Module 4 - Risk Management Flashcards
The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
Risk management
The recognition, enumeration, and documentation of risks to an organization’s information assets
Risk identification
A determination of the extent to which an organization’s information assets are exposed to risk.
Risk assessment
The application of safeguards or controls that reduce the risks to an organization’s information assets to an acceptable level.
Risk treatment (risk control)
The overall structure of the strategic planning and design for the entirety of the organization’s RM efforts.
The RM framework
The implementation of risk management, as specified in the framework
The RM process
The RM framework consists of five key stages:
- Executive governance and support
- Framework design
- Framework implementation
- Framework monitoring and review
- Continuous improvement
Risk Management Policy
This policy converts the instructions and perspectives provided to the RM framework team by the governance group into cohesive guidance that structures and directs all subsequent risk management efforts within the organization.
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility
Risk appetite
The risk to information assets that remains even after current controls have been applied
Residual risk
The assessment of the amount of risk an organization is willing to accept for a particular information asset.
Risk tolerance (risk threshold)
Prepare for the risk assessment process by performing the following tasks (5):
- Identify the purpose of the assessment
- Identify the scope of the assessment
- Identify the assumptions and constraints associated with the assessment
- Identify the sources of information to be used as inputs to the assessment
- Identify the risk model and analytic approaches to be used
The final step in the risk identification process is to:
prioritize, or rank-order, the assets.
During the identification of risk, managers must (4):
- Identify the organization’s information assets
- Classify them
- Categorize them into useful groups
- Prioritize them by overall importance
If a vulnerability is fully managed by an existing control:
it can be set aside for now (it stays in the risk register and is re-examined whenever that control or the environment changes)
Assesses the relative risk for each vulnerability and assigns a risk rating or score to each information asset.
Risk analysis
The overall rating—a numerical value on a defined scale—of the probability that a specific vulnerability will be exploited or attacked, commonly referred to as a threat event.
Likelihood
The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability
The level of impact from a threat event
risk = likelihood of a threat event (attack) × impact (or consequence), plus or minus an element of uncertainty
Risk
If residual risk is greater than the organization's risk appetite (its risk tolerance for that asset), look for:
additional treatment strategies to further reduce the risk.
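The risk analysis formula above (risk = likelihood × impact ± uncertainty), the prioritisation step of risk identification, and the residual-risk-versus-appetite check, worked through as an added Python example. This is not code from the flashcards or the textbook they summarise; the numeric scales (likelihood as a probability, impact on a 1 to 10 scale), the treatment of uncertainty as a percentage band around the point estimate, the control_effectiveness field and the sample register are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed scales for this example (not the page's): likelihood is a probability
# in [0, 1]; impact is an integer on a 1-10 scale; uncertainty is a fraction of
# the point estimate (0.25 means +/-25 %); control_effectiveness is the share of
# the vulnerability that the existing control already manages (1.0 = fully).


@dataclass
class RiskEntry:
    asset: str
    vulnerability: str
    likelihood: float
    impact: int
    uncertainty: float
    control_effectiveness: float = 0.0

    def __post_init__(self) -> None:
        # Reject values outside the assumed scales so a typo cannot silently
        # produce a meaningless score.
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.asset}: likelihood must be in [0, 1]")
        if not 1 <= self.impact <= 10:
            raise ValueError(f"{self.asset}: impact must be on the 1-10 scale")
        if not 0.0 <= self.uncertainty < 1.0:
            raise ValueError(f"{self.asset}: uncertainty must be a fraction below 1")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.asset}: control_effectiveness must be in [0, 1]")

    def inherent_risk(self) -> float:
        # risk = likelihood x impact, before any control is considered
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        # what remains after the current control has been applied
        return self.inherent_risk() * (1.0 - self.control_effectiveness)

    def residual_range(self) -> Tuple[float, float]:
        # the "plus or minus an element of uncertainty" part, expressed as a
        # band around the residual point estimate
        point = self.residual_risk()
        return point * (1.0 - self.uncertainty), point * (1.0 + self.uncertainty)

    def fully_managed(self) -> bool:
        # a vulnerability fully managed by an existing control can be set aside
        return self.control_effectiveness >= 1.0


def needs_treatment(entry: RiskEntry, risk_appetite: float) -> bool:
    """True when residual risk may exceed appetite. The comparison uses the
    upper bound of the uncertainty band so an optimistic estimate cannot
    hide a gap."""
    if entry.fully_managed():
        return False
    _, upper = entry.residual_range()
    return upper > risk_appetite


def rank_register(register: List[RiskEntry]) -> List[str]:
    """Rank-order assets by residual risk, highest first (the final step of
    risk identification is prioritisation)."""
    ordered = sorted(register, key=lambda e: e.residual_risk(), reverse=True)
    return [e.asset for e in ordered]


def treatment_queue(register: List[RiskEntry], risk_appetite: float) -> List[str]:
    """Assets whose residual risk exceeds appetite, in priority order."""
    ordered = sorted(register, key=lambda e: e.residual_risk(), reverse=True)
    return [e.asset for e in ordered if needs_treatment(e, risk_appetite)]


# Constructed sample register; the assets, vulnerabilities and numbers are
# made up for the example.
SAMPLE_REGISTER = [
    RiskEntry("public web server", "unpatched CMS plugin", 0.6, 8, 0.25),
    RiskEntry("customer database", "SQL injection in legacy report page",
              0.3, 10, 0.2, control_effectiveness=0.5),
    RiskEntry("lobby kiosk", "vendor default credentials",
              0.9, 2, 0.1, control_effectiveness=1.0),
]
RISK_APPETITE = 2.0  # assumed organisational threshold on the same scale


if __name__ == "__main__":
    for e in SAMPLE_REGISTER:
        lo, hi = e.residual_range()
        print(f"{e.asset:18} inherent={e.inherent_risk():.2f} "
              f"residual={e.residual_risk():.2f} band=({lo:.2f}, {hi:.2f}) "
              f"treat={needs_treatment(e, RISK_APPETITE)}")
    print("priority order:", rank_register(SAMPLE_REGISTER))
    print("needs further treatment:", treatment_queue(SAMPLE_REGISTER, RISK_APPETITE))
```

With the sample register and an appetite of 2.0, only the web server lands in the treatment queue: the database's residual risk (1.5, band 1.2 to 1.8) sits under appetite once its partial control is counted, and the kiosk is set aside because its control fully manages the vulnerability. Lowering the appetite to 1.7 pulls the database back in, which is the residual-risk-versus-appetite comparison on the card above.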
Four basic risk treatment strategies:
- Mitigation
- Transference
- Acceptance
- Termination
Attempts to prevent the exploitation of the vulnerability.
Risk mitigation
Attempts to shift risk to another entity
Transference risk treatment strategy, AKA risk sharing or risk transfer
The key to an effective transference risk treatment strategy is the implementation of an effective:
service level agreement (SLA)