Your company decides to invest in solutions, in the coming year, to support salespeople as road warriors and boost sales. Laptops, mobile phones, VPN, wireless networks, and customer relationship management (CRM) systems are parts of the selected solution. As a CISO, which of the following is the least concern when developing a risk management strategy?
A. Foreign ownership, control, or influence over suppliers
B. Investment strategies
C. The impact of the solution upon business processes
D. Laws and regulations
You are considering solutions to connect multiple branches to the headquarters. You select MPLS and RIP as the solution in the end. Between which layers are the protocols in terms of the ISO OSI model?
A. Data Link, Network
B. Transport, Physical
C. Data Link, Internet
D. Network, Transport
Today is the first workday after the Chinese lunar new year. One of the certificates for private use expired on the customer’s web server. Because the Chrome browser requires Subject Alternative Names, the certificate request file needs more attributes to add. If not, Chrome will pop up an insecure web site warning as follows:
This server could not prove that it is elux.crm.tw; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.
- Use the Certificate (for Computer) snap-in in Microsoft Management Console
- Create custom requests (PKCS #10 Request file and Subject Alternative Names: DNS)
- Request X.509 Certificate from Microsoft Certificate Services
- Install the new certificate on the web server
Subject Alternative Names
As a security professional, you are attending the risk management meeting. A member points out a maintenance service provider for the ERP system is suffering financial problems that might hinder the service level. Which of the following should be conducted first?
A. Escalate this problem to the management and suggest sourcing a backup provider
B. Activate the information system contingency plan (ISCP)
C. Train in-house team members to support the system as a backup solution
D. Identify affected business processes and related resources
Wentz’s Governance Model is a generic governance model derived from the concept of GRC (Governance, Risk Management, and Compliance). It highlights the philosophy of governance for values and introduces seven risk-aware governance practices reorganized per the definition of governance by the IT Governance Institute.
Sound governance achieves the ultimate goals of creating and delivering values while considers risk and compliance. That relies on three crucial factors: risk-aware governance practices, well-crafted strategy and well-structured organization, which can be examined from the perspectives of the static organizational structure and dynamic organizational processes and the holistic view of enterprise architecture.
The seven risk-aware governance practices derived from the definition of governance by the IT Governance Institute and the discipline of GRC are listed as follows:
- Institute the organization to support the mission
- Communicate the vision to guide the strategic direction for value delivery
- Derive goals and intended outcomes to align strategies
- Allocate and optimize resources to maximize values
- Measure and monitor performance to achieve objectives
- Manage risks to respond to changes and ensure success
- Behave responsibly to maintain integrity and compliance
They can be mapped into the following diagram:
You are the manger authorized to make decisions on the acceptance of risk. After risk treatment, you are considering a case that the cost of handling the residual risk is much higher than the risk acceptance criteria. Even though quantitative economic benefits cannot justify it, you deeply believe the risk with low likelihood is not urgent but brings a significant impact on the organization and should be handled. Which of the following decisions best meets the risk acceptance principles?
A. No further treatment because it doesn’t meet the risk acceptance criteria
B. No further treatment because subjective judgment is not reliable
C. Revise the risk acceptance criteria if possible, and implement risk treatment
D. Implement exception risk treatment but comment and justify your decision.
To address security concerns, you align the software development life cycle to ISO 15288, which consists of four families or groups of system life cycle processes: agreement, organizational project-enabling, technical management, and technical processes. Which of the following belongs to the process family, Technical Processes?
A. Configuration Management
B. Life Cycle Model Management
C. Quality Assurance
D. Business or Mission Analysis
Your organization adopts the NIST FARM risk management approach to frame, assess, respond to, and monitor risks that arise from a variety of sources or tiers such as information systems, business processes, or the organization. As a CISO, you are considering the governance structures from the organizational perspective to address risk. Which of the following is not your primary concern?
A. Strategies for internal development and external acquisition of IT products
B. Risk management strategy
C. Approaches to replacing legacy information systems
D. Enterprise Architecture
Source: NIST SP 800-30 R1
According to NIST SP 800-30 R1, risk assessment is the process of identifying, estimating, and prioritizing information security risks. This definition matches the one in ISO 31000; estimating refers to the analysis, while prioritizing refers to evaluation.
However, the guideline uses two terms in the risk assessment process that may confuse people: assessment approach and analysis approach.
- Assessment approach: e.g., quantitative, qualitative, or semi-qualitative
- Analysis approach: e.g., threat-oriented, asset/impact-oriented, or vulnerability-oriented
Risk Framing Components
The assessment approach defined in the Frame stage should apply to the “risk assessment process” as a whole, while the analysis approach should refer to the approach used to “estimate” risk as a part of the risk assessment process.
FIGURE 2: RELATIONSHIP AMONG RISK FRAMING COMPONENTS (NIST SP 800-30 R1)
FIGURE 5: RISK ASSESSMENT PROCESS (NIST SP 800-30 R1)
Risk Assessment “Slash” Analysis?
It seems that both ISO and NIST distinguish risk assessment from risk analysis. However, it’s common for people to use them interchangeably. I think it’s a good practice to use them precisely.
You learned from the news that the World Health Organization (WHO) is closely monitoring a novel deadly coronavirus under spreading. As a CISO, which of the following will you do first?
A. Implement emergent update for latest antivirus signatures
B. Conduct the exercise of the Occupant Emergency Plan (OEP)
C. Enable the incident response plan and security incident response team
D. Review and test the business continuity plan (BCP)