Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

PCS CISM > Domain 2 - Risk Management > Flashcards

Domain 2 - Risk Management Flashcards

1
Q

what is an asset

A

something of tangible or intangible value worth protecting

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

what is a vulnerability

A

weakness in the design, implementation, operation, or internal control process that could expose a system to adverse threats - lack of adequate controls

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

what is a threat

A

something that could pose loss to all or part of an asset

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

what is probability

A

the likelihood the risk will occur

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

what is impact

A

damage caused if the risk event occurs. refereed to as severity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

what is a threat agent

A

what carries out the attack

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

what is an exploit

A

an instance of compromise

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

what is needed for something to be considered a risk

A
  1. asset
  2. vulnerability
  3. threat
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

what are the two things the gives a risk value

A
  1. probability
  2. impact
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

what is risk called in the future and onces its happened

A
  1. future risk is a risk
  2. once a risk has occured its called an incident
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

what is inherent risk

A

with all businiess endeavors there is some degree of risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

what is residual risk

A

risk that remains after a cotnrol has been implemented

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

how much mitigation should be applied to a risk

A

until the residual risk is withing the level that management is willing to accept (management risk tolerance)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

what is secondary risk

A

one risk may cause a second risk or the risk created after applying a control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

what is risk appetite

s

A

senior management approach to risk - what they are willing to accept
* risk seeking
* risk neutral
* risk adverse

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

what is risk tolerance

A

acceptable level of varation that management is willing to allow for any particular risk

17
Q

what is risk profile

A

an organizations current exposure to risk

18
Q

what is risk threshold

A

a quantified lit beyond which your organziation is not willing to go

19
Q

what is risk capacity

A

amount of risk an organization can absorb without threanening is viability

20
Q

what is risk utility

A

the positive outcome desired from taking a risk

21
Q

controls

A

proactive and reactive mechanisms put in place to manage risks

22
Q

what is systemic risk

A

catory of risk that describes threats to system, market or econimic segment

23
Q

contagious risk

A

events that impact multiple organaizations in a short time
* dyn DDOS to many orgs - amazon, twitter, google etc.
* loss of trust and confidents in the payment and settlement systems

24
Q

what is obsure risk

A

risk that has not yet occrurred and is unlikely or difficult to fathom (black swan event)

25
Q

what are the steps to creating a risk management program

A
  1. establish context and purpose
    * frame out environment what is the purpse of the program
  2. define scope and charter
    * authority of project manager is defined (who takes the lead)
    * who has ultimate accountability
    * who are the owners of data
  3. define authority, structure and reporting
  4. ensure asset identification, classification and ownership
  5. determine objectives
  6. determine methodologies
  7. designate program development team
    * we want a cross functional team with a wide varieity of exposure to risk and knowledge not just yes people
26
Q

what 4 things do data owners do

A
  1. involved in day-to-day risk management
  2. follow risk process
  3. apply internal controls and risk responses
  4. responsible for making decisions about their data
27
Q

governance does what 3 things

A
  1. oversee and challenge risk management
  2. provide guidance and direction
  3. develp risk management framework
28
Q

per NIST 800-30 what are the 4 steps to a risk management process

A
  1. address how your organization frame risk or establish risk context
    * describe th eenvironment in which risk-based decisions are made. the framing component is to produce a risk management strategy
    * this addresses how the ogranization assess risk, respond to risk and monitor risk
  2. addresses how organizations assess risk
    * the purpose of risk assessment is to identify threats to the organization (i.e., operations, assets and individuals) or threats directed through oganizations agains other oganizations or the nation
    * vulnerabilities internal and external to organizations
    * the harm (i.e.,adverse imact) that may occur given the potential for threats exploiting vulnerabilites
    * the likelihood that harm will occur
    * typically a function of the degreeo fharm and lielihood of harm to occur
  3. how organizations respond to risk. The purpose of risk response is to provide a consistant, organizational-wide response to risk in accordance with the organizational risk frame
    * developing alternative courses of action
    * evaluate alternative courses of action
    * determine appropriate courses of action consistent with the organizational risk tolerance
    * implementing risk responses based on selected courses of action
  4. how organizations monitor risk over time
    * determine ongoing effectiveness of risk responses (consistent with the organization risk frame)
    * identify risk-impacting changes to informational systems and the environment
    * verify that planned risk responses are implemented
29
Q

do we focus on IT risk just because they are IT risk

A

no, we only focus on business impacting risks

30
Q

3 assessment approaches

A
  1. threat orientation - starts with identification of threat sources and events; focuses on threat scenario development
  2. asset/impact-oriented - starts with the identification of impacts or consequences of concnern and critical assets, possibly using the results of business impact analyses
  3. vulnerability-oriented - starts with a set of predisposing conditions or exploitable weaknesses/deficiences in the oganizational information systems or environment; identifites threat events that could exploit those vulnerabilites

PCS CISM (3 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions