Case Study 1: Risk Identification, Containment, and Prioritization Processes
Q1. Your company is being targeted by a hacktivist group who are launching a DDOS attack against your e-commerce portal on a random day each month throughout the year. The portal generates $500,000 dollars each month and each attack reduces revenue by 10%. What is the annual loss expectancy of this malicious activity? What use is the ALE in determining selection of security controls?
Q2. What is the role of the blue team during a pen test?
Q3. True or false? Most pen tests should be defined with an open-ended scope to maximize the chance of detecting vulnerabilities.
Case Study 2: Frameworks, Policies, and Procedures
Q1. What is a maturity model?
Q2. Which type of framework allows greater local factors to have more influence over security control selection?
Q3. What is the difference between an audit and an evaluation?
Q4. What part of the NIST Cybersecurity Framework is used to provide a statement of current cybersecurity outcomes?