Week 2 Flashcards
(15 cards)
What is Business Continuity Management (BCM)?
A holistic management program that:
-Identifies potential threats to an organization.
-Builds resilience and response capabilities.
-Safeguards stakeholders, environment, reputation, and critical operations.
What are the key goals of BCM?
-Identify threats.
-Use risk-based methodologies.
-Develop resiliency in business operations.
What are the three stages of the BCM lifecycle?
-Development – Establish a business continuity program.
-Implementation – Deploy strategies and plans.
-Maintenance – Update, test, and refine plans.
What is a Business Impact Analysis (BIA)?
-Assesses the impact of disruptions on operations.
-Establishes recovery objectives (RTO/RPO).
-Determines critical resources needed for recovery.
Define Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
-RTO: Maximum time allowed to resume operations after a disruption (e.g., 5 mins for a bank’s payment system).
-RPO: Latest point in time to which data must be recoverable, i.e. the maximum tolerable data loss (e.g., 5 mins for a hospital’s patient records).
What is a Single Point of Failure (SPOF)? How can it be mitigated?
-SPOF: A critical resource whose failure cripples operations.
-Mitigation:
  -Resilience (e.g., load-balancing servers).
  -Redundancy (e.g., backup systems).
What are the key components of BCM maintenance?
-Training & Awareness – Ensure employees know how to respond.
-Testing & Exercises – Simulate disruptions to evaluate plans.
-Plan Updates – Adapt to new threats or business changes.
What is the relationship between BCM and Risk Management?
-Risk Management: Preventative (identifies/mitigates risks).
-BCM: Recovery-focused (ensures continuity after an incident).
What is the NIST definition of security risk?
A measure of threat exposure based on:
-Likelihood of occurrence.
-Impact if the event happens.
(Reference: NIST SP 800-30 Rev. 1)
What is the risk formula? Provide an example.
Risk = Threat × Vulnerability × Impact
Example:
-High Threat + High Vulnerability = High Risk.
-Low Threat + High Vulnerability = Medium Risk.
What are the four steps in the Security Risk Management lifecycle?
-Identify Risks (assets, threats, vulnerabilities).
-Analyze Risks (assess impact/likelihood).
-Treat Risks (apply controls).
-Monitor Risks (continuous review).
Name five key assets to protect in risk management.
-Financial assets.
-Physical assets (e.g., hardware).
-Information/data.
-People (employees, customers).
-Intangibles (reputation, trust).
What are common sources for identifying vulnerabilities?
-CVE Details (e.g., Log4j vulnerability CVE-2021-44228).
-NIST National Vulnerability Database (NVD).
-OWASP (web application risks).
What are five common cyberattack types?
-Malware (ransomware, viruses).
-Phishing.
-Denial of Service (DoS).
-SQL Injection.
-Zero-day Exploits.
How is a security risk statement structured? Provide an example.
-Asset: Customer database.
-Threat: Cyberattack.
-Vulnerability: Weak passwords.
-Impact: Data breach, financial loss.