Flashcards in Chapter 1 - Measuring and Weighing Risk Deck (25):
What is the Risk Calculator?
SLE x ARO = ALE, i.e. (AV x EF) x ARO = ALE
ALE = Annual Loss Expectancy, measures how much loss you can expect in a year.
ARO = Annualized Rate of Occurrence, how many times per year the loss is expected (once every ten years is an ARO of 0.1).
SLE = Single Loss Expectancy, represents how much you expect to lose from any one incident.
AV = Asset Value
EF = Exposure Factor, the fraction of the asset value lost in one incident.
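The risk calculator worked through in code, as an added example that is not part of the flashcard deck. It goes one step past the card: besides SLE and ALE it computes the net annual value of a control (ALE reduction minus the control's yearly cost), which is how the formula is normally used to decide whether a safeguard is worth buying. The asset figures, the "WAF" control and its cost are constructed for illustration.

```python
"""Quantitative risk calculator: SLE = AV x EF, ALE = SLE x ARO.

Added example; the server, the control and every number below are
constructed for illustration, not taken from the flashcard deck.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per incident (0.0 to 1.0)
    aro: float              # ARO, expected incidents per year

    def __post_init__(self) -> None:
        # Guard the usual data-entry mistakes: EF given as a percentage (25
        # instead of 0.25) or a negative frequency.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: loss from one incident (AV x EF)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: SLE scaled by yearly frequency (SLE x ARO)."""
        return self.sle * self.aro


def aro_from_interval(years_between_incidents: float) -> float:
    """Convert 'once every N years' into an ARO (1 / N)."""
    if years_between_incidents <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_incidents


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus its yearly cost.

    A positive result means the control is cost-justified; negative means
    it costs more per year than the loss it prevents.
    """
    return before.ale - after.ale - annual_control_cost


def rank_by_ale(risks: list[Risk]) -> list[str]:
    """Names of risks ordered by ALE, highest first (what to treat first)."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale, reverse=True)]


# Constructed scenario: a web server worth 100,000 that loses a quarter of
# its value per defacement, expected once every two years.
WEB_BEFORE = Risk("web server defacement", 100_000, 0.25, aro_from_interval(2))
# Assumed effect of a hypothetical WAF: same damage per incident, but only
# once per decade.
WEB_AFTER = Risk("web server defacement (with WAF)", 100_000, 0.25, aro_from_interval(10))
WAF_ANNUAL_COST = 6_000  # assumed yearly subscription


if __name__ == "__main__":
    print(f"SLE before: {WEB_BEFORE.sle:,.0f}")   # 25,000
    print(f"ALE before: {WEB_BEFORE.ale:,.0f}")   # 12,500
    print(f"ALE after:  {WEB_AFTER.ale:,.0f}")    # 2,500
    print(f"Net value of WAF per year: {control_value(WEB_BEFORE, WEB_AFTER, WAF_ANNUAL_COST):,.0f}")
```

The ARO helper is there because the most common error with this formula is entering the interval (2 years) where the rate (0.5 per year) belongs; the EF range check catches the other one, a percentage typed where a fraction is expected.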
What are Threat Vectors?
The way in which an attacker poses a threat.
Can be anything from a fake email that lures you into clicking (phishing) to an unsecured Wi-Fi hotspot.
What is the measure of the anticipated incidence of failures for a system or component?
Mean Time Between Failures (MTBF)
What is Risk Assessment?
Deals with the threats, vulnerabilities and impacts of a loss of information-processing capabilities or a loss of information itself.
What is the best way to explain quantitative and qualitative?
Quantitative - think of the goal as determining a dollar amount
Qualitative - think of a best guess or opinion of the loss, including reputation, goodwill and irreplaceable information, pictures or data that get you to a subjective loss amount.
What is the average time to failure for a non-repairable system?
Mean Time to Failure (MTTF)
What involves identifying a risk and making the decision to no longer engage in the actions associated with that risk?
Risk Avoidance
What is the maximum amount of time that a process or service is allowed to be down and the consequences still be considered acceptable?
Recovery Time Objective (RTO)
What does not imply shifting the risk completely to another entity?
Risk Transference: the burden of the risk is shared with someone else, such as an insurance company.
What is similar to RTO, but defines the point in time to which data must be restored (i.e. how much data loss is acceptable)?
Recovery Point Objective (RPO)
How is Risk Mitigation achieved?
Any time you take steps to reduce risk, for example:
* antivirus software
* educating users
* monitoring network traffic
* adding a firewall
What is the measure of how long it takes to repair a system or component once a failure occurs?
Mean Time to Restore (MTTR)
What is achieved by posting prosecution policies on your login pages and convincing attackers that you have steps in place to identify intrusions and act on them?
Risk Deterrence
What is it called when you choose not to implement any prevention of a risk due to costs, and instead accept the potential costs or damage?
Risk Acceptance
What is cloud computing and examples?
Hosts services and data on the Internet instead of hosting it locally.
Office 365, Google Docs
Google Drive, Sky Drive, Amazon Web Services
What is IaaS?
Infrastructure as a Service
* utilizes virtualization, and clients pay the outsourcer for the resources used
* closely resembles the traditional utility model used by electric, gas and water providers
* GoGrid is a well-known example
What is SaaS?
Software as a Service
* applications are run remotely over the Web; big advantage is that no local hardware is required
* best-known example of this type is Salesforce.com
What is PaaS?
Platform as a Service
* AKA cloud platform services
* vendors allow apps to be created and run on their infrastructure
* two well known models are Amazon Web Services and Google Code
What defines what controls are required to implement and maintain the sanctity of data privacy in the work environment?
Privacy Policy
Think of the privacy policy as a legal document that outlines how collected data is secured.
What describes how the employees in an organization can use company systems and resources, both SW and HW?
Acceptable Use Policies, AKA "use policy"
* when portable devices are plugged directly into a PC, they bypass security measures (such as Firewalls) and allow data to be copied in what is known as "pod slurping"
* this can also be done if employees start using free cloud drives instead
What are Security Policies?
They define what controls are required to implement and maintain the security of systems, users and networks.
What policy requires all users to take time away from work, which also exposes fraud or misuse that depends on one person being present?
Mandatory Vacations
What is BIA?
Business Impact Analysis
Process of evaluating all the critical systems in an organization to define impact and recovery plans
What refers to the measures used to keep services operational during an outage?