Risk Management Flashcards

1
Q

What is the payback method of calculation in Risk Management?

A

A calculation that simply compares the Annual Loss Expectancy against the expected savings from implementing that control.

2
Q

What is the NPV calculation when determining ROI?

A

It considers the cost of the money spent today against the savings that we might see tomorrow.
It uses a discount rate to place a value on tomorrow's money; the rate takes into account inflation, opportunity cost, etc., and each resourcing department has its own discount rate.

3
Q

What is Risk Acceptance?

A

This occurs when it is not financially viable to tackle the risk, usually when the control is more expensive than the actual risk. It is not to be viewed as deliberately not taking action.

Often there are cases where the risk is acknowledged and accepted as an exception. An exemption is like an exception but needs a more formal sign-off.

4
Q

What is Risk Avoidance?

A

This is where we put controls in place to prevent an identified risk from occurring.

5
Q

What is Risk Mitigation?

A

This is where we reduce risks to an acceptable level.

6
Q

What is Risk Transference?

A

This is where a third party accepts the risk on our behalf; insurance is an example.

7
Q

What is a risk exception?

A

Any risk that is created due to an exemption being granted or a failure to comply with corporate policy.

8
Q

What is inherent risk?

A

The inherent risk facing an organisation is the original level of risk that exists before implementing any controls.

9
Q

What is residual risk?

A

The risk left after controls have been implemented.

10
Q

What are key risk indicators?

A

Metrics to measure and provide early warning for increasing levels of risk.

11
Q

What should be recorded in a risk register?

A

Risk Owner
Risk Threshold Information
Key Risk Indicators

12
Q

What is Risk Appetite?

A

The level of risk the organisation is willing to accept as the cost of doing business.

Appetites can be expansionary, neutral or conservative, and they indicate the organisation's overall approach to risk. Risk tolerance is the same idea applied to individual items, so it is possible to have a low risk appetite generally but a high risk tolerance on a particularly important asset.

13
Q

What is Risk Tolerance?

A

The ability to withstand risk and maintain operations.

14
Q

What is a risk threshold?

A

It is the level at which a risk becomes unacceptable.

15
Q

What is TCO?

A

TCO (total cost of ownership) considers not just the sticker price but also the other parts of the cost-of-ownership model, such as training, support and operations.

TCO doesn't instantly save you money; its savings are realised over time.

16
Q

What is SLE?

A

This is the monetary cost of an event to an organisation.

17
Q

What is ARO?

A

This is the number of times per year an event is expected to occur.

18
Q

What is ALE?

A

SLE * ARO

This represents the actual annual cost to the company and can be used to determine whether a compensating control is worth it.

19
Q

What are the six types of loss?

A

Cost of Repairs, Data Compromise, Data Loss, Loss of Productivity, Loss of Reputation, Loss of Revenue

20
Q

What are MTBF and MTTR?

A

Mean Time Between Failures (MTBF): a BIA metric for the reliability of a system; it is the expected amount of time between failures.
Mean Time To Repair (MTTR): a BIA metric for the average amount of time taken to restore the system to its normal operating state after a failure.

21
Q

What is a business partner agreement?

A

Some organisations have business partners, organisations with a vested interest in each other's success. In addition to the nature of the business, the BPA should outline the roles and responsibilities of each organisation in the partnership, including items such as the controls in place between the partners and which organisation manages which services.

22
Q

What is an interoperability agreement?

A

Binding agreements that are used during normal operations.

23
Q

What is a standard operating procedure?

A

Developed to make sure that day-to-day functions are carried out in a way that is consistent with the policies we have in place. SOPs can be produced as evidence to auditors to demonstrate that the organisation is meeting requirements.

24
Q

What is the Common Criteria standard?

A

A set of standards in which computer system users can specify their security, functional and assurance requirements for a given system.

EALs (Evaluation Assurance Levels) express the level of assurance in how secure a system is; Windows gets a 4, with 7 being the highest.

25
Q

What is the Capability Maturity Model Integration standard?

A

Focuses on the processes and behaviours used during the development of software products and services within the organisation.
Categorises your organisation's maturity level from 1 to 5.

26
Q

What is the Cloud Security Alliance Trust, Assurance and Risk registry?

A

A public registry that documents the security and privacy controls provided by popular cloud computing offerings.

27
Q

What is the timeline for conducting internal and external audits?

A

Quarterly for internal and annually for external.

28
Q

What three forms can an external audit take?

A

On-site, document exchange, policy review.

29
Q

What does the term de-perimeterisation mean?

A

It indicates the shifting nature of today's security perimeter and why it may not be good enough to assume that security at the network perimeter alone is sufficient.
