A security control that is inherited by one or more organizational information systems
Common control
The approach used to assess risk and its contributing risk factors
Assessment approach
Maintaining ongoing awareness to support organizational risk decisions
Continuous Monitoring
A cyberattack where threat actors make machines and other network resources unavailable to their intended users
Denial of Service (DoS) attack
A time-phased or situation-dependent combination of risk response measures
Course of Action
The potential of harm to organizational operations due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.
Information security risk
All components of an information system to be authorized for operation by an authorizing official
Authorization boundary
Any observable occurrence in a network or system
Event
What are the two main aspects of risk?
Likelihood and Impact
The neutralization or elimination of a vulnerability or the likelihood of its exploitation
Remediation
The portion of risk remaining after security measures have been applied
Residual Risk
A risk management process for determining the level of security required for information or an information system.
Security categorization
The measure of importance assigned to information by its owner for the purpose of denoting its need for protection
Sensitivity
What are the three preliminary aspects of risk identification which have to be identified first before risk can be determined?
Assets, Threats, Vulnerabilities
What acronym do you use to remember the four risk treatment options?
MATA, as in the phrase "What is the matter?" (with "matter" pronounced "MATA")
Mitigate, Accept, Transfer/Share, Avoid
The individual, group, or organization responsible for conducting a risk assessment
Risk assessor
The characterization of information based on an assessment of the potential impact that a loss of CIA would have on the organization.
Security category
Any circumstance or event with the potential to adversely impact organizational operations
Threat
Which role is in the best position to identify risks to information or information systems?
Asset owner and/or data owner
What document requires additional information if the risk treatment option is to ACCEPT?
Risk Register
The rationale for the ACCEPT decision has to be documented by the risk owner.
A structured approach used to oversee and manage risk for an enterprise
Risk Management Framework (RMF)
A formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned
Security Plan
Weakness in an information system, system security procedure, internal control or implementation
Vulnerability
When identifying risks, should the risk to people be considered? (Y/N)
Yes, people are assets
Which treatment option transfers a portion of the risk to a third party?
Sharing