Course 5: Assets Threats and Vulnerabilities Flashcards
What is the definition of risk?
Def: anything that can impact the confidentiality, integrity, or availability of an asset.
True or False: Risk is the same for every organization
False: Risk differs by organization
How should risk be interpreted?
Effects and Events: interpret risk by considering the potential effects that negative events can have on a business
What is the formula for calculating risk?
Likelihood x Impact = Risk
Name 4 reasons why we calculate risk in this field
-Prevent costly and disruptive events
-Identify improvements that can be made to systems and processes
-Determine which risks can be tolerated
-Prioritize the critical assets that require attention
What are the 3 risk categories?
-Damage
-Disclosure
-Loss of information
What 5 questions should you ask to determine impact in a risk calculation?
-How would the business be affected?
-What’s the financial harm to the business and its customers?
-Can important operations or services be impacted?
-Are there regulations that can be violated?
-What is the reputational damage to the company’s standing?
What 3 questions should you ask to determine likelihood in a risk calculation?
-Could the risk happen once a day?
-Could the risk happen once a month?
-Could the risk happen once in a year?
What is the definition of an asset?
Def: an item perceived as having value to an organization
Give 4 examples of an asset
-buildings
-equipment
-data
-people
What is the definition of a threat?
Def: any circumstance or event that can negatively impact assets
What are the two types of threats?
- intentional - ex. a malicious hacker who gains access to sensitive information by targeting a misconfigured application
- unintentional - ex. an employee who holds the door open for an unknown person and grants them access to a restricted area
What is a vulnerability?
Def: a weakness or flaw within an asset that can be exploited by a threat (analogy: a weak lock on a front door)
What are the 2 categories of vulnerabilities?
-technical - ex. misconfigured software that might give an unauthorized person access to important data
-human - ex. a forgetful employee who loses their access card in a parking lot
What is the definition of asset management?
Def: The process of tracking assets and the risks that affect them
True or False: You can only protect the things you account for
True
What is the definition of Asset Inventory?
Def: A catalog of assets that need to be protected
What is the definition of Asset Classification?
Def: The practice of labeling assets based on sensitivity and importance to an organization
Asset classification determines whether an asset can be ____, ____, or ____
disclosed, altered, or destroyed
True or False: information can have multiple classification values at the same time
True
What are the 4 levels of asset classification?
Public, Internal-only, Confidential, and Restricted
Describe the public level of asset classification
- Lowest level
- Can be shared with anyone
- No negative consequences if released
Describe the internal-only level of asset classification
- Second level
- Asset can be shared w/ anyone within the organization (i.e. employees and business partners)
Describe the confidential level of asset classification
- Third level
- Asset should only be accessed by those working on a specific project
- Disclosure may lead to a significant negative impact