Ch-17 Flashcards
(10 cards)
Enterprise Risk Management
enterprise risk management (ERM) program - organizations take a formal approach to risk analysis that begins with identifying risks, continues with determining the severity of each risk, and then results in adopting one or more risk management strategies to address each risk.
Important Terms
Threats - any possible events that might have an adverse impact on the confidentiality, integrity, and/or availability of our information or information systems.
Vulnerabilities - weaknesses that could be exploited by a threat.
Risk - occurs at the intersection of a vulnerability and a threat that might exploit that vulnerability. A threat without a corresponding vulnerability does not pose a risk, nor does a vulnerability without a corresponding threat.
Risk Identification
risk identification - the process that requires identifying the threats and vulnerabilities that exist in your operating environment.
External - originate from a source outside the organization
Internal - originate from within the organization
Multiparty - those that impact more than one organization. For example, a power outage to a city block.
Legacy Systems - outdated systems often do not receive security updates, and cybersecurity professionals must take extraordinary measures to protect them against unpatchable vulnerabilities.
Intellectual Property - company possesses trade secrets or other proprietary information which, if disclosed, could compromise the organization’s business advantage.
Software Compliance/Licensing - the organization licenses software from a vendor and intentionally or accidentally runs afoul of usage limitations, exposing it to financial and legal risk.
Risk Calculation
Risk Severity = Likelihood * Impact
Risk Assessment Methodologies
Quantitative risk assessments - use numeric data in the analysis, resulting in assessments that allow the very straightforward prioritization of risks.
Qualitative risk assessments - substitute subjective judgments and categories for strict numerical analysis, allowing the assessment of risks that are difficult to quantify.
Business Impact
Business Impact Analysis (BIA) - a formal process designed to identify the mission essential functions within an organization and facilitate the identification of the critical systems that support those functions.
Four Key Parts -
MTBF - Mean Time Between Failures
MTTR - Mean Time To Repair
RTO - Recovery Time Objective
RPO - Recovery Point Objective
Disaster Recovery Plan
disaster recovery planning - process that creates a formal, broad disaster recovery plan for the organization and, when required, develops specific functional recovery plans for critical business functions.
Classifications
Sec+ Labels -
Public, Private, Sensitive, Confidential, Critical, Proprietary
Military Labels -
Most to least - top secret, secret, confidential, unclassified
Data Roles
Data controllers - are the entities who determine the reasons for processing personal information and direct the methods of processing that data.
Data stewards - are individuals who carry out the intent of the data controller and are delegated responsibility from the controller.
Data custodians - are individuals or teams who do not have controller or stewardship responsibility but are responsible for the secure safekeeping of information.
Data processors - are service providers that process personal information on behalf of a data controller.
Data Protection Officers - Organizations should identify a specific individual who bears overall responsibility for carrying out the organization’s data privacy efforts. This person, often given the title of chief privacy officer, bears the ultimate responsibility for data privacy and must coordinate across functional teams to achieve the organization’s privacy objectives.
Data Privacy Technology
de-identification/data obfuscation - process that removes the ability to link data back to an individual, reducing its sensitivity.
Hashing - uses a hash function to transform a value in our dataset to a corresponding hash value. The transformation is not reversible; the original data cannot be recovered from the hash.
Tokenization - replaces sensitive values with a unique identifier using a lookup table. The transformation is reversible via the lookup table.
Data masking - partially redacts sensitive information by replacing some or all of the characters in sensitive fields with blank or placeholder characters. For example, we might replace all but the last four digits of a credit card number with X's or *'s.