15A - Risk Management Processes & Concepts Flashcards
What are the five phases of Risk Management?
1) Identify Essential Functions
2) Identify Vulnerabilities
3) Identify Threats
4) Analyze Business Impacts
5) Identify Risk Response
Quantitative Risk Analysis
A numerical method used to assess the probability and impact of a risk, expressing the impact in measurable terms.
Qualitative Risk Analysis
The process of determining the probability of occurrence and the impact of identified risks by using logical reasoning when numeric data is not readily available.
Single Loss Expectancy (SLE)
ASSET VALUE * EXPOSURE FACTOR
The amount that would be lost IN A SINGLE OCCURRENCE of the risk factor.
This is determined by multiplying the value of the asset by an exposure factor (EF). EF is the percentage (%) of the asset value that would be lost.
For example, it may be determined that a tornado weather event will damage 40% of a building. The exposure factor in this case is 40% because only part of the asset is lost. If the building is worth $200,000, this event's SLE is 200,000 * 0.4, or $80,000.
Annualized Loss Expectancy (ALE)
SLE * ARO
The amount that would be lost OVER THE COURSE OF A YEAR.
This is determined by multiplying the SLE by the Annualized Rate of Occurrence (ARO). ARO describes the number of times in a year that an event occurs.
In our previous (highly simplified) example, if it is anticipated that a tornado weather event will cause an impact twice per year, then the ARO is considered to be simply “2”.
The ALE is the cost of the event (SLE) multiplied by the number of times in a year it occurs. In the tornado example, SLE is $80,000 and ARO is 2 so the ALE is $160,000.
This number is useful when considering different ways to protect the building from tornadoes. If it is known that tornadoes will have a $160,000 per year average cost, then this number can be used as a comparison when considering the cost of various protections.
What are Key Risk Indicators ?
Key Risk Indicators (KRIs) are critical predictive indicators organizations use to monitor and predict potential risks.
What is Inherent Risk ?
The result of a quantitative or qualitative analysis is a measure of inherent risk. Inherent risk is the level of risk before any type of mitigation has been attempted.
What is Residual Risk ?
Where inherent risk is the risk before mitigation, residual risk is the likelihood and impact after specific mitigation, transference, or acceptance measures have been applied.
What is a Risk Register ?
A risk register is a document showing the results of risk assessments in a comprehensible format and includes information regarding risks, their severity, the associated owner of the risk, and all identified mitigation strategies.
What is Business Impact Analysis (BIA) ?
A systematic activity that identifies organizational risks and determines their effect on ongoing, mission-critical operations. It involves identifying and assessing the impact of various unplanned threat scenarios on the business, such as accidents, emergencies, and disasters.
By conducting a BIA, businesses can proactively create recovery strategies to minimize the impact of disruptions and ensure operational resilience.
For instance, if a DDoS attack suspends an e-commerce portal for five hours, the business impact analysis will be able to quantify the losses from orders not made and customers moving permanently to other suppliers, based on historic data. The likelihood of a DDoS attack can be assessed on an annualized basis to determine the annualized impact in terms of costs. This information is used to assess whether a security control, such as load balancing or managed DDoS mitigation, is worth the investment.
What are mission essential functions ?
A business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.
What are Primary Business Functions (PBFs) ?
Functions that act as support for the business or an MEF, but are not critical in themselves, are referred to as primary business functions (PBF).
What is Maximum Tolerable Downtime ?
The longest period of time that a business function outage may last without causing irrecoverable business failure. This includes the time taken for the disaster to occur and be fully remediated.
What is Recovery Time Objective (RTO) ?
The maximum time allowed to restore a system after a failure event.
Focus: It focuses on how quickly operations can resume and not on how much data might be lost.
Example: If an organization sets an RTO of 2 hours, it means they aim to have their systems back online and operational within 2 hours of an outage.
What is Recovery Point Objective (RPO) ?
The longest period that an organization can tolerate lost data being unrecoverable.
Focus: It focuses on how much data can be lost before it becomes unacceptable for business operations.
Example: If backups occur every hour, the RPO cannot be less than one hour, as the disaster may strike during a backup or at any time in the 60 minutes since the last backup. If RPO is 15 minutes, backups must be performed much more frequently. If a database is destroyed by a virus, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected.
What is Mean Time Between Failures (MTBF) ?
Mean time between failures (MTBF) represents the expected lifetime of a product. The calculation for MTBF is the total operational time divided by the number of failures.
For example, if you have 10 appliances that each run for 50 hours and two of them fail, the MTBF is (10 * 50) / 2 = 250 hours per failure.
A higher MTBF suggests greater reliability and longer intervals between failures.
What is Mean Time To Repair (MTTR) ?
Mean time to repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation. This can also be described as mean time to replace or recover.
MTTR is calculated as the total number of hours of unplanned maintenance divided by the number of failure incidents. This average value can be used to estimate whether a recovery time objective (RTO) is achievable.
A lower MTTR indicates quicker restoration of functionality, reducing downtime and potential disruptions to operations.
What is Work Recovery Time (WRT) ?
In disaster recovery, the additional time, beyond the RTO of individual systems, needed to perform reintegration and testing of a restored or upgraded system following an event.