Lesson 15: Explain Risk Management Processes


51 Terms

1. Risk Identification
The process of finding and listing things that could cause problems.

2. Risk Assessment
The process of finding possible problems and figuring out how to reduce or prevent them.

3. Risk Analysis
The process of figuring out how likely a risk is to happen and how serious the damage would be.

4. Quantitative Risk Analysis
A way to use numbers to measure how likely a risk is and how much damage it could cause.

5. Qualitative Risk Analysis
The process of using logic and judgment to decide how likely a risk is and how bad it could be when you don't have exact numbers.

6. Inherent Risk
The risk a threat would cause if nothing were done to stop it.

7. Risk Management Strategy
A proactive and organized process that involves finding risks, evaluating how serious they are, deciding which ones to focus on, and taking action to reduce their impact.

8. Risk Responses
  • Avoid
  • Accept
  • Transfer
  • Mitigate

9. Residual Risk
The risk that's left over after you've taken steps to reduce or control it.

10. Risk Appetite
The amount of risk an organization is willing to accept in order to achieve its goals.

11. Risk
A measure of threats, vulnerabilities, impact, and probability.

12. Risk Register
A list or document that keeps track of all the risks an organization has identified, along with details about each one.

13. Risk Threshold
The limit of how much risk an organization is willing to live with before it must take action.

14. Key Risk Indicators (KRIs)
Predictive indicators used for monitoring and predicting potential risks.

15. Business Impact Analysis
The process of figuring out how much damage a business would suffer if important systems or operations stopped working.

16. Maximum Tolerable Downtime (MTD)
The longest amount of time a business can afford to have a system or process down before it causes serious damage.

17. Recovery Time Objective (RTO)
The amount of time you aim to take to recover a system or service after a disruption.

18. Work Recovery Time (WRT)
The amount of time needed after systems are restored to get everything fully working again.

19. Recovery Point Objective (RPO)
The maximum amount of data a business is willing to lose in a disruption, measured in time.

20. Third-Party Vendor Assessment
When a company checks how safe and trustworthy another company is before working with them.

21. Conflict of Interest
When a person or group has a reason to put their own benefit first, which could make it hard to stay fair or honest in their decisions.

22. Vendor Assessment Method
One of the different ways a company can check and evaluate how secure, reliable, and compliant a vendor is before or during a business relationship.

23. Vendor Assessment Methods
  • Evidence of Internal Audits
  • Independent Assessments
  • Penetration Testing
  • Supply Chain Analysis
  • Right-to-Audit Clause

24. Evidence of Internal Audits
The documents, records, or findings that show an internal audit was done and what it found.

25. Independent Assessments
Outside reviews done by someone not directly involved in the work or system being evaluated.

26. Penetration Testing
When security experts simulate a real cyberattack to find and fix weak spots in a system before hackers can exploit them.

27. Supply Chain Analysis
The process of examining every step involved in getting a product or service from the supplier to the customer, to understand how it works and where risks exist or improvements can be made.

28. Right-to-Audit Clause
A part of a contract that gives one party the legal right to review or inspect the other party's records, systems, or processes to make sure they're following the rules.

29. Vendor Monitoring
Regularly checking vendors to make sure they're still following security rules, legal requirements, and contract terms.

30. Memorandum of Understanding (MOU)
A nonbinding agreement that explains what two or more parties plan to do together, including their shared goals and the basic terms of cooperation.

31. Nondisclosure Agreement (NDA)
An agreement that says you won't share confidential information with anyone who isn't allowed to know it.

32. Memorandum of Agreement (MOA)
A formal, legally binding agreement that clearly defines each party's goals, roles, responsibilities, and resources.

33. Business Partnership Agreement (BPA)
An agreement by two companies to work together closely.

34. Master Service Agreement (MSA)
The overall terms and conditions that will apply to all future contracts or projects between two parties.

35. Service-Level Agreement (SLA)
A detailed agreement that says how well a service must be delivered.

36. Statement of Work (SOW)
A detailed document that explains exactly what work will be done, who will do it, when, how, and for how much.

37. Work Order (WO)
A shorter document that gives the green light to start a specific task or job.

38. Rules of Engagement (RoE)
Guidelines outlining how the parties will interact.

39. Attestation
Proof that your security measures are in place and effective.

40. Internal Assessment
A self-review done by an organization to check how well its processes, systems, or controls are working.

41. External Assessment
A review or evaluation done by an outside party to check whether an organization's systems, processes, or controls meet required standards, laws, or best practices.

42. Ethical Hacking
A security expert (ethical hacker) uses hacking skills legally to test an organization's defenses and help improve security.

43. Active Reconnaissance
Actively probing and interacting with target systems and networks to gather information.

44. Passive Reconnaissance
The process of gathering information about target systems and networks without touching them, by using publicly available data or watching traffic quietly.

45. Known Environment Penetration Testing
The tester has detailed knowledge of the target system or network.

46. Partially Known Environment Penetration Testing
The tester has limited knowledge about the target system or network.

47. Unknown Environment Penetration Testing
The tester has little to no prior knowledge about the target system or network.

48. Offensive Penetration Testing aka "Red Teaming"
A safe way to attack your own system to find and fix weaknesses before real hackers do.

49. Defensive Penetration Testing aka "Blue Teaming"
Tests how good your organization is at spotting and stopping attacks.

50. Physical Penetration Testing
Checking how easy it is for someone to physically break in or bypass security at a site.

51. Integrated Penetration Testing
Combines different types of penetration testing techniques to evaluate an organization's security operations.