Lesson 19 - Summarizing Risk Management Concepts Flashcards
Risk that an event will pose if no controls are put in place to mitigate it.
Inherent risk
The response of reducing risk to fit within an organization’s risk appetite.
Risk mitigation (or remediation)
In risk mitigation, the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario.
risk deterrence (or reduction)
In risk mitigation, the practice of ceasing activity that presents risk.
Avoidance
In risk mitigation, the response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.
Transference (or sharing)
The response of determining that a risk is within the organization’s appetite and that no countermeasures other than ongoing monitoring are needed.
Risk Acceptance
Risk that remains even after controls are put into place.
residual risk
Risk that arises when a control does not provide the level of mitigation that was expected.
Control Risk
A document highlighting the results of risk assessments in an easily comprehensible format (such as a “traffic light” grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.
risk register
A graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders.
heat map risk matrix
A systematic activity that identifies organizational risks and determines their effect on ongoing, mission-critical operations.
Business impact analysis (BIA)
A business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.
mission essential function (MEF)
The longest period of time a business can be inoperable without causing irrevocable business failure.
Maximum tolerable downtime (MTD)
The length of time it takes after an event to resume normal business operations and activities.
Recovery time objective (RTO)
The longest period of time that an organization can tolerate lost data being unrecoverable.
Recovery Point Objective (RPO)