5.3 Risk management processes and concepts Flashcards
Threat assessment
Compiling a prioritized list of probable and possible threats.
Environmental
Threats caused by some sort of failure in the surrounding environment. These could include power or telecoms failure, pollution, or accidental damage (including fire).
Man-made
Intentional man-made threats, such as terrorism, war, or vandalism/arson, or unintentional threats, such as user error or information disclosure through social media platforms.
Risk assessment
A
SLE
(Single Loss Expectancy) The amount that would be lost in a single occurrence of a particular risk factor.
ALE
(Annual Loss Expectancy) The total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).
ARO
(Annual Rate of Occurrence) The expected number of times a particular risk factor is realized in a year.
Asset value
A
Risk register
A document showing the results of risk assessments in a comprehensible format.
Likelihood of occurrence
The probability of the threat being realized.
Impact
The severity of the risk if realized as a security incident. This may be determined by factors such as the value of the asset or the cost of disruption if the asset is compromised.
Quantitative risk assessment
Aims to assign concrete values to each risk factor.
Qualitative risk assessment
Focused on identifying significant risk factors.
Penetration testing authorization
There are difficult issues regarding employee privacy and data confidentiality to resolve, especially if the test involves third-party consultants. All staff and contractors involved in the pen test must have written authorization to proceed.
Accept
(or retention) means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be unavoidable delay before the countermeasures are deployed.