Week 2 Flashcards

1
Q

What is systemic risk?

A

Systemic risk refers to the risk of a breakdown of an entire system rather than simply the failure of individual parts.

Systemic risk is the risk of having not just statistically independent failures, but interdependent, so-called ‘cascading’ failures in a network of N interconnected system components (Helbing 2013, p. 51).

2
Q

How to calculate risk?

A

Risk = likelihood × impact

3
Q

What are the 4 risk mitigation options?

A

  • Avoid
  • Reduce
  • Transfer
  • Accept

4
Q

Explain Risk Appetite

A

Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk. Risk appetite is subjective: someone who wants to keep costs low might think that with amount X spent on security, a lot of risk is covered (A); he/she is optimistic. The CIO, who needs his assets to be secure, might think that with the same amount X, fewer risks have been covered (B); he/she is pessimistic.

5
Q

What are organizational, procedural and technical security controls?

A
  • Organizational: function, role, task (segregation of duties)
  • Procedural: verification; workflow
  • Technical: basic security (separate networks, firewalls, routers, encryption techniques), access control, logging and monitoring
6
Q

Name & explain the 4 elements of access control

A
  • Identification: unique way of identifying an entity (e.g. login)
  • Authentication: proof of identity (e.g. password)
  • Authorization: rights (read, write, execute) of person in role
  • Nonrepudiation: receiver can’t deny receipt of message
7
Q

Explain IAM

A

“Identity and access management (IAM) is the discipline that enables the right individuals to access the right resources at the right times for the right reasons.”

8
Q

What is segregation of duties?

A

Segregation of duties is the concept of requiring more than one person to complete a task (e.g. two consecutive steps in a business process). In business, sharing a single task among more than one individual is an internal control intended to prevent fraud and error.

9
Q

What are the 3 lines of defense?

A

In the Three Lines of Defense model, management control is the first line of defense in risk management, the various risk control and compliance oversight functions established by management are the second line of defense, and independent assurance is the third. Each of these three “lines” plays a distinct role within the organization’s wider governance framework.

The Three Lines of Defense model distinguishes among three groups (or lines) involved in effective risk management:

  • Functions that own and manage risks.
  • Functions that oversee risks.
  • Functions that provide independent assurance.
10
Q

What is a Security Operations Center (SOC)?

A

A SOC (Security Operations Center) combines people, processes and technologies that provide situational awareness through the detection, containment and remediation of IT threats. A SOC handles, on behalf of an institution or company, any threatening IT incident, and ensures that it is properly identified, analyzed, communicated, investigated and reported. The SOC also monitors applications to identify a possible cyber-attack or intrusion (an event), determines whether it is a genuine malicious threat (an incident), and assesses whether it could affect the business.
