A comprehensive set of flashcards covering key concepts from ITEC 3500: Information Technology Risk Management. These cards include essential topics such as Risk & Compliance, Information Security, IT Governance, and the Enterprise Risk Management (ERM) Framework. Designed for efficient study and active recall, these cards will help reinforce your understanding of the material and prepare you for the midterm exam.
ERM
Enterprise Risk Management involves identifying potential events affecting an entity and managing risks within its risk appetite.
Risk Appetite
The level of risk an organization is willing to accept in pursuit of its business objectives.
Risk Universe
A comprehensive list of all possible risks that could impact an organization's objectives.
KRI
Key Risk Indicators are metrics signaling increasing risk exposures in various areas of an enterprise.
ALE
Annual Loss Expectancy is the expected loss per year calculated as Single Loss Expectancy * Annualized Rate of Occurrence.
SLE
Single Loss Expectancy is the potential loss amount for a single event impacting a company.
ARO
Annualized Rate of Occurrence represents the estimated frequency of a specific threat happening within a year.
Leading Indicators
Proactive metrics identifying emerging trends for risks to enable preventive actions.
Lagging Indicators
Reactive metrics providing information about past events and their impacts.
Three Lines of Defense
A risk governance model involving Risk Owners, Risk Oversight, and Risk Assurance to manage risks effectively.
Risk Owners
First line of defense responsible for managing risks within their respective business areas.
Risk Oversight
Second line of defense providing oversight and guidance on risk management across the organization.
Risk Assurance
Third line of defense ensuring the effectiveness of risk management processes and controls.
IT Risk
Potential events related to IT systems that could have adverse effects on business operations.
Risk Management Framework
A structured approach to identify, assess, and mitigate risks in alignment with organizational objectives.
Risk Language
Common terminology used to communicate and assess risks consistently across an organization.
Risk Reporting
The process of documenting and communicating information about risks to relevant stakeholders.
Risk Mitigation
Actions taken to reduce the likelihood or impact of identified risks.
Risk Assessment
The process of evaluating potential risks to determine their likelihood and impact on business objectives.
Risk Governance
The structure and processes through which an organization manages risks effectively.
Risk Framework
A set of tools, practices, and guidelines for managing risks consistently within an organization.
Risk Culture
The values, beliefs, and behaviors related to risk within an organization.
Risk Strategy
A plan outlining how an organization intends to manage and respond to risks to achieve its objectives.
Risk Monitoring
The ongoing process of tracking and evaluating risks to ensure they are within acceptable levels.
Risk Response
The actions taken to address identified risks, including acceptance, avoidance, mitigation, or transfer.
Risk Register
A documented list of identified risks, their likelihood, impact, and planned responses.
Risk Tolerance
The level of risk that an organization is willing to accept or retain.
Risk IT Principles
Connect to Business Objectives
Align IT Risk Management With ERM
Balance Cost/Benefit of IT Risk
Promote Fair and open Communication
Establish Tone at the Top and Accountability
Function as Part of Daily Activities
IT Risk Management (ITRM)
Risk & Compliance: Responding & Managing Regulatory Requirements
Information Security: Managing & Mitigating External & Internal Security Threats
IT Governance: Aligning IT Delivery with Business Requirements
Service Assurance: Enabling Operational Effectiveness & Efficiency
Options to respond to an identified risk
1. Remediate or mitigate the risk
2. Avoid the risk
3. Transfer the risk
4. Accept the risk
Key considerations when selecting an option
A) Cost vs. benefits
B) Only business owners can accept risk
C) Rare to eliminate risk entirely
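The ALE, SLE and ARO cards and the "cost vs. benefits" consideration above are normally applied together: a control is worth implementing only if the ALE it removes exceeds what it costs each year. The following is an added worked example, not part of the course material; the ransomware scenario, the asset values, exposure factors and control costs are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # value of the exposed asset, in dollars (constructed)
    exposure_factor: float  # fraction of the asset lost per event, 0.0 - 1.0
    aro: float              # Annualized Rate of Occurrence: expected events per year

    @property
    def sle(self) -> float:
        # Single Loss Expectancy = asset value * exposure factor
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        # Annual Loss Expectancy = SLE * ARO
        return self.sle * self.aro


def control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual benefit of a control: the ALE it removes minus its yearly cost.
    A negative result means the control costs more than the risk it eliminates."""
    return before.ale - after.ale - annual_control_cost


def recommend(before: Scenario, after: Scenario, annual_control_cost: float) -> str:
    """Map the cost/benefit result onto the risk response options."""
    net = control_value(before, after, annual_control_cost)
    if net > 0:
        return "mitigate"
    # Residual risk is never zero; if the control does not pay for itself, the
    # business owner must accept the risk, transfer it, or look for a cheaper control.
    return "reject control: accept, transfer, or find a cheaper option"


if __name__ == "__main__":
    # Constructed scenario: ransomware on a file server, expected once every two years.
    current = Scenario("ransomware, no control", asset_value=500_000, exposure_factor=0.4, aro=0.5)
    # Offline backups plus endpoint detection shrink the loss per event but not its frequency.
    with_control = Scenario("ransomware, backups+EDR", asset_value=500_000, exposure_factor=0.1, aro=0.5)

    print(f"SLE now: {current.sle:,.0f}  ALE now: {current.ale:,.0f}")
    print(f"SLE with control: {with_control.sle:,.0f}  ALE with control: {with_control.ale:,.0f}")
    for cost in (30_000, 90_000):
        print(f"control at {cost:,}/yr -> net {control_value(current, with_control, cost):,.0f}: "
              f"{recommend(current, with_control, cost)}")
```

The same control is a good decision at $30,000 per year and a bad one at $90,000 per year; the ALE reduction ($75,000) is the ceiling on what the business should pay for it.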
Risk appetite
Enterprise-level statement, set by senior management, of how much risk the organization is willing to take in pursuit of its business objectives
Risk tolerance
Tolerable deviation from risk appetite level, requiring case-by-case approval
Inherent risk
Risk level without considering management actions
Controls
Technical, administrative, or physical measures to mitigate risks
Control effectiveness
Assessed as highly effective, somewhat effective, or not effective
Residual risk
Remaining risk after risk response implementation, aiming to reduce to an acceptable level
Business Continuity Planning (BCP)
Ensuring business functionality in adverse situations like disasters
Disaster Recovery (DR)
Focused on recovering IT systems to maintain business operations
Business Impact Analysis (BIA)
Examination of business processes to understand recovery objectives
Recovery Time Objective (RTO)
Maximum acceptable time to restore a business process after a disruption; it must be shorter than the process's MTD
Recovery Point Objective (RPO)
Acceptable data loss measured in time, determining backup frequency
Maximum Tolerable Downtime (MTD)
Total time a business process can be disrupted without causing unacceptable consequences
Full backup
Complete copy of entire data set, time-consuming but simplifies recovery
Incremental backup
Backup method that only backs up data that has changed since the last full or incremental backup.
Differential backup
Backup method that includes all data changed since the last full backup.
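The practical difference between the three backup types shows up at restore time (how many backup sets must be applied) and in the RPO (how much work is lost). The following is an added example, not from the course material; the weekly schedule, the day numbering and the `Backup`, `restore_chain` and `data_loss_days` names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Backup:
    kind: str   # "full", "incremental" or "differential"
    day: int    # day on a constructed timeline (0 = Sunday full backup)


def restore_chain(backups: List[Backup], failure_day: int) -> List[Backup]:
    """Return, in apply order, the backups needed to recover to the most recent
    backup completed before failure_day.

    full + incrementals: the last full plus EVERY incremental after it, because
    each one holds only the changes since the previous backup.
    full + differentials: the last full plus ONLY the newest differential, because
    each one holds all changes since the last full, making earlier ones redundant.
    """
    usable = sorted((b for b in backups if b.day < failure_day), key=lambda b: b.day)
    full_positions = [i for i, b in enumerate(usable) if b.kind == "full"]
    if not full_positions:
        raise ValueError("no full backup exists before the failure; nothing to restore from")
    last_full = full_positions[-1]
    chain = [usable[last_full]]
    partials = usable[last_full + 1:]
    if not partials:
        return chain
    kinds = {b.kind for b in partials}
    if kinds == {"incremental"}:
        chain.extend(partials)
    elif kinds == {"differential"}:
        chain.append(partials[-1])
    else:
        raise ValueError(f"unsupported mix of backup types after the last full: {sorted(kinds)}")
    return chain


def data_loss_days(backups: List[Backup], failure_day: int) -> int:
    """Worst-case data loss in days if the system fails on failure_day: the gap
    back to the last completed backup. This is the number to compare with the RPO."""
    earlier = [b.day for b in backups if b.day < failure_day]
    if not earlier:
        raise ValueError("no backup exists before the failure")
    return failure_day - max(earlier)


def meets_rpo(backups: List[Backup], failure_day: int, rpo_days: int) -> bool:
    return data_loss_days(backups, failure_day) <= rpo_days


if __name__ == "__main__":
    # Constructed weekly schedules: Sunday full backup, then one partial backup per day.
    incremental_week = [Backup("full", 0)] + [Backup("incremental", d) for d in range(1, 7)]
    differential_week = [Backup("full", 0)] + [Backup("differential", d) for d in range(1, 7)]
    for label, schedule in (("incremental", incremental_week), ("differential", differential_week)):
        chain = restore_chain(schedule, failure_day=4)  # disk fails on Thursday
        print(f"{label}: apply {[f'{b.kind}@day{b.day}' for b in chain]}, "
              f"lose {data_loss_days(schedule, 4)} day(s) of data")
```

With a Thursday failure the incremental schedule needs four sets (full plus three incrementals) while the differential schedule needs two; both lose the same one day of work, so the RPO is fixed by backup frequency, not by backup type.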
Hot site
Recovery site with all necessary equipment and IT systems ready for quick deployment.
Warm site
Recovery site partially equipped with basic resources, requiring longer setup time than a hot site.
Cold site
Basic recovery site with minimal equipment, suitable for low-cost recovery solutions.
Hash function
One-way function that maps input of any length (for example a password) to a fixed-size digest; the digest is stored instead of the password and cannot be reversed to recover it.
Salting
Process of adding a random, per-user value to the password before hashing, so that identical passwords produce different hashes and precomputed rainbow tables are useless.
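The two cards above are easiest to see side by side: an unsalted hash gives every user with the same password the same stored value (which is exactly what a rainbow table exploits), while a salted, iterated hash does not. The following is an added example using the Python standard library, not code from the course; PBKDF2-HMAC-SHA256 is the slow hash chosen here, the storage format and function names are my own, and the iteration count is an assumption to be tuned to your hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2 (assumption): tune so one hash takes roughly 100 ms on your servers.
ITERATIONS = 200_000


def unsalted_sha256(password: str) -> str:
    """The weak pattern: one fast hash, no salt. Equal passwords -> equal digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The salt is random per user and is mixed into the INPUT of the hash, not
    appended to the output; it is stored in clear alongside the digest so the
    same computation can be repeated at login."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed example: two users who happen to choose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("unsalted, same for both:", unsalted_sha256("correct horse battery staple")[:16], "...")
    print("salted alice:", alice[-16:], " salted bob:", bob[-16:], " equal?", alice == bob)
    print("alice logs in:", verify_password("correct horse battery staple", alice))
    print("wrong password:", verify_password("Correct horse battery staple", alice))
```

Because the salt is stored with the hash it is not a secret; its job is to make every stored value unique so an attacker must attack each one separately, and the iteration count makes each attempt expensive.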
Symmetric encryption
Encryption method using a single secret key for both encryption and decryption processes.
Asymmetric encryption
Encryption method using a pair of public and private keys for secure communication.
Digital signature
Electronic validation method ensuring the integrity and authenticity of a message.
Objective of Information Security
The goal of ensuring that data is kept safe and secure from unauthorized access or alterations.
Confidentiality
The security objective focused on ensuring that data is not accessed by unauthorized individuals, including encryption, data loss prevention, and access controls.
Availability
The security objective ensuring that data and systems are accessible and usable when needed, involving redundancy, backup, and fail-over measures.
Integrity
The security objective focused on maintaining the accuracy and reliability of data, involving measures like hashing, digital signing, and access control.
Preventive control
Controls designed to stop security incidents from occurring, such as secure entrances and granting read-only access.
Detective control
Controls aimed at identifying security incidents or patterns as they occur, like alarm systems and network scanning.
Corrective control
Controls implemented to fix issues after a security incident has taken place, such as using backup tapes to restore data.
Defense in depth
The principle of having multiple layers of security defenses so that if one layer is breached, others can still provide protection.
Segregation of duties
The practice of separating tasks to reduce the risk of fraud or errors, ensuring that no single individual has control over all aspects of a process.
Minimum privilege (least privilege)
The concept of granting individuals the least amount of access and permissions necessary to perform their job functions.
Need to know
The principle that restricts information access to only those who require it for their specific roles and responsibilities.
Data Owner
The individual responsible for the 'due care' of data, defining data classification and being accountable for associated risks.
Data Custodian
Responsible for the day-to-day maintenance and protection of data, ensuring security controls are in place.
System Owner
The individual ultimately responsible for a system, making decisions on access, risks, and system usage.
System Custodian
Responsible for the maintenance and operation of a system, implementing security controls and ensuring data protection.
Technical vulnerability
Weaknesses within systems or processes that can be exploited by threat actors, leading to security breaches.
Non-technical vulnerability
Weaknesses related to human behavior or processes that can be exploited by threat actors, posing security risks.
System Vulnerability
A web application bug may enable Internet-based attackers to access sensitive data using SQL injection.
Human Vulnerability
An employee who lacks security training might click a phishing email and thus pose a security risk to the organization.
Process Vulnerability
A company’s HR has built a hiring process which does not require background checking for the selected candidates.
CVE
Dictionary for publicly disclosed cyber vulnerabilities
CVSS
Rating standard for technical vulnerabilities that measures severity rather than risk.
Microsoft Patch Tuesday
Monthly release of Microsoft security patches
Remote Code Execution
Vulnerability class that lets an attacker run arbitrary code on a target system over the network; typically rated among the highest CVSS severities in Windows patch releases
Most Effective way of Addressing Technical vulnerabilities
Implementing security patches in a timely manner.
Zero Day Vulnerability
A vulnerability for which no vendor patch exists yet, whether or not it is already publicly known or being exploited; defenders have had "zero days" to prepare
Security Patching Challenges
Many vendors do not follow a pre-determined schedule to release security patches. Some patches may not be captured by IT security in a timely manner.
Implementing security patches is a disruptive process for business and can be very costly
Proactive Approach for Dealing with Technical Vulnerabilities
Closely monitoring vendor releases and announcements. Whenever critical vulnerabilities are made public by vendors (or other trusted sources), kick off the patch management procedure immediately.
Reactive Approach for Dealing with Technical Vulnerabilities
Conduct vulnerability scans on all IT systems and applications on a regular basis (e.g., monthly, quarterly, etc.). Then address the findings with a risk-based approach, i.e., vulnerabilities with higher level of severity need to be addressed more quickly.
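The "risk-based approach" in the reactive card and the CVSS card's point that CVSS measures severity rather than risk fit together in a patch-prioritization rule: severity sets a base deadline, and exposure context that CVSS does not capture (here, whether the host is Internet-facing) tightens it. The following is an added example, not from the course; the CVSS v3.x severity bands are the standard ones, but the SLA days, the halving rule for exposed hosts, the findings, hosts and dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative severity bands (None / Low / Medium / High / Critical)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Hypothetical remediation deadlines per band, in days. This is an organizational
# policy choice (assumption), not part of CVSS.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": None}


@dataclass(frozen=True)
class Finding:
    host: str
    summary: str
    cvss: float
    first_seen: date
    internet_facing: bool = False   # exposure context that the CVSS score itself does not carry


def due_date(f: Finding) -> Optional[date]:
    """Severity sets the base SLA; exposure halves it, turning a severity score
    into a risk-based deadline. Informational (score 0) findings have no deadline."""
    sla = SLA_DAYS[cvss_severity(f.cvss)]
    if sla is None:
        return None
    if f.internet_facing:
        sla = max(1, sla // 2)
    return f.first_seen + timedelta(days=sla)


def overdue(findings: List[Finding], today: date) -> List[Tuple[int, Finding]]:
    """Findings past their deadline, most overdue first (ties broken by higher CVSS)."""
    late = []
    for f in findings:
        due = due_date(f)
        if due is not None and today > due:
            late.append(((today - due).days, f))
    late.sort(key=lambda item: (-item[0], -item[1].cvss))
    return late


if __name__ == "__main__":
    # Constructed scan results from a quarterly scan; no real hosts or advisories.
    scan = [
        Finding("srv-web-01", "remote code execution in web framework", 9.8, date(2024, 2, 1), internet_facing=True),
        Finding("srv-db-01", "privilege escalation in database service", 7.5, date(2024, 1, 15)),
        Finding("wks-17", "local information disclosure", 5.3, date(2024, 2, 20)),
        Finding("vpn-gw-01", "weak TLS cipher offered", 3.1, date(2023, 12, 1), internet_facing=True),
    ]
    for days_late, f in overdue(scan, today=date(2024, 3, 1)):
        print(f"{days_late:3d} days late  {cvss_severity(f.cvss):8s} {f.host:12s} {f.summary}")
```

Note that the Low-severity finding on the VPN gateway still ends up on the overdue list: a risk-based queue orders work by exposure and elapsed time, not by the CVSS number alone.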
Compensating Control
Alternate protection when original control is impractical
Vulnerability Scans
Regular checks for IT system weaknesses
Root Cause Fix
Addressing the main source of a security flaw
Risk Analysis
Examining situation and documenting risk factors
Compensating Control Example
Retaining Windows 7 machines that cannot be upgraded, but with restricted network and user access
Key Risk Indicators
Metrics to monitor phishing email risk levels
Identification
The process of establishing and centrally managing the identity of an individual, such as providing identification information like a SIN (Social Insurance Number) or driver's license.
Authentication
The process of verifying that an individual is who they claim to be, typically through credentials like a user ID and password or a smart card.
Authorization
The process of mapping individual users to the resources they are allowed to access, determining what resources an identified user can access.
Two-factor authentication
A security process that requires two different authentication methods for access, such as a user ID/password and a physical token showing one-time passwords.
Active Directory (AD)
A directory service in a Windows environment managed by the Domain Controller, used to determine user access to network resources through Group Policy settings.
Accountability
Maintaining audit logs and ensuring non-repudiation, allowing tracking of user actions and preventing denial of performed actions in security incidents.
Biometric systems
Security systems that use unique physical or behavioral characteristics of individuals for authentication, such as palm scans, hand geometry, retina scans, and iris scans.
Type I Error
An error in a biometric system where an authorized user is rejected, also known as the false rejection rate (FRR).
Type II Error
An error in a biometric system where an unauthorized user is accepted, also known as the false acceptance rate (FAR).
Crossover Error Rate (CER)
The threshold setting at which the Type I (FRR) and Type II (FAR) rates are equal; a lower CER indicates a more accurate system, and moving the threshold trades one error type for the other.
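The three biometric error cards describe one curve: as the match-score threshold rises, genuine users start being rejected (Type I) while impostors stop being accepted (Type II), and the CER is where the two rates cross. The following is an added example, not from the course material; the match scores are constructed and the function names are my own.

```python
from typing import List, Sequence, Tuple


def error_rates(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """Return (FRR, FAR) at a given match-score threshold.

    FRR (Type I): fraction of genuine attempts scoring BELOW the threshold (rejected).
    FAR (Type II): fraction of impostor attempts scoring AT OR ABOVE it (accepted)."""
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine: List[float], impostor: List[float], steps: int = 100) -> Tuple[float, float]:
    """Sweep the threshold over [0, 1] and return (threshold, CER) at the point where
    FRR and FAR are closest to equal. A lower CER means a more accurate system."""
    best_gap, best = None, None
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_gap, best = gap, (t, (frr + far) / 2)
    return best


def tradeoff(genuine: List[float], impostor: List[float], thresholds: Sequence[float]):
    """(threshold, FRR, FAR) rows showing how tightening the threshold moves errors
    from Type II (security) to Type I (usability)."""
    return [(t,) + error_rates(genuine, impostor, t) for t in thresholds]


if __name__ == "__main__":
    # Constructed match scores in [0, 1] from a hypothetical iris scanner:
    # the enrolled user's own attempts, and attempts by other people.
    genuine = [0.95, 0.90, 0.88, 0.85, 0.80, 0.78, 0.70, 0.65, 0.60, 0.55]
    impostor = [0.10, 0.20, 0.30, 0.35, 0.40, 0.50, 0.58, 0.62, 0.68, 0.75]
    for t, frr, far in tradeoff(genuine, impostor, (0.5, 0.6, 0.7, 0.8, 0.9)):
        print(f"threshold {t:.2f}: FRR (Type I) {frr:.0%}  FAR (Type II) {far:.0%}")
    t, cer = crossover_error_rate(genuine, impostor)
    print(f"crossover at threshold {t:.2f}, CER {cer:.0%}")
```

For a high-security door you would set the threshold above the crossover and accept more false rejections; for a convenience login you would set it below. The CER is what lets two systems be compared independently of where each deployment chooses to sit.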
Iris Scan
A biometric method capturing the colored portion of the eye surrounding the pupil, known for its high accuracy in identification.