5.2 Flashcards

1
Q

Risk Management

A

The process involving identification, analysis, treatment, monitoring and reporting of risks

2
Q

Risk identification

A

Proactive process recognizing potential risks
● Goal
○ Create a comprehensive list based on events hindering objectives

3
Q

Risk Analysis

A

● Evaluate likelihood and potential impact
● Qualitative or quantitative methods
● Outcome
○ Prioritized list for guiding risk treatment

4
Q

Risk Treatment

A

● Develop strategies
○ Avoidance
○ Reduction
○ Sharing
○ Acceptance
Strategy choice based on potential impact and risk tolerance

5
Q

Risk Monitoring

A

● Ongoing process tracking identified risks
● Monitor residual risks, identify new risks, and review risk management effectiveness
● Ensures dynamic responsiveness to organizational change

6
Q

Risk Reporting

A

● Communicate risk information and effectiveness of risk management to stakeholders
● Various forms
○ Dashboards
○ Heat Maps
○ Detailed Reports
● Crucial for accountability and informed decision-making

7
Q

When are ad-hoc risk assessments used?

A

When needed, often for specific things like launching a new product

8
Q

One-time risk assessment

A

Used for a new IT system, for example; not repeated

9
Q

Techniques for risk identification

A

Brainstorming, checklists, interviews and scenario analysis

10
Q

BIA

A

Business impact analysis
■ Evaluates effects of disruptions on business functions
■ Identifies and prioritizes critical functions
■ Assesses impact of risks on functions
■ Determines required recovery time for function

11
Q

RTO

A

Recovery time objective
Max acceptable time before there is a severe impact

12
Q

RPO

A

Recovery point objective
Max acceptable data loss, measured in time

13
Q

MTTR

A

Average time to repair a failed component or system

14
Q

MTBF

A

Mean time between failures
A high MTBF means the system doesn't fail often

15
Q

Risk register

A

■ Records identified risks, descriptions, impacts, likelihoods, and mitigation actions
■ Key tool in risk management
■ May resemble a heat map risk matrix
■ Facilitates communication and risk tracking
■ Key component of project and business operations
It is a document that includes risk description, impact, likelihood, outcome, level and threshold

16
Q

Risk impact

A

Potential consequences of risk occurrence
Rated on a scale of low, medium or high

17
Q

Risk likelihood

A

Probability of risk occurrence
Rated on a scale, numerically or descriptively

18
Q

Risk outcome

A

result of the risk if it occurs related to impact and likelihood of

19
Q

Risk level or threshold

A

Determined by combining the impact and likelihood
Prioritizes risks as high, medium and low

20
Q

Risk Tolerance/Acceptance

A

● An organization or individual’s willingness to deal with uncertainty in pursuit of their goals
● Maximum amount of risk they are willing to accept
● Acceptance without countermeasures

21
Q

Risk Appetite

A

Willingness to pursue risk
expansionary
conservative
neutral

22
Q

KRIs

A

Key risk indicators
Predictive metrics signaling increasing risk exposure
■ Provide early warning of potential risks
■ Tied to the organization’s objectives
■ Used to monitor risk changes and take proactive steps

23
Q

Risk owner

A

■ Responsible for managing the risk
■ Monitors, implements mitigation actions, and updates Risk Register
■ Accountable for risk management

24
Q

Qualitative Risk Analysis

A

■ Primary method in risk management
■ Assesses risks based on potential impact and likelihood
■ Categorizes risks as high, medium, or low
■ Subjective and relies on expertise and experience
■ Avoids quantitative complexity
Includes low, medium and high impact

25
Q

Quantitative Risk Analysis

A

■ Provides objective and numerical evaluation of risks
■ Used for financial, safety, and scheduling decisions
■ Utilizes key components
● Single Loss Expectancy (SLE)
● Exposure Factor (EF)
● Annualized Rate of Occurrence (ARO)
● Annualized Loss Expectancy (ALE)

26
Q

EF

A

Exposure factor
● Proportion of asset lost in an event (0% to 100%)
● Indicates asset loss severity
e.g. flooding hitting headquarters would be a 70% loss in assets

27
Q

SLE

A

Single loss expectancy
Calculated as Asset Value x Exposure Factor (EF)
e.g. 70% x $5,000 (cost of asset)

28
Q

ARO

A

Annualized rate of occurrence
● Estimated frequency of threat occurrence within a year
● Provides a yearly probability

29
Q

ALE

A

Annualized Loss Expectancy (ALE)
SLE x ARO

30
Q

Give an example of risk transference

A

Insurance

31
Q

Contract indemnity clauses

A

■ A contractual agreement where one party agrees to cover the other’s harm, liability, or loss stemming from the contract

32
Q

Risk Acceptance

A

Used when the cost of managing the risk outweighs the potential loss, or the risk is unlikely to have a significant impact

33
Q

Exception

A

Exception (allows party to avoid rule under specific conditions)

34
Q

Risk avoidance

A

● Change plans or strategies to eliminate a specific risk
● Chosen when the risk is too great to accept or transfer

35
Q

Risk mitigation

A

● Take steps to reduce likelihood or impact of risk
● Common strategy involving various actions

36
Q

Risk Monitoring

A

● Tracking identified risks
● Monitoring residual risks
● Identifying new risks
● Evaluating risk response plan

37
Q

Residual Risk

A

The likelihood and impact of the risk after mitigation, transference, or acceptance measures have been taken on the initial risk assessment

38
Q

Control Risk

A

○ Assessment of how a security measure has lost effectiveness over time