Risk Flashcards
Impact combined with likelihood gives rise to ______
Risk
Threats and vulnerabilities help determine the likelihood of what?
An impact occurring
Allows organisations to discover and share threat and vulnerability information
Threat intelligence and sharing
What are WARPs?
Warning, Advice & Reporting Points
What are CERTs?
Computer Emergency Response Teams
What are WARPs and CERTs?
Freely available sources
What is threat categorisation?
Understanding the difference between different types of threats, such as accidental, deliberate, internal and external threats and to anticipate that threats may arise from unexpected sources
What are accidental threats?
Hazards, which are generally environmental in nature, e.g. pandemics, human errors, simple failures of systems and software, fire, floods and power failures. Accidental threats are frequently things that the organisation cannot avoid; it must anticipate them and be prepared to deal with them
What are deliberate threats?
Hacking; malicious software; sabotage, e.g. DDoS attacks and cyber terrorism, whether by individuals, groups or nation states; high-tech crime, whether by individuals, corporations or criminal gangs. Again, anticipation is the key factor.
What are some other sources of threats?
Threats from the Dark Web, vulnerabilities of Big Data and the Internet of Things
What are sources of unintentional threat?
Internal employees and contractors, trusted partners; poor software design, weak procedures and processes, managed services and social media. Unintentional threats are frequently the result of failing to follow procedures or cutting corners in order to save time and effort
What are sources of deliberate threat?
Internal (possibly disgruntled) employees and contractors, random attackers, targeting attackers, especially where there is a strong motive. Part of the art of risk management is understanding the likely motivations of attackers, which leads to improved risk assessment and the introduction of more appropriate controls
What is vulnerability categorisation?
Weaknesses or design failures in both software and hardware, location of or poor design of buildings and facilities, people who may be susceptible to coercion and undocumented, poorly written or unenforced procedures. As with threats, it is important to think outside the box to identify possible vulnerabilities
What are some examples of specific vulnerabilities?
Personal computers, laptops, hand-held devices such as tablets and smartphones, uncontrolled ‘Bring Your Own Device’ usage, system servers, network devices, wireless systems, web servers and email systems
What contributes to overall risk?
Threat, Vulnerabilities & Asset Values
Which risks should an organisation subject to detailed examination and treatment proposals?
Higher or Critical Risks
Threats should be impact-assessed in terms of what?
Loss of confidentiality, integrity or availability leading to service failures, financial loss, brand damage or loss of customer confidence
Who should impact assessments be conducted with and why?
Impact assessments should be conducted with the information owner to ensure that the true impacts are identified, not what another person thinks they may be
What are the steps in the risk management process?
- Define the context in which the organisation operates
- Identify the risks
- Analyse them for level of risk
- Evaluate them for criticality
- Treat them
Who must you communicate with throughout?
Stakeholders
What needs to be done regularly with impact assessment?
Monitor & Review
What are the four options for dealing with risk?
- Avoid or terminate the risk
- Share or transfer the risk
- Reduce or Modify the risk
- Accept the risk
What is avoiding or terminating the risk?
Don’t do it or stop doing it – but this may introduce additional risks
What is sharing or transferring the risk?
Share or transfer the risk to a third party e.g. insurance, but retain overall ownership
How do you reduce or modify a risk?
Use controls to change the impact or likelihood
What is accepting the risk and when do you do it?
Accept the risk if none of the other options is workable or if they cannot reduce the risk further. Review the risk periodically, but never ignore it
What are detective controls?
TACTICAL
Discovering what has happened or is happening, such as antivirus software, CCTV
What are preventative controls?
TACTICAL
Measures to prevent something from happening, such as barriers, guards
What are directive controls?
TACTICAL
Issuing instructions to prevent or respond, such as policies and procedures
What are corrective controls?
TACTICAL
Measures to fix a problem, such as installing a software patch
What are examples of physical controls?
OPERATIONAL
Security barriers and access control systems
What are examples of procedural/personal controls?
OPERATIONAL
Enforced password updates, firewall rule sets
What are examples of technical controls?
OPERATIONAL
Intrusion detection/prevention systems, file or disk level encryption
The organisation needs to understand the impact of damage to or loss of assets in order to assess the risks it faces and decide whether to accept the risk, or to treat it in some way