CH21 Risk Assessment Flashcards
What is a Risk?
The probability that a threat will be realized
What is a vulnerability?
weaknesses in the design or implementation of a system.
Vulnerability is within your control
What is a Threat?
Any condition that could cause harm, loss, damage, or compromise to our information technology systems.
Threats are external and beyond your control
What are the 4 things that you can do with risk?
you can avoid it, you can transfer it, you can mitigate it, and you can accept it.
- Avoid – stopping the activity that has risk or choosing a less risky alternative.
- Transfer – passes the risk to a third party (most commonly, an insurance company)
- Mitigate – seeks to minimize the risk to an acceptable level.
- Accept – accept the current level of risk and the costs associated with it if the risk were realized
What is Residual Risk?
the risk remaining after trying to avoid, transfer, or mitigate the risk.
What is Qualitative Risk?
Qualitative Risk analysis uses intuition, experience, and other methods to assign a relative value to risk. Experience is critical in qualitative analysis.
What is Quantitative Risk?
uses numerical and monetary values to calculate risk. It can calculate a direct cost for each risk.
What is Single Loss Expectancy (SLE)?
Cost associated with realization of each individualized threat that occurs.
SLE = Asset Value (AV) x Exposure Factor (EF)
What is Annualized Rate of Occurrence (ARO)?
Number of times per year that a threat is realized
What is Annualized Loss Expectancy (ALE)?
Expected cost of a realized threat over a given year
ALE = SLE x ARO
What are Security Assessments?
Security Assessments – verify that the organization’s security posture is designed and configured properly to help thwart different types of attacks. Assessments might be required by contracts, regulations, or laws
What is an Active Security Assessment?
utilize more intrusive techniques like scanning, hands-on testing, and probing of the network to determine vulnerabilities
What is a Passive Security Assessment?
utilize open source information, the passive collection and analysis of the network data, and other unobtrusive methods without making direct contact with the targeted systems. Passive techniques are limited in the amount of detail they find.
What are physical, technical, or administrative security controls?
- Physical Controls – security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it by physical access. (fences, locked doors, etc.)
- Technical Controls – safeguards and countermeasures used to avoid, detect, counteract, or minimize security risks to our systems and information. (passwords, access controllers, encryption of the hard drive, etc)
- Administrative Controls – focused on changing the behavior of people instead of removing the actual risk involved. (Policies and procedures… employees need to lock their workstation when stepping away, mandatory vacation)
For the exam: be able to categorize things into these different types of controls based on the ten types of security controls. Some things can go into multiple categories.
What are the National Institute of Standards and Technology (NIST) security control categories?
- Management Controls – Security controls that are focused on decision-making and the management of risk. (policies, procedures, legal compliance, software development methodologies). It is about how your system’s security is going to be managed and overseen.
- Operational Controls – focused on the things done by people, controlling their actions. (user training, configuration management, testing disaster recovery plans, and conducting incident handling)
- Technical Controls – Logical controls that are put into a system to help secure it. (AAA – Authentication, Authorization, and Accounting), access control, encryption technology, passwords, and configuring your security devices
For the exam: be able to categorize things into these different types of controls based on the ten types of security controls. Some things can go into multiple categories.