Risk Assessment Terminology Flashcards

Learn these terms and definitions

1
Q

Agreed-upon principles set forth by a company to govern how the employees of that company may use resources such as computers and internet access.

A

Acceptable Use Policy / Rules of Behavior

2
Q

A calculation used to identify risks and calculate the expected loss each year.

A

Annual Loss Expectancy (ALE)

3
Q

A calculation of how often a threat will occur. For example, a threat that occurs once every five years has an annualized rate of occurrence of 1/5, or 0.2.

A

Annualized Rate of Occurrence (ARO)

4
Q

The assessed value of an item (server, property, and so on) associated with cash flow.

A

Asset Value (AV)

5
Q

A study of the possible impact if a disruption to a business's vital resources were to occur.

A

Business Impact Analysis (BIA)

6
Q

An agreement between partners in a business that outlines their responsibilities, obligations, and sharing of profits and losses.

A

Business Partners Agreement (BPA)

7
Q

The potential percentage of loss to an asset if a threat is realized.

A

Exposure Factor (EF)

8
Q

As defined by NIST (in Publication 800-47), it is “an agreement established between the organizations that own and operate connected IT systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations.”

A

Interconnection Security Agreement (ISA)

9
Q

The maximum period of time that a business process can be down before the survival of the organization is at risk.

A

Maximum Tolerable Downtime (MTD)

10
Q

The measurement of the anticipated lifetime of a system or component.

A

Mean Time Between Failures (MTBF)

11
Q

The measurement of the average of how long it takes a system or component to fail.

A

Mean Time To Failure (MTTF)

12
Q

The measurement of how long it takes to repair a system or component once a failure occurs.

A

Mean Time To Restore (MTTR)

13
Q

Most commonly known as a MOU rather than MOA, this is a document between two or more parties defining their respective responsibilities in accomplishing a particular goal or mission, such as securing a system.

A

Memorandum of Understanding (MOU)/Memorandum of Agreement (MOA)

14
Q

The point of last known good data prior to an outage that is used to recover systems.

A

Recovery Point Objective (RPO)

15
Q

The maximum amount of time that a process or service is allowed to be down while the consequences are still considered acceptable.

A

Recovery Time Objective (RTO)

16
Q

A configuration of multiple hard disks used to provide fault tolerance should a disk fail. Different levels of RAID exist.

A

Redundant Array of Independent Disks (RAID)

17
Q

The probability that a particular threat will occur, either accidentally or intentionally, leaving a system vulnerable, and the impact of this occurring.

A

Risk

18
Q

A strategy of dealing with risk in which it is decided the best approach is simply to accept the consequences should the threat happen.

A

Risk Acceptance

19
Q

An evaluation of each risk that can be identified. Each risk should be outlined, described, and evaluated on the likelihood of it occurring.

A

Risk Analysis

20
Q

An evaluation of the possibility of a threat or vulnerability existing. An assessment must be performed before any other actions, such as how much to spend on security in terms of dollars and manpower, can be decided.

A

Risk Assessment

21
Q

A strategy of dealing with risk in which it is decided that the best approach is to avoid the risk.

A

Risk Avoidance

22
Q

The process of calculating the risks that exist in terms of costs, number, frequency, and so forth.

A

Risk Calculation

23
Q

A strategy of dealing with risk in which it is decided that the best approach is to lessen the risk.

A

Risk Deterrence

24
Q

A strategy of dealing with risk in which it is decided that the best approach is to discourage potential attackers from engaging in the behavior that leads to the risk.

A

Risk Mitigation

25
Q

A strategy of dealing with risk in which it is decided that the best approach is to offload some of the risk through insurance, third-party contracts, and/or shared responsibility.

A

Risk Transference

26
Q

An agreement that specifies performance requirements for a vendor. This agreement may use mean time between failures (MTBF) and mean time to repair (MTTR) as performance measures in the SLA.

A

Service-Level Agreement (SLA)

27
Q

The cost of a single loss when it occurs. This loss can be a critical failure, or it can be the result of an attack.

A

Single Loss Expectancy (SLE)

28
Q

A single weakness that is capable of bringing an entire system down.

A

Single Point of Failure (SPOF)

29
Q

A flaw or weakness in some part of the system’s security procedures, design, implementation, or internal controls that could expose it to danger (accidental or intentional) and result in a violation of the security policy.

A

Vulnerability