Risk Management Flashcards

1
Q

CIO

A

Chief Information Officer

The most senior executive in an enterprise who works with information technology and computer systems, in order to support enterprise goals.

They are responsible for the management, implementation, and usability of information and computer technologies.

2
Q

RAID

A

Redundant Array of Inexpensive Disks

Multiple disks added together to increase performance or provide protection against faults.

Inexpensive way to improve fault tolerance

Common types include:

  • RAID-1
  • RAID-5
  • RAID-6
  • RAID-10
3
Q

SECaaS

A

Security as a Service

Cloud-delivered model for outsourcing cybersecurity services

4
Q

SLA

A

Service Level Agreement

A business agreement that defines what services and support are provided to a client

5
Q

PHI

A

Personal Health Information

Any information in a medical record that can be used to identify an individual and that was created, used, or disclosed to a covered entity and/or their business associate(s) in the course of providing a health care service such as a diagnosis or treatment.

6
Q

NDA

A

Non-Disclosure Agreement

A contract that states that an individual will not share certain sensitive information with outside parties, under penalty of law

7
Q

ISA

A

Interconnection Security Agreement

  • Document that defines the security-relevant aspects of an intended connection between an agency and an external system.
  • Specifies the security interface between any two systems operating under two distinct authorities.
8
Q

TCO

A

Total Cost of Ownership

Purchase price of an asset plus the costs of operation

9
Q

MTBF

A

Mean Time Between Failures

The rating of a device or component that predicts the expected time between failures.

10
Q

PIA

A

Privacy Impact Assessment

A tool for identifying and analyzing risks to privacy during the development life cycle of a program or system.

11
Q

PII

A

Personally Identifiable Information

Information about individuals that can be used to trace a person's identity, such as:

  • full name
  • birth date
  • biometric data
  • SSN
12
Q

BPA

A

Business Partners Agreement

Defines how a partnership between organizations will be conducted and what is expected of each organization.

13
Q

BIA

A

Business Impact Analysis

Process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident, or emergency.

One phase of Business Continuity Planning.

14
Q

SDLC

A

Software Development Life Cycle

The process of designing and deploying software, from the initial planning stages before the application is deployed all the way to its obsolescence

15
Q

IaaS

A

Infrastructure as a Service

A computing method that uses the cloud to provide any or all infrastructure needs

16
Q

PHI

A

Personal Health Information

PII that includes health information.

17
Q

RTO

A

Recovery Time Objective

Length of time it takes after an event to resume normal business operations and activities

18
Q

ARO

A

Annual/Annualized Rate of Occurrence

Number of times a loss is expected to occur in a year.

Used to quantitatively measure risk with ALE (Annual Loss Expectancy) and SLE (Single Loss Expectancy):

ARO x SLE = ALE

19
Q

ISP

A

Internet Service Provider

Organization that provides a myriad of services for accessing, using, or participating in the Internet.

20
Q

ISSO

A

Information Systems Security Officer

  • Executive that establishes and enforces security policies to protect an organization's computer infrastructure, networks, and data.
  • Similar to a CSO and generally reports to the CIO.
22
Q

IR

A

Incident Response

An organized approach to addressing and managing the aftermath of a security breach or cyberattack.

The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

23
Q

EF

A

Exposure Factor

The subjective potential percentage of loss to a specific asset if a specific threat is realized.

24
Q

SSP

A

System Security Plan

  • Provides an overview of the security requirements of the system
  • Describes the controls in place or planned, responsibilities and expected behavior of all individuals who access the system
25
Q

MOU

A

Memorandum of Understanding

  • Type of agreement that defines the detailed responsibilities of each party.
  • Compare with ISA (Interconnection Security Agreement).

26
Q

IRP

A

Incident Response Plan

A document or series of documents that describe procedures for detecting, responding to, and minimizing the effects of security incidents.

27
Q

AV

A

Asset Value

An element of risk assessment. Identifies the worth of an asset, which can include any product, system, or process. The value can be a specific monetary value or a subjective value.

28
Q

SPoF

A

Single Point of Failure

Any component whose failure causes the entire system to fail.

29
Q

SDLM

A

Software Development Life Cycle Methodology

Methodology for managing software development during all the phases of its life cycle.

30
Q

MOA

A

Memorandum of Agreement

  • Type of agreement that defines the detailed responsibilities of each party.
  • Compare with ISA (Interconnection Security Agreement).

31
Q

MSP

A

Managed Services Provider

  • Company that delivers outsourced services such as network, application, infrastructure, and security services via ongoing and regular support.
  • Location can be:
    • Client site
    • MSP site
    • 3rd-party site

32
Q

MTD

A

Maximum Tolerable Downtime

The longest period of time a business can be inoperable without causing irrevocable business failure.

33
Q

BCP

A

Business Continuity Planning

The process of creating prevention and recovery systems to deal with potential threats to an organization. The goal is to enable ongoing operations before and during disaster recovery.

34
Q

CERT

A

Computer Emergency Response Team

A historic term for an expert group that handles computer security incidents.

35
Q

SaaS

A

Software as a Service

A cloud computing model that provides applications over the internet. Webmail is an example of a cloud-based technology. Compare with IaaS and PaaS.

36
Q

CP

A

Contingency Planning

Development of a defined, actionable plan that is to be enacted if an identified risk becomes a reality. It is often used in risk management for an exceptional risk that, though unlikely, would have catastrophic consequences.

37
Q

RAD

A

Rapid Application Development

RAD approaches to software development put less emphasis on planning and more emphasis on an adaptive process. Prototypes are often used in addition to, or sometimes even instead of, design specifications.

38
Q

PaaS

A

Platform as a Service

A category of cloud computing services that provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.

39
Q

RMF

A

Risk Management Framework

NIST-developed set of processes for federal entities to integrate security and risk management activities into their system development life cycle.

40
Q

DRP

A

Disaster Recovery Plan

A documented process or set of procedures to execute an organization's disaster recovery processes and recover and protect a business IT infrastructure in the event of a disaster.

41
Q

ALE

A

Annual/Annualized Loss Expectancy

The expected loss for a year.

Used to quantitatively measure risk with ARO (Annual Rate of Occurrence) and SLE (Single Loss Expectancy):

ARO x SLE = ALE

42
Q

AAR

A

After Action Report

A structured analysis of events that can provide insight into how to improve response processes in the future.

Report objectives:

  • Identifying the problematic issues and needs for improvement
  • Proposing counteractive measures
  • Obtaining lessons learned

43
Q

CSIRT

A

Computer Security Incident Response Team

A group of experts that assesses, documents, and responds to a cyber incident so that a network can not only recover quickly but also avoid future incidents.

44
Q

RPO

A

Recovery Point Objective

Longest period of time that an organization can tolerate lost data being unrecoverable.

45
Q

ITCP

A

IT Contingency Plan

A component of the business continuity plan (BCP) that specifies alternate IT procedures to switch over to when the organization is faced with an attack or disruption of service leading to a disaster.

46
Q

EAL

A

Evaluation Assurance Level

A rating from 1 to 7 that states the level of secure features offered by an operating system, as defined by the Common Criteria (CC).

47
Q

ITIL

A

Information Technology Infrastructure Library

  • Library of detailed practices for IT service management (ITSM)
  • Focuses on aligning IT services with the needs of the business.
  • Helps businesses manage risk, strengthen customer relations, establish cost-effective practices, and build a stable IT environment that allows for growth, scale, and change.

48
Q

COOP

A

Continuity of Operations Plan

A plan to prevent and recover from potential threats and enable ongoing operations before and during execution of disaster recovery. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

49
Q

DFIR

A

Digital Forensics and Incident Response

A division of computer forensics that relies on evidence found in filesystems, operating systems, information system hardware, and other evidentiary sources for the sake of criminal reconstruction. It is a specialized cybersecurity sub-field traditionally associated with computer emergency response teams (CERT) or computer security incident response teams (CSIRT) called in to respond to a cybercrime or similar emergency.

50
Q

ROI

A

Return on Investment

The ratio between net profit and cost of investment. A high ROI means the investment's gains compare favourably to its cost.

51
Q

CAR

A

Corrective Action Report

A report that lists the action or actions adopted to prevent the problem from occurring again. Part of a quality control system.

52
Q

SLE

A

Single Loss Expectancy

The financial loss expected from a single adverse event.

53
Q

CSP

A

Cloud Service Provider

  • Third-party company offering a cloud-based platform, infrastructure, application, or storage services.
  • Top companies include Amazon Web Services, Microsoft Azure, IBM Cloud Services, and VMware.

54
Q

MTTF

A

Mean Time to Failure

Average time a device or component is expected to be in operation.

55
Q

MTTR

A

Mean Time to Recover (Repair)

Average time taken for a device or component to be repaired, replaced, or otherwise recovered from a failure.

56
Q

CIRT

A

Computer Incident Response Team

A carefully selected and well-trained group of people whose purpose is to promptly and correctly handle an incident so that it can be quickly contained, investigated, and recovered from.

Their responsibilities may include:

  • Developing a proactive incident response plan
  • Testing for and resolving system vulnerabilities
  • Maintaining strong security best practices
  • Providing support for all incident handling measures