Risk Assessment Terminology

Question 1

Agreed-upon principles set forth by a company to govern how the employees of that company may use resources such as computers and internet access.

Answer 1

Acceptable Use Policy / Rules of Behavior

Question 2

A calculation used to identify risks and calculate the expected loss each year.

Answer 2

Annual Loss Expectancy (ALE)

Question 3

A calculation of how often a threat will occurrence . For Example; a threat that occurs once every five years has an annualized rate of occurrence of 1/5, or 0.2.

Answer 3

Annualized Rate of Occurrence (ARO)

Question 4

The assessed value of an item (server, property, and so on) associated with cash glow.

Answer 4

Asset Value (AV)

Question 5

A study of the possible importance if a disruption to a business’s vital resources were to occur.

Answer 5

Business Impact Analysis (BIA)

Question 6

An agreement between partners in a business that outlines their responsibilities, obligations, and sharing of profits and losses.

Answer 6

Business Partners Agreement (BPA)

Question 7

The potential percentage of loss to an asset if a threat is realized.

Answer 7

Exposure Factor (EF)

Question 8

As defined by NIST (in Publication 800-47), it is “an agreement established between the organizations that own and operate connected IT systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations.”

Answer 8

Interconnection Security Agreement (ISA)

Question 9

The maximum period of time that a business process can be down before the survival of the organization is at risk.

Answer 9

Maximum Tolerable Downtime (MTD)

Question 10

The measurement of the anticipated lifetime of a system or component.

Answer 10

Mean Time Between Failures (MTBF)

Question 11

The measurement of the average of how long it takes a system or component to fail.

Answer 11

Mean Time To Failure (MTTF)

Question 12

The measurement of how long it takes to repair a system or component once a failure occurs.

Answer 12

Mean Time To Restore (MTTR)

Question 13

Most commonly known as a MOU rather than MOA, this is a document between two or more parties defining their respective responsibilities in accomplishing a particular goal or mission, such as securing a system.

Answer 13

Memorandum of Understanding (MOU)/Memorandum of Agreement (MOA)

Question 14

The point last known good data prior to an outage that is used to recover systems.

Answer 14

Recovery Point Objective (RPO)

Question 15

The maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable.

Answer 15

Recovery Time Objective (RT0)

Question 16

A configuration of multiple hard disks used to provide fault tolerance should a disk fail. Different levels of RAID exist.

Answer 16

Redundant Array of Independent Disks (RAID)

Question 17

The probability that a particular threat will occur, either accidentally or intentionally, leaving a system vulnerable and the impact of this occurring.

Answer 17

Risk

Question 18

A strategy of dealing with risk in which it is decided the best approach is simply to accept the consequences should the threat happen.

Answer 18

Risk Acceptance

Question 19

An evaluation of each risk that can be identified. Each risk should be out-lined, described, and evaluated on the likelihood of it occurring.

Answer 19

Risk Analysis

Question 20

An evaluation of the possibility of a threat or vulnerability existing. An assessment must be performed before any other actions - such as how much to spend on security in terms of dollars and manpower - can be decided.

Answer 20

Risk Assessment

Question 21

A strategy of dealing with risk in which it is decided that the best approach is to avoid the risk.

Answer 21

Risk Avoidance

Question 22

The process of calculating the risks that exist in terms of costs, number, frequency, and so forth.

Answer 22

Risk Calculation

Question 23

A strategy of dealing with risk in which it is decided that the best approach is to lessen the risk.

Answer 23

Risk Deterrence

Question 24

A strategy of dealing with risk in which it is decided that the best approach is to discourage potential attackers from engaging in the behavior that leads to the risk.

Answer 24

Risk Mitigation

Question 25

A strategy of dealing with risk in which it is decided that the best approach is to offload some of the risk through insurance, third-party contracts, and/or shared responsibility.

Answer 25

Risk Transference

Question 26

An agreement that specifies performance requirements for a vendor. This agreement may use mean time before failure (MTBF) and mean time to repair (MTTR) as performance measures in the SLA.

Answer 26

Service-Level Agreement (SLA)

Question 27

The cost of a single loss when it occurs. This loss can be a critical failure, or it can be the result of an attack.

Answer 27

Single Loss Expectancy (SLE)

Question 28

A single weakness that is capable of bringing an entire system down.

Answer 28

Single Point of Failure (SPOF)

Question 29

A flaw or weakness in some part of the system’s security procedures, design, implementation, or internal controls that could expose it to danger (accidental or intentional) and result in a violation of the security policy.

Answer 29

Vulnerability