Chapter 4: Risk Management Flashcards
Understand the Risk Management Process
Risks can be divided into what two categories?
- Internal
- External
{Blank} risks are those that arise from within the organization.
Internal
{Blank} risks are those where the threat originates outside of the organization.
External
{Blank} are risks that are shared among many different organizations.
Multiparty Risks
{Blank} is the process of identifying and triaging the risks facing an organization based on the likelihood of their occurrence and their expected impact on the organization.
Risk Identification and Assessment
{Blank} are external forces that jeopardize the security of your information and systems. These might be naturally occurring, such as hurricanes and wildfires, or human-made, such as hacking and terrorism. You can’t normally control what {blank} are out there. They exist independently of you and your organization.
Threats
{Blank} are weaknesses in your security controls that a threat might exploit to undermine the confidentiality, integrity, or availability of your information or systems. These might include missing patches, promiscuous firewall rules, or security misconfigurations. You do have control over the {blank} in your environment, and security professionals spend much of their time hunting down and remediating them.
Vulnerabilities
{Blank} occur when your environment contains both a vulnerability and a corresponding threat that might exploit the vulnerability.
Risks
A {blank} is the method that an attacker uses to get to a target. This might be a hacker toolkit, social engineering, or physical intrusion.
Threat Vector
The {blank} of a risk is the probability that it will actually occur.
Likelihood
The {blank} of a risk is the amount of damage that will occur if the risk materializes.
Impact
{Blank} use subjective judgments to assess risks, typically categorizing them as low, medium, or high on both the likelihood and impact scales.
Qualitative Techniques
{Blank} use objective numeric ratings to assess the likelihood and impact of a risk.
Quantitative Techniques
{Blank} is the process of systematically analyzing potential responses to each risk and implementing strategies to control those risks appropriately.
Risk Treatment
What are the four risk treatment strategies?
- Avoid the risk
- Transfer the risk
- Mitigate the risk
- Accept the risk
When you practice {blank}, you change your organization’s business practices so that you are no longer in a position where that risk can affect your business.
Risk Avoidance
{Blank} attempts to shift the impact of a risk from your organization to another organization.
Risk Transference
{Blank} takes actions designed to reduce the likelihood and/or impact of a risk.
Risk Mitigation
{Blank} should only take place as part of a thoughtful analysis that determines that the cost of performing another risk management action outweighs the benefit of controlling the risk.
Risk Acceptance
The combination of risks that affect an organization is known as its {blank}.
Risk Profile
The initial level of risk that exists in an organization before any controls are put in place is the organization’s {blank}.
Inherent Risk
The risk that remains after the inherent risk is reduced by controls is known as the {blank}.
Residual Risk
Controls themselves may introduce some new risk. The new risk that results from adding controls is known as {blank}.
Control Risk
An organization will need to accept some ongoing risk in order to continue operations. Business leaders must decide how much risk they choose to accept. This is a process known as determining the organization’s {blank}.
Risk Tolerance
Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done?
A. Removed the threat
B. Reduced the threat
C. Removed the vulnerability
D. Reduced the vulnerability
Removed the vulnerability
Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information due to a type of attack called SQL injection. She is considering a variety of approaches to managing the risk.
Grace’s first idea is to add a web application firewall to protect her organization against SQL injection attacks. Which risk management strategy does this approach adopt?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
Risk Mitigation