Risk Management Flashcards
What is risk acceptance?
This is a business decision to say, we will take this risk.
We are fine with where we are and we are not going to make any other changes to avoid this risk.
What is risk avoidance?
This would be to stop participating in a particular high-risk activity.
For example, you could stop using an outdated EOL server.
What is risk transference?
Instead of taking the full risk a company will choose to do something like purchase cybersecurity insurance, which may help out financially.
What is risk mitigation?
This would be decreasing the risk level by purchasing additional software and hardware to prevent risky security events from occurring.
What is a risk register?
This is always associated with a large new project that is going on.
This allows you to identify any significant risks associated with a project you are doing at every possible step as well as some possible solutions to get you through any of these risky situations.
This also allows you to monitor the results and see what impact risk had overall on that project.
What is a risk matrix/risk heat map?
This allows you to visually see the results of a risk assessment and identify risk based on color.
This usually combines the likelihood of an event with the potential impact, and assists with making strategic decisions.
What is inherent risk?
This is risk that exists in the absence of controls.
This means that if we didn’t add any controls there would be this level of risk that we would have to undertake. This may also include the existing set of controls you currently have without adding any new ones to determine your inherent risk.
What is residual risk?
This is when you take the inherent risk that exists and you combine it with the effectiveness of your security controls.
Inherent risk + control effectiveness = residual risk
For example, connecting your web server to the internet without a firewall gives a great deal of inherent risk. But once you add in that firewall and it is considered effective, your residual risk ends up being significantly lower.
Some models, though, treat your current setup as the inherent risk, and the residual risk as how things will be after adding NEW controls to your setup.
What is risk appetite?
The amount of risk an organization is willing to take.
What is a risk control assessment?
This takes place after all the risk has already been determined and heat maps have been created.
Now it is time to build the cybersecurity requirements.
Risk control assessments will typically involve a formal audit.
You will determine if existing controls are compliant or non-compliant with our new risk policies, and make changes accordingly.
What is HIPAA’s main concern?
PRIVACY
Privacy of patient health records.
What is the difference between a qualitative risk assessment and a quantitative risk assessment?
Qualitative risk assessments are designed to get a better understanding of where you sit with this particular risk. You may want to get opinions from others. You use things like colors to determine how risky something is, based on things like impact, annualized rate of occurrence, cost of controls, overall risk, etc. Our ratings would be more abstract, rather than using actual numbers and figures.
Quantitative risk assessments are concerned with specific figures and numbers. Things like ARO (annualized rate of occurrence) will determine the likelihood, and SLE (single loss expectancy) determines how much we will lose if a single event occurs, based on AV (asset value). From these we can determine the ALE (annualized loss expectancy), which is ARO x SLE.
What is RTO? What about RPO?
Recovery time objective
RTO is a way of quantifying how long we would like it to take to get things back up and running, to a particular service level, after some type of outage.
This doesn't mean we are trying to get back to 100% service, but we do want things to be at least partially up and running.
Recovery point objective
RPO is the other end of this equation: we set an objective with a minimum set of requirements to get an organization back up and running. This means that part of it may be available while part is unavailable. We need to understand how much is acceptable.
What is MTTR?
Mean time to repair.
This is the time required to fix an issue.
This is a good estimation of how long it will take to get back up and running if there is an outage.
What is MTBF?
This is mean time between failures.
This is used to predict the time between outages.
If an outage happens, how long will it probably be before the next one?