Section 21 Risk Assessments Flashcards
A process used inside of risk management to identify how much risk exists in a given network or system.
Risk Assessments
The probability that a threat will be realized.
Risk
Weaknesses in the design or implementation of a system.
Vulnerabilities
Any condition that could cause harm, loss, damage, or compromise to our information technology systems.
Threat
A strategy that requires stopping the activity that has risk or choosing a less risky alternative.
Risk Avoidance
A strategy that passes the risk to a third party.
Risk Transfer
A strategy that seeks to minimize the risk to an acceptable level.
Risk Mitigation
A strategy that seeks to accept the current level of risk and the costs associated with it if the risk were realized.
Risk Acceptance
The risk remaining after trying to avoid, transfer, or mitigate the risk.
Residual Risk
An estimation of the amount of damage that a negative risk might achieve.
Magnitude of Impact
Cost associated with the realization of each individualized threat that occurs.
Single Loss Expectancy (SLE)
SLE = AV x EF (Asset Value x Exposure Factor)
Number of times per year that a threat is realized.
Annualized Rate of Occurrence (ARO)
Expected cost of a realized threat over a given year.
Annualized Loss Expectancy (ALE)
Verify that the organization's security posture is designed and configured properly to help thwart different types of attacks.
Security Assessments
Utilizes more intrusive techniques like scanning, hands-on testing, and probing of the network to determine vulnerabilities.
Active Assessments
Utilizes open-source information, the passive collection and analysis of network data, and other unobtrusive methods without making direct contact with the targeted systems.
Passive Assessments
Methods implemented to mitigate a particular risk.
Security Controls
Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it.
Physical Controls
Safeguards and countermeasures used to avoid, detect, counteract, or minimize security risks to our systems and information.
Technical Controls
Focused on changing the behavior of people instead of removing the actual risk involved.
Administrative Controls
Security controls that are focused on decision-making and the management of risk.
Management Controls
Focused on the things done by people.
Operational Controls
Security controls that are installed before an event happens and are designed to prevent something from occurring.
Preventative
Used during the event to find out whether something bad might be happening.
Detective Controls
Used after an event occurs. Note that a single control can be categorized into multiple types or categories.
Corrective Controls
Used whenever you can’t meet the requirements for a normal control.
Compensating Controls
Risks that are produced by a non-human source and are beyond human control.
External Risk
Risks that are formed within the organization, arise during normal operations, and are often forecastable.
Internal Risk
An old method, technology, computer system, or application program which includes an outdated computer system still in use.
Legacy Systems
A risk that refers to the connection of multiple systems or organizations, with each bringing their own inherent risks.
Multiparty
Risk associated with business assets and property being stolen from an organization in which economic damage, the loss of a competitive edge, or a slowdown in business growth occurs.
IP Theft
Risk associated with a company not being aware of what software or components are installed within its network.
Software Compliance/Licensing