Information Technology /Security+ (SY0-701): Lesson 15: Risk Management Part 2
Security+ (SY0-701): Lesson 15: Risk Management Part 2
This deck covers key concepts in risk management, including definitions, frameworks, and processes essential for understanding and managing risk within an organization.
Define 'risk exemption'
A condition where risk can remain without mitigation, usually due to a strategic business decision.
Tap or swipe ↕ to flip
Swipe ←→Navigate
SSpeak
FFocus
1/30
Key Terms
Term
Definition
Define 'risk exemption'
A condition where risk can remain without mitigation, usually due to a strategic business decision.
Define 'residual risk'
Risk that remains even after controls (mitigation/transference/exemption/exception) are put into place.
Define 'risk appetite'
How much risk and what types of risk an organization is willing to take to fulfill its organizational goals and objectives.
In order, list the 5 phases of risk management
Identify Mission Essential Functions
Identify Vulnerabilities
Identify Threats
Analyze Busines...
What are the two main variables when calculating risk?
Likelihood and Impact.
Define 'risk likelihood'
Qualitative analysis used to describe the chance of a risk event happening; Low/Med/High or on some form of a numeric scale.
Related Flashcard Decks
Study Tips
- Press F to enter focus mode for distraction-free studying
- Review cards regularly to improve retention
- Try to recall the answer before flipping the card
- Share this deck with friends to study together
| Term | Definition |
|---|---|
Define 'risk exemption' | A condition where risk can remain without mitigation, usually due to a strategic business decision. |
Define 'residual risk' | Risk that remains even after controls (mitigation/transference/exemption/exception) are put into place. |
Define 'risk appetite' | How much risk and what types of risk an organization is willing to take to fulfill its organizational goals and objectives. |
In order, list the 5 phases of risk management |
|
What are the two main variables when calculating risk? | Likelihood and Impact. |
Define 'risk likelihood' | Qualitative analysis used to describe the chance of a risk event happening; Low/Med/High or on some form of a numeric scale. |
Define 'risk impact' | The severity of the risk if realized as a security incident. |
Define 'risk probability' | Quantitative measure typically expressed as a numerical value to precisely measure the chance of a risk event occurring based on statistical methods. |
What are NIST's Risk Management Framework (RMF) or ISO 31K? | They are enterprise risk management (ERM) policies and procedures. |
Define a 'risk register' | A document showing the results of risk assessments that includes information regarding risks, their severity, the associated owner of the risk, and all identified mitigation strategies. |
Define a 'risk threshold' | Determines risk acceptance; defines the limits or levels of acceptable risk an organization is willing to tolerate. |
What are factors that define a risk threshold? | Regulatory requirements, organizational objectives, stakeholder expectations, and the organization's risk appetite. |
Define 'Key Risk Indicators (KRIs)' | Metrics that provide an early indication of increasing risk exposures in different areas of the organization. |
Define a 'risk owner' | An individual who is accountable for developing and implementing a risk response strategy for a risk documented in a risk register. |
Define 'risk tolerance' | The maximum risk the organization is willing to take for a risk. |
What is the difference between risk tolerance and risk appetite? | Risk appetite is what drives the willingness of the company to take risks. Risk tolerance then defines the boundaries and standards for assessing and responding to those risks. |
What are the 3 levels of risk appetite? |
|
Define an expansionary risk appetite | Willingness to take on higher levels of risk in the pursuit of high returns or aggressive growth. |
Define a conservative risk appetite | Prioritizes risk avoidance. |
Define a neutral risk appetite | Balances expansionary and conservative approaches and is willing to take on risks if they align with strategic objectives and can be managed effectively. |
Define 'risk reporting' | A summarized overview of known risks, realized risks, and their impact on the organization. |
What is the purpose of risk reporting? | Supports decision-making, highlights concerns, and ensures stakeholders understand the organization's risks. |
When assessing mission critical functions, what is an important component of advancing operations? | By reducing the number of dependencies between components. |
How are dependencies between mission critical functions identified? | By performing a business process analysis (BPA) for each function. |
What are the 5 factors to identify when performing a business process analysis (BPA) for a function/process? |
|
What are business process inputs? | Sources of information for performing the function (including the impact if these are delayed or out of sequence). |
What are business process outputs? | Data or resources produced by the function. |
What are business process 'process flows'? | A step-by-step description of how the function is performed. |
What defines business process hardware? | Server(s) or data center that performs the processing. |
How does an organization's staff impact business processes | Needing sufficient staff and resources to support the function. |