Chapter 1 Risk Management
THE CASP+ EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 1: Risk Management

1.1 Summarize business and industry influences and associated security risks.
  Risk management of new products, new technologies, and user behaviors
  New or changing business models/strategies
    Partnerships
    Outsourcing
    Cloud
    Acquisition/merger—divestiture/demerger
      Data ownership
      Data reclassification
  Security concerns of integrating diverse industries
    Rules
    Policies
    Regulations
      Export controls
      Legal requirements
    Geography
      Data sovereignty
      Jurisdictions
  Internal and external influences
    Competitors
    Auditors/audit findings
    Regulatory entities
    Internal and external client requirements
    Top-level management
  Impact of de-perimeterization (e.g., constantly changing network boundary)
    Telecommuting
    Cloud
    Mobile
    BYOD
    Outsourcing
      Ensuring third-party providers have requisite levels of information security

1.2 Compare and contrast security, privacy policies, and procedures based on organizational requirements.
  Policy and process life cycle management
    New business
    New technologies
    Environmental changes
    Regulatory requirements
    Emerging risks
  Support legal compliance and advocacy by partnering with human resources, legal, management, and other entities.
  Understand common business documents to support security.
    Risk Assessment (RA)
    Business Impact Analysis (BIA)
    Interoperability Agreement (IA)
    Interconnection Security Agreement (ISA)
    Memorandum of Understanding (MOU)
    Service-Level Agreement (SLA)
    Operating-Level Agreement (OLA)
    Non-Disclosure Agreement (NDA)
    Business Partnership Agreement (BPA)
    Master Service Agreement (MSA)
  Research security requirements for contracts.
    Request for Proposal (RFP)
    Request for Quote (RFQ)
    Request for Information (RFI)
  Understand general privacy principles for sensitive information.
  Support the development of policies containing standard security practices.
    Separation of duties
    Job rotation
    Mandatory vacation
    Least privilege
    Incident response
    Forensic tasks
    Employment and termination procedures
    Continuous monitoring
    Training and awareness for users
    Auditing requirements and frequency
    Information classification

1.3 Given a scenario, execute risk mitigation strategies and controls.
  Categorize data types by impact levels based on CIA.
  Incorporate stakeholder input into CIA impact-level decisions.
  Determine minimum-required security controls based on aggregate score.
  Select and implement controls based on CIA requirements and organizational policies.
  Extreme scenario planning/worst-case scenario
  Conduct system-specific risk analysis.
  Make a risk determination based upon known metrics.
    Magnitude of impact based on ALE and SLE
    Likelihood of threat
      Motivation
      Source
      ARO
      Trend analysis
    Return on Investment (ROI)
    Total cost of ownership
  Translate technical risks in business terms.
  Recommend which strategy should be applied based on risk appetite.
    Avoid
    Transfer
    Mitigate
    Accept
  Risk management processes
    Exemptions—Deterrence—Inherent—Residual
  Continuous improvement/monitoring
  Business continuity planning
    RTO
    RPO
    MTTR
    MTBF
  IT governance
    Adherence to risk management frameworks
  Enterprise resilience

1.4 Analyze risk metric scenarios to secure the enterprise.
  Review effectiveness of existing security controls.
    Gap analysis
    Lessons learned
    After-action reports
  Reverse engineer/deconstruct existing solutions.
  Creation, collection, and analysis of metrics
    KPIs
    KRIs
  Prototype and test multiple solutions.
  Create benchmarks and compare to baselines.
  Analyze and interpret trend data to anticipate cyber defense needs.
  Analyze security solution metrics and attributes to ensure they meet business needs.
    Performance
    Latency
    Scalability
    Capability
    Usability
    Maintainability
    Availability
    Recoverability
    ROI
    TCO
  Use judgment to solve problems where the most secure solution is not feasible.

1. One of the biggest tasks as a security professional is identifying vulnerabilities. What is the difference between a vulnerability and a threat?
  A. A vulnerability is a weakness in system design, procedure, or code. A threat is the circumstance or likelihood of a vulnerability being exploited.
  B. A vulnerability is the driving force behind the activity. A threat is the probability of an attack.
  C. A vulnerability is the value to an institution where a threat is the source of the risk, internal or external.
  D. A vulnerability is the probability of the realization of a threat. A threat is the driving force behind the activity.

2. Which of the following BEST defines risk in IT?
  A. You have a vulnerability with a known active threat.
  B. You have a threat with a known vulnerability.
  C. You have a risk with a known threat.
  D. You have a