Personnel Security and Risk Management Concepts Flashcards
What does the Exposure Factor (EF) represent?
The percentage of loss that an organization would expect to experience if a specific asset were violated by a realized risk. Expressed as a percentage (%).
What does the Single Loss Expectancy (SLE) represent?
The amount of loss an organization would experience if an asset were harmed by a specific threat occurring. It is a SINGLE event of loss.
How do you calculate the Single Loss Expectancy (SLE)?
SLE = AV (Asset Value) x EF (Exposure Factor)
What is the ARO (Annualized Rate of Occurrence)?
The expected frequency with which a specific threat or risk will occur in ONE year.
How do you calculate the ARO?
It can be derived from historical records. Multiply the likelihood of an occurrence by the number of users who could initiate the threat.
What is the ALE (Annualized Loss Expectancy)?
The possible yearly costs of all instances of a specific realized threat against a specific asset.
How do you calculate the ALE (Annualized Loss Expectancy)?
SLE (Single Loss Expectancy) x ARO (Annualized Rate of Occurrence) = ALE
What does a Safeguard do?
Reduces the ARO (Annual Rate of Occurrence) but does not affect the Exposure Factor (EF). Reduces the likelihood of the event occurring.
What type of calculations should you do when looking to apply a safeguard?
You should do a Cost/Benefit analysis of applying the safeguard. If the safeguard costs more than the asset you are protecting, why do it?
How do you calculate Safeguard benefit?
(ALE1 - ALE2) - ACS = Safeguard Value
(ALE Before Safeguard - ALE After Implementing Safeguard) - Annual Cost of Safeguard (ACS) = Value of Safeguard to the company
How do you calculate the Annual Cost of a Safeguard (ACS)?
Cost of Safeguard / # Years
How do you calculate Residual Risk?
Total Risk - Controls Gap = Residual Risk
It is the RISK that remains AFTER countermeasures are in place.
Define a Control Gap.
The difference between the Total Risk and the Residual Risk
Name the 7 different types of CONTROLS.
- Deterrent
- Preventative
- Detective
- Compensating
- Corrective
- Recovery
- Directive
What is a Deterrent control used to prevent?
- Discourage violation of security policies.
What is a Preventative control used to prevent?
Stop unwanted or unauthorized activity from occurring.
What is a Detective control used for?
To discover or detect unwanted or unauthorized activity.
What is a Compensating control used for?
They are controls used in addition to, or in place of, other controls. Aids in enforcement and support of security policies.
What is a Corrective access control used for?
Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.
What are Recovery controls used for?
Extension of Corrective access controls, but usually will restore things back to a prior state, e.g. system imaging, server clustering, anti-virus software, database or VM shadowing.
What are Directive access controls?
Deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies, e.g., security policy requirements or criteria, posted notifications, escape route signs, monitoring, supervision, etc.
What are the steps in the Risk Management Framework (RMF)?
- Categorize - Information - stored, processed, transmitted
- Select - Initial set of baseline controls
- Implement - security controls
- Assess - security controls
- Authorize - Information system operation
- Monitor - the security control in the information system
Which of the following is not an element of the risk analysis process?
a. Analysing an environment for risks
b. Creating a cost/benefit report for safeguards to present to upper management
c. Selecting appropriate safeguards and implementing them
d. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage
When a safeguard or countermeasure is not present or sufficient _______ remains.
Vulnerability
When evaluating safeguards __________
The annual cost of safeguards should not exceed the expected annual cost of asset loss.