Risk Assessments Flashcards
A process used inside of risk management to identify how much risk
exists in a given network or system
Risk Assessments
The probability that a threat will be realized
Risk
Weaknesses in the design or implementation of a system
Vulnerability
Any condition that could cause harm, loss, damage, or compromise to
our information technology systems
Threat
A strategy that requires stopping the activity that has risk or
choosing a less risky alternative
Risk Avoidance
A strategy that passes the risk to a third party
Risk Transfer
A strategy that seeks to minimize the risk to an acceptable level
Risk Mitigation
A strategy that seeks to accept the current level of risk and the
costs associated with it if the risk were realized
Risk Acceptance
The risk remaining after trying to avoid, transfer, or mitigate the
risk
Residual Risk
Uses intuition, experience, and other methods to assign a
relative value to risk
Qualitative analysis/risk
Uses numerical and monetary values to calculate risk
Quantitative analysis/Risk
An estimation of the amount of damage that a negative risk might
achieve
Magnitude of Impact
Cost associated with the realization of each individualized threat
that occurs
Single Loss Expectancy (SLE)
Number of times per year that a threat is realized
Annualized Rate of Occurrence (ARO)
Expected cost of a realized threat over a given year
Annualized Loss Expectancy (ALE)
Verify that the organization’s security posture is designed and configured
properly to help thwart different types of attacks
Security Assessments
Utilize more intrusive techniques like scanning, hands-on
testing, and probing of the network to determine
vulnerabilities
Active Assessments
Utilize open source information, the passive collection and
analysis of the network data, and other unobtrusive
methods without making direct contact with the targeted
systems
Passive Assessments
Methods implemented to mitigate a particular risk
Security Controls
Any security measures that are designed to deter or prevent
unauthorized access to sensitive information or the systems that
contain it
Physical Controls
Safeguards and countermeasures used to avoid, detect,
counteract, or minimize security risks to our systems and
information
Technical Controls
Focused on changing the behavior of people instead of removing
the actual risk involved
Administrative Controls
Security controls that are focused on decision-making and the
management of risk
NIST Management Controls
Focused on the things done by people
NIST Operational Controls