Section 21: Risk Assessments Flashcards
Risk Assessments
A process used inside of risk management to identify risks
Risk
The probability that a threat will be realized
Vulnerabilities
Weaknesses in the design or implementation of a system
How to deal with Risk
Avoid, Transfer, Mitigate, Accept
Risk Transfer
Passes the risk to a third party
Residual Risk
The risk remaining after trying to avoid, transfer or mitigate the risk
What to do with risks
Identify assets
Identify vulnerabilities
Identify threats
Identify the risks
Qualitative Risk
Uses intuition, experience, and other methods to assign a relative value to risk (lack of numbers)
Quantitative Risk
Uses numerical and monetary values to calculate risk (removes a lot of estimation)
Security Assessments
Verify that the organization’s security posture is designed and configured properly to help thwart different types of attacks
Three types of security controls
Physical, technical, or administrative
Examples of administrative controls
Focused on changing the behavior of people; policies, etc.
External risk
Not controlled by humans (wildfire)
Internal Risk
Risks that are formed within the organization, arise during normal operations, and are often forecastable (server crash)
Legacy Systems
An old method, technology, computer system, or application program, including an outdated computer system that is still in use (most ICS and SCADA networks)