Chapter 1: Managing Risk Flashcards
Anything that can harm your resources. There are three types:
A threat: Environmental, Man-made, Internal vs. External
A graphical tool that is often used to identify threats
A risk register
Deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or a loss of information itself.
Risk Assessment (a.k.a. risk analysis or risk calculation)
A weakness that could be exploited by a threat
Vulnerability
Three chief components of a risk assessment:
- Risks to Which the Organization Is Exposed
- Risks That Need Addressing
- Coordination with BIA (Business Impact Analysis)
A monetary measure of how much loss you could expect in a year.
Annual Loss Expectancy (ALE)
Monetary value that represents how much you could expect to lose at any one time
Single Loss Expectancy (SLE)
The value of the item
Asset value (AV)
The percentage of the asset threatened
Exposure Factor (EF)
The likelihood, often drawn from historical data, of an event occurring within a year
Annualized Rate of Occurrence (ARO)
To compute Risk Assessment:
SLE (= AV × EF) × ARO = ALE
A score representing the possibility of threat initiation.
Likelihood
Used to look at the vendors your organization works with strategically and potential risks they introduce.
Supply chain assessment
The way in which an attacker poses a threat
Threat vector
The measure of the anticipated incidence of failure for a system or component.
Mean Time Between Failures (MTBF)
The average time to failure for a nonrepairable system.
Mean Time to Failure (MTTF)
The measurement of how long it takes to repair a system or component once a failure occurs.
Mean Time to Restore (MTTR)
The maximum amount of time that a process or service is allowed to be down while the consequences are still considered acceptable.
Recovery Time Objective (RTO)
Defines the point at which the system needs to be restored
Recovery Point Objective (RPO)
Often associated with a business impact analysis, and it identifies the adverse impacts that can be associated with the destruction, corruption, or loss of accountability of data for the organization.
Privacy Impact Assessment (PIA)
Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Personally Identifiable Information (PII)
More commonly known as “analysis” rather than “assessment.” This is the compliance tool used in conjunction with PIA.
Privacy Threshold Assessment (PTA)
Involves identifying a risk and making the decision not to engage any longer in the actions associated with that risk.
Risk Avoidance
Shifting some or all of the burden of the risk to another entity; for example, moving some services to the cloud.
Risk Transference
Accomplished any time you take steps to reduce risk.
Risk Mitigation
A system that monitors the content of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed.
Data Loss Prevention (DLP)
The choice that you must make when the cost of implementing any of the other responses exceeds the value of the harm that would occur if the risk came to fruition.
Risk Acceptance
Hosting services and data on the internet instead of hosting it locally.
Cloud Computing
Vendors allow apps to be created and run on their infrastructure.
Platform as a Service (PaaS), a.k.a. cloud platform services
Applications are run remotely over the web.
Software as a Service (SaaS)
Utilizes virtualization, and clients pay a cloud service provider for resources used.
Infrastructure as a Service (IaaS)
Allows one set of hardware to host multiple virtual machines
Virtualization
The software that allows the virtual machines to exist.
Hypervisor
Provide the people in an organization with guidance about their expected behavior.
Policies
Outlines what the policy intends to accomplish and which documents, laws, and practices the policy addresses.
Scope statement