Risk Management Flashcards
IRM
Information Risk Management - process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level
Risk assessment
Method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls
Cost / benefit Comparison
Compares the annualized cost of controls to the potential cost of loss
Project Sizing
Understand what assets and threats should be evaluated
Loss potential
What a company would lose if a threat agent actually exploited a vulnerability
Delayed loss
Loss that occurs after the initial vulnerability is exploited
NIST SP 800-30
Risk Management Guide for Information Technology Systems
FRAP
Facilitated Risk Analysis Process - Focuses on assessing one system at a time, only the most critical ones. Based on experience; risk is not quantified, for expediency.
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation - Carnegie Mellon methodology that allows people within an organization to make security evaluation decisions. Wider scope than FRAP.
AS/NZS 4360
Broad approach to risk management encompassing financial, capital, human safety, and business decision risks. Business, not security, focused.
ISO/IEC 27005
International standard for risk management in ISMS (Information Security Management System)
FMEA
Failure Modes and Effect Analysis - method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process
Fault tree analysis
Method used to identify possible failures that could occur in complex environments and systems
CRAMM
Central Computing and Telecommunications Agency Risk Analysis and Management Method - risk analysis and management method developed in the UK; supporting tools sold by Siemens
Quantitative risk analysis
Assign monetary and numeric values to all elements of the risk analysis process
Qualitative risk analysis
Softer approach to the data elements of risk analysis. Does not assign numerical values to risk elements.
SLE
Single Loss Expectancy - dollar amount assigned to a single event that represents the company’s potential loss amount. SLE = Asset value x Exposure factor
Exposure Factor
Represents the percentage of loss a threat could have on a certain asset.
ALE
Annual Loss Expectancy
ALE = SLE x Annualized Rate of Occurrence (ARO)
ARO
Annualized Rate of Occurrence
Value that estimates the frequency of a specific threat taking place within a 12-month period.
Uncertainty
Degree to which you lack confidence in an estimate
Delphi Technique
A group decision method that uses anonymity to obtain a consensus.
Cost / benefit analysis
“(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company”
Residual Risk
Amount of risk left over when safeguards / countermeasures are implemented
(threats × vulnerability × asset value) × controls gap = residual risk
total risk – countermeasures = residual risk
Total Risk
Risk a company faces if it chooses not to implement any safeguards
threats × vulnerability × asset value = total risk
Transfer Risk
If total risk is too much for a company to deal with, it may purchase insurance, which transfers the risk
Risk Avoidance
Remove risk by terminating the activity causing the risk
Risk Mitigation
Risk reduced to level acceptable enough to continue doing business
Accept Risk
Company understands level of risk and decides to live with it. Cost of countermeasure may outweigh potential loss value.
Security Policy
Overall general statement by senior management that dictates role of security within organization
Organizational Security Policy
Management establishes security program, goals, responsibilities, value, and enforcement.
Issue-specific Policy
Functional Policy - Addresses specific security issues that need a more detailed explanation and approach
System Specific Policy
Management’s policy decision regarding specific systems or machines, networks, applications, etc…
Regulatory Policy
Policy ensures organization is following standards set by specific industry regulations
Advisory Policy
Strongly advises employees as to which types of behaviors and activities should and should not take place within the organization
Informative Policy
Informs employees on topics but not enforceable
Standards
Mandatory activities, actions, or rules
Baseline
Point in time that is used as a comparison for future changes
Guidelines
Recommended actions and operational guides to users / staff
Procedure
Detailed step-by-step tasks that should be performed to achieve a certain goal
Board of Directors
Group of individuals elected by shareholders of a corporation to oversee the fulfillment of the corporation’s charter
Chief Executive Officer
Responsible for day-to-day management responsibilities of an organization
Chief Financial Officer
Responsible for a corporation’s accounting and financial activities and the overall financial structure of the organization
Chief Information Officer
Responsible for the strategic use and management of information systems and technology within organization
Chief Privacy Officer
Responsible for ensuring that customer, company, and employee data are kept safe
privacy impact analysis
Risk assessment from the perspective of protection of sensitive data
Chief Security Officer
Responsible for understanding the risk a company faces and mitigating these risks to an acceptable level
convergence
Formal cooperation between previously disjointed security functions
security steering committee
Group responsible for making decisions on tactical and strategic security issues within the enterprise as a whole
audit committee
Group appointed by the board of directors that reviews and evaluates the company’s internal operations, internal audit system, and the transparency and accuracy of financial reporting
data owner
Usually a member of management who is ultimately responsible for the protection and use of a specific subset of information
data custodian
responsible for maintaining and protecting the data
system owner
responsible for one or more systems and the applicable security considerations
security administrator
responsible for implementing and maintaining specific security network devices and software in the enterprise
security analyst
works at a higher, more strategic level than the previous roles and helps develop policies, standards, and guidelines - design level
application owner
typically business unit manager responsible for deciding access to their application, security, patching, change control
change control analyst
responsible for approving or rejecting requests to make changes to the network, systems, or software
data analyst
responsible for ensuring that data is stored in a way that makes the most sense for the company
process owner
responsible for properly defining, improving upon, and monitoring a company’s business processes
solution provider
vendor
product line manager
evaluates different products in the market, works with vendors, understands different options a company can take, advises management on proper solutions needed to meet their goals
auditor
ensures the organization complies with its own policies and the applicable laws and regulations
separation of duties
makes sure that one individual cannot complete a critical task by themselves
collusion
at least two people are working together to cause some type of destruction or fraud
split knowledge
Type of separation of duty - no one person has the knowledge or the details to complete a task
dual control
Type of separation of duty
rotation of duties
rotate employees through a position to detect suspicious activity from the previous employee
mandatory vacation
force an employee to take a vacation, which forces rotation of duties
security governance
framework that carries security from senior management direction through communication and implementation to verification of results
ISO/IEC 27004:2009
International standard used to assess the effectiveness of an ISMS
NIST SP 800-55
publication covering performance measuring for information security
Organizational tier
Risk concerned with the business as a whole
Business Process Tier
Risk concerned with major functions of the organization
Information Systems Tier
Risk concerned with information systems
Risk Management Process
Frame risk, assess risk, respond to risk, monitor risk
Threat modeling
Describing feasible adverse effects on our assets caused by threat sources