5.4 Risk management processes and concepts Flashcards
Risk management: how to assess a risk?
1/ Identify assets that could be affected by an attack: hardware, customer data, intellectual property
2/ Identify threats
3/ Determine the risk: high, medium, low
Risk management: how to manage the risk?
You can accept it, avoid it (stop the high-risk activity), transfer it (e.g. by buying insurance), or mitigate it (decrease the risk level with certain measures)
Risk analysis: how to evaluate a risk?
likelihood (probability that it occurs) x impact (on the organization)
Risk analysis: what is the inherent risk?
risk that exists in the absence of controls
Risk analysis: what is the residual risk?
risk that exists after controls are considered
Risk analysis: what is the risk appetite?
amount of risk an organization is going to take
Risk analysis: what is SLE?
Single Loss Expectancy is the monetary loss if a single event occurs
Risk analysis: what is ALE ?
Annualized Loss Expectancy = likelihood (ARO) x SLE
Business Impact Analysis: what is RTO?
Recovery time objective describes how long a service would take to get back up and running
Business Impact Analysis: what is RPO?
Recovery point objective: “how much data loss is acceptable, bring the system back online etc”
Business Impact Analysis: what is MTTR?
Mean time to repair: time required to fix an issue
Business Impact Analysis: what is MTBF?
Mean time between failures: predict the time between outages
Business Impact Analysis: what is a functional recovery plan?
Step by step guide to recover from an outage
Business Impact Analysis: what is DRP?
Disaster recovery plan is a detailed plan for resuming operations after a disaster
Business Impact Analysis: what are the impacts of a disaster?
- Life (death)
- Property (building, assets)
- Safety
- Financial
- Reputational