Fundamentals Flashcards
What are four examples of intangible assets?
1) Data
2) Brand
3) Reputation
4) Intellectual Property
What is Risk Tolerance/Acceptable Risk?
The level of risk an organization is willing to accept.
What is a Risk Treatment/Control? What 3 methods are there? What should a control or treatment not do?
The method used to lower or eliminate a risk. Examples include isolation of, insurance for, elimination of, and sharing of risk. These methods could be administrative, technical, procedural, or substitution measures. Ensure that a control/treatment does not introduce new risks, or that any new risks it introduces are easier to address or less serious than the initial risk.
What is a Risk Registry? What is it used for?
A list of identified risks together with their characteristics, severity, and likelihood. The Registry is often used to compare risks from many different sources.
What 3 elements should be included at a minimum to cost effectively manage risk?
1) Protecting the Organization and its value chain.
2) Responding to events
3) Continuing Operations while recovering from events.
Define CCP.
Critical Control Point: A point, step, or process at which controls can be applied to modify risk.
What is a management system?
A framework of policies, processes, and procedures used to ensure that an organization can fulfill all tasks required to achieve its objectives.
What is a risk driver?
An event, individual, process, or trend having an impact on the objectives of the organization.
What is risk?
The effect of uncertainty on the achievement of strategic, tactical, and operational objectives.
What is the difference between Risk Appetite, Tolerance, and Aversion?
Appetite: The risk an entity is willing to pursue, retain, or take. (The general level of risk you accept)
Tolerance: The risk an entity is ready to bear after risk treatment. (The ability to bear a realized risk)
Aversion: The risk a company is not willing to undertake.
What is Risk Management Context?
Describes the scope, as well as risk control parameters, methods and plans currently in place for the risk management activities.
What is a Risk Portfolio?
A complete collection and range of uncertainties that affect an organization’s future. Sometimes called a Risk Universe.
What are the 5 Avenues to avoid risk?
1) Risk Avoidance
2) Risk Transfer
3) Risk Spreading (spread valuables over multiple sites)
4) Risk Reduction
5) Risk Acceptance
What is risk management?
The systematic approach that identifies risk, calculates risk impact, and eliminates or minimizes risk to an acceptable level. Risk management includes risk assessment as a sub-component.
What is the difference between observability and exploitability?
Observability is an adversary's ability to see a vulnerability.
Exploitability is an adversary's ability to take advantage of a vulnerability.
What does mitigation focus on?
Solely on reducing consequences.
What two things is a threat a combination of?
1) Adversary capabilities, motivation, and intent
2) Likelihood of attack (measured in terms of probability and frequency)
What is the Threat Spectrum?
A summary of the threat actors and their motivations, intents, tools, and capabilities that could attack a facility.
What are the six steps for carrying out both qualitative and quantitative performance-based analysis?
1) Create an adversary sequence diagram
2) Conduct a path analysis
3) Perform Scenario Analysis
4) Complete a neutralization analysis
5) Determine system effectiveness and risk
6) Develop and analyze system effectiveness upgrades if risk is not acceptable.
What three tools does a security program use to execute its mission?
1) Systems
2) Personnel
3) Regulations
What are the 5 options of Risk Mitigation?
1) Assumption
2) Avoidance
3) Limitation (control implementation)
4) Transference
5) Site hardening
What are consequential event threats?
Threats that occur because of a relationship between an event and another party, e.g. a data breach at a provider affects all of the provider's clients.
What is the difference between a threat and a hazard?
A hazard is a source of potential danger or adverse conditions (commonly natural).
A threat is the intention to cause damage or injury and is associated with humans.
What is a loss event profile?
A list of the kinds of threats affecting the assets to be safeguarded.
What is Risk? What three components does it take into account?
The potential for loss of or damage to an asset.
1) Asset Value
2) Threats or Hazards
3) Vulnerability