Vocab 5 Flashcards

1
Q

The overall process of managing risk within an organization at all levels, according to the organization’s risk appetite, tolerance, and strategy.

A

risk management

2
Q

Involves the application of controls that lower the overall level of risk by reducing the vulnerability, the likelihood that a threat exploits it, or the impact to the asset if the risk were to be realized.

A

risk mitigation

3
Q

The assignment of a particular aspect of risk to a responsible (and accountable) individual, usually a risk practitioner or manager who has the ability to affect risk response through their ownership of assets, controls, or status in the organization.

A

risk ownership

4
Q

A collection of detailed data on identified IT risks; typically applied to a specific system or groups of systems.

A

risk profile

5
Q

The master product or document that reflects the different risk scenarios and factors for the organization; it could be broken down by asset or system and reflects the different risk factors including threats, vulnerabilities, assets, likelihood, and impact to assets.

A

risk register

6
Q

Lists the risk responses that have been chosen and charts their progress and associated timeline, with an appropriate action owner.

A

risk response action plan

7
Q

An identified risk event possibility, which consists of a threat actor, threat, vulnerability, and asset.

A

risk scenario

8
Q

Often referred to as risk transference, entails the use of a third party to offset part of the risk. It can involve the outsourcing of some activities to a third party to reduce the financial impacts of a risk event.

A

risk sharing

9
Q

The organization’s level of acceptable variation from the risk appetite.

A

risk tolerance

10
Q

Looks to establish a causal relationship between the root cause (or causes) and the problem as it manifested itself.

A

root-cause analysis (RCA)

11
Q

U.S. law passed in 2002 establishing requirements for public companies in the United States, as well as auditors and accounting firms, to improve the accuracy and reliability of corporate disclosures with regard to securities laws. The law is enforced by the U.S. Securities and Exchange Commission (SEC) and provides governance for the integrity and accuracy of data produced by an organization. For security professionals, this has the effect of imposing specific integrity and protection controls on information systems and processes.

A

Sarbanes–Oxley Act of 2002 (SOX)

12
Q

The process of determining the impact to the organization, with regard to confidentiality, integrity, and availability, for information and systems. The security categorization uses qualitative benchmarks of low, moderate, and high. FIPS 199 and NIST SP 800-60 offer a defined process for the security categorization of information.

A

security categorization

13
Q

Refers to the technologies and products used to integrate security information management and security event management information into a centralized interface, providing real-time event correlation and analysis.

A

security information and event management (SIEM)

14
Q

A contractual agreement, signed by an organization and a third-party provider, which details the level of security, data availability, and other protections afforded the organization’s data held by the third party.

A

service-level agreement (SLA)

15
Q

A third-party cloud-based service that offers outsourced use of software by an organization; this allows an organization to use licensed software at a lower cost than buying, installing, and maintaining software.

A

Software as a Service (SaaS)

17
Q

Any business-related individual, department, or entity directly affected by risk to the organization.

A

stakeholder

18
Q

A prescribed set of detailed processes, which may include specific levels of performance or function, used to complete and measure a given task or function.

A

standard

19
Q

A framework describing the entire useful life of a system or software, which usually includes phases relating to requirements definition, design, development, acquisition, implementation, sustainability, and disposal.

A

systems development life cycle (SDLC)

20
Q

An event or occurrence that has the potential to cause harm or damage to people, places, or things, or to adversely affect operations.

A

threat

21
Q

An entity that has the intent to initiate a threat event. This doesn’t have to be a person; it could also be nature, in the case of a natural disaster.

A

threat agent / threat actor

22
Q

An assessment that attempts to determine all potential threat actors and threats that may affect a given asset or its vulnerabilities.

A

threat assessment