5.2 Flashcards
Risk management, risk analysis, risk management strategies, business impact analysis
A type of risk assessment that occurs before a particular project starts, to help better understand the risks of that project.
One-time
A type of risk assessment that occurs every time the change control process is implemented.
Continuous
A type of risk assessment that occurs for one specific purpose. The scope of this type of assessment is very narrow.
Ex. A specific new attack type
This type of assessment proceeds by creating a committee to perform a risk assessment of that one specific thing. After that, the committee is disbanded.
Ad hoc
A type of risk assessment that is performed on a specified schedule (e.g. annually). It can be carried out internally or by a third party.
This assessment is often mandated by governmental regulations or industry standards to demonstrate compliance.
Recurring
A type of risk assessment that uncovers the underlying reasons and context of each risk and rates its factors (ARO, impact, cost of controls, and overall risk value) on a relative scale such as low/medium/high rather than as a number.
Qualitative
A type of risk assessment that measures and quantifies specific variables in numbers (usually money), such as AV, EF, SLE, ARO, and ALE.
Quantitative
SLE stands for
Single Loss Expectancy
AV stands for
(not antivirus)
Asset Value
ALE stands for
Annualized Loss Expectancy
EF stands for
Exposure Factor
The value of the asset to the organization
Includes cost, effect on company operations, potential regulatory fines, etc.
AV
The percentage of the value lost due to an incident
Losing a quarter of the value is 0.25, losing the entire asset is 1.0, etc.
EF
The expected number of times a threat will occur in a year. Can be less than 1: an event expected once every 10 years has a value of 0.1.
ARO
The monetary loss if a single event occurs. Calculated as AV x EF.
SLE
The expected monetary loss from incidents within a year
SLE x ARO
ALE
5 types of impact you should consider during risk assessment
Life
Property
Safety
Finance
Reputation
Difference between risk likelihood and risk probability
Risk likelihood is a qualitative measurement of risk. “Rare, possible, almost certain,” etc.
Risk probability is a quantitative measurement of risk. It is statistical and can be based on historical performance.
A broad description of risk-taking deemed acceptable.
The amount of accepted risk before taking any action to reduce that risk.
Risk appetite
Difference between risk appetite and risk tolerance
Risk appetite is a broad, sweeping description.
For example, the government posts speed limits, and you are not, under any circumstances, allowed to go above that limit.
Risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives.
For example, most police officers only give you a speeding ticket if you go 5+ miles per hour over the speed limit.
Or, if there is bad weather, you might be expected to drive well below the speed limit.
Or, if you are having a medical emergency, police officers might even escort you to the hospital at higher speeds.
A detailed list of risks associated with implementing a project
May provide options or solutions to avoid or mitigate those risks. Includes key risk indicators, risk severity, and risk owners.
Risk register
Metrics that give early warning of potential risks that could negatively impact the business.
Ex. turnover rate, employee satisfaction, number of applicants per job, unpatched systems, etc.
Typically appear in a risk register as the risk description.
Ex. “Project design and deliverable definition is incomplete.”
Key risk indicators
The person listed on a risk register who is responsible for managing a particular risk
Risk owner
A measure of the level of risk exposure above which action must be taken to address risks proactively, and below which risks may be accepted.
In other words, it helps to determine whether taking action against the risk is worth it: will mitigating the risk cost more than the loss it prevents? If so, accepting the risk is the better choice.
Risk threshold
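The quantitative cards above (AV, EF, SLE, ARO, ALE) and the risk threshold card are easiest to see together in a worked cost/benefit calculation. The following is an added example, not part of the original flashcards: it computes SLE and ALE for a risk, then values a proposed control as ALE(before) - ALE(after) - annual cost of the control. A positive value means mitigating is cheaper than accepting; a negative value means the residual risk sits below the threshold and should simply be accepted. The asset value, exposure factors, rates, and control costs are constructed (hypothetical) figures.

```python
"""Quantitative risk worksheet: SLE, ALE and the cost/benefit of a control.

Added example, not from the original flashcards. All asset values, exposure
factors, rates and control costs below are constructed (hypothetical).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    av: float   # Asset Value: worth of the asset to the organization, in currency
    ef: float   # Exposure Factor: fraction of AV lost per incident, 0.0 .. 1.0
    aro: float  # Annualized Rate of Occurrence: expected incidents per year (may be < 1)

    def __post_init__(self) -> None:
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0.0 and 1.0")
        if self.av < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: money lost when the event happens once (AV x EF)."""
        return self.av * self.ef

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected yearly loss (SLE x ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float              # yearly cost to run the control (licences, staff, ...)
    new_ef: Optional[float] = None  # EF after the control is in place, None = unchanged
    new_aro: Optional[float] = None # ARO after the control is in place, None = unchanged

    def apply(self, risk: Risk) -> Risk:
        """The residual risk once this control is deployed."""
        return Risk(
            name=risk.name,
            av=risk.av,
            ef=self.new_ef if self.new_ef is not None else risk.ef,
            aro=self.new_aro if self.new_aro is not None else risk.aro,
        )


def control_value(risk: Risk, control: Control) -> float:
    """Annual value of a control = ALE(before) - ALE(after) - annual cost.

    Positive: the control prevents more loss than it costs, so mitigate.
    Negative: mitigation costs more than the loss it prevents, so the risk
    is below the risk threshold and can be accepted.
    """
    return risk.ale() - control.apply(risk).ale() - control.annual_cost


def recommend(risk: Risk, control: Control) -> str:
    return "mitigate" if control_value(risk, control) > 0 else "accept"


# Constructed scenario: a web server worth 50,000; a ransomware event is assumed
# to destroy half its value (EF 0.5) and to happen about once every 4 years (ARO 0.25).
WEB_SERVER = Risk("web server ransomware", av=50_000, ef=0.5, aro=0.25)
# Hypothetical control A: tested offline backups cut EF to 0.125 for 2,000 per year.
BACKUPS = Control("offline backups", annual_cost=2_000, new_ef=0.125)
# Hypothetical control B: a gateway appliance halves ARO but costs 5,000 per year.
APPLIANCE = Control("gateway appliance", annual_cost=5_000, new_aro=0.125)

if __name__ == "__main__":
    print(f"SLE = {WEB_SERVER.sle():,.2f}, ALE = {WEB_SERVER.ale():,.2f}")
    for ctrl in (BACKUPS, APPLIANCE):
        print(f"{ctrl.name}: value {control_value(WEB_SERVER, ctrl):+,.2f} "
              f"-> {recommend(WEB_SERVER, ctrl)}")
```

Note that the appliance is rejected even though it genuinely halves the expected loss: the annual cost of the control exceeds the ALE reduction it buys, which is exactly the "below the threshold, accept it" case the card describes.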
A risk management strategy where you move the financial impact of the risk to a third party
Ex. a cybersecurity insurance company
Transference
A risk management strategy where you do nothing to mitigate or avoid the risk
Acceptance
A risk management strategy where you accept the risk and obtain formal, standing approval not to follow a certain policy or regulation at all.
Ex. A third-party supplier says that they do not provide or support patches to their firmware.
Acceptance with exemption
A risk management strategy where you accept the risk and allow a one-time, case-by-case instance of not following a policy or regulation.
Ex. The policy is to have vulnerabilities patched within 3 days of vulnerability discovery. But this specific patch causes critical software failures, so you don’t enforce the rule this time.
Acceptance with exception
A risk management strategy where you stop participating in the risky activity.
Avoidance
A risk management strategy where you decrease the risk level.
Mitigation
A formal list of all risks that a company is tracking as well as their descriptions and how to handle them.
Commonly referenced by upper management.
Risk report
Difference between risk report and risk register
Risk report is all the risks that an organization is tracking.
Risk register tracks only the risks for a specific project.
RTO stands for
Recovery Time Objective
RPO stands for
Recovery Point Objective
MTTR stands for
Mean Time To Repair
MTBF stands for
Mean Time Between Failures
The maximum acceptable amount of time for restoring a network or application and regaining access to data after an unplanned disruption.
RTO
The amount of data, measured in time, that a company MUST have restored in order to be considered up and running after an incident has occurred.
Ex. The database must have at least the last 12 months of data to be considered fully functional.
Equivalently, it defines how much data loss (e.g. everything since the last backup) is acceptable.
RPO
The average amount of time it takes to resolve a problem.
Includes diagnosing the problem, replacing equipment, and configuring new equipment.
MTTR
The average amount of time between failures of a repairable system, i.e. the average uptime between outages.
Can be calculated as total uptime divided by the number of breakdowns, or be based on historical data.
MTBF
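The four recovery metrics above are usually computed from an incident log and then compared against the targets the business agreed to. The following is an added example, not part of the original flashcards: it parses a constructed outage log and backup schedule, derives MTTR (average outage duration) and MTBF (total uptime divided by the number of failures, as the card defines it), flags outages that blew through the RTO, and checks whether the last backup before an incident satisfies the RPO. The log lines, backup times, RTO and RPO targets, and the reporting period are all constructed (hypothetical).

```python
"""Recovery metrics (RTO, RPO, MTTR, MTBF) from a constructed outage log.

Added example, not from the original flashcards. Log lines, backup times
and targets below are constructed (hypothetical) data.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed incident log: one outage per line, "start,end" in ISO 8601 (UTC).
OUTAGE_LOG = """\
2024-01-03T02:10:00,2024-01-03T03:40:00
2024-02-14T11:00:00,2024-02-14T11:30:00
2024-03-20T22:05:00,2024-03-21T05:05:00
"""

# Constructed backup log: timestamps of completed backups.
BACKUP_LOG = """\
2024-03-20T00:00:00
2024-03-20T12:00:00
2024-03-20T18:00:00
"""

# Constructed targets agreed with the business.
RTO = timedelta(hours=4)  # service must be back within 4 hours
RPO = timedelta(hours=6)  # at most 6 hours of data may be lost

# Constructed reporting period for the MTBF calculation (Q1 2024).
PERIOD_START = datetime(2024, 1, 1)
PERIOD_END = datetime(2024, 4, 1)

Outage = Tuple[datetime, datetime]


def parse_outages(log: str) -> List[Outage]:
    outages: List[Outage] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        start_s, end_s = line.split(",")
        start, end = datetime.fromisoformat(start_s), datetime.fromisoformat(end_s)
        if end < start:
            raise ValueError(f"outage ends before it starts: {line}")
        outages.append((start, end))
    return sorted(outages)


def total_downtime(outages: List[Outage]) -> timedelta:
    return sum((end - start for start, end in outages), timedelta())


def mttr(outages: List[Outage]) -> timedelta:
    """Mean Time To Repair: average outage duration (diagnose + fix + restore)."""
    return total_downtime(outages) / len(outages)


def mtbf(outages: List[Outage], period_start: datetime, period_end: datetime) -> timedelta:
    """Mean Time Between Failures: total uptime in the period / number of failures."""
    uptime = (period_end - period_start) - total_downtime(outages)
    return uptime / len(outages)


def rto_violations(outages: List[Outage], rto: timedelta) -> List[Outage]:
    """Outages whose duration exceeded the Recovery Time Objective."""
    return [(s, e) for s, e in outages if (e - s) > rto]


def data_loss(backup_log: str, incident: datetime) -> timedelta:
    """Data lost if we restore from the last backup completed before the incident."""
    backups = [datetime.fromisoformat(l) for l in backup_log.splitlines() if l.strip()]
    before = [b for b in backups if b <= incident]
    if not before:
        raise ValueError("no backup before the incident: everything since go-live is lost")
    return incident - max(before)


def report() -> Dict[str, object]:
    """Run all four metrics over the constructed data, checking the latest outage against RPO."""
    outages = parse_outages(OUTAGE_LOG)
    latest_incident = outages[-1][0]
    loss = data_loss(BACKUP_LOG, latest_incident)
    return {
        "mttr_minutes": mttr(outages).total_seconds() / 60,
        "mtbf_minutes": mtbf(outages, PERIOD_START, PERIOD_END).total_seconds() / 60,
        "rto_violations": len(rto_violations(outages, RTO)),
        "data_loss_minutes": loss.total_seconds() / 60,
        "rpo_met": loss <= RPO,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The 7-hour outage on 2024-03-20 is the only RTO breach, while the 18:00 backup keeps the data loss for that incident (4 h 05 min) inside the 6-hour RPO; an RTO miss and an RPO miss are independent failures, which is why both are checked separately.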