lecture 3 Flashcards

1
Q

COSO ERM framework, every risk management decision either increases, decreases or erodes value:

A
  • Aligning risk appetite
  • reducing operational surprises
  • enhancing risk response
  • identifying and managing multiple and cross enterprise risks
  • seizing opportunities
  • improving deployment of capital
2
Q

Risk identification

A

Processes for identifying the risks and opportunities that could impact on an organisation

3
Q

risk assessment

A

The identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed. Includes development of risk treatment strategies.

4
Q

Strategic understanding of information value

A

The strategic objectives; how, why and what information is most critical; the value of other information assets.

5
Q

risk appetite

A

A high-level view of how much risk management is willing to accept

6
Q

Risk identification mini steps

A

Identify information/ICT processes and then develop a set of risk indicators relative to these

7
Q

threat

A

potential cause of an unwanted incident, which may result in harm to a system or organisation

8
Q

likelihood

A

the probability of a risk eventuating

9
Q

Consequence

A

the impact of an adverse change to the level of business objectives achieved

10
Q

existing controls

A

safeguards and countermeasures in place to manage risk

11
Q

Jacobson's window

A

Isolates four classes of risk: low-low, high-low, low-high and high-high. These four are easily broken down into either inconsequential or significant risk classes.

12
Q

options available for risks

A
accept = monitor
avoid = eliminate
reduce = institute controls
share = partner with someone
13
Q

Key elements of impact analysis

A

Assess the degree of harm or loss that can occur as a result of exploitation of a vulnerability

14
Q

determining acceptable risk levels

A

Evaluating risks on the basis of likelihood and consequences provides two factors that can be used to prioritise risk management

15
Q

Expected value of risk

A

EVR = estimated loss from specific risk * % likelihood of loss

16
Q

enterprise risk management (an effective IT security strategy needs a holistic, security-conscious environment across the entire organisation and a commitment to:)

A

Ensure stakeholders' confidence and trust through the integrity of the business and its information assets

  • Maintaining the confidentiality of personal and financial information
  • safeguarding sensitive business information from unauthorised disclosure
  • ensuring availability to business critical information assets
17
Q

Confidentiality

A

meaning that the information assets can be accessed and disclosed only by authorised parties

18
Q

integrity

A

meaning that the information assets can only be modified or deleted in authorised ways, therefore they are always complete and true

19
Q

availability

A

meaning that the information assets are accessible to the authorised parties in a timely manner

20
Q

non-repudiation

A

meaning the ability to prove that a sender sent or a receiver received a message even if the sender or receiver wishes to deny it later

21
Q

Authenticity

A

Meaning both the genuineness and validity of an information asset

22
Q

privacy

A

meaning to protect the confidentiality and identity of a user

23
Q

accountability

A

meaning the ability to audit the level of protection provided for information assets and the ability to identify where the responsibility lies to provide such protection

24
Q

Assurance

A

meaning the measurement of confidence in the level of protection of an information asset and the degree to which a particular control enforces information security policy requirements