Risk Management Flashcards
What is risk management?
- systematic process of identifying, assessing, and managing risks to information assets and systems
- understanding potential threats, vulnerabilities, and the impact of potential incidents on an organization’s security posture
Who decides how risks are handled?
management
What is a risk category?
group of potential causes of a risk
What are the different risk categories? Describe each.
- Damage
  - results in a physical loss of an asset or the inability to access the asset
- Loss
  - might be permanent or temporary, including altered data or inaccessible data
- Disclosure
  - disclosing critical information regardless of where or how it was disclosed
What is a risk factor?
something that increases risk or susceptibility
What are the risk factors?
- physical damage
  - natural disasters, vandalism, power loss
- malfunction
  - failure of systems, networks or peripherals
- attack
  - purposeful acts whether from the inside or outside
- human
  - usually considered accidental, whereas attacks are purposeful incidents
- application errors
  - failures of the application, including operating system
Acronym: Police Must Accept Happy Anarchists
What are the different types of risk?
- Residual Risk
- Inherent Risk
- Total Risk
What is Residual Risk?
- risk that remains even when all conceivable safeguards are in place
- exists AFTER security controls are implemented
What is Inherent Risk?
- newly identified risk not yet addressed with risk management strategies
- the amount of risk that exists in the absence of controls
- inherent risk is the level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed
- exists BEFORE security controls are implemented
What is Total Risk?
- amount of risk that an organization would face if no safeguards are implemented
- exists WITHOUT security controls
What is risk identification?
- systematically identifying and documenting potential risks that could negatively impact the confidentiality, integrity, or availability of information assets
- identifying internal and external threats and potential impacts
What techniques are used to identify risks?
- risk assessments
- threat modeling
- vulnerability assessments
- asset inventories
What is risk assessment?
- analyzing and evaluating identified risks to determine their likelihood of occurrence and potential impact
- helps prioritize risks based on their severity and the likelihood of occurrence
What parameters does risk assessment consider?
- value of the assets at risk
- the potential impact on the organization’s operations
- financials, reputation, and compliance requirements
What is a risk response?
- developing and implementing strategies to address identified risks
- includes determining the most effective and efficient controls and countermeasures to reduce the risk to an acceptable level
What are the possible risk responses?
- Risk Avoidance
- Risk Rejection
- Risk Mitigation
- Risk Assignment/Transfer
- Risk Acceptance
- Risk Deterrence
Acronym: All Romans Must Attack All Docks
What is risk avoidance?
- avoiding the risk altogether by ceasing the activity or not engaging in the vulnerable process
- e.g. opening a private cloud facility in Utah instead of Texas to avoid hurricanes
What is risk rejection?
an unacceptable response to risk: rejecting or ignoring the risk
What is risk mitigation?
- implementing controls and countermeasures to reduce the likelihood or impact of the risk
- can include implementing security controls, applying patches and updates, or enhancing employee training
- accepts the residual risk
What is risk assignment/transfer?
- transferring the risk to a third party, such as through insurance or outsourcing
- shifts the financial burden or responsibility for managing the risk to another entity
What is risk acceptance?
- accepting the risk and consciously deciding to tolerate the potential consequences
- typically done for risks with a low likelihood or impact, or when the cost of mitigation outweighs the potential harm
What is risk deterrence?
- implementing deterrents to would-be violators of security and policy
- includes things like security cameras or security guards
Describe Risk Monitoring and Review
- risk management is an ongoing process, and organizations need to continuously monitor, review, and reassess risks
- periodic risk assessments and reviews ensure that risk management practices remain up to date and aligned with the evolving security needs of the organization
Describe Risk Communication
- effective risk management includes clear and concise communication of risks, their potential impacts, and recommended mitigation strategies to stakeholders
- enables stakeholders to understand the potential impacts, make informed decisions, and participate in risk management activities
What does risk management documentation include?
risk management process, risk assessments, risk treatment decisions, and the implementation and effectiveness of security controls
What is Risk Appetite (Risk Tolerance)?
- level of risk that an organization or individual is willing to accept or tolerate in pursuit of its objectives
- involves finding the right balance between risk-taking and risk avoidance
What does a business need to consider so that risk management efforts are in line with the overall organizational strategy?
business priorities, strategic goals, and risk appetite
What should risk management consider as one of the top priorities?
- legal and regulatory requirements applicable to the organization’s industry and jurisdiction
- compliance with laws, regulations, and industry standards is an integral part of risk management, ensuring that the organization operates within legal boundaries and meets its obligations to protect sensitive information
What are the two different ways to evaluate risk to assets?
- quantitative
- qualitative
What is quantitative risk analysis?
- assigns a dollar value to evaluate the effectiveness of countermeasures
- labor intensive - employs data collection and analysis
- objective - involves hard data
What is qualitative risk analysis?
- uses a scoring system to rank threats and effectiveness of countermeasures relative to the system or the environment
- subjective - involves opinion