Risk Assessments Flashcards
Risk Transfer
A strategy that passes the risk to a third party
Risk Acceptance
A strategy that seeks to accept the current level of risk and the costs associated with it if the risk were realized
Residual Risk
The risk remaining after trying to avoid, transfer, or mitigate the risk
Qualitative Risk
Qualitative analysis uses intuition, experience, and other methods to assign a relative value to risk
Experience is critical in qualitative analysis
Quantitative Risk
Quantitative analysis uses numerical and monetary values to calculate risk
Quantitative analysis can calculate a direct cost for each risk
SLE
Single Loss Expectancy:
Cost associated with the realization of each individualized threat that occurs
ARO & ALE
Annualized Rate of Occurrence:
Number of times per year that a threat is realized
Annualized Loss Expectancy:
Expected cost of a realized threat over a given year
Security Assessments: Active Assessments
Utilize more intrusive techniques like scanning, hands-on testing, and probing of the network to determine vulnerabilities
Security Assessments: Passive Assessments
Utilize open source information, the passive collection and analysis of the network data, and other unobtrusive methods without making direct contact with the targeted systems
Passive techniques are limited in the amount of detail they find
Security Controls
Physical Controls
Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it
Technical Controls
Safeguards and countermeasures used to avoid, detect, counteract, or minimize security risks to our systems and information
Administrative Controls
Focused on changing the behavior of people instead of removing the actual risk involved
Security Controls: NIST Categories
(Management, Operational, & Technical Controls)
Management Controls
Security controls that are focused on decision-making and the management of risk
Operational Controls
Focused on the things done by people
Technical Controls
Logical controls that are put into a system to help secure it
Preventative, Detective, & Corrective Controls
Preventative Controls
Security controls that are installed before an event happens and are designed to prevent something from occurring
Detective Controls
Used during the event to find out whether something bad might be happening
Corrective Controls
Used after an event occurs
Compensating Control
Used whenever you can’t meet the requirement for a normal control
Residual risk not covered by a compensating control is an accepted risk
Types of Risks
External Risk
Risks that are produced by a non-human source and are beyond human control
Internal Risk
Risks that are formed within the organization, arise during normal operations, and are often forecastable
Legacy Systems
An old method, technology, computer system, or application program which includes an outdated computer system still in use
Multiparty
A risk that refers to the connection of multiple systems or organizations with each bringing their own inherent risks
IP Theft
Risk associated with business assets and property being stolen from an organization in which economic damage, the loss of a competitive edge, or a slowdown in business growth occurs
Software Compliance/Licensing
Risk associated with a company not being aware of what software or components are installed within its network
Risk Register
Every project has a plan, but also has risk
Identify/document risk associated with each step of project
Apply possible solutions & monitor results