Risk identification
Risk identification is the process of recognizing cybersecurity and operational risks that could affect an organization.
Example: An organization identifies malware, phishing, insider threats, equipment failure, weak policies, and poor training as risks.
Memory trick: Risk identification asks, “What could go wrong?”
Trick question tip: Identification happens before assessment and management.
Cybersecurity risk
A cybersecurity risk is the possibility that a threat or weakness could negatively affect systems, data, operations, or the organization.
Example: A phishing attack could lead to account compromise and data loss.
Memory trick: Risk means possible bad outcome.
Trick question tip: Risk combines concern about threats, vulnerabilities, impact, and likelihood.
Technical versus nontechnical risk
Technical risk comes from technology weaknesses, while nontechnical risk comes from people, process, policy, training, legal, or organizational weaknesses.
Example: Unpatched software is a technical risk; weak training that leads to phishing mistakes is a nontechnical risk.
Memory trick: Technical = systems; nontechnical = people, process, policy.
Trick question tip: Malware, software flaws, and hardware failures are technical; weak policies and lack of training are nontechnical.
Malware, phishing, insider, and equipment risks
Common identified risks include malware, phishing, insider threats, equipment failure, software vulnerabilities, policy gaps, and training gaps.
Example: Ransomware could encrypt data, phishing could steal credentials, and failed hardware could cause downtime.
Memory trick: Risk examples answer “what could go wrong?”
Trick question tip: Security+ may ask you to identify the risk category from the scenario.
Policy and training risk
Policy risk comes from inadequate, outdated, or missing policies, while training risk comes from users lacking awareness or practice.
Example: A weak password policy and employees with no phishing training both increase risk.
Memory trick: Bad rules plus untrained users create easy targets.
Trick question tip: Inadequate policies and poor training are nontechnical risk factors.
Vulnerability assessment
A vulnerability assessment identifies and evaluates weaknesses that could be exploited or cause security problems.
Example: A scan identifies unpatched systems and insecure configurations.
Memory trick: Vulnerability assessment finds weak spots.
Trick question tip: Vulnerability assessments are risk identification methods.
Penetration testing
Penetration testing simulates attacks to identify exploitable weaknesses and validate defenses.
Example: A tester attempts to exploit a misconfigured application during an authorized assessment.
Memory trick: Pen testing proves whether a weakness can be used.
Trick question tip: Exploitation-focused testing points to penetration testing.
Security audit
A security audit reviews systems, controls, policies, and procedures to determine whether requirements are being met.
Example: An audit checks whether access control procedures match policy and compliance requirements.
Memory trick: Audit checks whether the organization follows the rules.
Trick question tip: Audits can identify risk and compliance gaps.
Threat intelligence for risk
Threat intelligence provides information about threats, adversaries, tactics, vulnerabilities, and attack trends to support risk decisions.
Example: A threat feed warns that a new vulnerability is being actively exploited.
Memory trick: Threat intelligence tells what attackers are doing now.
Trick question tip: Current attacker behavior or exploit information helps identify risk.
Risk assessment
Risk assessment evaluates identified risks to determine their likelihood, impact, significance, and priority.
Example: After identifying ransomware risk, the organization estimates possible downtime, impact, and likelihood.
Memory trick: Risk assessment asks, “How bad and how likely?”
Trick question tip: Assessment comes after risks have been identified.
Risk assessment methodology
Risk assessment methodology is the approach used to evaluate risk, such as ad hoc, one-time, recurring, continuous, or combined assessment.
Example: An organization uses annual reviews, ad hoc zero-day assessments, and continuous monitoring together.
Memory trick: Methodology means how and when risk is assessed.
Trick question tip: Security+ may test ad hoc versus one-time versus recurring versus continuous.
Ad hoc risk assessment
An ad hoc risk assessment is performed as needed in response to a specific incident, threat, change, or environmental condition.
Example: A company assesses risk after learning about an actively exploited zero-day affecting its systems.
Memory trick: Ad hoc means because something happened.
Trick question tip: Incident, zero-day, urgent change, or new threat trigger points to ad hoc assessment.
One-time risk assessment
A one-time risk assessment is a comprehensive evaluation performed at a specific point in time.
Example: An organization performs a one-time assessment before deploying a new business system.
Memory trick: One-time means one major snapshot.
Trick question tip: New system implementation or maturity review can trigger one-time assessment.
Recurring risk assessment
A recurring risk assessment is scheduled at regular intervals such as annually, quarterly, or monthly.
Example: A company performs quarterly vulnerability scans and annual compliance assessments.
Memory trick: Recurring means it comes back on a schedule.
Trick question tip: Annual, quarterly, monthly, scheduled audits, and scheduled scans point to recurring assessment.
Continuous risk assessment
Continuous risk assessment constantly evaluates risk using real-time or near-real-time data from monitoring tools.
Example: Agent-based vulnerability scanning and IDS alerts continuously provide risk data.
Memory trick: Continuous means always watching.
Trick question tip: Real-time data, agent-based scanning, IDS, and SIEM-style monitoring support continuous assessment.
Combined risk assessment methods
Combined risk assessment methods use multiple approaches to improve risk identification and management.
Example: An organization performs annual assessments, ad hoc assessments for zero-days, and continuous vulnerability monitoring.
Memory trick: Use multiple lenses to see risk better.
Trick question tip: Different assessment methods can be combined for stronger risk management.
Risk analysis
Risk analysis identifies and evaluates potential risks and their causes, consequences, scope, and characteristics.
Example: Analysts examine how a phishing attack could occur, what it could affect, and what consequences it may create.
Memory trick: Risk analysis studies the nature of the risk.
Trick question tip: Causes, consequences, scope, and characteristics point to risk analysis.
Risk analysis versus risk assessment
Risk analysis studies the nature and characteristics of risk, while risk assessment estimates and prioritizes likelihood, impact, severity, and response.
Example: Analysis explains why ransomware is a concern; assessment estimates how likely and damaging it is.
Memory trick: Analysis understands risk; assessment ranks risk.
Trick question tip: Likelihood, severity, prioritization, and response strategy point more to risk assessment.
Risk likelihood
Risk likelihood is the chance that a risk event will occur.
Example: Phishing may be highly likely if employees receive frequent phishing attempts.
Memory trick: Likelihood means how likely it is to happen.
Trick question tip: Probability, frequency, or chance clues point to likelihood.
Risk impact
Risk impact is the amount of harm or loss the organization may experience if a risk event occurs.
Example: A database outage could cause downtime, lost revenue, and customer dissatisfaction.
Memory trick: Impact means how bad it hurts.
Trick question tip: Damage, loss, downtime, and business consequences point to impact.
Risk prioritization
Risk prioritization ranks risks so the organization can address the most significant risks first.
Example: A high-likelihood, high-impact vulnerability is prioritized over a low-impact issue.
Memory trick: Prioritization decides what gets attention first.
Trick question tip: Ranking risks by impact and likelihood is prioritization.
Quantitative risk analysis
Quantitative risk analysis assigns numerical or monetary values to risk factors.
Example: An analyst calculates the expected annual cost of ransomware downtime.
Memory trick: Quantitative uses numbers and money.
Trick question tip: Dollar values, SLE, ALE, ARO, and EF point to quantitative analysis.
Asset value
Asset value is the total value of an asset, including replacement cost, business value, downtime cost, reputation, goodwill, and lost sales.
Example: A server may be cheap to replace but expensive to lose because it supports online orders.
Memory trick: Asset value is more than the price tag.
Trick question tip: Include direct costs, downtime, reputation, goodwill, and lost business when considering value.
Exposure Factor (EF)
Exposure Factor is the percentage of an asset’s value expected to be lost in a single risk event.
Example: If an incident destroys 40 percent of a $200,000 asset, the EF is 40 percent.
Memory trick: EF means percent exposed to loss.
Trick question tip: EF is a percentage used to calculate SLE.
Single Loss Expectancy (SLE)
SLE is the expected loss from one occurrence of a risk event.
Example: A $200,000 asset with 40 percent exposure has an SLE of $80,000.
Memory trick: SLE means single-event loss.
Trick question tip: SLE equals asset value multiplied by exposure factor.
Annualized Rate of Occurrence (ARO)
ARO is the number of times a risk event is expected to occur in one year.
Example: If ransomware is expected twice per year, the ARO is 2.
Memory trick: ARO means annual repetition count.
Trick question tip: Frequency per year is ARO.
Annualized Loss Expectancy (ALE)
ALE is the expected yearly loss from a risk.
Example: If SLE is $50,000 and ARO is 2, ALE is $100,000.
Memory trick: ALE means annual expected loss.
Trick question tip: ALE equals SLE multiplied by ARO.
SLE and ALE formulas
SLE equals asset value times exposure factor, and ALE equals SLE times annualized rate of occurrence.
Example: Asset value $200,000 times 40 percent EF equals $80,000 SLE; $80,000 SLE times ARO 2 equals $160,000 ALE.
Memory trick: SLE = one event; ALE = yearly total.
Trick question tip: Use SLE for one event loss and ALE for yearly expected loss.
Quantitative control justification
Quantitative control justification compares the expected monetary loss with the cost of a control.
Example: A control costing less than the expected annual ransomware loss may be worth implementing.
Memory trick: Numbers help prove controls are worth the money.
Trick question tip: Cost savings and dollar-based comparisons are quantitative control justification.
Direct, downtime, and intangible costs
Direct costs are measurable bills, downtime costs come from unavailable services, and intangible costs are hard-to-measure losses like reputation or customer trust.
Example: Replacing hardware is direct cost, lost sales during an outage is downtime cost, and damaged reputation is intangible cost.
Memory trick: Direct is the bill, downtime stops business, intangible hurts trust.
Trick question tip: Reputation, goodwill, and customer trust are intangible costs.
Quantitative analysis limitation
Quantitative analysis can be difficult, time-consuming, and inaccurate without reliable historical data.
Example: Analysts estimate a rare event’s financial impact using limited evidence and expert judgment.
Memory trick: Numbers are useful, but accurate numbers are hard.
Trick question tip: Lack of historical data weakens quantitative accuracy.
Historical data in risk analysis
Historical data improves risk estimates by providing evidence about past frequency, losses, and impacts.
Example: Past outage records help estimate the annual cost of service downtime.
Memory trick: History makes risk numbers stronger.
Trick question tip: Without historical data, quantitative estimates may become subjective guesses.
Qualitative risk analysis
Qualitative risk analysis evaluates risk with descriptive categories, expert judgment, and subjective ratings instead of exact monetary values.
Example: A team rates a risk as high, medium, or low during a workshop.
Memory trick: Qualitative uses words, not numbers.
Trick question tip: High, medium, low ratings and subjective judgment point to qualitative analysis.
Qualitative analysis benefits and limitations
Qualitative analysis is fast, simple, and easy to communicate, but it can be subjective, biased, and inconsistent.
Example: Two experts may disagree about whether a risk is moderate or high.
Memory trick: Words are easy, but opinions vary.
Trick question tip: Speed and accessibility are benefits; bias and inconsistency are limitations.
Expert judgment
Expert judgment uses the knowledge and experience of specialists to evaluate risk when precise data is unavailable or unnecessary.
Example: Security experts rate a legacy application as high risk because it lacks vendor support.
Memory trick: Expert judgment means experienced people estimate risk.
Trick question tip: Expert judgment is useful but can introduce bias.
Risk interdependency
Risk interdependency occurs when one risk affects or increases another risk.
Example: Poor training increases phishing risk, which increases account compromise risk.
Memory trick: Risks can connect like dominoes.
Trick question tip: Causes, consequences, and connected risks are often considered in qualitative analysis.
Inherent risk
Inherent risk is the level of risk before controls, mitigation, or countermeasures are applied.
Example: Phishing risk before MFA and training is inherent risk.
Memory trick: Inherent means raw risk.
Trick question tip: Before controls equals inherent risk.
Residual risk
Residual risk is the risk that remains after controls, mitigation, acceptance, or transference have been applied.
Example: MFA reduces account takeover risk, but some social engineering risk remains.
Memory trick: Residual means leftover risk.
Trick question tip: After controls equals residual risk.
Inherent versus residual risk
Inherent risk exists before controls, while residual risk remains after controls are applied.
Example: The original ransomware risk is inherent; the risk left after backups, EDR, and training is residual.
Memory trick: Raw risk versus leftover risk.
Trick question tip: Security+ often asks before-controls versus after-controls.
Risk mitigation
Risk mitigation reduces the likelihood or impact of a risk to a level the organization can tolerate.
Example: MFA reduces account compromise risk from stolen passwords.
Memory trick: Mitigation means lower the risk.
Trick question tip: The goal is reducing risk, not eliminating every risk.
Risk remediation
Risk remediation fixes or reduces a risk through corrective action.
Example: Applying a security patch remediates a known software vulnerability.
Memory trick: Remediation means fix the problem.
Trick question tip: Remediation and mitigation are closely related; remediation often fixes a specific issue.
Countermeasure
A countermeasure is a safeguard or control used to reduce exposure to a threat or vulnerability.
Example: A firewall rule, security patch, alarm system, or sprinkler system can be a countermeasure.
Memory trick: Countermeasure means defense against risk.
Trick question tip: Controls that reduce risk are countermeasures.
Risk reduction
Risk reduction uses controls to make a risk event less likely, less damaging, or both.
Example: Strict material storage reduces fire likelihood, while alarms and sprinklers reduce fire impact.
Memory trick: Reduction lowers chance, damage, or both.
Trick question tip: Controls that lower likelihood or impact are risk reduction.
Likelihood versus impact reduction
Likelihood reduction makes an event less likely to happen, while impact reduction limits damage after it happens.
Example: Safe storage of flammable materials reduces likelihood; sprinklers reduce impact.
Memory trick: Prevent it versus hurt less.
Trick question tip: Preventing the event reduces likelihood; limiting damage after it starts reduces impact.
Off-site backup risk effect
Off-site backups provide recovery if primary data or systems are destroyed, usually reducing impact rather than likelihood.
Example: If servers are destroyed by fire, off-site backups can restore data.
Memory trick: Backup elsewhere means recovery still exists.
Trick question tip: Backups usually reduce impact, not the likelihood of the original incident.
Risk avoidance
Risk avoidance stops the activity that creates the risk.
Example: A company shuts down an insecure application instead of trying to maintain it.
Memory trick: Avoidance means stop doing the risky thing.
Trick question tip: If the organization discontinues the activity entirely, it is avoidance.
Risk avoidance limitation
Risk avoidance is not always practical because organizations often need risky activities to meet business objectives.
Example: A company cannot stop using email even though phishing risk exists.
Memory trick: Avoidance only works when stopping the activity is realistic.
Trick question tip: Avoidance is less common because many risky activities are necessary.
Risk transference
Risk transference shifts some responsibility or financial impact of a risk to another party, such as an insurer or provider.
Example: A company buys cyber liability insurance to help cover breach costs.
Memory trick: Transfer means move some risk cost elsewhere.
Trick question tip: Insurance and third-party sharing point to risk transference.
Risk sharing
Risk sharing distributes risk responsibility or cost to another party through contracts, insurance, or shared arrangements.
Example: A contract requires a service provider to cover certain breach-related costs.
Memory trick: Sharing means another party carries part of the risk.
Trick question tip: Sharing does not eliminate the risk; it distributes responsibility or cost.
Cybersecurity insurance
Cybersecurity insurance helps cover some costs, fines, and liabilities from breaches, ransomware, legal claims, or cyberattacks.
Example: A cyber insurance policy helps pay incident response expenses after a breach.
Memory trick: Cyber insurance transfers some financial risk.
Trick question tip: Insurance is a classic transference control.
Transference limitations
Risk transference does not eliminate all responsibility because reputation damage, customer trust loss, legal duties, and due care obligations may remain.
Example: Insurance pays some breach costs, but customers may still blame the organization.
Memory trick: Insurance can pay money, not fully repair trust.
Trick question tip: Transference rarely transfers reputation damage or all accountability.
Best-practice control requirement for insurance
Insurance or contracts may require best-practice controls before risk transfer protections apply.
Example: A cyber policy requires MFA, backups, and patching before covering a claim.
Memory trick: Insurance expects you to lock the doors first.
Trick question tip: Risk transfer may depend on implementing reasonable controls.
Risk acceptance
Risk acceptance means choosing not to implement additional countermeasures because the remaining risk is within approved limits or not worth the cost.
Example: A company accepts a low-impact risk because mitigation would cost more than the expected loss.
Memory trick: Acceptance means knowingly live with the risk.
Trick question tip: Ignoring a risk is not the same as formally accepting it.
Risk exception or exemption
A risk exception or exemption documents a decision to allow a risk temporarily or under specific conditions when mitigation is delayed or limited.
Example: A legacy system receives a documented exception until it can be replaced.
Memory trick: Exception means documented permission to tolerate the gap.
Trick question tip: Exceptions should be tracked, approved, and reviewed; they are not silent neglect.
Allowable risk
Allowable risk is the level of risk an organization permits based on business, legal, regulatory, industry, and leadership factors.
Example: A regulated healthcare organization may allow less data risk than a small nonregulated startup.
Memory trick: Allowable risk is what leadership permits.
Trick question tip: Allowable risk varies by industry, regulation, resources, and objectives.
Risk tolerance
Risk tolerance is the acceptable level of risk for a specific risk, process, asset, or situation.
Example: A specific application risk exceeding tolerance is added to the risk register for action.
Memory trick: Tolerance is the limit for a particular risk.
Trick question tip: Specific acceptable limits for individual risks point to risk tolerance.
Risk appetite
Risk appetite is the overall amount of risk an organization is willing to accept while pursuing objectives.
Example: A startup may accept more risk to grow quickly, while a hospital may accept less risk for patient data.
Memory trick: Appetite is the organization’s overall risk hunger.
Trick question tip: Executive leadership usually sets risk appetite across the organization.
Risk appetite versus risk tolerance
Risk appetite is the organization’s overall willingness to take risk, while risk tolerance is the acceptable limit for specific risks.
Example: A company may have a conservative overall appetite but a specific tolerance threshold for website downtime.
Memory trick: Appetite is overall; tolerance is specific.
Trick question tip: This is a common exam trap: broad strategy equals appetite; individual risk limit equals tolerance.
Expansionary, conservative, and neutral risk appetite
Expansionary appetite accepts more risk for growth, conservative appetite minimizes risk and protects reputation, and neutral appetite accepts manageable risk aligned with objectives.
Example: A startup may be expansionary, an established regulated firm may be conservative, and a balanced organization may be neutral.
Memory trick: Growth hungry, risk cautious, or balanced.
Trick question tip: Startup growth often points to expansionary; mature compliance-focused organizations point to conservative.
Risk posture
Risk posture is the organization’s overall cybersecurity risk status, including current risks, controls, priorities, and accepted exposure.
Example: A risk posture report shows which risks need mitigation first and which are accepted.
Memory trick: Risk posture is the organization’s risk stance.
Trick question tip: Overall risk status and current security condition point to risk posture.
Risk prioritization factors
Risk prioritization considers regulatory requirements, high-value assets, high-likelihood threats, risk-increasing conditions, and control costs.
Example: A payment card database and frequent phishing attacks receive higher priority than a low-impact isolated issue.
Memory trick: Prioritize required, valuable, likely, and risky.
Trick question tip: Legal requirements, high asset value, frequent threats, and weak conditions raise priority.
Risk-increasing conditions
Risk-increasing conditions are weaknesses that make threats more likely or more damaging.
Example: Legacy applications, lack of training, unpatched software, unnecessary services, and missing audits increase risk.
Memory trick: Risk-increasing conditions make threats easier.
Trick question tip: Legacy systems, poor training, and unpatched software increase likelihood.
Heat map
A heat map is a simple visual risk matrix using colors to represent severity, likelihood, impact, control cost, or priority.
Example: Red indicates high risk, yellow moderate risk, and green low risk.
Memory trick: Heat map uses traffic-light colors for risk.
Trick question tip: Red/yellow/green visual risk priority points to a heat map or traffic light impact matrix.
Heat map limitation
A heat map provides quick visual prioritization but is less precise than detailed quantitative analysis.
Example: A red-yellow-green matrix helps leadership quickly see which risks need focus first.
Memory trick: Heat maps are quick, not deeply precise.
Trick question tip: Use heat maps for immediate visual summaries, not exact dollar calculations.
FIPS 199
FIPS 199 defines security categorizations for information systems based on the potential impact of confidentiality, integrity, or availability breaches.
Example: A system is categorized as low, moderate, or high impact based on possible CIA harm.
Memory trick: FIPS 199 categorizes CIA impact.
Trick question tip: Low, moderate, high impact tied to confidentiality, integrity, and availability points to FIPS 199.
Low, moderate, and high impact
Low impact causes minor damage, moderate impact causes significant damage or degradation, and high impact causes major damage or inability to perform essential functions.
Example: An outage that slows work is low, a serious disruption is moderate, and a failure that stops essential operations is high.
Memory trick: Low hurts a little; moderate seriously disrupts; high can stop the mission.
Trick question tip: Inability to perform essential functions equals high impact.
Confidentiality, integrity, and availability impact
Confidentiality impact is unauthorized disclosure, integrity impact is unauthorized modification or corruption, and availability impact is outage or unavailable resources.
Example: Data exposure affects confidentiality, altered records affect integrity, and system downtime affects availability.
Memory trick: Disclosure, alteration, downtime.
Trick question tip: Match the harm to the CIA term.
Risk management process
Risk management is an ongoing process of identifying assets and risks, analyzing threats and vulnerabilities, assessing impact, choosing responses, and monitoring results.
Example: An organization identifies critical systems, finds vulnerabilities, evaluates threats, and chooses mitigation or acceptance.
Memory trick: Find it, rank it, respond, repeat.
Trick question tip: Risk management is ongoing, not a one-time checklist.
Threat, vulnerability, and risk relationship
A threat is something capable of exploiting a weakness, a vulnerability is the weakness, and risk exists when a threat can exploit that vulnerability and cause impact.
Example: A cybercriminal is a threat, unpatched software is a vulnerability, and compromise of that system is the risk.
Memory trick: Threat plus vulnerability creates risk.
Trick question tip: You generally need both a threat and a vulnerability for risk.
Business impact analysis (BIA)
A BIA determines how disruptions affect business operations, processes, systems, people, assets, and recovery priorities.
Example: A BIA evaluates how a system outage, natural disaster, illness, or equipment failure affects the organization as a whole.
Memory trick: BIA asks what the business loses when things stop.
Trick question tip: BIA focuses on business disruption impact, not only technical details.
Business process analysis (BPA)
BPA maps business process inputs, enablers, outputs, dependencies, and process flow.
Example: A team identifies employees, vendors, hardware, procedures, and outputs required for order processing.
Memory trick: BPA maps how the work happens.
Trick question tip: Inputs, enablers, outputs, and flow point to BPA; disruption impact points to BIA.
BIA versus BPA
BIA measures the impact of disruption, while BPA maps how business processes work and what they depend on.
Example: BPA maps a process; BIA determines how badly the organization is harmed if that process stops.
Memory trick: BPA maps the process; BIA measures the damage.
Trick question tip: Process inputs and outputs mean BPA; outage impact and recovery priorities mean BIA.
Mission Essential Function (MEF)
A MEF is an activity that cannot stop without severe damage to the organization and usually receives the highest recovery priority.
Example: A cloud provider’s core hosting service may be a MEF during a major outage.
Memory trick: MEF means must keep going.
Trick question tip: Functions that cannot be deferred without severe damage point to MEF.
Primary Business Function (PBF)
A PBF is an important business function that supports the organization but may not be as immediately mission-essential as a MEF.
Example: A supporting sales or shipping process may be critical but lower priority than a mission-essential cloud service.
Memory trick: PBF supports the business.
Trick question tip: PBFs are important, but MEFs usually receive the highest priority.
MEF versus PBF
MEFs cannot stop without severe damage, while PBFs are important supporting business functions that may be prioritized below MEFs.
Example: A mission-critical service is MEF; a supporting business workflow may be PBF.
Memory trick: MEF must not stop; PBF supports.
Trick question tip: Highest recovery priority usually points to MEF.
Maximum Tolerable Downtime (MTD)
MTD is the longest time a business function can be unavailable before unacceptable or permanent damage occurs.
Example: A banking system may have an MTD of hours, while a training portal may tolerate days.
Memory trick: MTD is the absolute downtime deadline.
Trick question tip: MTD is the maximum business downtime, not the target recovery time.
Recovery Time Objective (RTO)
RTO is the target amount of time to restore a system, service, or function after disruption.
Example: A service must be restored within six hours to meet its RTO.
Memory trick: RTO is how fast we want to recover.
Trick question tip: RTO must be shorter than MTD.
Work Recovery Time (WRT)
WRT is the time needed after technical recovery to verify, reconnect, test, and restore normal business work.
Example: After a server is restored, staff need time to verify data and reconnect dependent services.
Memory trick: WRT is the cleanup after recovery.
Trick question tip: RTO plus WRT should not exceed MTD.
Recovery Point Objective (RPO)
RPO is the maximum acceptable amount of data loss measured in time.
Example: An RPO of one hour means backups or replication must prevent losing more than one hour of data.
Memory trick: RPO is how far back data can roll.
Trick question tip: RPO determines backup or replication frequency.
MTD, RTO, WRT, and RPO
MTD is maximum tolerable outage, RTO is target restore time, WRT is post-restore verification work, and RPO is acceptable data loss time.
Example: A BIA sets MTD, chooses an RTO shorter than MTD, includes WRT, and sets RPO for backup frequency.
Memory trick: MTD deadline, RTO restore, WRT verify, RPO data loss.
Trick question tip: RTO plus WRT must be less than or equal to MTD; RPO is about data loss, not downtime.
MTTR
MTTR is mean time to repair, the average time needed to repair a failed component or restore a service.
Example: A server takes an average of two hours to repair after failure.
Memory trick: MTTR means repair time.
Trick question tip: Repair speed points to MTTR.
MTBF
MTBF is mean time between failures, the average time a system or component operates before failing.
Example: A drive with a high MTBF is expected to operate longer between failures.
Memory trick: MTBF means time between breakdowns.
Trick question tip: Reliability and time between failures point to MTBF.
MTTR versus MTBF
MTTR measures how long repair takes, while MTBF measures how long a system usually runs between failures.
Example: A system may fail every 1,000 hours on average and take 2 hours to repair.
Memory trick: MTTR fixes; MTBF lasts.
Trick question tip: Repair time equals MTTR; reliability interval equals MTBF.
Risk register
A risk register is a centralized document that records identified risks, likelihood, impact, severity, owner, response strategy, status, and escalation information.
Example: A spreadsheet tracks each risk, who owns it, how severe it is, and what mitigation is planned.
Memory trick: Risk register is the risk tracker.
Trick question tip: Centralized tracking of risks and owners points to a risk register.
Risk owner
A risk owner is the person or role responsible for monitoring, managing, and reporting on a specific risk.
Example: A department manager owns the risk related to a critical application used by their team.
Memory trick: Risk owner owns follow-up, not necessarily the asset.
Trick question tip: Significant risks should have assigned owners.
Risk threshold
A risk threshold is the point where a risk becomes unacceptable and requires action.
Example: Losses reaching a defined dollar amount trigger mandatory mitigation.
Memory trick: Threshold means the action line.
Trick question tip: When risk crosses the approved limit, it becomes a higher priority.
Key Risk Indicator (KRI)
A KRI is a measurable metric that provides early warning that risk is increasing.
Example: A rising number of failed logins or phishing emails indicates increasing risk.
Memory trick: KRI is a risk warning metric.
Trick question tip: Numerical early warning signs of increasing risk point to KRIs.
Risk reporting
Risk reporting communicates risk status, mitigation efforts, accepted risk, and priorities to stakeholders, executives, managers, and technical teams.
Example: Executives receive a summary report, while technical teams receive detailed mitigation information.
Memory trick: Risk reporting tells the right people where risk stands.
Trick question tip: High-level stakeholders need summaries; managers and technical teams need more detail.
Enterprise Risk Management (ERM)
ERM manages risk across the entire business, not just cybersecurity.
Example: An ERM program tracks financial, operational, legal, cybersecurity, and vendor risks together.
Memory trick: ERM sees risk across the whole enterprise.
Trick question tip: Organization-wide risk program beyond security points to ERM.
Risk Management Framework (RMF)
A Risk Management Framework provides a structured method for identifying, evaluating, documenting, and managing risk.
Example: An organization uses a framework to standardize risk assessment and control selection.
Memory trick: RMF is the risk skeleton.
Trick question tip: Framework means a structured model adapted to the organization.
ISO 31000
ISO 31000 is a risk management standard that provides general guidance for managing risk across organizations.
Example: A business uses ISO 31000 guidance to structure enterprise risk management.
Memory trick: ISO 31000 is broad risk guidance.
Trick question tip: General enterprise risk management standard points to ISO 31000.
Risk and Control Self-Assessment (RCSA)
RCSA is a process where managers or process owners evaluate risks and controls in their own areas.
Example: A department manager evaluates whether their controls adequately address local operational risks.
Memory trick: RCSA means owners assess their own risks and controls.
Trick question tip: Self-assessment by business areas points to RCSA.
Internal versus external risk audit
An internal audit is performed by the organization, while an external audit is performed by an independent party.
Example: Employees perform a self-check, and a third-party assessor later reviews the same controls.
Memory trick: Internal checks inside; external validates outside.
Trick question tip: Independent outside review gives stronger stakeholder confidence.
Vendor selection
Vendor selection is the process of evaluating providers to reduce outsourcing, procurement, third-party, and supply chain risk.
Example: An organization reviews vendor security, compliance, financial stability, reputation, and reliability before signing a contract.
Memory trick: Choose partners carefully before trusting them.
Trick question tip: Vendor selection focuses on reducing third-party risk before procurement or outsourcing.
Vendor risk criteria
Vendor risk criteria are factors used to evaluate whether a vendor fits the organization’s risk tolerance and business needs.
Example: Criteria include financial stability, operational reliability, data security, regulatory compliance, reputation, and technical capability.
Memory trick: Vendor criteria are the vendor report card.
Trick question tip: Financial, operational, security, compliance, and reputation factors are vendor risk criteria.
Third-party vendor
A third-party vendor is an external organization or person that independently provides goods, services, technology, or support.
Example: A cloud provider, managed service provider, software supplier, contractor, or development agency can be a third-party vendor.
Memory trick: Third party means an outside organization helping your business.
Trick question tip: External providers that support operations are third-party vendors.
Vendor due diligence
Vendor due diligence is the systematic process of gathering and analyzing vendor information before entering or expanding a relationship.
Example: A company reviews a vendor’s security practices, financial stability, compliance history, technical capabilities, and past performance.
Memory trick: Due diligence means investigate before you depend on them.
Trick question tip: Comprehensive vendor investigation before selection points to due diligence.
Vendor risk profile
A vendor risk profile summarizes a vendor’s risk level based on security, compliance, reliability, financial condition, reputation, access, and operations.
Example: A vendor with weak security controls and access to sensitive data receives a high-risk profile.
Memory trick: Risk profile is the vendor’s risk picture.
Trick question tip: Vendors should align with the organization’s risk tolerance.
Vendor reliability and integrity
Vendor reliability is the ability to deliver consistently, while vendor integrity is honesty, transparency, and ethical behavior.
Example: A vendor with frequent outages lacks reliability; a vendor hiding incidents lacks integrity.
Memory trick: Reliability asks if they can perform; integrity asks if they can be trusted.
Trick question tip: Outages point to reliability; deception or hidden issues point to integrity.
Vendor GRC
Vendor GRC connects vendor evaluation to governance, risk management, and compliance requirements.
Example: A vendor assessment checks whether a provider supports required laws, policies, and risk controls.
Memory trick: GRC ties vendor trust to rules and risk.
Trick question tip: Governance, risk, and compliance together point to GRC.