How are dependencies identified between mission essential functions?
Business process analysis (BPA), done for each MEF
What do BPAs identify?
Inputs, hardware, staff, outputs, process flow
What is a BIA? What does it do?
Business Impact Analysis identifies the potential effects of a disruption on each business function and quantifies the losses that the disruption would cause
What are MEFs?
Mission Essential Functions are functions that are vital to business operation
What are PBFs?
Primary Business Functions are important to the organization but are not mission-essential; an outage of a PBF does not by itself stop the business from operating
What 4 metrics should be included in the analysis of MEFs?
MTD, RTO, WRT, RPO
What is MTD?
Maximum Tolerable Downtime is the longest period a business function can be unavailable before the outage causes irrecoverable harm to the organization
What is RTO?
Recovery Time Objective is the maximum time allowed, following a disaster, to bring an individual system back into operation
What is WRT?
Work Recovery Time is the period following system recovery in which the remaining work (restoring data, testing and verifying the system) is completed before the business function is declared fully restored
What is RPO?
Recovery Point Objective identifies the maximum acceptable data loss an organization can tolerate in a disaster or failure, expressed as an amount of time (e.g. the age of the most recent usable backup)
What 2 metrics combined should not exceed MTD?
RTO + WRT (the full time to restore the function must be ≤ MTD)
What is MTBF? What equation is used to calculate this?
Mean Time Between Failures represents the average operational time between failures: MTBF = total operational time ÷ number of failures
What is MTTR? What equation is used to calculate this?
Mean Time To Repair is the average time taken to correct a fault and bring a system back to full operation: MTTR = total repair time ÷ number of repairs
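The metrics above are easiest to see computed over a real outage record. The following is an added Python example, not part of the original card set: it derives MTTR, MTBF and availability from a constructed list of outage incidents, and checks a set of business functions for the RTO + WRT ≤ MTD rule and for an RPO that the backup schedule can actually meet. All incident times, function names and metric values are invented for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (not real incidents): one system observed for all of 2024.
OBSERVATION_START = datetime(2024, 1, 1)
OBSERVATION_END = datetime(2025, 1, 1)          # 366 days = 8784 hours
INCIDENTS = [                                    # (failure time, restored time)
    (datetime(2024, 2, 10, 3, 0), datetime(2024, 2, 10, 7, 0)),    # 4 h outage
    (datetime(2024, 6, 4, 22, 0), datetime(2024, 6, 5, 0, 0)),     # 2 h outage
    (datetime(2024, 9, 18, 12, 0), datetime(2024, 9, 18, 15, 0)),  # 3 h outage
]


def _downtime_seconds(incidents):
    return sum((end - start).total_seconds() for start, end in incidents)


def mttr_hours(incidents):
    """MTTR = total repair time / number of repairs."""
    if not incidents:
        return 0.0
    return _downtime_seconds(incidents) / len(incidents) / 3600


def mtbf_hours(incidents, window_start, window_end):
    """MTBF = total operational time / number of failures.
    Operational time is the observation window minus the outages themselves."""
    if not incidents:
        return float("inf")
    window = (window_end - window_start).total_seconds()
    return (window - _downtime_seconds(incidents)) / len(incidents) / 3600


def availability(incidents, window_start, window_end):
    """Availability = MTBF / (MTBF + MTTR), i.e. the fraction of the window the system was up."""
    mtbf = mtbf_hours(incidents, window_start, window_end)
    mttr = mttr_hours(incidents)
    return mtbf / (mtbf + mttr)


@dataclass(frozen=True)
class FunctionRecovery:
    """Recovery targets for one business function (hypothetical values)."""
    name: str
    mtd_hours: float              # maximum tolerable downtime
    rto_hours: float              # time to bring the system back up
    wrt_hours: float              # time to reload data, test and verify
    rpo_hours: float              # maximum acceptable data loss
    backup_interval_hours: float  # how often data is actually backed up

    def recovery_window(self):
        """RTO + WRT: total time until the function is back in service."""
        return self.rto_hours + self.wrt_hours

    def within_mtd(self):
        return self.recovery_window() <= self.mtd_hours

    def rpo_met(self):
        """Worst-case data loss equals the backup interval, so it must not exceed the RPO."""
        return self.backup_interval_hours <= self.rpo_hours


FUNCTIONS = [  # constructed examples
    FunctionRecovery("Order processing (MEF)", mtd_hours=24, rto_hours=8, wrt_hours=4,
                     rpo_hours=1, backup_interval_hours=0.25),
    FunctionRecovery("Payroll (PBF)", mtd_hours=72, rto_hours=48, wrt_hours=36,
                     rpo_hours=24, backup_interval_hours=24),
    FunctionRecovery("Customer portal (MEF)", mtd_hours=8, rto_hours=2, wrt_hours=2,
                     rpo_hours=0.5, backup_interval_hours=4),
]


def recovery_violations(functions):
    """Names of functions whose RTO + WRT exceeds their MTD."""
    return [f.name for f in functions if not f.within_mtd()]


def rpo_violations(functions):
    """Names of functions whose backup schedule cannot satisfy their RPO."""
    return [f.name for f in functions if not f.rpo_met()]


if __name__ == "__main__":
    print(f"MTTR: {mttr_hours(INCIDENTS):.2f} h")
    print(f"MTBF: {mtbf_hours(INCIDENTS, OBSERVATION_START, OBSERVATION_END):.2f} h")
    print(f"Availability: {availability(INCIDENTS, OBSERVATION_START, OBSERVATION_END):.5%}")
    print("MTD violations:", recovery_violations(FUNCTIONS))
    print("RPO violations:", rpo_violations(FUNCTIONS))
```

Payroll fails the MTD check because 48 + 36 = 84 hours exceeds its 72-hour MTD, even though each figure alone looks generous; the customer portal fails the RPO check because a 4-hour backup cycle can lose up to 4 hours of data against a 30-minute objective.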
What are the risk management strategies? (4)
Risk mitigation (also called risk reduction), risk avoidance, risk transference, risk acceptance
What is risk transference?
Assigning the risk to a third party, for example through insurance or by outsourcing the function
What is a risk exception?
The risk is recognized and accepted temporarily because it cannot be mitigated right now; mitigation is planned, and the exception is normally time-bound and reviewed
What is a risk exemption?
The risk is recognized and formally accepted without a plan to mitigate it, with a documented business justification (e.g. the control is not applicable, is too costly, or would break a required function)
What is residual risk?
The risk that remains after controls or a solution have been applied
What are the 2 main variables in calculating risk?
Likelihood, impact
What are risk assessments?
Identifies risks and their likelihood and impacts
What are the 4 risk assessment methodologies?
Ad hoc, recurring, one time, continuous
What is quantitative risk analysis?
Assigns concrete values to risk factors
What is SLE? How is this calculated?
Single Loss Expectancy is the amount that would be lost in a single occurrence of a risk factor: SLE = asset value (AV) × exposure factor (EF)
What is ALE? How is this calculated?
Annualized Loss Expectancy is the amount that would be lost over the course of a year: ALE = SLE × ARO
What is ARO?
Annualized Rate of Occurrence is the expected number of times per year an event occurs
What is qualitative risk analysis?
Assesses risks based on subjective judgement (e.g. low/medium/high ratings) rather than precise numerical data
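The SLE/ALE/ARO formulas are most useful when the ALE before and after a control is compared with the control's annual cost, which is how the quantitative numbers support a mitigation decision and how residual risk is expressed in money. The following Python is an added example, not from the original cards; the scenario (a ransomware hit on a file server), the controls and every figure are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RiskScenario:
    """One quantified risk: asset value (AV), exposure factor (EF) and ARO."""
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one occurrence, 0..1
    aro: float              # expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self):
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate mitigation: what it costs per year and how it changes EF and/or ARO."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # None = unchanged
    new_aro: Optional[float] = None              # None = unchanged


def residual_scenario(scenario, control):
    """The same scenario with the control applied; its ALE is the residual risk in money."""
    ef = scenario.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
    aro = scenario.aro if control.new_aro is None else control.new_aro
    return RiskScenario(scenario.name, scenario.asset_value, ef, aro)


def control_value(scenario, control):
    """Annual value of a control = ALE(before) - ALE(after) - annual cost of the control.
    Positive means the control saves more than it costs."""
    return scenario.ale() - residual_scenario(scenario, control).ale() - control.annual_cost


def rank_controls(scenario, controls):
    """Controls ordered from most to least cost-effective, as (name, value) pairs."""
    scored = [(c.name, control_value(scenario, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a file server worth 500,000; a ransomware incident destroys
# 60% of its value; historically about one incident every two years (ARO = 0.5).
RANSOMWARE = RiskScenario("Ransomware on file server", asset_value=500_000,
                          exposure_factor=0.6, aro=0.5)

# Constructed controls (hypothetical costs and effects):
BACKUPS_EDR = Control("Offline backups + EDR", annual_cost=40_000,
                      new_exposure_factor=0.1, new_aro=0.25)
GOLD_PLATED = Control("Full air-gapped rebuild program", annual_cost=160_000,
                      new_aro=0.0)

if __name__ == "__main__":
    print(f"SLE = {RANSOMWARE.sle():,.0f}   ALE = {RANSOMWARE.ale():,.0f}")
    for name, value in rank_controls(RANSOMWARE, [BACKUPS_EDR, GOLD_PLATED]):
        print(f"{name}: annual value {value:,.0f}")
```

With the constructed numbers the inherent ALE is 150,000 per year. Offline backups plus EDR cut the residual ALE to 12,500 for 40,000 a year, a net gain of 97,500, while the 160,000 program eliminates the risk but costs 10,000 more per year than the loss it prevents, so the quantitative analysis argues against it even though it is the "safer" option.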
What is inherent risk?
Level of risk before any mitigation has been attempted
What is a risk register?
A document that records the results of risk assessments in a comprehensible format (each risk with its likelihood, impact, owner and planned response)
What is a risk threshold?
Limit of acceptable risk an organization can tolerate
What are KRIs?
Key Risk Indicators are predictive metrics used to monitor exposure and give early warning that a risk is becoming more likely or more severe
What is a risk owner?
Individual responsible for managing a particular risk
What is a risk appetite?
The level of risk an organization is willing to accept
What is risk tolerance?
The degree of variation from the risk appetite the organization will accept; it sets the thresholds that separate acceptable from unacceptable levels of risk
What are the 3 levels of risk appetite?
Expansionary, conservative, neutral
What is a BCP?
Business Continuity Plan is a plan to maintain business operations while infrastructure is reduced or restricted, and it identifies the actions required to restore the business to normal operation
What is COOP?
Continuity Of Operations is the process of ensuring an organization can maintain or quickly resume critical functions in the event of a disruption
What is capacity planning?
The assessment of current and future resource requirements needed to meet business objectives
What is due diligence?
Investigating and verifying information about a potential vendor (financial, security and compliance posture) before entering into an agreement
What is RoE?
Rules of Engagement define the parameters and expectations for a vendor relationship, for example the scope and limits of work a vendor is permitted to perform
What are 5 initial agreements between organizations and vendors?
MOU (memorandum of understanding), NDA (non-disclosure agreement), MOA (memorandum of agreement), BPA (business partners agreement), MSA (master service agreement)
What is attestation?
Verifying and validating security controls, systems, and processes