Chapter 1: Managing Risk Flashcards
Three types of threats
Environmental
Manmade
Internal vs external
Environmental threat
Describe!
Threats caused by the environment (e.g. fire, flood, lightning)
Manmade threats
Threats caused by people (e.g. hackers, viruses)
Internal threat
Threat by personnel within the company
External threat
Threat by personnel outside the company
Risk register
Scatter plot of possible problem areas
Vulnerability
Weakness that could be exploited by a threat
Risk assessment process
Risks to the organization
Risks worth addressing
Coordination with business impact analysis
ALE
Annual loss expectancy: monetary measure of expected loss per year
BIA
Business impact analysis
SLE
Single loss expectancy: monetary measure of the expected loss from a single occurrence of an event
AV
Asset value
EF
Exposure factor: percentage of the asset that is threatened (the share of its value lost if the event occurs)
Single loss expectancy is the product of:
Asset value and exposure factor (SLE = AV x EF)
ARO
Annualized rate of occurrence: likelihood of an event occurring within a year
Risk assessment formula
SLE x ARO = ALE
NIST
National Institute of Standards and Technology
Appendix G of NIST pub 800-30
Assessment scale for likelihood of threat event initiation
NIST pub 800-30 assessment scale (qualitative value, semi-quantitative value, description):
Very high (10): adversary is almost certain to initiate the threat event
High (8): adversary is highly likely to initiate the threat event
Moderate (5): adversary is somewhat likely to initiate the threat event
Low (2): adversary is unlikely to initiate the threat event
Very low (0): adversary is highly unlikely to initiate the threat event
Supply chain assessment
Used to look at vendors your organization works with strategically and the potential risks they introduce
Threat vectors
The way in which an attacker poses a threat
MTBF
Mean time between failures
The measure of the anticipated incidence of failure for a system or component
MTTF
Mean time to failure
The average amount of time to failure for a non-repairable system
MTTR
Mean time to restore
The measurement of how long it takes to repair a system or component once failure occurs
RTO
Recovery time objective
Maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable
RPO
Recovery point objective
Defines the point in time to which the system's data must be restored after a failure
PIA
Privacy impact assessment
Identifies the adverse impacts that can be associated with the destruction, corruption, or loss of accountability of data for the organization; used in conjunction with a business impact analysis
PTA
Privacy threshold assessment
The compliance tool used in conjunction with the privacy impact assessment
Types of testing that can help identify risks
Penetration testing
Vulnerability testing
7 key measures to prevent unanticipated threats
Likelihood
Threat vector
Mean time between failures
Mean time to failure
Mean time to restore
Recovery time objective
Recovery point objective
Four possible responses to a risk once identified
Risk avoidance
Risk transference
Risk mitigation
Risk acceptance