Chapter 2: Personnel Security and Risk Management Concepts Flashcards
UBA/UEBA
User Behavior Analytics/User and Entity Behavior Analytics
Analyzing the behavior of users, subjects, visitors, customers, etc. for some specific goal or purpose (e.g., spotting anomalous activity that may indicate a compromised account or insider threat)
SLA
Service Level Agreement
Ensures that organizations providing services maintain an appropriate level of service agreed upon by both service provider and customer
VMS
Vendor Management System
Risk Management
Process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk
What is the primary goal of risk management?
To reduce risk to an acceptable level
Asset
Anything (person, place, or thing) used in a business process or task whether tangible or intangible
Asset Valuation
Value assigned to asset based on multiple factors such as importance to organization, use in critical process, actual cost, etc
Threats
Any potential occurrence that may cause undesirable/unwanted outcome for an organization or specific asset. Could cause damage, destruction, alteration, loss, disclosure
Threat Events
Accidental occurrences and intentional exploitations of vulnerabilities. Can be natural or man-made
Exposure
Being susceptible to asset loss because of a threat. The possibility that a vulnerability can or will be exploited by a threat agent or event
Risk
Possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result
How is risk calculated?
Risk = Threat x Vulnerability
or
Risk = Probability of Harm x Severity of Harm
These are conceptual relationships rather than arithmetic: a threat with no matching vulnerability, or a vulnerability with no threat able to exploit it, produces no risk. Numeric risk figures come from the quantitative formulas (SLE, ALE) below.
What is a primary goal of risk analysis?
To ensure that only cost-effective safeguards are deployed
Hybrid Assessment/Analysis
Combines quantitative and qualitative analysis into a final assessment of organizational risk
Delphi Technique
An anonymous feedback-and-response process used to arrive at a consensus. This consensus gives the responsible parties the opportunity to properly evaluate risks and implement solutions.
Quantitative Risk Analysis
Focuses on hard values (typically monetary) and percentages
Complete quantitative analysis is not always possible because of intangible aspects of risk (e.g., reputation, goodwill); those are covered by qualitative analysis
EF
Exposure Factor
Represents the percentage of loss that an org would experience if a specific asset were violated by a realized risk. Also called loss potential.
SLE
Single Loss Expectancy
Potential loss associated with a single realized threat against an asset. Indicates the amount of loss the org could experience if an asset were harmed by a specific threat.
How is SLE calculated?
SLE = AV x EF
AV= Asset Value
EF= Exposure Factor
ARO
Annualized Rate of Occurrence
Expected frequency, per year, with which a specific threat or risk will occur (e.g., ARO = 0.1 means once every ten years; ARO = 12 means monthly)
ALE
Annualized Loss Expectancy
Possible yearly loss of all instances of a specific realized threat against a specific asset
How is ALE calculated?
ALE = SLE x ARO
SLE = Single Loss Expectancy
ARO = Annualized Rate of Occurrence
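As an added worked example (not part of the original flashcards), the SLE and ALE formulas above carried through in Python for a constructed scenario, plus the standard safeguard cost/benefit check (ALE before the safeguard, minus ALE after it, minus the safeguard's annual cost). That cost/benefit formula is not stated on this page but is the usual way the "only cost-effective safeguards" goal above is decided. All asset, threat and safeguard names and figures are constructed for illustration; the functions and dataclasses are this example's own.

```python
"""Quantitative risk analysis worked through: SLE = AV x EF, ALE = SLE x ARO,
and a cost/benefit ranking of candidate safeguards.
Added example; every figure below is constructed, not taken from the flashcards."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    av: float    # Asset Value, in currency units
    ef: float    # Exposure Factor: fraction of AV lost per realized threat (0..1)
    aro: float   # Annualized Rate of Occurrence: events per year (0.25 = once per 4 years)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float              # annualized cost of the safeguard (ACS)
    new_ef: Optional[float] = None  # EF after the safeguard, if it reduces impact
    new_aro: Optional[float] = None # ARO after the safeguard, if it reduces likelihood


def is_valid(ef: float, aro: float) -> bool:
    """EF is a percentage expressed as 0..1; ARO is a non-negative frequency."""
    return 0.0 <= ef <= 1.0 and aro >= 0.0


def sle(av: float, ef: float) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    if not is_valid(ef, aro):
        raise ValueError(f"bad inputs: EF={ef} (need 0..1), ARO={aro} (need >= 0)")
    return sle(av, ef) * aro


def scenario_ale(s: Scenario) -> float:
    return ale(s.av, s.ef, s.aro)


def safeguard_value(s: Scenario, g: Safeguard) -> float:
    """Net annual value of a safeguard: ALE_before - ALE_after - ACS.
    (Standard cost/benefit formula, assumed here; not stated on the flashcards.)
    A safeguard may lower EF (less damage per event), ARO (fewer events), or both."""
    ef_after = s.ef if g.new_ef is None else g.new_ef
    aro_after = s.aro if g.new_aro is None else g.new_aro
    return scenario_ale(s) - ale(s.av, ef_after, aro_after) - g.annual_cost


def rank_safeguards(s: Scenario, candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """(name, net value) pairs, best first. Negative value = not cost-effective."""
    scored = [(g.name, safeguard_value(s, g)) for g in candidates]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed scenario: a 1,000,000 customer database hit by ransomware.
# EF 0.4 -> SLE 400,000; ARO 0.25 (once every four years) -> ALE 100,000.
RANSOMWARE = Scenario("customer database", "ransomware", av=1_000_000, ef=0.4, aro=0.25)

# Constructed safeguard options with hypothetical costs and effects.
CANDIDATES = [
    Safeguard("immutable offsite backups", annual_cost=20_000, new_ef=0.1),
    Safeguard("EDR plus phishing training", annual_cost=60_000, new_aro=0.05),
    Safeguard("enterprise DLP suite", annual_cost=150_000, new_ef=0.05),
]


if __name__ == "__main__":
    print(f"SLE = {sle(RANSOMWARE.av, RANSOMWARE.ef):,.0f}")
    print(f"ALE = {scenario_ale(RANSOMWARE):,.0f}")
    for name, value in rank_safeguards(RANSOMWARE, CANDIDATES):
        verdict = "deploy" if value > 0 else "reject (costs more than it saves)"
        print(f"{name:28s} net {value:>10,.0f}  -> {verdict}")
```

Running the module prints the SLE (400,000), the ALE (100,000) and the three safeguards ranked by net value; the expensive DLP suite comes out negative even though it cuts the most loss per event, which is the point of the "cost-effective safeguards" goal. The validation step matters in practice because EF is easy to enter as a percentage (40) instead of a fraction (0.4), which inflates every downstream figure a hundredfold.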
Risk appetite
Total amount of risk that an org is willing to shoulder across all assets
Risk capacity
Level of risk an org is ABLE to shoulder
Risk limit
Max level of risk above the risk target that will be tolerated before further risk management actions are taken