Chapter 10: Governance, Risk, and Compliance Flashcards
this entails evaluating the risk and then deciding not to take any action as you believe that the probability of it happening is very low or that the impact is low.
Risk Acceptance
where you decide that the risk is great and you want to offload the responsibility to a third party.
–Insurance of any kind
Risk Transference
is where the risk is deemed too high, so you decide not to carry out the task.
Risk Avoidance
you evaluate the risk and decide whether or not the risk as it stands will result in financial loss, loss of service, or being vulnerable to attack.
Risk Mitigation
is used to get a visual representation of the risks affecting a company. The heat map shows the severity of the situation, with the most severe risks being in red.
–areas in red cause severe damage to the company
Risk Matrix/Heat Map
this occurs when a company checks that the risk controls that they have in place are still effective with changing technology
Risk Control Assessment
this is the process of making all employees aware of the risk and motivating them to take responsibility for looking at risks
Risk Awareness
this is the amount of risk mitigation that a company is willing to do so that they can be compliant with regulations
Risk Appetite
severity of the risk—low, medium, high
Qualitative Risk
numerical value gained by multiplying probability with impact
Quantitative Risk
relates to the loss of a single item
Single Loss Expectancy (SLE)
is the number of times an item has been lost in a year
Annualized Rate of Occurrence (ARO)
calculated by multiplying SLE by the ARO
Annualized Loss Expectancy (ALE)
the process of looking into disasters and calculating the loss of sales, regulatory fines, and the purchase of new equipment
Business Impact Analysis (BIA)
any single component that would prevent a company from remaining operational
single point of failure
how long a company can last without its data before the lack of data starts to affect operations—also known as acceptable downtime
Recovery Point Objective (RPO)
the time that a company needs to be returned to an operational state.
Recovery Time Objective (RTO)
the average time it takes to repair a system
Mean Time to Repair (MTTR)
shows the reliability of a system
Mean Time Between Failures (MTBF)
have no information, because they are not authorized by the company (Threat Actors)
Black Hat