Risk Assessment & Management Terms (Ch. 1) Flashcards

1
Q

Agreed-upon principles set forth by a company to govern how the employees of that company may use resources such as computers and Internet access.

A

acceptable use policy/rules of behavior

2
Q

A calculation used to identify risks and calculate the expected loss each year.

A

annual loss expectancy (ALE)

3
Q

A calculation of how often a threat will occur.

A

annualized rate of occurrence (ARO)

4
Q

The assessed value of an item (server, property, and so on) associated with cash flow.

A

asset value (AV)

5
Q

A study of the possible impact if a disruption to a business’s vital resources were to occur.

A

business impact analysis (BIA)

6
Q

An agreement between partners in a business that outlines their responsibilities, obligations, and sharing of profits and losses.

A

business partners agreement (BPA)

7
Q

The potential percentage of loss to an asset if a threat is realized.

A

exposure factor (EF)

8
Q

As defined by NIST (in Publication 800-47), it is “an agreement established between the organizations that own and operate connected IT systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations.”

A

interconnection security agreement (ISA)

9
Q

The maximum period of time that a business process can be down before the survival of the organization is at risk.

A

maximum tolerable downtime (MTD)

10
Q

The measurement of the anticipated lifetime of a system or component.

A

mean time between failures (MTBF)

11
Q

The measurement of the average of how long it takes a system or component to fail.

A

mean time to failure (MTTF)

12
Q

The measurement of how long it takes to repair a system or component once a failure occurs.

A

mean time to restore (MTTR)

13
Q

Most commonly known as an MOU rather than MOA, this is a document between two or more parties defining their respective responsibilities in accomplishing a particular goal or mission, such as securing a system.

A

memorandum of understanding (MOU)/memorandum of agreement (MOA)

14
Q

The point of last known good data prior to an outage that is used to recover systems.

A

recovery point objective (RPO)

15
Q

The maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable.

A

recovery time objective (RTO)

16
Q

A configuration of multiple hard disks used to provide fault tolerance should a disk fail.

A

Redundant Array of Independent Disks (RAID)

17
Q

A strategy of dealing with risk in which it is decided the best approach is simply to accept the consequences should the threat happen.

A

risk acceptance

18
Q

An evaluation of each risk that can be identified. Each risk should be outlined, described, and evaluated on the likelihood of it occurring.

A

risk analysis

19
Q

An evaluation of the possibility of a threat or vulnerability existing.

A

risk assessment

20
Q

A strategy of dealing with risk in which it is decided that the best approach is to avoid the risk.

A

risk avoidance

21
Q

The process of calculating the risks that exist in terms of costs, number, frequency, and so forth.

A

risk calculation

22
Q

A strategy of dealing with risk in which it is decided that the best approach is to discourage potential attackers from engaging in the behavior that leads to the risk.

A

risk deterrence

23
Q

A strategy of dealing with risk in which it is decided that the best approach is to lessen the risk.

A

risk mitigation

24
Q

A strategy of dealing with risk in which it is decided that the best approach is to offload some of the risk through insurance, third-party contracts, and/or shared responsibility.

A

risk transference

25
Q

An agreement that specifies performance requirements for a vendor. This agreement may use mean time before failure (MTBF) and mean time to repair (MTTR) as performance measures in the SLA.

A

service-level agreement (SLA)

26
Q

The cost of a single loss when it occurs. This loss can be a critical failure, or it can be the result of an attack.

A

single loss expectancy (SLE)

27
Q

A single weakness that is capable of bringing an entire system down.

A

single point of failure (SPOF)

28
Q

A flaw or weakness in some part of a system’s security procedures, design, implementation, or internal controls that could expose it to danger (accidental or intentional) and result in a violation of the security policy.

A

vulnerability