Section 21: Risk Assessments Flashcards
Risk Assessments
A process used inside of risk management to identify risks
Risk
The probability that a threat will be realized
Vulnerabilities
Weaknesses in the design or implementation of a system
How to deal with Risk
Avoid, Transfer, Mitigate, Accept
Risk Transfer
Passes the risk to a third party
Residual Risk
The risk remaining after trying to avoid, transfer or mitigate the risk
What to do with risks
Identify assets
Identify vulnerabilities
Identify threats
Identify the risks
Qualitative Risk
Uses intuition, experience, and other methods to assign a relative value to risk (lack of numbers)
Quantitative Risk
Uses numerical and monetary values to calculate risk (removes a lot of estimation)
Security Assessments
Verify that the organization’s security posture is designed and configured properly to help thwart different types of attacks
Three types of security controls
Physical, technical, or administrative
Examples of administrative controls
Controls focused on changing the behavior of people, such as policies
External risk
Risks outside of human control (for example, a wildfire)
Internal Risk
Risks that are formed within the organization, arise during normal operations, and are often forecastable (server crash)
Legacy Systems
An outdated method, technology, computer system, or application program that remains in use (for example, most ICS and SCADA networks)
Multiparty
A risk arising from the connection of multiple systems or organizations, each bringing its own inherent risks (for example, merging companies and accepting the risks that come with the merger)
IP Theft
Risk that business assets and property are stolen from an organization, causing economic damage, the loss of a competitive edge, or a slowdown in business growth
Software Compliance/Licensing
Risk associated with a company not being aware of what software or components are installed within its network