Lesson 19 + 20 Summarizing Risk Management Concepts Flashcards
Risk management
Risk management is a process for identifying, assessing, and mitigating vulnerabilities and threats to the essential functions that a business must perform to serve its customers.
Likelihood of occurrence
Likelihood of occurrence is the probability of the threat being realized.
Impact
Impact is the severity of the risk if realized as a security incident.
Factors that determine impact include the value of the asset and the cost of disruption if the asset is compromised.
External threat actors
External risks come from threat actors and events outside the organization. Natural disasters and events such as the COVID-19 pandemic illustrate the need to have IT systems and workflows that are resilient to widespread dislocation.
The most critical type of impact is one that could lead to loss of life or critical injury.
Internal risks
Internal risks come from assets and workflows that are owned and managed by your organization.
Multiparty risk
Multiparty risk is where an undesirable event impacts multiple organizations.
Multiparty risk usually arises from supplier relationships. If a critical event disrupts a supplier or customer, then your own organization will suffer.
IP theft: Intellectual property (IP)
Intellectual property (IP) is data of commercial value that is owned by the organization.
This can mean copyrighted material for retail (software, written work, video, and music) as well as product designs and patents. If IP data is exfiltrated, it loses much of its commercial value.
Quantitative risk assessment
Quantitative risk assessment aims to assign concrete values to each risk factor.
Single Loss Expectancy (SLE)
The amount that would be lost in a single occurrence of the risk factor: SLE = Asset Value (AV) x Exposure Factor (EF).
Exposure Factor (EF) is the percentage (or fraction) of the asset value that would be lost in that single occurrence.
Annualized Loss Expectancy (ALE)
The amount that would be lost over the course of a year: ALE = SLE x Annualized Rate of Occurrence (ARO).
Annualized Rate of Occurrence (ARO)
The expected number of times the risk will occur in a given year. It can be a fraction for events expected less than once a year (0.1 for once every ten years) or greater than 1 for frequent events.
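As an added worked example (not part of the flashcards), the Python below carries the SLE and ALE formulas above through for a few constructed risks, then applies a countermeasure to each to get the residual ALE and the annual value of the control (ALE before minus ALE after minus the control's annual cost), and orders the results into a simple risk register. The risks, asset values, exposure factors, rates of occurrence and control costs are all hypothetical figures chosen for illustration.

```python
"""Quantitative risk assessment: SLE, ALE, residual ALE and control cost/benefit.

Added worked example; all figures below are constructed for illustration and
are not taken from the flashcards or from any real incident data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One risk factor expressed with the quantitative terms from the cards."""
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in one occurrence, 0.0 to 1.0
    aro: float              # ARO: expected occurrences per year (may be < 1 or > 1)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A countermeasure: its yearly cost and how it changes EF and/or ARO."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # None = EF unchanged
    new_aro: Optional[float] = None              # None = ARO unchanged


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same risk after the control is applied (residual likelihood/impact)."""
    ef = risk.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
    aro = risk.aro if control.new_aro is None else control.new_aro
    return Risk(f"{risk.name} (with {control.name})", risk.asset_value, ef, aro)


def control_value(risk: Risk, control: Control) -> float:
    """Annual value of the control: ALE(before) - ALE(after) - annual cost.

    Positive: the control saves more per year than it costs.
    Negative: mitigation is not cost-justified; consider another response.
    """
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def recommend(risk: Risk, control: Control) -> str:
    """Map the cost/benefit result onto a risk response option."""
    if control_value(risk, control) > 0:
        return "mitigate"
    return "do not deploy; consider transference, acceptance or avoidance"


def build_register(entries: list) -> list:
    """Risk register rows ordered by inherent ALE, so the biggest risks come first."""
    rows = []
    for risk, control in entries:
        rows.append({
            "risk": risk.name,
            "sle": risk.sle(),
            "ale_inherent": risk.ale(),
            "control": control.name,
            "ale_residual": residual_risk(risk, control).ale(),
            "control_value": control_value(risk, control),
            "response": recommend(risk, control),
        })
    return sorted(rows, key=lambda r: r["ale_inherent"], reverse=True)


# Constructed sample data (hypothetical figures, not from the source).
SAMPLE_ENTRIES = [
    (Risk("Ransomware on file server", asset_value=200_000, exposure_factor=0.6, aro=0.5),
     Control("Offline backups + EDR", annual_cost=15_000, new_exposure_factor=0.1, new_aro=0.25)),
    (Risk("Stolen laptop", asset_value=3_000, exposure_factor=1.0, aro=4),
     Control("Full-disk encryption", annual_cost=2_000, new_exposure_factor=0.3)),
    (Risk("Data-centre flood", asset_value=1_000_000, exposure_factor=0.8, aro=0.02),
     Control("Flood barriers", annual_cost=30_000, new_aro=0.005)),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES):
        print(f"{row['risk']:<28} SLE={row['sle']:>10,.0f} ALE={row['ale_inherent']:>9,.0f} "
              f"residual={row['ale_residual']:>8,.0f} value={row['control_value']:>9,.0f} "
              f"-> {row['response']}")
```

With these figures the ransomware control is clearly worth deploying (inherent ALE 60,000, residual 5,000, cost 15,000, so a net 40,000 a year), while the flood barriers cost more than the ALE they remove (16,000 down to 4,000 for 30,000 a year), which is the situation where transference through insurance or acceptance is the rational response rather than mitigation.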
Qualitative risk assessment
Qualitative risk assessment rates likelihood and impact with descriptive categories (such as high, medium, and low) rather than precise monetary values, with the aim of identifying the most significant risk factors.
Inherent risk
Inherent risk is the level of risk before any type of mitigation has been attempted.
Risk posture
Risk posture is the overall status of risk management across the organization; it shows which risk response options can be identified and prioritized.
Risk mitigation
Risk mitigation (or remediation) is the overall process of reducing exposure to or the effects of risk factors.
Risk deterrence (or reduction)
Risk deterrence (or reduction) is deploying a countermeasure that reduces exposure to a threat or vulnerability, or reduces its impact if it is realized.
Risk Avoidance and Risk Transference
Avoidance means that you stop doing the activity that is risk-bearing.
Transference (or sharing) means assigning risk to a third party, such as an insurance company or a contract with a supplier that defines liabilities.
Risk Acceptance and Risk Appetite
Risk acceptance (or tolerance) means that no countermeasures are put in place, either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.
Risk appetite is the level of risk an organization is willing to accept in pursuit of its objectives; it sets the threshold for which risks can be accepted and which must be mitigated, transferred, or avoided.
Residual risk
Residual risk is the likelihood and impact that remain after specific mitigation, transference, or acceptance measures have been applied.
Control risk
Control risk is a measure of how much less effective a security control has become over time.
Risk register
A risk register is a document showing the results of risk assessments in a clear format, typically listing each risk with its likelihood, impact, owner, and chosen response.
Business impact analysis (BIA)
Business impact analysis (BIA) is the process of assessing what losses might occur for a range of threat scenarios.