Risk Management Flashcards Preview

Flashcards in Risk Management Deck (76)
1

IRM

Information Risk Management - the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level

2

Risk assessment

Method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls

3

Cost / benefit Comparison

Compares the annualized cost of controls to the potential cost of loss

4

Project Sizing

Understanding which assets and threats should be evaluated

5

Loss potential

What a company would lose if a threat agent actually exploited a vulnerability

6

Delayed loss

Loss that occurs after the initial vulnerability is exploited

7

NIST SP 800-30

Risk Management Guide for Information Technology Systems

8

FRAP

Facilitated Risk Analysis Process - focuses on assessing one system at a time, only the most critical ones.
- Based on experience; risk is not quantified, for expediency.

9

OCTAVE

Operationally Critical Threat, Asset, and Vulnerability Evaluation - Carnegie Mellon methodology that allows people within an organization to make security evaluation decisions. Wider scope than FRAP.

10

AS/NZS 4360

Broad approach to risk management encompassing financial, capital, human safety, and business decision risks. Business, not security, focused.

11

ISO/IEC 27005

International standard for risk management in ISMS (Information Security Management System)

12

FMEA

Failure Modes and Effects Analysis - method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process

13

Fault tree analysis

Method used to identify possible failures that could occur in complex environments and systems

14

CRAMM

Central Computing and Telecommunications Agency Risk Analysis and Management Method - a risk analysis and management method developed in the UK; the supporting tools are sold by Siemens

15

Quantitative risk analysis

Assigns monetary and numeric values to all elements of the risk analysis process

16

Qualitative risk analysis

Softer approach to the data elements of risk analysis. Does not assign numerical values to risk elements.

17

SLE

Single Loss Expectancy - dollar amount assigned to a single event that represents the company's potential loss amount.
SLE = Asset value x Exposure factor

18

Exposure Factor

Represents the percentage of loss a threat could have on a certain asset.

19

ALE

Annual Loss Expectancy
ALE = SLE x Annualized Rate of Occurrence (ARO)

20

ARO

Annualized Rate of Occurrence
Value that estimates the frequency of a specific threat taking place within a 12-month period.

21

Uncertainty

Degree to which you lack confidence in an estimate

22

Delphi Technique

A group decision method that uses anonymity to obtain a consensus.

23

Cost / benefit analysis

“(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company”

24

Residual Risk

Amount of risk left over when safeguards / countermeasures are implemented
(threats × vulnerability × asset value) × controls gap = residual risk
total risk – countermeasures = residual risk

25

Total Risk

Risk a company faces if it chooses not to implement any safeguards
threats × vulnerability × asset value = total risk

26

Transfer Risk

If the total risk is too much for a company to deal with, it may purchase insurance, which transfers the risk

27

Risk Avoidance

Removes the risk by terminating the activity that causes it

28

Risk Mitigation

Risk is reduced to a level acceptable enough to continue doing business

29

Accept Risk

The company understands the level of risk and decides to live with it. The cost of the countermeasure may outweigh the potential loss value.

30

Security Policy

Overall general statement by senior management that dictates the role of security within the organization