Risk Flashcards
Impact combined with likelihood gives rise to ______
Risk
Threats and vulnerabilities help determine the likelihood of what?
An impact occurring
Allows organisations to discover and share threat and vulnerability information
Threat intelligence and sharing
What are WARPs?
Warning, Advice & Reporting Points
What are CERTs?
Computer Emergency Response Teams
What are WARPs and CERTs?
Freely available sources
What is threat categorisation?
Understanding the differences between types of threat, such as accidental, deliberate, internal and external threats, and anticipating that threats may arise from unexpected sources
What are accidental threats?
Hazards, which are generally environmental in nature, e.g. pandemics, human errors, simple failures of systems and software, fire, floods and power failures. Accidental threats are frequently things that the organisation cannot avoid; it must anticipate them and be prepared to deal with them
What are deliberate threats?
Hacking, malicious software and sabotage, e.g. DDoS attacks and cyber terrorism, whether by individuals, groups or nation states; high-tech crime, whether by individuals, corporations or criminal gangs. Again, anticipation is the key factor.
What are some other sources of threats?
Threats from the Dark Web, vulnerabilities of Big Data and the Internet of Things
What are sources of unintentional threat?
Internal employees and contractors, trusted partners; poor software design, weak procedures and processes, managed services and social media. Unintentional threats are frequently the result of failing to follow procedures or cutting corners in order to save time and effort
What are sources of deliberate threat?
Internal (possibly disgruntled) employees and contractors, random attackers, and targeted attackers, especially where there is a strong motive. Part of the art of risk management is understanding the likely motivations of attackers, which leads to improved risk assessment and the introduction of more appropriate controls
What is vulnerability categorisation?
Weaknesses or design failures in both software and hardware, location of or poor design of buildings and facilities, people who may be susceptible to coercion and undocumented, poorly written or unenforced procedures. As with threats, it is important to think outside the box to identify possible vulnerabilities
What are some examples of specific vulnerabilities?
Personal computers, laptops, hand-held devices such as tablets and smartphones, uncontrolled ‘Bring Your Own Device’ usage, system servers, network devices, wireless systems, web servers and email systems
What contributes to overall risk?
Threat, Vulnerabilities & Asset Values
For which risks should an organisation carry out a detailed examination and prepare treatment proposals?
Higher or Critical Risks
Threats should be impact-assessed in terms of what?
Loss of confidentiality, integrity or availability leading to service failures, financial loss, brand damage or loss of customer confidence
Who should impact assessments be conducted with and why?
Impact assessments should be conducted with the information owner to ensure that the true impacts are identified, not what another person thinks they may be.
What are the steps in the risk management process?
- Define the context in which the organisation operates
- Identify the risks
- Analyse them for level of risk
- Evaluate them for criticality
- Treat them
Who must you communicate with throughout?
Stakeholders
What needs to be done regularly with impact assessment?
Monitor & Review
What are the four options for dealing with risk?
- Avoid or terminate the risk
- Share or transfer the risk
- Reduce or Modify the risk
- Accept the risk
What is avoiding or terminating the risk?
Don’t do it or stop doing it – but this may introduce additional risks
What is sharing or transferring the risk?
Share or transfer the risk to a third party e.g. insurance, but retain overall ownership