61 Cards in this Set
Enterprise Risk Management Program (ERM) |
Organizations take a formal approach to risk analysis that begins with identifying risks, continues with determining the severity of each risk, and then results in adopting one or more risk management strategies to address each risk |
|
Threats |
Any possible events that might have an adverse impact on the confidentiality, integrity, or availability (CIA) of our information or information systems |
|
Vulnerabilities |
Weaknesses in our systems or controls that could be exploited |
|
Risks |
The combination of a threat and a vulnerability: the potential damage that could take place if nothing is done to reduce the risk |
|
Risk Identification Process |
Identifying the threats and vulnerabilities that exist in your operating environment |
|
External Risks |
Originate from a source outside the organization. These include cybersecurity adversaries, malicious code, and natural disasters. |
|
Internal Risks |
Originate from within the organization. They include malicious insiders, mistakes made by authorized users, and equipment failures. |
|
Multiparty Risks |
Impact more than one organization. An example is a power outage to an entire city block that affects multiple businesses. |
|
Legacy Systems |
Outdated systems often do not receive security updates and cybersecurity professionals must take extraordinary measures to protect them against unpatchable vulnerabilities. |
|
Intellectual Property (IP) Theft |
Occurs when a company possesses trade secrets or other proprietary information which, if disclosed, could compromise the organization’s business advantage |
|
Software Compliance/Licensing Risks |
Arise when an organization licenses software from a vendor and intentionally or accidentally runs afoul of usage limitations, exposing the customer to financial and legal risk. |
|
Risk Calculation |
Not all risks are created equal, and this process allows for prioritizing risks based on several factors. |
|
Likelihood of Occurrence |
The probability that the risk will occur. Expressed as a percentage chance over a specified period of time, such as a year. |
|
Magnitude of Impact |
The amount of impact that the risk will have on the organization if it does occur. This is usually expressed as a financial cost. |
|
Risk Severity Calculation |
Risk Severity = Likelihood * Impact |
|
Risk Assessment |
Formalized approach to risk prioritization that allows organizations to conduct their reviews in a structured manner |
|
Quantitative Risk Assessment |
Uses numeric data in the analysis, resulting in assessments that allow the very straightforward prioritization of risks. |
|
Qualitative Risk Assessments |
Use subjective rating scales to evaluate probability and magnitude of risks, allowing the assessment of risks that are difficult to quantify. |
|
Risk Management |
Process of systematically addressing the risks facing an organization. It serves two roles:
- Provides guidance in prioritizing risks so that the risks with the highest probability and magnitude are addressed first.
- Quantitative risk assessments help determine whether the potential impact of a risk justifies the costs incurred by adopting a risk management approach. |
|
Risk Mitigation |
Process of applying security controls to reduce the probability and/or magnitude of a risk. It is the most common risk management strategy. |
|
Risk Avoidance |
Change business practices to completely eliminate the potential that a risk will materialize. This can have a detrimental impact on the business. |
|
Risk Transference |
Shifts some of the impact of a risk from the organization experiencing the risk to another entity. Most common example is purchasing an insurance policy that covers a risk. |
|
Cyber Security Insurance |
This coverage would repay some or all of the cost of recovering operations and may also cover lost revenue during an attack. |
|
Risk Acceptance |
Deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk. Warranted if the cost of mitigating a risk is greater than the impact of the risk itself. |
|
Inherent Risk |
Original level of risk that exists before implementing any controls. |
|
Residual Risk |
Risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk. |
|
Risk Appetite |
Level of risk that an organization is willing to accept as a cost of doing business. |
|
Control Risk |
Risk that arises from the potential that a lack of internal controls within the organization will cause a material misstatement in the organization’s financial reports. |
|
Risk Matrix |
Quickly summarizes risks and allows senior leaders to quickly focus on the most significant risks facing the organization. |
|
Disaster Recovery Planning (DRP) |
Developing plans to recover operations as quickly as possible in the face of a disaster. The goal of these plans is to help the organization recover normal operations as quickly as possible in the wake of a disruption. |
|
Disaster |
Any event that has the potential to disrupt an organization’s business. The occurrence of a disaster triggers the activation of the organization’s disaster recovery plan. |
|
Site Risk Assessments |
Seek to identify and prioritize the risks posed to the facility by a disaster, including both internal and external risks from both environmental and man-made disasters. |
|
Business Impact Analysis (BIA) |
Formal process designed to identify the mission essential functions within an organization and facilitate the identification of the critical systems that support those functions. |
|
Mean Time Between Failures (MTBF) |
Measure of the reliability of a system. The expected amount of time that will elapse between system failures. |
|
Mean Time to Repair (MTTR) |
Average amount of time to restore a system to its normal operating state after a failure. |
|
Recovery Time Objective (RTO) |
Amount of time that the organization can tolerate a system being down before it is repaired. |
|
Recovery Point Objective (RPO) |
Amount of data that the organization can tolerate losing during an outage. |
|
Single Point of Failure |
Systems, devices, or other components that, if they fail, would cause an outage. |
|
Personally Identifiable Information (PII) |
Information that uniquely identifies an individual person, including customers, employees, and third parties. |
|
Protected Health Information (PHI) |
Medical records maintained by healthcare providers and other organizations that are subject to the Health Insurance Portability and Accountability Act (HIPAA). |
|
Financial Information |
Personal financial records maintained by the organization. |
|
Government Information |
Information about the government, including classified data. |
|
Information Classification |
Organizes data into categories based on the sensitivity of the information and the impact on the organization should the information be inadvertently disclosed. |
|
Top Secret |
Information that requires the highest degree of protection |
|
Secret Classification |
Information that requires a substantial degree of protection. |
|
Confidential Classification |
Information that requires some protection. |
|
Unclassified Classification |
Information that does not meet the standards for classification. Not publicly releasable without authorization. |
|
Data Ownership |
Organization designates specific senior executives as the data owners for different data types. They don’t make all of these decisions in isolation. Data owners delegate some of their responsibilities to others in the organization and also rely on advice from subject matter experts. |
|
Data Controllers |
Entities who determine the reasons for processing personal information and direct the methods of processing that data. |
|
Data Stewards |
Individuals who carry out the intent of the data controller and are delegated responsibility from the controller. |
|
Data Custodians |
Individuals or teams who do not have controller or stewardship responsibility but are responsible for the secure safekeeping of information. |
|
Data Processors |
Service providers that process personal information on behalf of a data controller. |
|
Data Minimization |
Organizations collect the smallest possible amount of information necessary to meet their business requirements. |
|
Purpose Limitations |
Information should be used only for the purpose that it was originally collected and that was consented to by the data subjects. |
|
Data Retention |
Guides the end of the data lifecycle. Data should only be kept for as long as it remains necessary to fulfill the purpose for which it was originally collected. Reducing the amount of data that you retain is the best or most effective strategy for reducing risk. |
|
Data De-Identification |
Removes the ability to link data back to an individual, reducing its sensitivity. |
|
Data Obfuscation |
Transforming data into a format where the original information can’t be retrieved. Hashing, tokenization, and data masking are examples. |
|
Hashing |
Hash functions transform a value in our dataset to a corresponding hash value. |
|
Tokenization |
Replaces sensitive values with a unique identifier using a lookup table. The lookup table itself must be kept secure. |
|
Data Masking |
Partially redact sensitive information by replacing some or all of the sensitive fields with blank characters. |
|
Rainbow Table Attack |
The attacker computes the hashes of a set of candidate values and then checks whether those hashes exist in your data file. |