Section 21 Risk Assessments Flashcards
(33 cards)
A process used inside of risk management to identify how much risk exists in a given network or system.
Risk Assessments
The probability that a threat will be realized.
Risk
Weaknesses in the design or implementation of a system.
Vulnerabilities
Any condition that could cause harm, loss, damage, or compromise to our information technology systems.
Threat
A strategy that requires stopping the activity that has risk or choosing a less risky alternative.
Risk Avoidance
A strategy that passes the risk to a third party.
Risk Transfer
A strategy that seeks to minimize the risk to an acceptable level.
Risk Mitigation
A strategy that seeks to accept the current level of risk and the costs associated with it if the risk were realized.
Risk Acceptance
The risk remaining after trying to avoid, transfer, or mitigate the risk.
Residual Risk
An estimation of the amount of damage that a negative risk might achieve.
Magnitude of Impact
Cost associated with the realization of each individualized threat that occurs.
Single Loss Expectancy (SLE)
SLE = AV x EF
Asset value x Exposure factor
Number of times per year that a threat is realized.
Annualized Rate of Occurrence (ARO)
Expected cost of a realized threat over a given year.
Annualized Loss Expectancy (ALE)
Verify that the organization's security posture is designed and configured properly to help thwart different types of attacks.
Security Assessments
Utilizes more intrusive techniques like scanning, hands-on testing, and probing of the network to determine vulnerabilities.
Active Assessments
Utilizes open-source information, the passive collection and analysis of network data, and other unobtrusive methods without making direct contact with the targeted systems.
Passive Assessments
Methods implemented to mitigate a particular risk.
Security Controls
Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it.
Physical Controls
Safeguards and countermeasures used to avoid, detect, counteract, or minimize security risks to our systems and information.
Technical Controls
Focused on changing the behavior of people instead of removing the actual risk involved.
Administrative Controls
Security controls that are focused on decision making and the management of risk.
Management Controls
Focused on the things done by people.
Operational Controls
Security controls that are installed before an event happens and are designed to prevent something from occurring.
Preventative