5.4 Risk Management Flashcards
Define risk register
Identification of risks at each step of a project plan
Define risk matrix/heat map
Assignment of points to every risk based on severity and a color-coded visual representation of the risks
Define inherent risk (2)
- A risk that exists or is evaluated in the absence of security controls
- Connecting to the Internet without a firewall, for example
Define residual risk (2)
- A risk that exists or is evaluated with security controls in place
- Connecting to the Internet with a firewall in place
Define risk appetite
The level of risk an organization is willing to take
Define risk-control self-assessment
An organization analyzes itself for gaps between current security controls and those identified during analysis of risks
Define security control risk
- Security controls are put in place to reduce risk. There is a risk of these controls failing.
- For example, an old firewall
Define quantitative risk analysis
Using a scoring system to assign point values to risks
Define qualitative risk analysis
When quantitative risk analysis can’t be applied, risk analysis can be based on opinions from other sources, such as experts
Define likelihood of occurrence (2)
- A quantitative analysis of the likelihood that a risk will occur
- Hurricane - likely in Florida but not Montana, for example
Define annual rate of occurrence (ARO)
A quantitative calculation of the likelihood of occurrence over a one-year period
Define single loss expectancy (SLE)
- The cost of a specific single loss
- A laptop that is stolen costs $1,000 to replace, for example
Define annualized loss expectancy (ALE)
- Calculated as ARO x SLE
- Helps an organization decide its strategy to manage a risk, i.e. acceptance, avoidance, mitigation, etc.
Define 4 risk management strategies
- Acceptance
- Avoidance
- Transference - outsource to a third-party or purchase cybersecurity insurance
- Mitigation - implement controls to reduce the risk
Define asset value
Quantitative risk analysis factor based only on the physical hard cost to replace an item; does not account for other factors (impact)
Define impact relative to risk analysis (2)
- Identifying other results of a loss beyond asset value
- i.e. if an employee loses a laptop, sales and productivity may be lost, and the IT department will lose time ordering and configuring a replacement device
Define recovery time objective (RTO) relative to business impact analysis (2)
- The amount of time it would take to recover from an outage
- Not necessarily full recovery, but to a defined minimum functional point
Define recovery point objective (RPO) relative to business impact analysis
- An acceptable minimum functional point
- Often used in conjunction with RTO
Define mean time to repair (MTTR)
The average amount of time it takes to make a specific repair; useful for establishing RTO
Define mean time between failures (MTBF)
Average time between failures of a specific piece of equipment
Define functional recovery plan (2)
- A pre-established set of processes and procedures to resolve and fully recover from an outage
- Includes contact information for all resources necessary
Define single point of failure (2)
- A single entity or device that can cause an outage
- Useful for evaluating whether redundancy should be implemented