27 Cards in this Set
Define "RISK"
Possibility of harm to an asset as a result of a threat exploiting a vulnerability.

Ex. Probability of a virus entering your organization and infecting your computers causing damage.

RISK = THREAT x VULNERABILITY x IMPACT
Define an "ASSET"
Valuable resource you are trying to protect

(Ex. Data, Systems, People, Buildings, Property,...)
Define a "THREAT"
A potentially harmful occurrence

Potential danger to an asset carried out by a threat agent

Ex. earthquake, power outage, network based worm (Conficker)
Define "VULNERABILITY"
Weakness that allows a threat to cause harm.

Ex. buildings not built to withstand earthquakes, a DC without proper backup power, an old and unpatched system.
Define "IMPACT / COST (Consequences)"
Severity of the damage, sometimes expressed in dollars, which is why it can also appear as Cost.
Define a "SAFEGUARD"
A measure taken to reduce a risk
Define "ANNUALIZED LOSS EXPECTANCY (ALE)"
Calculation that allows you to determine the annual cost of a loss due to a risk.

(Once calculated, ALE allows you to make informed decisions to mitigate the risk.)

ALE = SLE x ARO
Define "ASSET VALUE (AV)"
Value of the IN/TANGIBLE asset you are trying to protect.
Define an "INTANGIBLE ASSET"
Value of an asset that is challenging to calculate / has no direct price tag.

Ex. Brand Loyalty
Define a "TANGIBLE ASSET"
Value of an asset that is straightforward to calculate.

Ex. Computers, Buildings
Define "EXPOSURE FACTOR (EF)"
Percentage (%) of an asset's value lost due to an incident.

Ex. loss of an unencrypted laptop = 100% EF
Define "SINGLE LOSS EXPECTANCY (SLE)"
Cost of a single Loss.

SLE = AV x EF, where AV = Asset Value and EF = Exposure Factor
Define "ANNUAL RATE OF OCCURRENCE (ARO)"
Number of losses you suffer per year

Ex. lost 11 laptops per year on average, ARO=11
Define "TOTAL COST OF OWNERSHIP (TCO)"
Cost of a mitigating safeguard.

It combines upfront costs (often a one-time capital expense) plus the annual cost of maintenance, including staff hours, vendor maintenance fees, software subscriptions, etc.
Define "RETURN ON INVESTMENT (ROI)"
Amount of money saved by implementing a safeguard.

If your TCO is less than your ALE (TCO < ALE), you have a positive ROI (and have made a good choice).
If your TCO is higher than your ALE (TCO > ALE), you have a negative ROI (and made a poor choice).
LIST THE TYPES OF RISK ANALYSIS
- QUALITATIVE
- QUANTITATIVE
- HYBRID
Define "QUALITATIVE RISK ANALYSIS"
Uses simple and approximate values and is inherently subjective.

Ex. Risk Analysis Matrix
Define "QUANTITATIVE RISK ANALYSIS"
Uses hard metrics (dollars, hours,...) and is more objective than Qualitative Risk Analysis.

You are required to CALCULATE the quantity of the asset you are protecting.
Define "HYBRID RISK ANALYSIS"
Combines Qualitative and Quantitative Risk Analysis.

Uses Quantitative analysis for risks that may easily be expressed in hard numbers (dollars), and the Qualitative for the remaining risks.
Define "RISK METRICS"
Metrics that can greatly assist the Information Security budgeting process.

They help illustrate potentially costly risks and demonstrate the effectiveness (and potential cost savings) of existing controls.
WHAT CHOICES DO WE HAVE WHEN CONFRONTING RISK?
After a Risk has been assessed, we can choose to:

1) ACCEPT THE RISK
2) MITIGATE THE RISK
3) TRANSFER THE RISK
4) AVOID THE RISK
Define "ACCEPTING RISK"
After a thorough Risk Analysis where all options were considered, it is determined that it is cheaper to leave an asset unprotected relative to a specific risk, rather than spend the effort and money required to protect it.
What are the typical criteria for ACCEPTING A RISK
LOW LIKELIHOOD/CONSEQUENCE risks are the typical candidates for Risk Acceptance.

Some risks (such as data protected by law, or life/safety of employees), however, are examples where risk acceptance is NOT an option.
Define "MITIGATING A RISK"
Lowering a Risk to an acceptable level.

Ex. Loss of laptops with PII: mitigating the risk could be to encrypt the laptops.
Define "TRANSFER THE RISK"
AKA the Insurance Model. You pay an insurance company to assume the risk for you.

Ex. Fire Insurance
Define "AVOID THE RISK"
After a thorough Risk Analysis it is determined that there are HIGH or EXTREME Risks that cannot be easily mitigated, and that avoiding the risk is the best option.

If ALE > ROI (despite risk mitigation) then AVOID

Legal or regulatory enforcement may also prevent you from choosing anything other than avoiding the risk.
List the 9 steps in NIST's RISK MANAGEMENT PROCESS entitled "Management Guide for IT Systems"
1. SYSTEM CHARACTERIZATION
2. THREAT IDENTIFICATION
3. VULNERABILITY IDENTIFICATION
4. CONTROL ANALYSIS
5. LIKELIHOOD DETERMINATION
6. IMPACT ANALYSIS
7. RISK DETERMINATION
8. CONTROL RECOMMENDATIONS
9. RESULTS DOCUMENTATION