CISSP - Study Guide - Chapter 2
Risk Management
A detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.
Asset Valuation
A dollar value assigned to an asset based on actual cost and non-monetary expenses.
Scenario
A written description of a single major threat. The description focuses on how the threat would be instigated and what effects its occurrence could have on the organization, the IT infrastructure, and specific assets.
Probability Determination
ARO calculation is also known as _____.
Delphi Technique
An anonymous feedback-and-response process used to enable a group to reach consensus anonymously. Its primary purpose is to elicit honest and uninfluenced responses from all participants.
Risk Rejection
An unacceptable response to risk. Denying that risk exists.
Loss Potential
Another name for Exposure Factor (EF)
Threats
Any action or inaction that could cause damage, destruction, alteration, loss, or disclosure of assets or that could block access to or prevent maintenance of assets.
Personally Identifiable Information (PII)
Any data item that can be easily and/or obviously traced back to the person of origin or concern.
Safeguard
Anything that removes or reduces a vulnerability or protects against one or more specific threats.
Asset
Anything within an environment that should be protected.
Non-compete Agreement (NCA)
Attempts to prevent an employee with special knowledge of secrets from one organization from working in a competing organization in order to prevent the second organization from benefiting from the worker's special knowledge of secrets.
Exposure
Being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited by a threat agent or event.
Physical
Examples of this category of security control are guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, video cameras, mantraps, and alarms.
Administrative
Examples of this category of security control are policies, procedures, hiring practices, background checks, data classifications and labeling, security awareness and training efforts, vacation history, reports and reviews, work supervision, personnel controls, and testing.
Derive the Annualized Loss Expectancy (ALE)
Fifth step of quantitative risk analysis
Assign Asset Value (AV)
First step of quantitative risk analysis
number of occurrences / year
Formula for Annualized Rate of Occurrence (ARO)
total risk - controls gap
Formula for residual risk.
threats * vulnerabilities * asset value
Formula for total risk.
ALE = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)
Formula to calculate Annualized Loss Expectancy (ALE)
SLE = Asset Value (AV) * Exposure Factor (EF)
Formula to calculate Single Loss Expectancy (SLE)
(ALE1 - ALE2) - ACS
Formula to calculate the value or benefit of a safeguard, where ALE1 is the ALE before the safeguard, ALE2 is the ALE after it, and ACS is the annual cost of the safeguard.
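The six quantitative steps and the SLE, ALE and safeguard-value formulas above, carried through end to end for one asset/threat pair and several candidate countermeasures. This is an added example and not part of the study guide: the asset value ($300,000), the 30% exposure factor, the ARO of 0.5 and the three safeguards with their annual costs are constructed inputs, chosen so that SLE and ALE match the deck's $90,000 / 0.5 / $45,000 figures, and the function names are my own.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor_pct: float) -> float:
    """Step 3: SLE = AV * EF. EF is the percentage of the asset lost in one incident."""
    if not 0 <= exposure_factor_pct <= 100:
        raise ValueError("exposure factor must be a percentage between 0 and 100")
    return asset_value * exposure_factor_pct / 100


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Step 5: ALE = SLE * ARO. ARO is incidents per year and may be below 1 (0.5 = once every two years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost_of_safeguard: float) -> float:
    """Step 6: value = (ALE1 - ALE2) - ACS. Negative means the control costs more per year than it saves."""
    return (ale_before - ale_after) - annual_cost_of_safeguard


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float          # ACS: amortised purchase price plus yearly operating/maintenance cost
    exposure_factor_pct: float  # EF with the control in place (controls that limit damage lower this)
    aro: float                  # ARO with the control in place (controls that prevent incidents lower this)


def evaluate_safeguards(asset_value, exposure_factor_pct, aro, safeguards):
    """Run steps 1-6 for one asset/threat pair and rank the candidate safeguards by net value."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor_pct), aro)
    results = []
    for sg in safeguards:
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, sg.exposure_factor_pct), sg.aro)
        results.append({
            "name": sg.name,
            "ale_before": ale_before,
            "ale_after": ale_after,
            "value": safeguard_value(ale_before, ale_after, sg.annual_cost),
        })
    # Best net value first. A safeguard whose value is <= 0 fails cost/benefit; the
    # sensible response is then to accept the risk (or pick another control), not to buy it.
    results.sort(key=lambda r: r["value"], reverse=True)
    return results


# Constructed sample (hypothetical figures): a $300,000 asset, 30% EF and ARO 0.5 for a
# total power loss, chosen so SLE = $90,000 and ALE = $45,000 as in the deck's question.
ASSET_VALUE = 300_000
EXPOSURE_FACTOR_PCT = 30
ARO = 0.5
CANDIDATES = [
    Safeguard("UPS and generator", annual_cost=10_000, exposure_factor_pct=30, aro=0.05),
    Safeguard("Surge protectors", annual_cost=500, exposure_factor_pct=30, aro=0.45),
    Safeguard("Dual-site failover", annual_cost=60_000, exposure_factor_pct=5, aro=0.5),
]

if __name__ == "__main__":
    for r in evaluate_safeguards(ASSET_VALUE, EXPOSURE_FACTOR_PCT, ARO, CANDIDATES):
        verdict = "worth implementing" if r["value"] > 0 else "fails cost/benefit"
        print(f'{r["name"]:20} ALE1=${r["ale_before"]:,.0f} ALE2=${r["ale_after"]:,.0f} '
              f'value=${r["value"]:,.0f} -> {verdict}')
```

Note the two ways a control changes the numbers: a preventive control (UPS) lowers the ARO while leaving the damage per incident unchanged, whereas a damage-limiting control (failover) lowers the EF while the incident still happens just as often. The failover option reduces ALE the most in absolute terms yet comes out negative once its $60,000 annual cost is subtracted, which is exactly the case where risk acceptance, not the expensive safeguard, is the correct management decision.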
Assess the Annualized Rate of Occurrence (ARO)
Fourth step of quantitative risk analysis
Residual Risk
Once countermeasures are implemented, the risk that remains is known as?
Employment Agreement
Outlines the rules and restrictions of the organization, the security policy, the acceptable use and activities policies, details of the job description, violations and consequences, and the length of time the position is to be filled by the employee.
Exposure Factor (EF)
Represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.
Quantitative Risk Analysis
Risk assessment methodology that assigns real dollar figures to the loss of an asset.
Qualitative Risk Analysis
Risk assessment methodology that assigns subjective and intangible values to the loss of an asset.
risk = threat * vulnerability
Risk written as a formula
Calculate Exposure Factor (EF)
Second step of quantitative risk analysis
Perform Cost/Benefit Analysis of Countermeasures
Sixth step of quantitative risk analysis
Principle of Least Privilege
States that in a secured environment, users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities.
Percentage
The Exposure Factor is expressed as a _____.
Dollar Value
The Single Loss Expectancy is calculated in a _____.
Compliance
The act of conforming to or adhering to rules, policies, regulations, standards, or requirements.
Total Risk
The amount of risk that an organization would face if no safeguards were implemented.
Security Governance
The collection of practices related to supporting, defining, and directing the security efforts of an organization.
Single Loss Expectancy (SLE)
The cost associated with a single realized risk against a specific asset. Indicates the exact amount of loss an organization would experience if an asset were harmed by a specific threat occurring.
Controls Gap
The difference between total risk and residual risk. The amount of risk that is reduced by implementing safeguards.
Annualized Rate of Occurrence (ARO)
The expected frequency with which a specific threat or risk will occur.
Attack
The exploitation of a vulnerability by a threat agent.
Experienced Exposure
The exposure to a realized threat
Crafting job descriptions
The first step in defining security needs related to personnel and being able to seek out new hires.
Governance
The goal of this is to maintain business processes while striving towards growth and resiliency.
Risk Mitigation
The implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats.
Hybrid Assessment / Analysis
The method of combining quantitative and qualitative analysis into a final assessment of organizational risk.
Breach
The occurrence of a security mechanism being bypassed or thwarted by a threat agent.
Safeguards
The only means by which a risk is mitigated or removed.
Risk Assignment (Risk Transfer)
The placement of the cost of loss a risk represents onto another entity or organization.
Annualized Loss Expectancy (ALE)
The possible yearly cost of all instances of a specific realized threat against a specific asset.
Risk Analysis
The process by which the goals of risk management are achieved. Includes examining an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause if it did occur, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management.
Documentation Review
The process of reading the documents such as security requirements, security policies, and self-assessment reports that are exchanged between an organization and a governing body.
Separation of Duties
The security concept in which critical, significant, and sensitive work tasks are divided among several individual administrators or high-level operators.
Job Responsibilities
The specific work tasks an employee is required to perform on a regular basis.
Third-Party Governance
The system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements.
Technical, Administrative, and Physical
The three categories of security controls.
Risk Acceptance
The valuation by management of the cost/benefit analysis of possible safeguards and the determination that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk.
Vulnerability
The weakness in an asset or the absence or the weakness of a safeguard or countermeasure.
Calculate Single Loss Expectancy (SLE)
Third step of quantitative risk analysis
Administrative
This category of security control consists of the policies and procedures defined by an organization's security policy and other regulations or requirements.
Technical
This category of security control includes authentication methods, encryption, constrained interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems, and clipping levels.
Quantitative and Qualitative
Two types of risk assessment methodologies
Nondisclosure Agreement (NDA)
Used to protect the confidential information within an organization from being disclosed by a current or former employee.
$45,000
What is the ALE if the SLE of an asset is $90,000 and the ARO for a specific threat (such as a total power loss) is 0.5? (ALE = SLE * ARO = $90,000 * 0.5.)
Collusion
When several people work together to perpetrate a crime.