Final
residual risk
Risk that remains after implementing controls.
Mean Time Between Failures (MTBF)
a common measure of the reliability of a system, expressed as the average time between system failures; the time between failures is measured from the time a system returns to service until the next failure
hot site
a fully configured environment that is similar to the normal operating environment and that can be operational immediately or within a few hours, depending on its configuration and the needs of the organization
control
a measure taken to detect, prevent, or mitigate the risk associated with a threat; aka countermeasure or safeguard
threat vector
the method used to deliver or carry out a threat; for example, malware (the threat) that is delivered via a watering hole attack (the threat vector)
asset
any resource or information an organization needs to conduct its business
Elements of change management / the four phases of configuration management
1. Configuration identification 2. Configuration control 3. Configuration status accounting 4. Configuration auditing
configuration management
considered synonymous with change management and, in a more limited manner, version control or release control; often applied to the management of changes in the business environment, typically as a result of business process reengineering or quality enhancement efforts; the term is directly related to managing and controlling software development, maintenance, and system operation; the application of change management principles to the configuration of both software and hardware
Configuration Status Accounting
consists of the procedures for tracking and maintaining data relative to each configuration item in the baseline; closely related to configuration control; involves gathering and maintaining information relative to each configuration item
Business Impact Analysis (BIA)
describes the document that details the specific impact of elements on a business operation; aka business impact assessment; outlines what the loss of any of your critical functions will mean to the organization; the foundational document used to establish a wide range of priorities, including system backups and restoration, which are needed to maintain continuity of operation; a business-level analysis of the criticality of all elements with respect to the business as a whole
impact
is the loss (or harm) resulting when a threat exploits a vulnerability
Single Loss Expectancy (SLE)
is the monetary loss or impact of each occurrence of a threat exploiting a vulnerability; SLE = asset value (AV) x exposure factor (EF)
risk management
is the overall decision making process of identifying threats and vulnerabilities and their potential impacts, determining the costs to mitigate such events, and deciding what actions are cost effective for controlling these risks
Mean time to failure (MTTF)
a variation of MTBF, one that is commonly used instead of MTBF when the system is replaced in lieu of being repaired. Other than the semantic difference, the calculation is the same, and the meaning is essentially the same.
incremental backup
a variation on a differential backup, with the difference being that instead of copying all files that have changed since the last full backup, it only backs up files that have changed since the last full or incremental backup occurred, thus requiring fewer files to be backed up
full backup
all files and software are copied onto the storage media
vulnerability
any characteristic of an asset that can be exploited by a threat to cause harm; can also be the result of a lack of security controls or a weakness in controls; your system has a security vulnerability, for example, if you have not installed patches to fix a cross-site scripting (XSS) error on your web site
intangible impact
an impact for which assigning a financial value is difficult
fault tolerance
has essentially the same goal as high availability (uninterrupted access to data and services) and is accomplished by the mirroring of data and systems; should a "fault" occur, causing a disruption in a device such as a disk controller, the mirrored system provides the requested data with no apparent interruption in service to the user
delta backup
goal is to back up as little information as possible each time you perform a backup
cold site
has the basic environmental controls necessary to operate but has few of the computing components necessary for processing
hazard
is a circumstance that increases the likelihood or probable severity of a loss
Availability
is a measure of the proportion of time a system performs its intended function; availability = MTTF / (MTTF + MTTR)
exposure factor
is a measure of the magnitude of loss of an asset, expressed as the fraction (or percentage) of the asset's value lost in a single occurrence; used in the calculation of single loss expectancy
Annualized Loss Expectancy (ALE)
is how much an event is expected to cost per year; ALE = SLE x ARO
systematic risk
is the chance of loss that is predictable under relatively stable circumstances. Examples such as fire, wind, or flood produce losses that, in the aggregate over time, can be accurately predicted despite short-term fluctuations. Systematic risk can be diversified away, which gives managers a level of control that can be employed
unsystematic risk
is the chance of loss that is unpredictable in the aggregate because it results from forces that are difficult to predict. Examples include, but are not limited to, recession, unemployment, epidemics, war-related events, and so forth. Unsystematic risk cannot be mitigated via diversification, limiting management responses
Annualized Rate of Occurrence (ARO)
is the frequency with which an event is expected to occur on an annualized basis
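The SLE, EF, ALE and ARO terms above combine into one calculation that decides whether a control is worth buying: the control is cost-effective when the ALE it removes exceeds its own annual cost. The following worked example is added here and is not part of the original deck; every asset value, exposure factor, occurrence rate and control cost in it is a constructed sample figure, not a measurement from a real environment.

```python
"""Quantitative risk assessment: SLE, ALE and control cost-effectiveness.
Added worked example; not from the original deck. All dollar figures, exposure
factors and occurrence rates below are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one occurrence, 0.0 to 1.0
    aro: float              # ARO: expected occurrences per year


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF: monetary loss from a single occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: expected cost of the event per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def scenario_ale(s):
    return annualized_loss_expectancy(
        single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def control_value(before, after, annual_control_cost):
    """Net annual value of a control: ALE reduction minus the control's yearly cost.
    `after` describes the same threat with the control in place (lower EF, lower
    ARO, or both). A positive result means the control pays for itself."""
    return scenario_ale(before) - scenario_ale(after) - annual_control_cost


def recommend(before, after, annual_control_cost):
    value = control_value(before, after, annual_control_cost)
    return "implement" if value > 0 else "do not implement (accept or transfer the risk)"


# Constructed cases: (threat without the control, same threat with it, annual cost of the control)
CASES = [
    (Scenario("web defacement via unpatched CMS", 250_000, 0.20, 2.0),
     Scenario("web defacement with WAF and patch SLA", 250_000, 0.20, 0.25), 30_000),
    (Scenario("lost laptop, unencrypted disk", 40_000, 1.0, 2.0),
     Scenario("lost laptop, full-disk encryption", 40_000, 0.125, 2.0), 5_000),
    (Scenario("data center flood", 2_000_000, 0.5, 0.02),
     Scenario("data center flood after relocation", 2_000_000, 0.5, 0.001), 150_000),
]


def evaluate_cases(cases=CASES):
    """Return (name, ALE before, ALE after, net control value, recommendation) per case."""
    return [(b.name, scenario_ale(b), scenario_ale(a), control_value(b, a, cost),
             recommend(b, a, cost)) for b, a, cost in cases]


if __name__ == "__main__":
    for name, ale_b, ale_a, value, rec in evaluate_cases():
        print(f"{name:40} ALE {ale_b:>12,.0f} -> {ale_a:>10,.0f}  net {value:>+12,.0f}  {rec}")
```

The third case is the one to notice: relocation removes nearly all of the flood ALE, yet its yearly cost is seven times the ALE it protects against, so the arithmetic says accept the residual risk or transfer it (insurance) rather than spend on the control.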
Quantitative Risk Assessment
is the process of objectively determining the impact of an event that affects a project, program, or business
business continuity (BC)
the issue of continued organizational operations; keeping an organization running when an event occurs that disrupts operations is not accomplished spontaneously but requires advance planning and periodically exercising those plans to ensure they will work
risk
possibility of suffering harm or loss
Change Management
procedures that can add structure and control to the development and management of large software systems as they move from development to implementation and during operations; refers to a standard methodology for performing and recording changes during software development and system operation; the methodology defines steps that ensure that system changes are required by the organization and are properly authorized, documented, tested, and approved by management
risk assessment
the process of analyzing an environment to identify the risks (threats and vulnerabilities) and the mitigating actions, to determine (either qualitatively or quantitatively) the impact of an event that would affect a project, program, or business; aka risk analysis
high availability
refers to the ability to maintain availability of data and operational processing despite a disrupting event
separation of duties
requirement that duties be assigned to individuals in such a way that no one individual can control all phases of a process or the processing and recording of a transaction
tangible impact
results in financial loss or physical damage
baseline
serves as a foundation for comparison or measurement; provides the necessary visibility to control change
Total Cost of Ownership (TCO)
the set of all costs, everything from capital costs to operational and exception-handling costs, that is associated with a technology
Redundant Array of Independent Disks (RAID)
takes data that is normally stored on a single disk and spreads it out among several others; if any single disk is lost, the data can be recovered from the other disks where the data (or its parity) also resides; note that RAID 0 only stripes for performance and provides no redundancy
Recovery Time Objective (RTO)
used to describe the target time that is set for the resumption of operations after an incident; a period of time that is defined by the business, based on the needs of the enterprise; a shorter RTO results in higher costs because it requires greater coordination and resources; deals with the requirements of business continuity
System Problem Report (SPR)
used to track changes through the CCB; the SPR documents changes or corrections to a system; it reflects who requested the change and why, what analysis must be done and by whom, and how the change was corrected/implemented
Qualitative Risk Assessment
The process of subjectively determining the impact of an event that affects a project, program, or business.
Configuration auditing
The process of verifying that configuration items are built and maintained according to requirements, standards, or contractual agreements.
threat actor
(agent) is the entity behind a threat
Software Engineering Institute Model
1. Identify 2. Analyze 3. Plan 4. Track 5. Control
CMMI Maturity Levels
Level 1 - Initial; Level 2 - Managed; Level 3 - Defined; Level 4 - Quantitatively Managed; Level 5 - Optimizing
Change Control Board (CCB)
A formally chartered group responsible for reviewing, evaluating, approving, delaying, or rejecting changes to the project, and for recording and communicating such decisions; oversees the change management process; convenes on a regular basis, usually weekly or monthly, and can be convened on an emergency/as-needed basis as well; membership should consist of development project managers, network admins, system admins, test/QA managers, etc.
Capability Maturity Model Integration (CMMI)
A process-improvement approach (useful for but not limited to software engineering projects) that can assist in assessing the maturity, quality, and development of certain organizational business processes, and suggest steps for their improvement.
threat
any circumstance or event with the potential to cause harm for an asset
difference between BCP and DRP
BCP - about trimmed-down essential operations; a tactical necessity until operations can be restored; what is needed for the business to operate in the short term. DRP - focuses on recovery and rebuilding of the organization after the disaster has occurred; part of the larger picture; includes protection of human life
mitigate
refers to taking action to reduce the likelihood of a threat occurring, and to reduce the impact if a threat does occur
disaster recovery planning
critical for effective disaster recovery efforts; defines the data and resources necessary and the steps required to restore critical organizational processes; must include the processes and procedures needed to restore your organization to proper functioning and to ensure continued operation
NIST Risk Model
First level (process steps) - frame, assess, respond, and monitor; second level (tiers) - organization, mission/business processes, information systems
Risk Management Tools
Gantt chart, Pareto chart, PERT diagram, Risk Management Plan
differential backup
Only files and software that have changed since the last full backup was completed are backed up.
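The full, incremental, delta and differential definitions on this page describe what each backup contains, but the practical difference shows up at restore time: a differential restore needs only the last full backup plus the latest differential, while an incremental restore needs the full backup plus every incremental since it, in order, and losing any one of them leaves stale files behind. The following simulation is an added worked example, not part of the original deck; the file set and the daily change sets are constructed sample data.

```python
"""Differential vs incremental backup schedules: backup size each day, the
restore chain each strategy needs, and what happens when one incremental is lost.
Added worked example; not from the original deck. File names and change sets
are constructed sample data."""

FULL_DAY = "Sun"                       # weekly full backup taken on Sunday
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri"]
# Constructed: every file present at the time of the Sunday full backup
FILES = {"a.db", "b.log", "c.cfg", "d.txt", "e.bin"}
# Constructed: which files were modified on each weekday
CHANGES = {
    "Mon": {"a.db", "b.log"},
    "Tue": {"b.log"},
    "Wed": {"a.db", "c.cfg"},
    "Thu": set(),
    "Fri": {"d.txt"},
}


def expected_state(day):
    """Ground truth: for each file, the day of its most recent version as of `day`."""
    state = {f: FULL_DAY for f in FILES}
    for d in DAYS[: DAYS.index(day) + 1]:
        for f in CHANGES[d]:
            state[f] = d
    return state


def full_backup():
    return {f: FULL_DAY for f in FILES}


def differential_backup(day):
    """Everything changed since the last full backup, at its newest version."""
    return {f: v for f, v in expected_state(day).items() if v != FULL_DAY}


def incremental_backup(day):
    """Only what changed since the previous backup (full or incremental): that day's changes."""
    return {f: day for f in CHANGES[day]}


def restore_chain(strategy, day):
    """Ordered list of backups that must be applied to rebuild the system as of `day`."""
    if strategy == "differential":
        # full + the latest differential; earlier differentials are superseded by it
        return [full_backup(), differential_backup(day)]
    if strategy == "incremental":
        # full + every incremental up to and including `day`, oldest first
        return [full_backup()] + [incremental_backup(d) for d in DAYS[: DAYS.index(day) + 1]]
    raise ValueError(f"unknown strategy {strategy!r}")


def restore(chain):
    """Apply backups in order; a later backup overwrites older versions of the same file."""
    state = {}
    for backup in chain:
        state.update(backup)
    return state


def backup_sizes(strategy):
    """Number of files written on each day, i.e. the nightly backup-window cost."""
    make = differential_backup if strategy == "differential" else incremental_backup
    return {d: len(make(d)) for d in DAYS}


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        chain = restore_chain(strategy, "Fri")
        consistent = restore(chain) == expected_state("Fri")
        print(f"{strategy:12} sizes={backup_sizes(strategy)} "
              f"restore needs {len(chain)} backups, consistent={consistent}")
    # Failure mode: a missing incremental does not fail the restore, it silently
    # leaves files at an older version (here b.log reverts to Monday's copy).
    broken = restore_chain("incremental", "Fri")
    del broken[2]  # drop Tuesday's incremental
    stale = {f: v for f, v in restore(broken).items() if v != expected_state("Fri")[f]}
    print("missing Tue incremental -> stale files:", stale)
```

Both strategies rebuild the same Friday state, but the differential grows every night (2, 2, 3, 3, 4 files) while the incremental stays at the day's change count (2, 1, 2, 0, 1); the price of the smaller incremental is a six-step restore chain whose integrity must be verified, because a lost link produces a restore that looks successful and is wrong.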
warm site
Partially configured, usually having the peripherals and software but perhaps not the more expensive main processing computer.
mutual aid agreement
Similar organizations agree to assume the processing for the other party in the event a disaster occurs. aka reciprocal site
backout planning
The part of a configuration change plan where steps are devised to undo a change, even when not complete, to restore a system back to the previous operating condition.
Configuration control
The process of controlling changes to items that have been baselined; ensures that only approved changes to a baseline are allowed to be implemented; provides valuable insight to managers
Configuration Identification
The process of identifying which assets need to be managed and controlled. these assets are called configuration items or computer software configuration items
Recovery Point Objective (RPO)
The maximum period of acceptable data loss, expressed as a span of time; determines the frequency of backup operations necessary to prevent unacceptable levels of data loss; deals with backup frequency
Business Risk
Treasury Management, Revenue Management, Contract Management, Fraud, Environment Risk Management, Business Continuity Management
General Risk Management Model
1. Asset Identification 2. Threat Assessment 3. Impact Determination and Quantification 4. Control Design and Evaluation 5. Residual Risk Management
Mean Time to Repair (MTTR)
A common measure of how long it takes to repair a given failure. This is the average time, and may or may not include the time needed to obtain parts.
