Information Security Risk Management Flashcards
Risk management is the process that allows business managers to …
balance operational and economic costs of protective measures and achieve gains in mission capability by protecting business processes that support the business objectives or mission of the enterprise
Risk assessment provides a …
process to systematically identify threats and then assign risk levels based on the specific organization conducting the assessment.
What is the Risk Management goal?
To identify, control and minimize the impact of uncertain events.
What is a Risk Analysis?
It is a technique to identify and assess factors that may jeopardize the success of a project or the achievement of a goal.
What is a Risk Assessment?
It is the computation of risk. Risk is a threat that exploits some vulnerability that could cause harm to an asset (Asset * Threat * Vulnerability).
What is Risk Mitigation?
It is the process in which an organization implements controls and safeguards to prevent identified risks from ever occurring, while at the same time implementing a means of recovery should the risk become a reality in spite of all efforts.
Risk management is made up of several distinct processes:
risk analysis, risk assessment, risk mitigation, vulnerability assessment, and controls evaluation.
Risk Management Activities as per the SDLC - Analysis:
identified risks are used to support the development of system requirements, including security needs.
Risk Management Activities as per the SDLC - Design:
Security needs lead to architecture and design tradeoffs.
Risk Management Activities as per the SDLC - Development:
The security controls and safeguards are created or implemented as part of the development process.
Risk Management Activities as per the SDLC - Test:
Safeguards and controls are tested to ensure that decisions regarding risks identified are reduced to acceptable levels prior to moving to production.
Risk Management Activities as per the SDLC - Maintenance:
Controls and safeguards are re-examined when changes or updates occur or at regularly scheduled intervals.
Risk analysis is a technique …
used to identify and assess factors that may jeopardize the success of a project or the achievement of a goal.
When should a risk analysis be conducted?
Whenever money or resources are to be spent.
Organizations use the risk assessment to determine …
what threats exist to a specific asset and the associated risk level of each threat, which allows threats to be prioritized.
What are the risk assessment steps?
1) Asset definition, 2) Threat identification, 3) Determine probability of occurrence, 4) Determine the impact of the Threat, 5) Controls recommended, 6) Documentation.
What are the typical deliverables of a risk assessment?
Threats identified, risk levels established, possible controls identified.
What is a threat source?
Any circumstance or event with the potential to cause harm to the asset under review.
Typical categories of threat sources are:
Natural threats, human threats, environmental threats.
How can a complete list of threat sources be obtained?
A threat source checklist and historical data.
What is the advantage of using a checklist to identify threat sources?
A checklist does not provide an exhaustive list of threat sources; it should be used to make sure that everything was covered or identified.
ARO
Annual Rate of Occurrence