Section 5.4 Risk Management Processes & Concepts Flashcards
What is the act of identifying, assessing and reducing the risk of issues that can impact your organization's operations and assets?
Risk Management
What kind of risk comes from elements within the organization’s control?
Internal Risk
What kind of risk is usually the type of risk that the organization has limited control over?
External Risk
The cost of reducing a risk is mitigated by what?
The potential cost of dealing with a security breach.
Ultimately, __________ is a cost/benefit analysis of your security infrastructure.
Risk Assessment
________ involves identifying both types of assets and determining asset value.
Asset Identification
Asset value should consider what?
Repair/Replace Costs
Depreciation
Revenue Generated
Value to competition
Exposure factor
What identifies the critical risks that pose a security threat?
Risk analysis
What kind of risk analysis is a numerical calculation of the exact cost of the loss of a specific company asset because of a disaster?
Quantitative risk analysis
What kind of risk analysis considers tangible and intangible factors in determining costs?
Qualitative risk analysis
The consolidation of many different types of services on the same hardware creates a security risk known as?
Single Point of Failure
What allows a computer to host multiple instances of an operating system environment, all running from the same computer on the same hardware?
Use of Virtualization Technology
What do you call the current awareness of the risk associated with an organization, both internal and external?
Risk awareness
What do you call the amount of risk that is acceptable to an organization?
Risk Tolerance
What do you call the level of risk that an organization is willing to take before actions are taken to reduce the risk?
Risk Appetite
What do you call the untreated risk, or the level of risk before any controls have been put into place to mitigate or counter risk?
Inherent risk
What do you call the risk that occurs when internal controls either fail to reduce risk or misstate the amount of risk that is present or being mitigated?
Control risk
What do you call the level of risk that remains after controls are put into place to mitigate or reduce risk?
Residual Risk
What depicts the rating of various risks according to the likelihood of occurrence and potential impact?
Risk Matrix Format
What will dictate how much funds need to be budgeted for risk countermeasures and mitigation?
Likelihood and Impact
What figure is used to budget the funds for risk countermeasures and mitigation?
Annualized Loss Expectancy (ALE)
The annualized loss expectancy (ALE) is calculated by multiplying what?
Annualized Rate of Occurrence (ARO) x Single Loss Expectancy (SLE)
What concept prevents sensitive and private data from being intercepted or read by unauthorized users?
Confidentiality
Ensuring confidentiality for risk control often entails what?
Encryption and Access Control Measures
What concept ensures that your data is consistent and never modified by unauthorized persons or manipulated in any intentional or accidental manner?
Integrity
What concept ensures information can be trusted from the supposed sender?
Nonrepudiation
Data integrity includes the use of what for protecting data against manipulation?
Proper authentication
Authorization Security Techniques
Data integrity includes the use of what for protecting data from corruption?
Redundancy Planning
Fault Tolerant Systems
What are the common risk control methods of ensuring integrity?
Hashing
Digital Signatures
Certificates
What concept ensures that your systems and networks are always operational and providing service to users?
Availability
When considering risk control, what ensures availability?
Implementation of Hot/Warm/Cold sites
Site Sharing Agreements
What concept ensures that personnel will be safe and then that organizational priorities will be carried out?
Safety
The cost of risk management solutions should not exceed the value of?
The asset if it is lost
What do you call a living document used to track different types of data elements, most commonly risk factors and risk scenarios?
Risk Register
What risk management strategy opts to avoid the risk altogether?
Risk avoidance
What risk management strategy transfers, or “passes on” the risk to a 3rd party?
Risk Transference
What risk management strategy decides to just deal with the risk?
Risk Acceptance
What risk management strategy decides to use countermeasures?
Risk Mitigation
What types of disasters occur based on location?
Environmental
Environmental disasters are protected against by?
Data Backups
Offsite Locations
What types of disasters can be accidental or intentional?
Person-made
Person-made disasters are protected against by?
Access Controls
Physical Security
What kind of disasters happen to a company that is permanently connected to the internet and can come from inside and outside of the network?
Network and Hacking Attacks
What kind of disasters are caused by special programs able to replicate themselves?
Virus attacks
Protection against virus attacks includes what?
Antivirus Software
User Education
What are extremely important in preventing downtime for your organization in the event of equipment or communications failure?
Disaster Recovery
Operations Planning
What do you call a step by step plan to recover your networks and systems in the event of a disaster?
Disaster Recovery Plan
Who is responsible for creating and executing business continuity activities and a disaster recovery plan that outlines the goals for restoring company operations and functionality as quickly as possible following a disaster?
Disaster Recovery Team
What assessment looks for single points of failure and looks to replace them with redundant or fault-tolerant systems?
Site Risk Assessments
What analysis outlines your organization's most critical functions and how they'll be affected during a disaster?
Business Impact Analysis (BIA)
What do you call the most important functions to complete?
Mission Essential Functions (MEF)
Critical business functions and their associated systems must be prioritized so that, in case of a disaster, they'll be what?
They will be made operational before other less critical functions and systems
What will be most important to examine in the BIA?
Total Financial loss incurred through certain types of disasters
What analysis has the purpose of determining whether a system is using privacy information or connecting to one that is?
Privacy Threshold analysis
The most important part of an organization to get operational in the event of a disaster is what?
Communications
Inside of DRP documentation, what includes a list of people and businesses to notify in case of a disaster?
Notification List
Inside of DRP documentation, what includes phone numbers and contact information for employees, vendors, data recovery agencies, and offsite facilities?
Contact information
Inside of DRP documentation, what includes blueprints and diagrams of all networking and facilities infrastructure so they can be re-created at the new site?
Networking and facility diagrams
Inside of DRP documentation, what includes configuration information for all servers, applications, and networking equipment?
System configurations
Inside of DRP documentation, what includes step-by-step information on how to restore data from the backup media?
Backup restoration procedures
Inside of DRP documentation, what includes the operating system software, appropriate license keys, and backup media?
Location of Backup and licensing media
To complete your disaster recovery plan, you should do what to ensure that all parts of the plan work as they should?
Test it
What is it called when departments sit together and go through scenarios?
Tabletop exercises
What do you call a report that allows you to give an honest assessment of the testing, detail the areas that should be improved upon, and identify the path forward for filling any gaps?
After Action Report (AAR) or Lessons Learned report
High-availability systems aim to provide what?
Uninterrupted service consistently
What term specifies in measurable terms the level of service to be received, such as the percentage of time services are available?
Service Level
What industry-standard term refers to the average length of time from the moment a component fails until it is repaired?
Mean Time to Repair (MTTR)
What industry-standard term refers to the length of time that a component is expected to last in regular service?
Mean Time to Failure (MTTF)
What industry-standard term refers to the average length of time a specific component is expected to work until it fails?
Mean Time between Failures (MTBF)
What industry-standard term refers to the maximum amount of time that is considered tolerable for a service or certain business function to be unavailable?
Recovery Time Objective (RTO)
What industry-standard term refers to the maximum acceptable amount of lost data due to an outage or disaster?
Recovery Point Objective (RPO)
What is a strategy to deflect threats in order to avoid the costly and disruptive consequences of a damaging event?
Risk avoidance