Risk Identification Flashcards
What should be the first step in risk identification?
Work with business process owners to build an understanding of how the organisation operates that is broad enough to include not only the organisation itself but also any external dependencies and assumptions. This includes understanding the goals, values, objectives and ethics of the organisation.
How is risk capacity typically defined?
The objective amount of loss an enterprise can tolerate without its continued existence being called into question.
Who in the organisation typically sets the risk appetite?
The owners or board of directors
How is risk appetite typically defined?
The amount of risk that an entity on a broad level is willing to accept in pursuit of its mission.
How is risk tolerance typically defined?
The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives
Why should risk appetite and risk tolerance levels be communicated across an organisation?
- consistent implementation across units
- effective monitoring and communication of risk and changes in risk appetite
- consistent understanding of risk appetite and related tolerances for each organisational unit
- consistency between risk appetite, objectives and relevant reward systems
Willingness to embrace, cautiously accept or avoid are commonly levels of what?
Risk culture
What are the 3 elements of risk culture?
- Behaviour towards taking risk
- Behaviour towards policy compliance
- Behaviour toward negative outcomes
What are the benefits of open communication on risk?
- More informed risk decisions by executive management due to an improved understanding of actual exposure and potential business impact
- stakeholders integrating risk management into their daily duties
- transparency to external stakeholders regarding risk management processes in use and level of risk facing the organisation
What are some of the consequences of poor risk communication?
- False sense of confidence and unintentional acceptance of risk that exceeds the organisation's appetite, due to ignorance of that risk
- Lack of direction or strategic planning
- Unbalanced communication of risk to external stakeholders, potentially leading to incorrect or negative perceptions by third parties.
- Perception that the organisation is trying to hide risk from stakeholders
What are the 3 main types of IT risk information that should be communicated to the business?
- Expectation
- Capability
- Status
What is the definition of an impact analysis?
A study to prioritise the criticality of information resources for the enterprise based on cost or consequences of adverse events. Threats to assets are identified and potential business losses determined for different time periods. Used to justify the extent of safeguards, recovery time frames and recovery strategy
What is an impact assessment?
A review of the possible consequences of a risk
What is the difference between a threat and threat vector?
A threat is something capable of acting against an asset that could cause harm whereas a threat vector is the path or route used by the adversary to gain access to the target.
What are the 4 common risk factors that should be considered when protecting an organisation's assets?
- External Context
- Internal Context
- Risk Management Capabilities
- IT-related capabilities
When discussing Risk Factors, what does the acronym EDM refer to?
Evaluate, direct and monitor
When discussing Risk Factors, what does the acronym APO refer to?
Align, plan and organise
When discussing Risk Factors, what does the acronym BAI refer to?
Build, acquire and implement
When discussing Risk Factors, what does the acronym DSS refer to?
Deliver, service and support
When discussing Risk Factors, what does the acronym MEA refer to?
Monitor, evaluate and assess
The following statement describes which Intellectual Property Term? (Trademark, Copyright, Patent, Trade secret)
A sound, colour, logo, saying or other distinctive symbol that is closely associated with a certain product or company
Trademark
The following statement describes which Intellectual Property Term? (Trademark, Copyright, Patent, Trade secret)
Protection of any work that is captured in a tangible form (e.g. written works, recordings, images, software, music, sculpture, dance)
Copyright
The following statement describes which Intellectual Property Term? (Trademark, Copyright, Patent, Trade secret)
Protection of research and ideas that led to the development of a new, unique and useful product to prevent the unauthorised duplication of the idea
Patent
The following statement describes which Intellectual Property Term? (Trademark, Copyright, Patent, Trade secret)
A formula, process, design, practice or other form of secret business information that provides a competitive advantage to the organisation that possesses the information
Trade secret
What are highly skilled attackers who are determined (persistent) in their attempts to exploit systems commonly referred to as?
Advanced Persistent Threat (APT)
What type of threat best describes a situation involving unusual activity on a system, repeated alarms, slow system or network performance, or new or excessive activity in logs, where the organisation had evidence of these issues but they were not noticed or there was no effective monitoring in place?
Emerging threats
The introduction of new technologies into an organisation often falls into which threat category?
- Internal threats
- External threats
- Emerging threats
Emerging threats
What 3 categories do threats typically fall under?
- Internal Threats
- External Threats
- Emerging Threats
The capability to perform analysis of large volumes of structured and unstructured data drawn from various sources is generally called what?
Big Data
What are 3 common risks to consider when leveraging Big Data services?
- Amplified technical impact
- Privacy (Data collection)
- Privacy (Re-identification)
What is Amplified Technical Impact in relation to Big Data?
If an unauthorised user gains access to a centralised repository, the entirety of that data is put in jeopardy rather than a subset of it
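The re-identification risk listed above is easiest to see in code. The following is an added example (not from the original flashcards) that uses constructed data: a "de-identified" health extract with names removed but quasi-identifiers (ZIP code, birth year, sex) left intact, and a constructed public register that carries names alongside the same fields. It measures k-anonymity, performs the linkage attack, and then applies generalisation before release. Field names, record values and the threshold `k_required=2` are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data (assumed, not from the original page): a
# "de-identified" health extract with names removed but quasi-identifiers kept.
HEALTH_EXTRACT = [
    {"zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1972, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1972, "sex": "M", "diagnosis": "influenza"},
    {"zip": "02139", "birth_year": 1972, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02140", "birth_year": 1980, "sex": "F", "diagnosis": "migraine"},
    {"zip": "02141", "birth_year": 1984, "sex": "M", "diagnosis": "influenza"},
]

# Constructed external dataset (assumed), e.g. a public register, that carries
# names alongside the same quasi-identifiers an attacker can link on.
PUBLIC_REGISTER = [
    {"name": "A. Example", "zip": "02140", "birth_year": 1980, "sex": "F"},
    {"name": "B. Example", "zip": "02138", "birth_year": 1965, "sex": "F"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def qi_key(record, quasi_identifiers=QUASI_IDENTIFIERS):
    """Tuple of quasi-identifier values that two datasets can be joined on."""
    return tuple(record[q] for q in quasi_identifiers)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; k=1 means someone is unique."""
    counts = Counter(qi_key(r, quasi_identifiers) for r in records)
    return min(counts.values()) if counts else 0


def linkage_attack(register, extract, transform=lambda r: r,
                   quasi_identifiers=QUASI_IDENTIFIERS):
    """Join the register to the extract on quasi-identifiers.

    `transform` lets the attacker apply the same generalisation the
    publisher used. Returns {name: diagnosis} only where the match is
    unique, i.e. where the sensitive attribute is disclosed with certainty.
    """
    by_key = defaultdict(list)
    for r in extract:
        by_key[qi_key(r, quasi_identifiers)].append(r)
    disclosed = {}
    for person in register:
        matches = by_key.get(qi_key(transform(person), quasi_identifiers), [])
        if len(matches) == 1:
            disclosed[person["name"]] = matches[0]["diagnosis"]
    return disclosed


def generalise(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix, birth decade, sex
    suppressed. Other fields (including the sensitive attribute) are kept."""
    g = dict(record)
    g["zip"] = record["zip"][:3]
    g["birth_year"] = record["birth_year"] // 10 * 10
    g["sex"] = "*"
    return g


def release(extract, k_required=2):
    """Generalise the extract and refuse release if it is still below k."""
    generalised = [generalise(r) for r in extract]
    k = k_anonymity(generalised)
    if k < k_required:
        raise ValueError(f"release would be {k}-anonymous, need {k_required}")
    return generalised


if __name__ == "__main__":
    print("k of raw extract:", k_anonymity(HEALTH_EXTRACT))
    print("linkage attack on raw extract:",
          linkage_attack(PUBLIC_REGISTER, HEALTH_EXTRACT))
    released = release(HEALTH_EXTRACT)
    print("k after generalisation:", k_anonymity(released))
    print("linkage attack on released data:",
          linkage_attack(PUBLIC_REGISTER, released, transform=generalise))
```

On the raw extract the attack recovers A. Example's diagnosis because her ZIP, birth year and sex combination is unique (k=1); B. Example is not disclosed because two records share her values. After generalisation every class has at least two members and the join no longer yields a unique match. Note that k-anonymity alone does not stop attribute disclosure when every record in a class carries the same sensitive value, so a practitioner would also check diversity of the sensitive attribute within each class before release.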
What are two forms of impact that a risk practitioner should consider?
- Impact due to loss or compromise of information
- Impact due to loss or compromise of an information system
What are the 2 typical principles of confidentiality that should be considered when assessing risk?
Need to know and least privilege
What does RACI stand for in relation to risk management?
Responsible
Accountable
Consulted
Informed
Which role in a RACI model does the following sentence describe:
Individuals tasked with getting the job done, performing the actual work effort to meet the stated objectives
Responsible
Which role in a RACI model does the following sentence describe:
The single person liable or answerable for the completion of the task, who oversees or manages the people responsible for the work effort
Accountable
Which role in a RACI model does the following sentence describe:
Individuals who provide input, advice, feedback or approvals
Consulted
Which role in a RACI model does the following sentence describe:
Individuals who are kept up to date on progress and deliverables but are not necessarily involved in the work effort
Informed