CISSP Chapter 2
cost/benefit calculation
An evaluation of whether a safeguard actually improves security without costing more than the loss it prevents. (ALE before safeguard - ALE after safeguard) - annual cost of safeguard (ACS) = value of the safeguard to the company. A positive value means the safeguard pays for itself; a negative value means it costs more than the loss it avoids.
Six Major Elements of Quantitative Risk Analysis
- Assign asset value (AV)
- Calculate exposure factor (EF)
- Calculate single loss expectancy (SLE)
- Assess the annualized rate of occurrence (ARO)
- Derive the annualized loss expectancy (ALE)
- Perform cost/benefit analysis of countermeasures
Quantitative Risk Analysis
Assigns real dollar figures to the loss of an asset and is based on mathematical calculations.
Recovery Controls
Controls implemented to restore conditions to normal after a security incident.
Directive Controls
Deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.
Compensation Controls
Deployed to provide various options to other existing controls to aid in enforcement and support of security policies.
Exposure Factor
Represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.
Annualized Rate of Occurrence
The expected frequency with which a specific threat or risk will occur within a single year
Risk limit
The maximum level of risk above the risk target that will be tolerated before further risk management actions are taken
Annualized Loss Expectancy (ALE)
The possible yearly cost of all instances of a specific realized threat against a specific asset. The ALE is calculated using the formula ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO).
Risk Deterrence
The process of implementing deterrents to would-be violators of security and policy.
Risk Avoidance
The process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option.
Delphi Technique
anonymous feedback and response process used to enable a group to reach an anonymous consensus
Qualitative Risk Analysis
assigns subjective and intangible values to the loss of an asset
Social Engineering
attack that exploits human nature and human behaviour
Hybrid Assessment
combining qualitative and quantitative
Residual Risk
consists of threats to specific assets against which upper management chooses not to implement a response
Risk Rejection
denying that a risk exists and hoping that it will never be realized
Deterrent controls
deployed to discourage security policy violations
Detective Controls
deployed to discover or detect unwanted or unauthorized activity
Preventive Controls
deployed to thwart or stop unwanted or unauthorized activity from occurring
Corrective Controls
modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred
Administrative Controls
policies and procedures defined by an organization's security policy and other regulations or requirements
Physical Controls
security mechanisms focused on providing protection to the facility and real-world objects
Total Risk
the amount of risk an organization would face if no safeguards were implemented: threats * vulnerabilities * asset value = total risk
controls gap
the amount of risk that is reduced by implementing safeguards: total risk - controls gap = residual risk
Risk Tolerance
the amount or level of risk that an organization will accept per individual asset-threat pair
Technical (logical) controls
the hardware or software mechanisms used to manage access and provide protection for IT resources and systems
Risk Mitigation
the implementation of safeguards, security controls, and countermeasures to reduce or eliminate vulnerabilities or block threats
Inherent Risk
the level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed
Risk capacity
the level of risk an organization is able to shoulder
Risk Assignment
the placement of the responsibility of loss due to a risk onto another entity or organization.
Single Loss Expectancy (SLE)
the potential loss associated with a single realized threat against a specific asset SLE= AV * EF
Risk Acceptance
the result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk
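The quantitative formulas on this card set (SLE = AV * EF, ALE = SLE * ARO, and the cost/benefit calculation ALE before - ALE after - ACS) are easiest to remember when carried through end to end. The following is an added worked example, not part of the original deck; the asset figures, exposure factors, occurrence rates and safeguard costs are constructed for illustration, and the names Scenario, Safeguard, cost_benefit and recommend are my own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One asset-threat pair with the inputs quantitative analysis needs."""
    asset: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per realized threat (0.0-1.0)
    aro: float              # ARO, expected occurrences per year

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce meaningless SLE/ALE figures.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure: its yearly cost and the EF/ARO it leaves behind."""
    name: str
    annual_cost: float      # ACS: purchase amortized over its life + upkeep
    new_exposure_factor: float
    new_aro: float


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: SLE = AV * EF."""
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE * ARO."""
    return single_loss * aro


def cost_benefit(scenario: Scenario, safeguard: Safeguard) -> dict:
    """Value of a safeguard = (ALE before - ALE after) - ACS."""
    ale_before = ale(sle(scenario.asset_value, scenario.exposure_factor), scenario.aro)
    ale_after = ale(sle(scenario.asset_value, safeguard.new_exposure_factor), safeguard.new_aro)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_cost": safeguard.annual_cost,
        "value": ale_before - ale_after - safeguard.annual_cost,
    }


def recommend(scenario: Scenario, safeguard: Safeguard) -> str:
    """'mitigate' when the safeguard is worth more than it costs, else 'accept'
    (the countermeasure cost outweighs the expected loss, so the risk is accepted)."""
    return "mitigate" if cost_benefit(scenario, safeguard)["value"] > 0 else "accept"


# Constructed sample data (illustrative figures, not from the deck).
WEB_SERVER = Scenario("customer web server", asset_value=200_000.0,
                      exposure_factor=0.25, aro=0.5)
WAF = Safeguard("managed WAF", annual_cost=8_000.0,
                new_exposure_factor=0.125, new_aro=0.25)
REBUILD = Safeguard("full platform rebuild", annual_cost=30_000.0,
                    new_exposure_factor=0.0625, new_aro=0.125)

if __name__ == "__main__":
    for sg in (WAF, REBUILD):
        r = cost_benefit(WEB_SERVER, sg)
        print(f"{sg.name}: ALE {r['ale_before']:,.0f} -> {r['ale_after']:,.0f}, "
              f"cost {r['annual_cost']:,.0f}, value {r['value']:,.1f} "
              f"=> {recommend(WEB_SERVER, sg)}")
```

With the constructed numbers, the web server's SLE is 50,000 and its ALE 25,000 per year. The WAF cuts the ALE to 6,250 for 8,000 a year, a net value of 10,750, so it should be implemented; the rebuild drives the ALE down further but costs more than the loss it prevents, which is the case the Risk Acceptance card describes.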
Risk Appetite
total amount of risk that an organization is willing to shoulder in aggregate across all assets
RMF Cycle Phases
- Prepare (ongoing, supports all other steps)
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
Risk Framework
A guideline or recipe for how risk is to be assessed, resolved, and monitored.