Risk Management Flashcards

1
Q

CIO

A

Chief Information Officer

The most senior executive in an enterprise responsible for information technology and computer systems, in support of enterprise goals.

They are responsible for the management, implementation, and usability of information and computer technologies.

2
Q

RAID

A

Redundant Array of Independent (originally Inexpensive) Disks

Multiple disks combined, with data striped and/or mirrored across them, to increase performance, protect against disk faults, or both.

Inexpensive way to improve fault tolerance, but not a substitute for backups: RAID does not protect against deletion, ransomware, or controller failure.

Common types include:

  • RAID-0: striping only, no redundancy (one disk failure loses everything)
  • RAID-1: mirroring; tolerates the loss of one disk in the pair
  • RAID-5: striping with single parity; tolerates one disk failure
  • RAID-6: striping with double parity; tolerates two disk failures
  • RAID-10: mirrored pairs that are then striped; tolerates one disk failure per mirror
3
Q

SECaaS

A

Security as a Service

Cloud-delivered, subscription-based model for outsourcing cybersecurity services (for example managed SIEM, email filtering, or identity management).

4
Q

SLA

A

Service Level Agreement

A contractual agreement that defines what services and support a provider delivers to a client, the measurable targets it commits to (for example uptime or incident response time), and the remedies if those targets are missed. Security-relevant obligations such as patching windows, breach notification, and RTO/RPO commitments belong here.

5
Q

PHI

A

Protected Health Information (also expanded as Personal Health Information)

Any individually identifiable health information in a medical record that was created, received, used, or disclosed by a HIPAA covered entity and/or its business associate(s) in the course of providing a health care service such as diagnosis, treatment, or payment.

6
Q

NDA

A

Non-Disclosure Agreement

A contract in which an individual or organization agrees not to share specified sensitive information with outside parties; breaking it is a breach of contract that exposes the signer to the penalties the agreement sets out and to civil liability.

7
Q

ISA

A

Interconnection Security Agreement

  • Document that defines the security-relevant aspects of an intended connection between an agency and an external system (NIST SP 800-47).
  • Specifies the security interface (technical requirements and controls) between two systems operating under different authorities; typically accompanies an MOU or MOA, which covers the business side of the relationship.
8
Q

TCO

A

Total Cost of Ownership

Purchase price of an asset plus the costs of operating it over its lifetime (licensing, support, staffing, power, and decommissioning).

9
Q

MTBF

A

Mean Time Between Failures

The rating of a repairable device or component that predicts the average time from one failure to the next; for a repairable unit MTBF = MTTF + MTTR.

10
Q

PIA

A

Privacy Impact Assessment

A tool for identifying and analyzing risks to privacy during the development life cycle of a program or system.

11
Q

PII

A

Personally Identifiable Information

Information about an individual that can be used to identify or trace that person, on its own or combined with other data, such as:

  • full name
  • birth date
  • biometric data
  • Social Security number (SSN)
12
Q

BPA

A

Business Partners Agreement

Defines how a partnership between organizations will be conducted and what is expected of each organization.

13
Q

BIA

A

Business Impact Analysis

Process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident, or emergency. Its outputs (the criticality of each process and its MTD, RTO, and RPO) drive the recovery strategy.

One phase of Business Continuity Planning.

14
Q

SDLC

A

Software Development Life Cycle

The process of designing, building, and deploying software, from the initial planning stages before the application is deployed all the way to its retirement.

15
Q

IaaS

A

Infrastructure as a Service

A cloud computing model in which the provider supplies compute, storage, and networking on demand; the customer installs and secures everything above that layer (operating system, middleware, applications, data). Compare with PaaS and SaaS.

16
Q

PHI

A

Protected Health Information (also expanded as Personal Health Information)

PII that includes health, treatment, or health-payment information held by a covered entity or its business associates; see card 5 for the full HIPAA-style definition.

17
Q

RTO

A

Recovery Time Objective

Target maximum length of time, set during the BIA, within which a system or business process must be restored after a disruption. The RTO must fit within the MTD; compare with RPO, which bounds data loss rather than downtime.

18
Q

ARO

A

Annual/Annualized Rate of Occurrence

The number of times a given loss is expected to occur in one year; may be fractional (an event expected once every ten years has ARO = 0.1).

Used to quantitatively measure risk together with SLE (Single Loss Expectancy) and ALE (Annual Loss Expectancy):

ARO x SLE = ALE

19
Q

ISP

A

Internet Service Provider

Organization that provides services for accessing, using, or participating in the Internet.

20
Q

ISSO

A

Information Systems Security Officer

  • Individual assigned responsibility for maintaining the appropriate operational security posture of a specific information system or program: implementing and enforcing the security policies that protect that system's infrastructure, networks, and data (a NIST RMF role).
  • Not an executive role: typically works for the system owner and reports to the ISSM or CISO rather than directly to the CIO. Do not confuse with the CSO/CISO, who own security for the whole organization.
22
Q

IR

A

Incident Response

An organized approach to addressing and managing the aftermath of a security breach or cyberattack.

The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

23
Q

EF

A

Exposure Factor

The estimated percentage of an asset's value (0% to 100%) that would be lost if a specific threat were realized. Used with the asset value to compute the single loss expectancy: SLE = AV x EF.

24
Q

SSP

A

System Security Plan

  • Provides an overview of the security requirements of the system
  • Describes the controls in place or planned, responsibilities and expected behavior of all individuals who access the system
25
Q

MOU

A

Memorandum of Understanding

  • Type of agreement that defines the detailed responsibilities of each party; generally less formal than an MOA and usually not intended to be legally binding.
  • Compare with the ISA (Interconnection Security Agreement), which documents the technical security requirements of a system connection and typically accompanies an MOU or MOA.
26
Q

IRP

A

Incident Response Plan

A document or series of documents that describe procedures for detecting, responding to, and minimizing the effects of security incidents.

27
Q

AV

A

Asset Value

An element of risk assessment.

Identifies the worth of an asset and can include any product, system, or process.

The value can be a specific monetary value or a subjective value.

28
Q

SPoF

A

Single Point of Failure

Any component that can cause the entire system to fail if it fails

29
Q

SDLM

A

Software Development Life Cycle Methodology

Methodology for managing software development during all the phases of its life cycle

30
Q

MOA

A

Memorandum of Agreement

  • Type of agreement that defines the detailed responsibilities of each party; generally more formal than an MOU and written to be binding on the parties.
  • Compare with the ISA (Interconnection Security Agreement), which documents the technical security requirements of the connection itself.
31
Q

MSP

A

Managed Services Provider

  • Company that delivers outsourced services such as network, application, infrastructure, and security management via ongoing and regular support.
  • Location can be:
    • Client site
    • MSP site
    • 3rd party site
32
Q

MTD

A

Maximum Tolerable Downtime

The longest period of time a business process can be inoperable without causing unrecoverable harm to the business. Sets the upper bound for the RTO: the RTO plus any work recovery time must not exceed the MTD.

33
Q

BCP

A

Business Continuity Planning

The process of creating prevention and recovery systems to deal with potential threats to an organization.

Goal is to enable ongoing operations before and during a disaster recovery.

34
Q

CERT

A

Computer Emergency Response Team

An older term for an expert group that handles computer security incidents. "CERT" is a registered mark of Carnegie Mellon University, so many organizations name their teams CSIRT or CIRT instead.

35
Q

SaaS

A

Software as a Service

A cloud computing model that provides applications over the Internet; webmail is a common example. Compare with IaaS and PaaS: the provider operates the platform and the application, while the customer remains responsible for its data, user accounts, and access configuration.

36
Q

CP

A

Contingency Planning

Development of a defined, actionable plan that is to be enacted if an identified risk becomes a reality.

It is often used for risk management for an exceptional risk that, though unlikely, would have catastrophic consequences.

37
Q

RAD

A

Rapid Application Development

RAD approaches to software development put less emphasis on planning and more emphasis on an adaptive process. Prototypes are often used in addition to or sometimes even instead of design specifications.

38
Q

PaaS

A

Platform as a Service

A category of cloud computing services that provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.

39
Q

RMF

A

Risk Management Framework

NIST-developed set of processes (NIST SP 800-37) for federal entities to integrate security, privacy, and risk management activities into their system development life cycle. Its steps are prepare, categorize, select, implement, assess, authorize, and monitor.

40
Q

DRP

A

Disaster Recovery Plan

A documented process or set of procedures for executing an organization's disaster recovery: restoring and protecting the business's IT infrastructure in the event of a disaster.

41
Q

ALE

A

Annual/Annualized Loss Expectancy

The expected monetary loss from a given risk over one year.

Used to quantitatively measure risk with ARO (Annual Rate of Occurrence) and SLE (Single Loss Expectancy), where SLE = AV x EF:

ARO x SLE = ALE

42
Q

AAR

A

After Action Report

A structured analysis of events that can provide insight into how to improve response processes in the future.

Report Objectives:

  • Identifying the problematic issues and needs for improvement
  • Proposing counteractive measures
  • Obtaining lessons learned
43
Q

CSIRT

A

Computer Security Incident Response Team

A group of experts that assesses, documents, and responds to a cyber incident so that a network can not only recover quickly but also avoid future incidents.

44
Q

RPO

A

Recovery Point Objective

Maximum amount of data loss an organization can tolerate, expressed as a period of time: the age of the most recent copy from which it can acceptably resume. An RPO of four hours means backups or replication must capture changes at least every four hours.

45
Q

ITCP

A

IT Contingency Plan

A component of the business continuity plan (BCP) that specifies the alternate IT procedures to switch over to when an attack or disruption of service escalates into a disaster.

46
Q

EAL

A

Evaluation Assurance Level

A rating from EAL1 to EAL7 under the Common Criteria (CC, ISO/IEC 15408) that states how rigorously a product (the Target of Evaluation: hardware, firmware, or software, not only operating systems) was evaluated against its security target. A higher EAL means a deeper, more formal evaluation, not necessarily more or stronger security features; EAL7 requires a formally verified design and testing.

47
Q

ITIL

A

Information Technology Infrastructure Library

  • Library of detailed practices for IT service management (ITSM)
  • Focuses on aligning IT services with the needs of business.
  • Helps businesses manage risk, strengthen customer relations, establish cost-effective practices, and build a stable IT environment that allows for growth, scale, and change.
48
Q

COOP

A

Continuity of Operations Plan

A plan to prevent and recover from potential threats and enable ongoing operations before and during execution of disaster recovery.

The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

49
Q

DFIR

A

Digital Forensics and Incident Response

The combination of digital forensics (collecting and analyzing evidence from filesystems, operating systems, memory, network captures, and hardware to reconstruct what happened) with incident response (containing the incident and recovering from it).

A specialized cybersecurity sub-field traditionally associated with computer emergency response teams (CERT) or computer security incident response teams (CSIRT) called in to respond to a cybercrime or similar emergency.

50
Q

ROI

A

Return on Investment

The ratio between net profit and cost of investment. A high ROI means the investment’s gains compare favourably to its cost.

51
Q

CAR

A

Corrective Action Report

A report that lists the action/actions adopted to prevent the problem from occurring again.

Part of a quality control system.

52
Q

SLE

A

Single Loss Expectancy

The financial loss expected from a single occurrence of an adverse event: SLE = AV x EF. Multiplying by the ARO gives the ALE.
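
The AV, EF, SLE, ARO and ALE cards above describe one calculation, so here it is carried through end to end as an added worked example (not part of the original deck): compute SLE and ALE for a risk, then decide whether a control is worth buying by comparing the ALE it removes with its annual cost. The ransomware scenario, the asset value, the EF/ARO figures and the two controls are constructed for illustration, not taken from any real assessment.

```python
"""Quantitative risk: SLE = AV * EF, ALE = SLE * ARO, and the annual value of a
control = ALE(before) - ALE(after) - annual cost of the control.

Added worked example; all figures are constructed for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV: worth of the asset, in currency units
    exposure_factor: float   # EF: fraction of AV lost per occurrence, 0.0-1.0
    aro: float               # ARO: expected occurrences per year (may be < 1)

    def __post_init__(self) -> None:
        # Catch the two classic spreadsheet mistakes: EF entered as a
        # percentage (60 instead of 0.6) and a negative rate or value.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction 0..1, got {self.exposure_factor}")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError(f"{self.name}: ARO and AV must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # purchase amortised per year plus operating cost
    residual_ef: float       # EF once the control is in place
    residual_aro: float      # ARO once the control is in place


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same risk with the control's residual EF and ARO (re-validated)."""
    return replace(risk, exposure_factor=control.residual_ef, aro=control.residual_aro)


def safeguard_value(risk: Risk, control: Control) -> float:
    """Annual value of the control; positive means it pays for itself."""
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def rank_controls(risk: Risk, controls: list[Control]) -> list[tuple[str, float]]:
    """Controls ordered by annual value, best first."""
    scored = [(c.name, safeguard_value(risk, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: ransomware on a file server valued at 500,000,
# expected to destroy 60% of its value, roughly once every five years.
RANSOMWARE = Risk("ransomware on file server", asset_value=500_000,
                  exposure_factor=0.6, aro=0.2)

# Constructed candidate controls with assumed residual EF/ARO.
CONTROLS = [
    Control("offline backups + EDR", annual_cost=25_000, residual_ef=0.1, residual_aro=0.2),
    Control("high-end appliance", annual_cost=70_000, residual_ef=0.05, residual_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE = {RANSOMWARE.sle():,.0f}  ALE = {RANSOMWARE.ale():,.0f}")
    for name, value in rank_controls(RANSOMWARE, CONTROLS):
        verdict = "justified" if value > 0 else "not justified on this risk alone"
        print(f"{name}: annual value {value:,.0f} ({verdict})")
```

With these figures the SLE is 300,000 and the ALE 60,000; the backups-plus-EDR control removes 50,000 of ALE for 25,000 a year (worth it), while the appliance removes 57,500 but costs 70,000, so it would need to mitigate other risks as well to justify its TCO.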

53
Q

CSP

A

Cloud Service Provider

  • Third-party company offering a cloud-based platform, infrastructure, application, or storage services.
  • Top companies include Amazon Web Services, Microsoft Azure, IBM Cloud Services, and VMware
54
Q

MTTF

A

Mean Time to Failure

Average time a device or component is expected to operate before it fails; used instead of MTBF for non-repairable components (disks, fuses, sealed units), which are replaced rather than repaired.

55
Q

MTTR

A

Mean Time to Recover (Repair)

Average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure. Together with MTTF it determines availability: A = MTTF / (MTTF + MTTR).
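
The RAID, MTBF, MTTF, MTTR and SPoF cards all feed one calculation: turn per-component MTTF/MTTR into availability, compose it across a system, find the single points of failure, and see what mirroring one of them (as RAID-1 does for a disk) buys in downtime per year. The block below is an added worked example, not material from the original deck. It assumes independent failures and steady-state availability, and the three-tier service and its MTTF/MTTR figures are constructed, not vendor data.

```python
"""Availability from MTTF/MTTR, composed across a system: tiers in series
(every tier must be up), components within a tier redundant (any one suffices).
A tier with a single component is a single point of failure (SPoF).

Added worked example. Assumes independent failures and steady-state
availability; all component figures are constructed."""
from dataclasses import dataclass
from math import prod

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Component:
    name: str
    mttf_hours: float   # Mean Time To Failure: average uptime before a failure
    mttr_hours: float   # Mean Time To Repair: average time to get it back

    def mtbf_hours(self) -> float:
        """MTBF = MTTF + MTTR for a repairable component."""
        return self.mttf_hours + self.mttr_hours

    def availability(self) -> float:
        """Steady-state availability A = MTTF / (MTTF + MTTR)."""
        return self.mttf_hours / self.mtbf_hours()


@dataclass(frozen=True)
class Tier:
    name: str
    components: tuple[Component, ...]   # redundant: the tier is up if any one is up

    def availability(self) -> float:
        # P(all down) = product of the individual unavailabilities (independence assumed)
        return 1.0 - prod(1.0 - c.availability() for c in self.components)


def system_availability(tiers: list[Tier]) -> float:
    """Tiers are in series: the system is up only if every tier is up."""
    return prod(t.availability() for t in tiers)


def single_points_of_failure(tiers: list[Tier]) -> list[str]:
    """Tiers where the loss of one component takes the whole system down."""
    return [t.name for t in tiers if len(t.components) == 1]


def annual_downtime_hours(availability: float) -> float:
    return (1.0 - availability) * HOURS_PER_YEAR


def mirror(tier: Tier) -> Tier:
    """Add an identical second component, as RAID-1 does for a disk."""
    first = tier.components[0]
    twin = Component(first.name + " (mirror)", first.mttf_hours, first.mttr_hours)
    return Tier(tier.name, tier.components + (twin,))


# Constructed three-tier service: one load balancer, two web servers, one database disk.
LB = Tier("load balancer", (Component("lb-1", mttf_hours=9_999, mttr_hours=1),))
WEB = Tier("web", (Component("web-1", 999, 1), Component("web-2", 999, 1)))
DB_DISK = Tier("db disk", (Component("disk-1", 999, 1),))
BEFORE = [LB, WEB, DB_DISK]
AFTER = [LB, WEB, mirror(DB_DISK)]

if __name__ == "__main__":
    for label, tiers in (("before", BEFORE), ("after mirroring db disk", AFTER)):
        a = system_availability(tiers)
        print(f"{label}: A = {a:.7f}, downtime ~ {annual_downtime_hours(a):.2f} h/yr, "
              f"SPoFs: {single_points_of_failure(tiers)}")
```

Mirroring the lone disk moves the system from roughly 9.6 hours to under an hour of expected downtime per year, and the remaining SPoF (the load balancer) is now the tier to address next. The same per-tier arithmetic is what an SLA uptime target or an RTO should be checked against before it is signed.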

56
Q

CIRT

A

Computer Incident Response Team

A carefully selected and well-trained group of people whose purpose is to promptly and correctly handle an incident so that it can be quickly contained, investigated, and recovered from.

Their responsibilities may include:

  • Developing a proactive incident response plan
  • Testing for and resolving system vulnerabilities
  • Maintaining strong security best practices
  • Providing support for all incident handling measures