Risk Assessments Flashcards

1
Q

Risk Transfer

A

A strategy that passes the risk to a third party

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Risk Acceptance

A

A strategy that seeks to accept the current level of risk and the costs associated with it if the risk were realized

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Residual Risk

A

The risk remaining after trying to avoid, transfer, or mitigate the risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Qualitative Risk

A

Qualitative analysis uses intuition, experience, and other methods to assign a relative value to risk

Experience is critical in qualitative analysis

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Quantitative Risk

A

Quantitative analysis uses numerical and monetary values to calculate risk

Quantitative analysis can calculate a direct cost for each risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

SLE

A

Single Loss Expectancy:
Cost associated with the realization of each individualized threat that occurs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

ARO & ALE

A

Annualized Rate of Occurrence:
Number of times per year that a threat is realized

Annualized Loss Expectancy:
Expected cost of a realized threat over a given year

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Security Assessments: Active Assessments

A

Utilize more intrusive techniques like scanning, hands-on testing, and probing of the network to determine vulnerabilities

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Security Assessments: Passive Assessments

A

Utilize open source information, the passive collection and analysis of the network data, and other unobtrusive methods without making direct contact with the targeted systems

Passive techniques are limited in the amount of detail they find

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Security Controls

A

Physical Controls
Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it

Technical Controls
Safeguards and countermeasures used to avoid, detect, counteract, or minimize security risks to our systems and information

Administrative Controls
Focused on changing the behavior of people instead of removing the actual risk involved

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Security Controls: NIST Categories
(Management, Operational, & Technical Controls)

A

Management Controls
Security controls that are focused on decision-making and the management of risk

Operational Controls
Focused on the things done by people

Technical Controls
Logical controls that are put into a system to help secure it

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Preventative, Detective, & Corrective Controls

A

Preventative Controls
Security controls that are installed before an event happens and are designed to prevent something from occurring

Detective Controls
Used during the event to find out whether something bad might be happening

Corrective Controls
Used after an event occurs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Compensating Control

A

Used whenever you can’t meet the requirement for a normal control
Residual risk not covered by a compensating control is an accepted risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Types of Risks

A

External Risk
Risks that are produced by a non-human source and are beyond human control

Internal Risk
Risks that are formed within the organization, arise during normal operations, and are often forecastable

Legacy Systems
An old method, technology, computer system, or application program which includes an outdated computer system still in use

Multiparty
A risk that refers to the connection of multiple systems or organizations with each bringing their own inherent risks

IP Theft
Risk associated with business assets and property being stolen from an organization in which economic damage, the loss of a competitive edge, or a slowdown in business growth occurs

Software Compliance/Licensing
Risk associated with a company not being aware of what software or components are installed within its network

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Risk Register

A

Every project has a plan, but also has risk
Identify/document risk associated with each step of project
Apply possible solutions & monitor results

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Risk Matrix/Heat Map

A

View results of risk assessment
Visually identify risk based on color
Combines likelihood of event with potential impact

17
Q

Risk Appetite

A

Amount of risk an organization is willing to take