Module 12 - Risk Management Processes Flashcards
What is the primary goal of risk management?
To identify, assess, and mitigate vulnerabilities and threats to mission essential functions while minimizing risk and disruption.
What are the five phases of risk management?
- Identify mission essential functions
- Identify vulnerabilities
- Identify threats
- Analyze business impacts
- Identify risk responses.
What is Maximum Tolerable Downtime (MTD)?
The longest period a business function can be offline without causing irrecoverable failure.
What is the formula for Recovery Time Objective (RTO) and Work Recovery Time (WRT)?
RTO + WRT must not exceed MTD.
What is Recovery Point Objective (RPO)?
The maximum acceptable amount of data loss, measured in time, that a system can tolerate.
What is Mean Time Between Failures (MTBF)?
The average operational time between system or equipment failures.
What is Mean Time to Repair (MTTR)?
The average time required to repair and restore a system to full operation.
What are the four risk response strategies?
- Mitigate
- Avoid
- Transfer
- Accept.
What is risk transference?
Assigning risk to a third party, such as an insurance provider.
What is risk acceptance?
Choosing not to implement countermeasures because the risk level is deemed acceptable.
What is the difference between a risk exception and a risk exemption?
A risk exception is temporary and must be reviewed periodically.
A risk exemption is a strategic decision to allow risk to remain without mitigation.
What is a Mission Essential Function (MEF)?
A function that cannot be deferred and must be performed continuously or restored first after a disruption.
What is the purpose of a Business Process Analysis (BPA)?
To identify inputs, hardware, staff, outputs, and process flow for critical systems supporting mission essential functions.
What is Business Impact Analysis (BIA)?
A process that assesses the effects of disruptions on operations and quantifies potential losses.
What are common methods for identifying risks?
- Vulnerability assessments
- Penetration testing
- Security audits
- Threat intelligence.
What is residual risk?
The remaining risk after applying mitigation, transference, or acceptance measures.
What is risk appetite?
The organization-wide level of residual risk deemed acceptable based on strategic goals and compliance.
Give an example of risk mitigation.
Implementing a sprinkler system to reduce the impact of a fire.
Provide an example of risk avoidance.
Discontinuing a high-risk software project due to its vulnerabilities.
Describe an example of risk transference.
Purchasing cybersecurity insurance to cover potential data breach liabilities.
What are the two main variables used in risk assessment?
Likelihood and impact.
How is likelihood expressed in qualitative and quantitative analysis?
Qualitative: ‘Low,’ ‘Medium,’ ‘High’ or 1-5 scale.
Quantitative: Numerical value (0-1) or percentage.
What is impact in risk assessment?
The severity of a risk event if realized, determined by asset value and cost of disruption.
What is an RCSA?
Risk and Control Self-Assessment—a process for identifying risks and evaluating control effectiveness.
What is a risk register?
A document summarizing risks, their impact, likelihood, owners, and mitigation strategies.
What is the purpose of a heat map in risk assessment?
To visually represent risk severity, likelihood, and priorities using a traffic light system.
What are the four types of risk assessments?
- Ad hoc
- Recurring
- One-time
- Continuous.
Define quantitative risk assessment.
A method assigning concrete values to risks using metrics like Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE).
What is qualitative risk analysis?
A method using subjective judgment and qualitative factors to assess risks without numerical data.
What is Single Loss Expectancy (SLE)?
The monetary loss from a single risk event, calculated as Asset Value × Exposure Factor.
What is Annualized Loss Expectancy (ALE)?
The annual financial loss from a risk, calculated as SLE × Annualized Rate of Occurrence (ARO).
How is exposure factor (EF) used in SLE calculation?
EF represents the percentage of the asset value lost during a risk event.
What is inherent risk?
The risk level before applying any mitigation measures.
What is residual risk?
The risk level remaining after implementing mitigation measures.
How does risk posture differ from risk appetite?
Risk posture reflects the overall state of risk management, while risk appetite defines acceptable levels of risk.
What are Key Risk Indicators (KRIs)?
Predictive metrics used to monitor and assess potential risks.
What is the role of a risk owner?
To manage, monitor, and implement mitigation measures for a specific risk.
What is risk transference?
Assigning risk to a third party, such as through insurance.
What is risk acceptance?
Choosing not to mitigate a risk due to low likelihood or impact.
What is the difference between MTBF and MTTR?
MTBF: Mean Time Between Failures (average operational time).
MTTR: Mean Time to Repair (average time to restore functionality).
What are the levels of risk appetite?
- Expansionary
- Conservative
- Neutral.
What is risk reporting?
The communication of an organization’s risk profile and risk management effectiveness to stakeholders.
What is the primary purpose of a Business Continuity Plan (BCP)?
To ensure critical business functions (CBFs) continue during disruptions and restore normal operations.
What are the key phases of a BCP during a disaster?
- Identify the disaster and ensure safety.
- Implement short-term recovery.
- Stabilize operations.
- Restore all functions to normal.
What is the role of succession planning in BCP?
To identify and develop internal candidates for future key roles, ensuring smooth leadership transitions.
What is COOP, and how does it differ from BCP?
COOP ensures critical functions continue during a crisis, focusing on immediate response, while BCP covers broader organizational recovery.
What are some COOP strategies for IT systems?
Redundant IT systems, off-site backups, failover systems, and alternative work arrangements.
Why is regular COOP testing important?
To verify effectiveness, identify gaps, and ensure readiness for various disruptions.
Why are backups critical in COOP?
They safeguard data, ensure recoverability, and minimize downtime during disruptions.
What is the importance of testing backups?
To validate data integrity, recovery speed, and compliance with regulatory requirements.
What is capacity planning?
A process to forecast and allocate resources (people, technology, infrastructure) for current and future needs.
What are the methods of capacity planning?
Trend analysis, simulation modeling, and benchmarking.
What risks can poor capacity planning introduce?
Overloaded systems, insufficient security, and resource underutilization.
What are the three types of recovery sites?
- Hot site: Immediate failover, fully operational.
- Warm site: Requires data loading before use.
- Cold site: Empty, requires setup.
What is geographic dispersion in disaster recovery?
Distributing recovery sites across regions to mitigate the impact of localized disasters.
What is failover, and why is it important?
Failover ensures seamless transfer of operations to redundant systems during a failure.
What are the advantages of using cloud services for DR?
Cost efficiency, scalability, geographic diversity, fast deployment, and simplified management.
What are the types of resiliency tests?
- Tabletop exercises
- Failover tests
- Simulations
- Parallel processing tests.
Why is regular testing of resiliency plans critical?
To identify vulnerabilities, refine strategies, and improve preparedness.
What are key components of continuity documentation?
Test plans, test scripts, results, and communication reports.
What are examples of third-party assessments for BCP testing?
ISO 22301, PCI DSS, and SOC 2 evaluations.
Why is destroying outdated BCP versions important?
To avoid confusion and ensure only current procedures are followed during crises.
What are people risks in capacity planning?
Insufficient staffing, skill gaps, and reliance on specific individuals.
How can cross-training help mitigate workforce risks?
By ensuring multiple employees can perform critical tasks, reducing dependency on single individuals.
What technologies support remote work continuity?
VPNs, remote desktop software, cloud-based tools, video conferencing, and project management platforms.
What are the main components of third-party risk management processes?
Vendor due diligence, risk identification and assessment, ongoing monitoring, and incident response planning.
Why is third-party vendor assessment critical?
To ensure vendors adhere to security standards, comply with regulations, and mitigate risks to the organization.
What is vendor monitoring?
The continuous evaluation of vendors to ensure adherence to security standards, compliance, and contractual obligations.
What factors are considered during vendor selection?
Security practices, financial stability, regulatory compliance, reputation, and risk profile.
Name three types of third-party relationships in business.
Vendor, supply chain partner, and business partner.
How does vendor diversity benefit an organization?
It reduces cybersecurity risks, promotes resilience, fosters innovation, and mitigates vendor lock-in.
What is the purpose of due diligence in vendor assessment?
To evaluate a vendor’s suitability, reliability, and risk profile based on predefined criteria.
Name and describe a key contractual provision used in vendor assessments.
The right-to-audit clause: Allows organizations to audit vendor practices to ensure compliance and security.
What is supply chain analysis in vendor risk management?
Evaluating risks and vulnerabilities in the supply chain to identify weak links and mitigate potential issues.
What tools are used to gather vendor risk information?
Questionnaires, site visits, audits, and penetration testing.
How do organizations validate responses to vendor questionnaires?
By requesting documentation, conducting audits, and using third-party verification services.
What is a conflict of interest in vendor assessments?
A situation where competing interests may compromise the vendor’s ability to act impartially.
Name an example of a potential conflict of interest.
Financial incentives from partnerships that bias a vendor’s recommendations.
What is the purpose of Rules of Engagement (RoE) with vendors?
To define responsibilities, security requirements, and communication protocols in vendor relationships.
List three key elements in Rules of Engagement.
Roles and responsibilities, security requirements, and compliance obligations.
What is a Non-Disclosure Agreement (NDA)?
A binding agreement ensuring confidentiality of shared sensitive information.
What is the difference between an MOU and an MOA?
An MOU is nonbinding and outlines intentions, while an MOA is binding and defines specific terms and responsibilities.
What is the purpose of a Master Service Agreement (MSA)?
To define overarching terms for a specific contract, such as scope, pricing, and deliverables.
What does a Service Level Agreement (SLA) define?
Performance metrics, quality standards, and service levels expected from a vendor.
What is a Statement of Work (SOW)?
A document detailing a project’s scope, deliverables, timelines, and vendor responsibilities.
What is the main purpose of audits in organizational operations?
To evaluate processes, controls, and compliance with standards and regulations, identifying gaps and recommending improvements.
What do assessments focus on in an organization?
Evaluating the effectiveness of cybersecurity, risk management, and internal controls to identify vulnerabilities and risks.
How do audits and assessments support organizational goals?
They maintain compliance, mitigate risks, and drive continuous improvement in security and operational performance.
What is the key difference between internal and external assessments?
Internal assessments are conducted by employees for continuous improvement, while external assessments are performed by third parties for impartial evaluations.
Name two advantages of combining internal and external audits.
Enhanced risk management capabilities and improved stakeholder trust through transparency and accountability.
Why are external assessments important?
They provide independent, objective evaluations against industry standards and identify areas for improvement missed by internal teams.
What are the three main types of internal assessment methods?
Compliance assessments, audit committees, and self-assessments.
What is the role of an audit committee?
To provide independent oversight of financial reporting, internal controls, and risk management practices.
What is self-assessment, and who conducts it?
A process where internal personnel evaluate their performance against established metrics to identify strengths and weaknesses.
What are common external assessment methods?
Regulatory assessments, external examinations, general assessments, and independent third-party audits.
How do regulatory assessments support compliance?
By ensuring organizations adhere to laws, regulations, and standards through inspections, audits, and reviews.
What is the benefit of independent third-party audits?
They provide unbiased assessments, demonstrating transparency, accountability, and adherence to regulations.
What is attestation in the context of audits and assessments?
The process of verifying the accuracy and effectiveness of security controls, ensuring compliance with standards and best practices.
Who typically conducts attestations?
Qualified and trusted external entities like auditors or assessors.
How do internal and external assessments complement each other?
Internal assessments enable continuous improvement, while external assessments validate compliance and provide independent assurance.
How does collaboration between internal and external auditors benefit organizations?
It facilitates knowledge sharing, improves assessment quality, and fosters professional development.
Acronym:
BCP
Business Continuity Plan
Acronym:
COOP
Continuity of Operations
Acronym:
NIST RMF
National Institute of Standards and Technology Risk Management Framework
Acronym:
PCI-DSS
Payment Card Industry Data Security Standard
Acronym:
CPA
Certified Public Accountant
Acronym:
SLA
Service Level Agreement
Acronym:
SOW
Statement of Work
Acronym:
MOU
Memorandum of Understanding
Acronym:
MOA
Memorandum of Agreement
Acronym:
BPA
Business Partnership Agreement
Define:
Continuity of Operations (COOP)
A strategy to maintain or quickly resume critical functions during disasters or crises.
Acronym:
MSA
Master Service Agreement
Define:
Master Service Agreement (MSA)
A contract outlining the general terms and conditions for a specific vendor relationship or engagement.