5.2 Explain elements of the risk management process


9 Terms

1

Match the risk assessment to its definition:

Risk assessment type:

Ad hoc

Continuous

One-Time

Recurring

Definition:

This assessment refers to a single evaluation conducted to identify and analyze risks associated with a specific event. This may include software installation, company acquisition or new unique security threats.

This assessment may already be a part of an existing process that involves an ongoing evaluation of the major risks a company may be facing.

This assessment is not scheduled regularly and is usually initiated to address immediate risks or to provide insight into a particular situation. An example is a CEO coming back from a conference having discovered a possible security threat, and wanting to see whether we are already protected from this threat or what steps we need to take to be protected.

This assessment is done on an interval to ensure you are meeting company standards and compliance. This can happen every 3 months or at the beginning of the year as an example.

Ad hoc: This assessment is not scheduled regularly and is usually initiated to address immediate risks or to provide insight into a particular situation. An example is a CEO coming back from a conference having discovered a possible security threat, and wanting to see whether we are already protected from this threat or what steps we need to take to be protected.

Continuous: This assessment may already be a part of an existing process that involves an ongoing evaluation of the major risks a company may be facing.

One-Time: This assessment refers to a single evaluation conducted to identify and analyze risks associated with a specific event. This may include software installation, company acquisition or new unique security threats.

Recurring: This assessment is done on an interval to ensure you are meeting company standards and compliance. This can happen every 3 months or at the beginning of the year as an example.

2

What’s the difference between Qualitative risk assessment and Quantitative risk assessment?

Qualitative: Qualitative risk assessment is subjective and relies on expert judgment, using descriptive data to identify and prioritize risks based on their impact and likelihood.

Quantitative:

3

What is ARO and how do you calculate this?

ARO stands for Annualized Rate of Occurrence. This can be calculated by dividing the total number of expected events in a year by the total number of opportunities for those events to occur.

4

What does SLE mean and how is this calculated?

SLE stands for Single Loss Expectancy. This is calculated by taking the Asset Value (AV) X Exposure Factor (EF).

5

What does ALE stand for and how is this calculated?

ALE stands for Annualized Loss Expectancy. This is calculated by taking the ARO X SLE.

6

What’s the difference between risk appetite and risk tolerance?

Risk Appetite: This describes what a company is willing to risk, and to accept that risk, before any action is taken to reduce it.

Risk Tolerance: This is considered bigger than the risk appetite as it is putting more at risk. It defines the boundaries and standards for assessing and responding to those risks.

7

What is a risk register?

A risk register is a way to track the possible risks that come with every project that happens. A risk owner is usually tied to each risk to monitor its status and help identify risks that may impact the company.

8

Match the risk strategy with its description:

Risk Strategy:

Avoid

Accept

Transfer

Mitigate

Description:

Moving that risk to another party such as buying insurance.

A company’s decision to move forward knowing the risks involved.

Stopping participation in an activity and removing the risk completely.

Risk is still active, but can be lowered to reduce the risk overall.

Avoid: Stopping participation in an activity and removing the risk completely.

Accept: A company’s decision to move forward knowing the risks involved.

Transfer: Moving that risk to another party such as buying insurance.

Mitigate: Risk is still active, but can be lowered to reduce the risk overall.

9

What is the difference between RTO, RPO, MTBF and MTTR?

RTO: This stands for Recovery Time Objective. This is the time frame for how long it will be before your company is back up and running.

RPO: This stands for Recovery Point Objective. This refers to the maximum amount of data loss that an organization is willing to accept, measured in time.

MTTR: This stands for Mean Time To Repair. This is the average time required to fix an issue. It is an important metric for determining the cost and time associated with unplanned outages.

MTBF: This stands for Mean Time Between Failures. This is the estimated time between failures and can be used to predict when to expect a failure based on historical performance.