Sec+ Chapter 17: Risk Management and Privacy Flashcards
ERM
Enterprise risk management
A formal approach to risk analysis that identifies risks, determines risk severity, and adopts risk management strategies
Threats
Any possible event that can adversely impact the CIA of information or info systems
Vulnerabilities
Weaknesses in a system or control that can be exploited by a threat
Risks
Occurs at the intersection of threat and vulnerability
A threat without a corresponding vulnerability (or vice versa) doesn’t pose a risk
Risk ID process
Identifies threats and vulnerabilities that exist in your operating environment
External risks
Originate from a source outside an org, like hacker groups or former employees
Internal risks
Originate from within an org, like disgruntled employees or partners with access to your network
Multiparty risks
When a data breach involves multiple other entities because their networks are connected together
Legacy systems
Outdated systems that no longer receive updates
Must be heavily protected against unpatchable vulnerabilities
IP theft
Intellectual property theft
Theft of trade secrets or proprietary info that, if disclosed, could compromise a company’s business advantage
Software compliance / licensing
Too few licenses means your employees can’t do their job
Too many licenses is a waste of money as they sit unused
Understand exactly what your licensing requirements are and that you’re purchasing and managing them properly
Likelihood of occurrence
Probability that a risk will occur
Magnitude of impact
The impact a risk will have if it does occur
Formula for risk severity
Risk severity = likelihood of occurrence * magnitude of impact
Risk assessment
A formalized approach to risk prioritization that allows orgs to conduct their reviews in a structured manner
Quantitative risk assessment
Uses numeric data for straightforward prioritization of risks
Qualitative risk assessment
Uses subjective judgements and categories for risks that are difficult to quantify
Quantitative risk assessment process
1) Determine asset value (AV) of affected asset
2) Determine the likelihood the risk will occur
3) Determine the amount of damage that will occur to the asset if the risk materializes
4) Calculate the single loss expectancy (SLE)
5) Calculate the annualized loss expectancy (ALE)
ARO
Annualized rate of occurrence
The number of times a risk is expected each year
EX: If a risk is expected twice a year, ARO = 2.0
EX: If a risk is expected once every hundred years, ARO = 0.01
EF
Exposure factor
The percentage of the asset expected to be damaged
EX: EF of a risk that completely destroys an asset = 100%; half destroyed = 50%; etc
SLE
Single loss expectancy
The amount of financial damage expected each time a risk materializes
SLE = AV * EF
ALE
Annualized loss expectancy
Amount of damage expected from a risk each year
ALE = SLE * ARO
Risk management
The process of systematically addressing the risks facing an organization
Risk mitigation
The process of applying security controls to reduce the probability and/or magnitude of a risk
Risk avoidance
When you change business practices to completely eliminate the potential that a risk will materialize
Risk transference
Shifts some of the impact of a risk from the organization experiencing the risk to another entity
Risk acceptance
Deliberately choosing to take no other risk management strategy, accept the risk, and continue operations as normal in the face of a risk
Inherent risk
Risk that exists in the absence of any security controls
Impact + likelihood
Residual risk
The level of risk that exists after implementing controls to mitigate, avoid, or transfer inherent risk
Inherent risk + security control effectiveness
Risk appetite
The level of risk an org is willing to accept as a cost of doing business
DRP
Disaster recovery plan
A detailed plan for resuming operations after a disaster
Plan before the disaster to have backups, offsite data replication, cloud alternatives, remote sites, etc
BIA
Business impact analysis
A formal process to identify the mission critical functions within an org and facilitate the identification of the critical systems that support those functions
MTBF
Mean time between failures
The expected amount of time that will elapse between outages
MTTR
Mean time to repair
The average amount of time to restore a system to its normal operating state after a failure
RTO
Recovery time objective
How long it takes to get back up and running to a particular service level, not always a complete recovery
RPO
Recovery point objective
The amount of data the org can tolerate losing during an outage
Sets an objective for the requirements that must be met to get a system back up and running, which determines how much unavailability is unacceptable
Single points of failure
Systems, devices, or components that will cause a full outage if they fail
Privacy notice
A notice that outlines the privacy practices adopted by an org
PII
Personally identifiable information
Any info that uniquely identifies an individual person
PHI
Protected health information
Medical records maintained by healthcare providers and protected under HIPAA
Financial information
Any personal financial records maintained by an org
Information classification
Programs that organize data into categories based on the sensitivity of the information and the impact on the org should it be inadvertently disclosed
Data controller
Responsible for the purposes and means by which the data is processed
Data steward / custodian
Responsible for the accuracy of the data, keeping it private, and the security of the data stored in your systems
They will also identify or set labels associated with data so you know who has access
Keeps track of all data laws and regulations so your org complies with them
Implements security controls for data
Data processor
Processes data on behalf of the data controller
Often a third party or different group
EX:
Payroll department is data controller, defines payroll amount and timeframe
Payroll company is data processor, they process payroll and store employee information
Data minimization
Collecting the smallest possible amount of information necessary to meet the org’s business requirements
Information that’s not necessary should be either immediately discarded or not collected in the first place
Purpose limitation
Information should only be used for the purpose it was originally collected for
Data retention
Determines how long data should be kept
De-identification
AKA anonymization
The process of removing the ability to link data back to an individual, which reduces its sensitivity
Data obfuscation
Transforming data into a format where the original information can’t be retrieved
EX: Hashing, tokenization, and data masking
Data owner
A person responsible for a certain set of data within an organization
EX: The VP of sales, who is responsible for all customer relationship data
DPO
Data protection officer
Higher-level manager responsible for the org’s overall data privacy policies
Defines the privacy policies, makes sure processes are in place to keep data private, and has procedures for handling data throughout the work day