Which of the following BEST describes the information needed for each risk on a risk register?
A. Various risk scenarios with their date, description, impact, probability, risk score, mitigation action and owner
B. Various risk scenarios with their date, description, risk score, cost to remediate, communication plan and owner
C. Various risk scenarios with their date, description, impact, cost to remediate and owner
D. Various activities leading to risk management planning
A. Multifactor authentication safeguards against an account being accessed without authorization. If a malicious hacker has gained access to the account, this control has already been bypassed.
B. Audit logging may be useful in identifying activities undertaken using an administrator account, but it is a lagging indicator unlikely to be effective in time to limit the scope of impact associated with a compromise.
C. Privileged accounts, such as those used by administrators, are typically sought after by malicious hackers because of the perception that they will be exempt from most controls and have permission to do everything. However, except in the smallest organizations, administrators tend to be specialized in particular areas (e.g., specific servers, specific databases or firewalls). Although employing least privilege will not reduce the potential impact of a compromised account within the scope of its intended use, having specialized administrator accounts can greatly limit the impact to the organization as a whole. Even in small organizations where one person holds all roles, establishing specialized administrator accounts subject to least-privilege restrictions limits the potential impact of loss associated with an account compromise.
D. A password policy requiring frequent changes can limit the reuse value of a compromised account, but it is unlikely that changes will be sufficiently restrictive to affect an account before it has been used by a malicious hacker who controls it.
A. Summarizing project risk does not necessarily lead to an understanding of all risk; for example, it may not capture the effect of project risk on the realization of benefits, on programs and portfolios, or on business and strategic objectives. Unintended consequences, reputation and brand risk, and strategic objectives need to be considered in order to assess strategic IT risk.
B. Strategic IT risk is related to the strategy and strategic objectives of the organization. Once this is understood, a conversation with senior executives will provide an enterprise view of the dependencies and expectations for IT, which leads to an understanding of the potential risk.
C. Enterprise architecture (EA) is fundamentally about producing a view of the current state of IT, establishing a vision for a future state and generating a strategy to get there (preferably by optimizing resource risk while realizing benefits). This view of IT should demonstrate the linkage of IT to organizational objectives and produce a view of current risk, but the development of EA takes significant effort, resources and time. Enterprise architectures also benefit from being informed by an understanding of organizational strategy and the views of the senior executives, which change rapidly in the current business environment and, therefore, need to be regularly reviewed.
D. Developing an understanding of current incidents will not directly provide a strategic view of the objectives of the organization and how the organization is dependent on IT to achieve those objectives.
In the field of information security, the following statements are useful: "Due care are steps that are taken to show that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees." And, "continual activities that make sure the protection mechanisms are continually maintained and operational." (Source: Harris, Shon; All-in-one CISSP Certification Exam Guide, 2nd Edition, McGraw-Hill/Osborne, USA, 2003.) Stockholders, customers, business partners and governments expect corporate officers to run the business in accordance with accepted business practices and in compliance with laws and other regulatory requirements. So, while no entity can protect itself completely from security incidents, an entity that can demonstrate due care in the event of legal action can make the case that it is actively monitoring and maintaining its protection mechanisms and that these activities are ongoing.