Domain 2 - Risk Management Flashcards
what is an asset
something of tangible or intangible value worth protecting
what is a vulnerability
weakness in the design, implementation, operation, or internal control process that could expose a system to adverse threats - lack of adequate controls
what is a threat
something that could cause loss to all or part of an asset
what is probability
the likelihood the risk will occur
what is impact
damage caused if the risk event occurs; also referred to as severity
what is a threat agent
what carries out the attack
what is an exploit
an instance of compromise
what is needed for something to be considered a risk
- asset
- vulnerability
- threat
what are the two things that give a risk its value
- probability
- impact
what is a risk called before it happens and once it has happened
- while it is still in the future it is a risk
- once a risk has occurred it is called an incident
what is inherent risk
with all business endeavors there is some degree of risk before any controls are applied
what is residual risk
risk that remains after a control has been implemented
how much mitigation should be applied to a risk
until the residual risk is within the level that management is willing to accept (management risk tolerance)
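The cards above state that a risk value comes from probability and impact and that you mitigate until the residual value is within tolerance. The following added example (not part of the original flashcards) puts those two ideas into a small risk register. It assumes a 1-5 ordinal scale for probability and impact, risk value = probability x impact, controls that knock points off probability or impact, and a management tolerance of 6; the register entries, control names and reduction figures are constructed for illustration.

```python
"""Constructed risk-register example: inherent vs. residual risk against a tolerance.

Assumptions (not from the flashcards): 1-5 ordinal scales for probability and
impact, risk value = probability x impact (1..25), and a tolerance of 6.
"""
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Control:
    """A mitigation that lowers probability and/or impact by some points on the scale."""
    name: str
    probability_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """A risk exists only when an asset, a vulnerability and a threat are all present."""
    asset: str
    threat: str
    vulnerability: str
    probability: int  # likelihood the threat exploits the vulnerability, 1..5
    impact: int       # severity if it does, 1..5
    controls: list = field(default_factory=list)


def risk_value(probability: int, impact: int) -> int:
    """Risk value = probability x impact on the assumed 1-5 ordinal scales (1..25)."""
    for name, v in (("probability", probability), ("impact", impact)):
        if not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"{name} must be in {SCALE_MIN}..{SCALE_MAX}, got {v}")
    return probability * impact


def inherent_risk(risk: Risk) -> int:
    """Risk before any control is applied."""
    return risk_value(risk.probability, risk.impact)


def residual_risk(risk: Risk) -> int:
    """Risk that remains after the listed controls are applied.

    A control can reduce probability or impact, but never below the bottom of
    the scale: some residual risk always remains, because no control is perfect.
    """
    p = risk.probability - sum(c.probability_reduction for c in risk.controls)
    i = risk.impact - sum(c.impact_reduction for c in risk.controls)
    return risk_value(max(SCALE_MIN, p), max(SCALE_MIN, i))


def within_tolerance(risk: Risk, tolerance: int) -> bool:
    """Mitigate until the residual risk is within the level management will accept."""
    return residual_risk(risk) <= tolerance


def register_report(risks, tolerance: int):
    """Rank risks by residual value (highest first) and flag those still above tolerance."""
    rows = []
    for r in risks:
        residual = residual_risk(r)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "inherent": inherent_risk(r),
            "residual": residual,
            "status": "accepted" if residual <= tolerance else "mitigate further",
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register (illustrative values, not from any real assessment).
MANAGEMENT_TOLERANCE = 6
SAMPLE_RISKS = [
    Risk("customer database", "SQL injection by external attacker",
         "unparameterised queries in web tier", probability=4, impact=5,
         controls=[Control("parameterised queries + input validation", probability_reduction=2),
                   Control("field-level encryption of PII", impact_reduction=2)]),
    Risk("file servers", "ransomware", "users can run unsigned executables",
         probability=3, impact=5,
         controls=[Control("offline backups tested quarterly", impact_reduction=2)]),
    Risk("staff laptops", "theft or loss", "data stored locally",
         probability=3, impact=3,
         controls=[Control("full-disk encryption", impact_reduction=2)]),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS, MANAGEMENT_TOLERANCE):
        print(f"{row['asset']:<18} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} {row['status']}")
```

Running it lists the ransomware risk first (inherent 15, residual 9, still above the tolerance of 6 and therefore needing a further control), the database risk as accepted at residual 6, and the laptop risk as accepted at residual 3. The floor in `residual_risk` is the point of the "residual risk" card: stacking controls never drives a risk to zero, only to the bottom of the scale.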
what is secondary risk
one risk may cause a second risk or the risk created after applying a control
what is risk appetite
senior management's approach to risk - how much risk they are willing to accept
* risk seeking
* risk neutral
* risk averse
what is risk tolerance
acceptable level of variation that management is willing to allow for any particular risk
what is risk profile
an organization's current exposure to risk
what is risk threshold
a quantified limit beyond which your organization is not willing to go
what is risk capacity
amount of risk an organization can absorb without threatening its viability
what is risk utility
the positive outcome desired from taking a risk
controls
proactive and reactive mechanisms put in place to manage risks
what is systemic risk
category of risk that describes threats to a whole system, market or economic segment
what is contagious risk
events that impact multiple organizations in a short time
* the Dyn DDoS that took down many organizations at once - Amazon, Twitter, GitHub etc.
* loss of trust and confidence in the payment and settlement systems
what is obscure risk
risk that has not yet occurred and is unlikely or difficult to fathom (black swan event)
what are the steps to creating a risk management program
- establish context and purpose
* frame the environment and the purpose of the program - define scope and charter
* authority of project manager is defined (who takes the lead)
* who has ultimate accountability
* who are the owners of data - define authority, structure and reporting
- ensure asset identification, classification and ownership
- determine objectives
- determine methodologies
- designate program development team
* we want a cross-functional team with a wide variety of exposure to risk and knowledge, not just yes people
what 4 things do data owners do
- involved in day-to-day risk management
- follow risk process
- apply internal controls and risk responses
- responsible for making decisions about their data
governance does what 3 things
- oversee and challenge risk management
- provide guidance and direction
- develop the risk management framework
per NIST SP 800-30 (which adopts the process defined in SP 800-39) what are the 4 steps of the risk management process
- frame risk (establish the risk context)
* describe the environment in which risk-based decisions are made; the output of framing is a risk management strategy
* the strategy addresses how the organization assesses risk, responds to risk and monitors risk
- assess risk
* the purpose of risk assessment is to identify threats to the organization (i.e., operations, assets and individuals) or threats directed through the organization against other organizations or the nation
* vulnerabilities internal and external to the organization
* the harm (i.e., adverse impact) that may occur given the potential for threats exploiting vulnerabilities
* the likelihood that harm will occur
* risk is typically a function of the degree of harm and the likelihood of that harm occurring
- respond to risk
* the purpose of risk response is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame
* develop alternative courses of action
* evaluate the alternative courses of action
* determine appropriate courses of action consistent with the organizational risk tolerance
* implement risk responses based on the selected courses of action
- monitor risk over time
* determine the ongoing effectiveness of risk responses (consistent with the organizational risk frame)
* identify risk-impacting changes to information systems and their environment
* verify that planned risk responses are implemented
do we focus on an IT risk just because it is an IT risk
no, we only focus on business impacting risks
what are the 3 risk assessment approaches
- threat-oriented - starts with identification of threat sources and events; focuses on threat scenario development
- asset/impact-oriented - starts with the identification of impacts or consequences of concern and critical assets, possibly using the results of business impact analyses
- vulnerability-oriented - starts with a set of predisposing conditions or exploitable weaknesses/deficiencies in the organizational information systems or environment; identifies threat events that could exploit those vulnerabilities