How Can We Help?
CompTIA Security Plus: Section 9 Risk Management
Section 9: Risk Management Study Guide
4.3 Risk Management Processes and Concepts
Risk Terminology
- Risk = Threat × Vulnerability × Impact
- Threat, Vulnerability, Likelihood, Impact
- Risk Appetite vs. Risk Tolerance
- Residual Risk
Risk Assessment Types
- Qualitative: High/Med/Low, risk matrices
- Quantitative: ALE = SLE × ARO; SLE = Asset Value × Exposure Factor; ARO = frequency per year
- Hybrid: Combined qualitative and quantitative
Risk Assessment Steps
- Identify: Assets, threats, vulnerabilities
- Analyze: Determine likelihood and impact
- Evaluate: Prioritize against risk criteria
Risk Treatment Options
- Accept: Monitor residual risk
- Avoid: Eliminate the risk source
- Mitigate: Apply controls to reduce likelihood/impact
- Transfer: Shift risk via insurance or outsourcing
Risk Register
- Columns: ID, Description, Likelihood, Impact, Score, Treatment, Owner, Status, Review Date
- Tracks identified risks and remediation status
Monitoring and Reporting
- Metrics: Number of risks accepted/mitigated/transferred, residual risk trends
- Dashboards/Heat Maps: Visualize likelihood vs. impact
- Review Frequency: Continuous for high-risk, periodic for others
4.1 Policies, Plans, and Procedures
- Policy: High-level management directive
- Standard: Mandatory actions to enforce policy
- Procedure: Step-by-step instructions
- Guideline: Recommended practices
Business Impact Analysis (BIA)
- RTO: Maximum acceptable downtime
- RPO: Maximum acceptable data loss
- MTPoD: Maximum tolerable period of disruption
- Criticality ranking of business functions
4.5 Frameworks and Concepts
- NIST RMF: Categorize, Select, Implement, Assess, Authorize, Monitor
- ISO 31000: Principles and guidelines for risk management
- FAIR: Quantitative risk analysis model
- Bow-Tie Analysis: Visual mapping of cause, event, impact and controls
Common Pitfalls
- Mixing qualitative and quantitative methods incorrectly
- Failing to track residual risk
- Confusing treatment options (accept, avoid, mitigate, transfer)
- Policy vs. procedure confusion
Sample Scenarios
| Scenario | Objective | Response |
|---|---|---|
| Calculate ALE for $50k asset, 40% EF, ARO=2 | Quantitative Assessment | SLE=20k, ALE=40k |
| Transfer risk via SLA after vendor breach | Risk Transfer | SLA with breach notification clause |
| Risk register missing owner/status | Risk Register | Add Owner, Status, Review Date columns |
| Appetite 15%, Tolerance 5% | Risk Appetite/Tolerance | Accept ≤5%, Monitor up to 15%, Mitigate >15% |
| Which document defines step-by-step assessment? | Policy vs. Procedure | Risk Assessment Procedure |
Exam-Focus Study Techniques
- Flashcards by objective (e.g., ALE formula, residual risk definition, NIST RMF steps)
- Mini risk register exercise
- Heat map plotting for hypothetical risks
- Risk management process flowchart
- Framework comparison table (NIST RMF, ISO 31000, FAIR)
- Topic audits for practice errors