregate Risk ✔✔ Total or cumulative amount of exposure associated with a specified risk
Cyber Strategy ✔✔
  • Understand value of business digital assets
  • Prioritize remediation resources based on impact to business assets & financial impacts
  • Adequate cyber budget for people, processes and tools
  • Consider cyber insurance
NIST CRMF (SP 800-37) ✔✔
  1. Categorize Information systems
  2. Identify and Tailor Security controls
  3. Implement security controls
  4. Assess Security controls
  5. Authorize Information systems
  6. Continuous monitoring
Measuring Threat ✔✔ Evaluate the probability that a particular vulnerability will be exploited by a threat source
Unintentional Threats ✔✔
  1. Environmental: weather, location, public health
  2. Human errors
  3. Accidents
  4. Failures: equipment
Intentional Threats ✔✔
  1. Greed
  2. Espionage
  3. Anger
  4. Desire to damage
Exploit ✔✔ The act of taking advantage of a vulnerability resulting in a compromise to the system, application or data
Active Attack ✔✔ Attempt to alter system resources or affect their operation
Passive Attack ✔✔ Attempt to learn or make use of information from the systems that does not affect system resources
Information Technology Domains ✔✔
  • User
  • Workstation
  • Networks (LAN & WAN)
  • Remote Access
  • Systems & Applications
Data Vulnerability Types ✔✔
In Transit ✔✔ Data being electronically transmitted between systems
In Process ✔✔ Protection of data as it is being used by system or application

Sarbanes-Oxley Act (SOX) ✔✔ Strict reforms to improve financial disclosures from corporations and prevent accounting fraud
Gramm-Leach-Bliley Act (GLBA) ✔✔ Requires financial institutions to explain their information-sharing practices to their customers and to guard sensitive data
Payment Card Industry Standard (PCI DSS) ✔✔ An information security standard for organizations that handle branded credit cards from the major card schemes
Freedom of Information Act of 1966 (FOIA) ✔✔ Provides any person with the statutory right to obtain access to government information in executive branch agency records
Cybersecurity Risk Management Framework/Models (4A) ✔✔
Early integration of security in the SDLC enables agencies to maximize return on investment in their security programs through: ✔✔
  • Early identification and mitigation of security vulnerabilities
  • Awareness of potential engineering challenges
  • Identification of shared security services, strategies, and tools to reduce development cost
  • Facilitation of informed executive decision making
RMF Benefits ✔✔
  • Provides a structured process for managing risk related to the operation of information systems
  • Provides guidelines for determining the appropriate risk mitigation needed to support organizational processes
  • Balances key mission/business goals and organizational priorities with security requirements and policy guidance
  • Facilitates the development of cost-effective information security solutions commensurate with strategic goals, mission/business process, and overall tolerance for risk
  • Provides processes for continuous monitoring, resulting in continuous improvement of the organization's security posture
  • Applicable to both new development and legacy information systems; system neutral
  • Operates iteratively within the phases of the SDLC

Risk Management Models ✔✔
  • Control Objectives for Information and Related Technologies (COBIT)
  • International Organization for Standardization (ISO)
  • National Institute of Standards & Technology (NIST)
  • FIPS: Federal Information Processing Standards
  • SP: Special Publications
  • CRMF
  • NIST SP 800-53: provides a catalog of security & privacy controls for information systems and organizations to protect organizational operations and assets
Risk Assessment ✔✔ A process to identify potential hazards and analyze what could happen if a hazard occurs
NIST CRMF ✔✔ Multi-tiered risk management approach which places information security into the broader organizational context of achieving mission/business success
CRMF Tiers ✔✔
  • Tier 1 - Senior Executive Level
  • Tier 2 - Business Process Level
  • Tier 3 - Implementation/Operation Level
CRMF Steps ✔✔
  • Categorize information systems based on an impact analysis
  • Select an initial set of baseline security controls
  • Implement security controls
  • Assess the controls' implementation
  • Authorize operation
  • Monitor on an ongoing basis
Cybersecurity Risk Management Framework (CRMF) Step 1 Data Systems Inventory (5A) ✔✔
NIST 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems ✔✔
  1. Start with the asset inventory
  2. Determine the value of the assets

Risk Mitigation ✔✔ Focus on not trying to eliminate the risk but to reduce the risk exposure to an acceptable level
NIST 800-53 R4 ✔✔
  • Security controls are organized into 18 families
  • Each security control family contains security controls related to the security functionality of the family
  • Utilized for risk mitigation and management
  • Controls are identified for EACH SYSTEM, not for each threat or vulnerability
  • Pick what is relevant for your system and level of security needed
  • Security controls for information systems and organizations help satisfy security requirements
  • Each family contains security controls related to the specific topic of the family
  • A two-character identifier uniquely identifies each control family, for example, PS (Personnel Security)
  • First control in EVERY family - write policies and procedures
Cybersecurity Risk Management Framework Step 2 Selecting Controls Task 2 (6B) ✔✔
  • Controls can be viewed as generalized statements that express the security functions or capabilities necessary to ensure compliance with applicable requirements and to manage risk
  • Management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information
  • Controls are selected and implemented to satisfy a set of defined security and privacy requirements and to manage risk
  • The selection and effective implementation of controls are important tasks that can have significant implications on the operations and assets of organizations
Risk Appetite ✔✔ The amount of risk an organization is willing to accept
Ultimate Objective ✔✔ To manage the risks through the selection and implementation of security and privacy controls
Security control effectiveness addresses the extent to which the controls are: ✔✔
  • implemented correctly
  • operating as intended
  • producing the desired outcome
Risk Register Purpose ✔✔ To form a record of the significant risks that have been identified, and to serve as a record of the control activities that are currently undertaken
Risk Assessment CRMF ✔✔
Risk Assessment Objective ✔✔ Verify & reduce risk exposure
Risk Exposure ✔✔ Combination of the likelihood that the threat will exploit the vulnerability and the severity of the exploit, combined with the sensitivity of the asset
Risk Assessment ✔✔ The process of identifying risks to organizational operations, organizational assets, individuals, and the Nation
Risk assessments are often not precise instruments of measurement and reflect: ✔✔
  • (i) the limitations of the specific assessment methodologies, tools, and techniques employed;
  • (ii) the subjectivity, quality, and trustworthiness of the data used;
  • (iii) the interpretation of assessment results;
  • (iv) the skills and expertise of those individuals or groups conducting the assessments
Quantitative ✔✔
  • Objective method
  • Uses numbers such as actual dollar values
  • Math problem with formulas
Qualitative ✔✔
  • Subjective method
  • Uses relative values based on opinions from experts
  • Uses words such as Low, Moderate, High
  • Uses probability and impact
Vulnerability Assessment ✔✔ Determines the potential impact of disruptive events on the organization's business processes
Threat Assessment ✔✔ An evaluation of potential threats
CRMF Step Risk Assessments: Qualitative ✔✔ RISK LEVEL = PROBABILITY * IMPACT
Cost-Benefit Analysis (CBA) ✔✔ Loss before - loss after - control costs
  • Implementing contingency strategies
  • Testing and revising strategy
Authority to Operate Certification & Authentication (12A) ✔✔ Ensures there are adequate security measures in place to protect the information
Certification ✔✔ Assessment of the management, operational and technical security controls to determine the extent to which the controls are implemented correctly
Accreditation ✔✔ The authorization and approval granted to a system to process in an operational environment
Authorization to Operate [OMB Circular A-130] ✔✔ The official management decision given by a senior Federal official to authorize operation of an information system and to explicitly accept the risk to agency operations
POA&Ms identify: ✔✔
  • The tasks to be accomplished with a recommendation for completion either before or after system implementation
  • The resources required to accomplish the tasks
  • Any milestones in meeting the tasks
  • The scheduled completion dates for milestones
Continuous Monitoring CRMF Step 6 (12B) ✔✔ Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions
Effectiveness monitoring ✔✔ Determines the ongoing effectiveness of implemented risk response measures
Compliance monitoring ✔✔ Verifies that the required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied.
Change monitoring ✔✔ Identifies changes to organizational systems and environments of operation that may affect security and privacy risk.
Risk Management Plan (RMP) 13A ✔✔ A document that a project manager prepares to foresee risks, estimate impacts, and define responses to risks. It also contains a risk assessment matrix.