Section 4: Security of Networks, Systems, Applications and Data Flashcards
Risk
The combination of the probability of an event and its consequence. Risk is mitigated through the use of controls or safeguards.
Threat
Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. Some organizations make a further distinction between a threat source and a threat event, classifying a threat source as the actual process or agent attempting to cause harm, and a threat event as the result or outcome of a threat agent’s malicious activity.
Asset
Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.
Vulnerability
A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.
Three different approaches to implementing cybersecurity
- Compliance-based: Also known as standards-based security, this approach relies on regulations or standards to determine security implementations. Controls are implemented regardless of their applicability or necessity, which often leads to a “checklist” attitude toward security.
- Risk-based: Risk-based security relies on identifying the unique risk a particular organization faces and designing and implementing security controls to address that risk above and beyond the entity’s risk tolerance and business needs.
- Ad hoc: An ad hoc approach simply implements security with no particular rationale or criteria. Ad hoc implementations may be driven by vendor marketing, or they may reflect insufficient subject matter expertise, knowledge or training when designing and implementing safeguards.
Cyberrisk assessment
Assets, threats and vulnerabilities must all be analyzed to determine an organization’s particular risk. The process of performing this analysis is called a cyberrisk assessment. While every risk assessment methodology has different nuances and approaches, most share three common inputs: asset identification, threat assessment and vulnerability assessment.
Third Party Risk
Cybersecurity can be more difficult to control when third parties are involved, especially when different entities have different security cultures and risk tolerances. No organization exists in a vacuum, and information must be shared with other individuals or organizations, often referred to as third parties. It is important to understand third-party risk, such as information sharing and network access, as it relates to cybersecurity.
Risk Analysis
There are many methods used to bring the data collected on assets, threats and vulnerabilities together and analyze them to determine risk. Most rely on some process to pair and prioritize likelihoods and impacts. Additionally, risk analyses can be oriented toward one of the inputs, making the risk assessment asset-oriented, threat-oriented or vulnerability-oriented.
- Assets: Important assets are defined first, and then potential threats to those assets are analyzed. Vulnerabilities are identified that may be exploited to access the asset.
- Threat: Potential threats are determined first, and then threat scenarios are developed. Based on the scenarios, vulnerabilities and assets of interest to the adversary are determined in relation to the threat.
- Vulnerability: Vulnerabilities and deficiencies are identified first, then the exposed assets and potential threat events are determined.
Why we need Risk Management
Assessing risk is one of the most critical functions of a cybersecurity organization. Effective policies, security implementations, resource allocation and incident response preparedness are all dependent on understanding the risk and threats an organization faces. Using a risk-based approach to cybersecurity allows more informed decision-making to protect the organization and to apply limited budgets and resources effectively. If controls are not implemented based on awareness of actual risk, then valuable organizational assets will not be adequately protected while other assets will be wastefully overprotected.
Control
The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature.
Inherent risk
The risk level or exposure without taking into account the actions that management has taken or might take.
Residual Risk
The risk that remains after management has implemented a risk response, even with safeguards in place.
Risk acceptance
If the risk is within the enterprise’s risk tolerance, or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses.
Threat source
The actual process or agent attempting to cause harm.
Threat event
The result or outcome of a threat agent’s malicious activity.