Chapter 2: Risk Management Flashcards
Risk management
process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level
ISRM policy
information systems risk management policy; provides foundation/direction for the org’s security risk management processes and procedures and should address all issues of information security
Threat
a potential cause of an unwanted incident, which may result in harm to a system or org
Risk assessment methodology
NIST SP 800-30
FRAP
Facilitated Risk Analysis Process
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation
FMEA
Failure Modes and Effect Analysis
FMEA
Failure Modes and Effect Analysis; method for determining functions, identifying functional failures, and assessing the causes of failure and their effects through a structured process
Fault tree analysis
a useful approach to detect failures that can take place within complex environments and systems
Quantitative risk analysis
attempts to assign monetary values to components within the analysis
Qualitative risk analysis
Uses judgment and intuition instead of numbers because qualitative items cannot be quantified with precision; involves people with requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience
SLE
Single loss expectancy
ARO
annual rate of occurrence; frequency per year
ALE
annualized loss expectancy
Annualized loss expectancy calculation
SLE x ARO = ALE
Risk treatments
transferred, avoided, reduced, or accepted
Total risk calculation
Threats x vulnerability x asset value = total risk
Residual risk calculation
(Threats x vulnerability x asset value) x controls gap = residual risk
Three categories of controls
administrative, technical, and physical
Types of controls (depending on their purpose)
Preventive, detective, corrective, deterrent, recovery, and compensating
Security control verification
“did we implement the control right?”
Security control validation
“did we implement the right control?”
Supply chain
sequence of suppliers involved in delivering some product
BCM
business continuity management; overarching approach to managing all aspects of BCP and DRP
BCP
business continuity plan; strategy documents which detail procedures to ensure critical business functions are maintained and help minimize losses of life, operations, and systems
BCP contents
provides procedures for emergency responses, extended backup operations, and post-disaster recovery. Should have enterprise-wide reach, with each individual org having its own detailed continuity and contingency plans. Needs to prioritize critical apps and provide a sequence for efficient recovery. Requires senior executive management support for initiating the plan and final approval; can quickly become outdated due to personnel turnover, reorganizations, and undocumented changes