Risk Assessment & Management Terms (Ch. 1)

Question 1

Agreed-upon principles set forth by a company to govern how the employees of that company may use resources such as computers and Internet access.

Answer 1

acceptable use policy/rules of behavior

Question 2

A calculation used to identify risks and calculate the expected loss each year.

Answer 2

annual loss expectancy (ALE)

Question 3

A calculation of how often a threat will occur.

Answer 3

annualized rate of occurrence (ARO)

Question 4

The assessed value of an item (server, property, and so on) associated with cash flow.

Answer 4

asset value (AV)

Question 5

A study of the possible impact if a disruption to a businesses vital resources were to occur.

Answer 5

business impact analysis (BIA)

Question 6

An agreement between partners in a business that outlines their responsibilities, obligations, and sharing of profits and losses.

Answer 6

business partners agreement (BPA)

Question 7

The potential percentage of loss to an asset if a threat is realized.

Answer 7

exposure factor (EF)

Question 8

As defined by NIST (in Publication 800-47), it is an agreement established between the organizations that own and operate connected IT systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations

Answer 8

interconnection security agreement (ISA)

Question 9

The maximum period of time that a business process can be down before the survival of the organization is at risk.

Answer 9

maximum tolerable downtime (MTD)

Question 10

The measurement of the anticipated lifetime of a system or component.

Answer 10

mean time between failures (MTBF)

Question 11

The measurement of the average of how long it takes a system or component to fail.

Answer 11

mean time to failure (MTTF)

Question 12

The measurement of how long it takes to repair a system or component once a failure occurs.

Answer 12

mean time to restore (MTTR)

Question 13

Most commonly known as an MOU rather than MOA, this is a document between two or more parties defining their respective responsibilities in accomplishing a particular goal or mission, such as securing a system.

Answer 13

memorandum of understanding (MOU)/memorandum of agreement (MOA)

Question 14

The point last known good data prior to an outage that is used to recover systems.

Answer 14

recovery point objective (RPO)

Question 15

The maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable.

Answer 15

recovery time objective (RTO)

Question 16

A configuration of multiple hard disks used to provide fault tolerance should a disk fail.

Answer 16

Redundant Array of Independent Disks (RAID)

Question 17

A strategy of dealing with risk in which it is decided the best approach is simply to accept the consequences should the threat happen.

Answer 17

risk acceptance

Question 18

An evaluation of each risk that can be identified. Each risk should be out-lined, described, and evaluated on the likelihood of it occurring.

Answer 18

risk analysis

Question 19

An evaluation of the possibility of a threat or vulnerability existing.

Answer 19

risk assessment

Question 20

A strategy of dealing with risk in which it is decided that the best approach is to avoid the risk.

Answer 20

risk avoidance

Question 21

The process of calculating the risks that exist in terms of costs, number, frequency, and so forth

Answer 21

risk calculation

Question 22

A strategy of dealing with risk in which it is decided that the best approach is to discourage potential attackers from engaging in the behavior that leads to the risk.

Answer 22

risk deterrence

Question 23

A strategy of dealing with risk in which it is decided that the best approach is to lessen the risk.

Answer 23

risk mitigation

Question 24

A strategy of dealing with risk in which it is decided that the best approach is to offload some of the risk through insurance, third-party contracts, and/or shared responsibility.

Answer 24

risk transference

Question 25

An agreement that specifies performance requirements for a vendor. This agreement may use mean time before failure (MTBF) and mean time to repair (MTTR) as performance measures in the SLA.

Answer 25

service-level agreement (SLA)

Question 26

The cost of a single loss when it occurs. This loss can be a critical failure, or it can be the result of an attack.

Answer 26

single loss expectancy (SLE)

Question 27

A single weakness that is capable of bringing an entire system down

Answer 27

single point of failure (SPOF)

Question 28

A flaw or weakness in some part of a systems security procedures, design, implementation, or internal controls that could expose it to danger (accidental or intentional) and result in a violation of the security policy

Answer 28

vulnerability