Information Risk Management Flashcards
What is Risk ?
Risk = Threat * Vulnerability
Risk Management Lifecycle is
iterative
What is the Lifecycle phases?
IT Risk Identification
IT Risk Assessment
Risk Response And Mitigation
Risk and Control Monitoring and Reporting
What are the steps to do Risk Managing as in program management
Identify our Risk Management team
What is in and what is out of scope?
Which methods are we using?
Which tools are we using?
What are the acceptable risk levels, which type of risk appetite do we have in our enterprise?
Identify our assets: Tangible and Intangible
What are the steps of Risk Assessment?
Quantitative and Qualitative Risk Analysis
Uncertainty analysis
Everything is done on a cost-benefit analysis
Risk Mitigation/Risk Transference/ Risk Acceptance/ Risk Avoidance
Risk Rejection is NEVER acceptable
We assess the current countermeasures: Are they god enough? Do we need to improve on them? Do we need to implement entirely new countermeasures?
Describe Qualitative Risk Analysis
How likely is it to happen and how bad is it if it happens?
This is a vague guess or a feeling, and relatively quick to do. Most often done to know where to focus the Quantitative Risk Analysis
Describe Quantitative Risk Analysis
What will actually cost in $? This is fact based analysis, Total $ value of asset, math is involved
What is a Threat?
A potentially harmful incident (Tsunami, earthquake, tornado…)
What is vulnerability?
A weakness that can allow the threat to do harm. having a data center in the tsunami flood area, not earthquake resistant, not applying patches and antivirus,..
How do you describe the Impact?
Can at times be added to give a more full picture. Risk= ThreatVulnerabilityImpact (How bad is it?)
What is Total risk defined?
TR= Threat * Vulnerability * Asset Value
What is Residual Risk?
Total Risk - Countermeasures
What tool is usually used to make a qualitative risk analysis?
A Risk Analysis Matrix usually 6 by 6 where the columns can starts from (left to right) insignificant, Minor, Moderate, Major, and Catastrophic; and the Rows start (top left to bottom left) with Almost Certain, Likely, Possible, unlikely, and Rare
How would you rate the loss of a laptop?
How likely is one get stolen or left somewhere? (Possible or Likely) and the risk could be L= Low; M = Medium; H = High; E= Extreme)
How bad if it happens? it would depend if the laptop is encrypted or has PII/PHI content
What other tool is also used for qualitative analysis?
Risk Registers: a spreadsheet with the following columns: Category, Name, Risk #, Probability, Impact, Mitigation, Contingency, Risk Score after Mitigation, Action By, and Action When
Describe Quantitative Analysis
Is when we want exactly enough security for our needs: This is where we put a number on that. We find the asset’s value : How much of it is compromised, how much one incident will cost, how often the incident occurs and how much that is per year.
What is AV?
Asset value - How much is the asset worth?
What is EF?
Exposure Factor - Percentage of Asset Value Lost?
What is SLE - (AV*EF) ?
What does it cost if it happens once?
Annual Rate of Occurrence (ARO)
How often will this happen each year?
