Risky Business
The cyclical process of identifying, assessing, analyzing, and responding to risks.
What is Risk Management?
Determining that a risk is within the organization’s appetite and no countermeasures other than ongoing monitoring is needed.
What is Risk Acceptance?
The “hostile” or attacking team in a penetration test or incident response exercise.
What is Offensive Penetration Testing?
The amount that would be lost in a single occurrence of a particular risk factor.
What is Single Loss Expectancy (SLE)?
A document that defines the expectations for a specific business arrangement.
What is a Statement of Work (SOW)/Work Order (WO)?
Within overall risk assessment, specific process of listing sources of risk due to threats and vulnerabilities.
What is Risk Identification?
Reducing risk to fit within an organization’s willingness to accept risk.
What is Risk Mitigation (or Remediation)?
The defensive team in a penetration test or incident response exercise.
What is Defensive Penetration Testing?
The total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).
What is Annualized Loss Expectancy (ALE)?
A contract that establishes precedence and guidelines for any business documents that are executed between two parties.
What is a Master Service Agreement (MSA)?
Process for qualifying or quantifying the likelihood and impact of a factor.
What is Risk Analysis?
In risk mitigation, the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario.
What is Risk Deterrence (or Reduction)?
Assessment techniques that extend to site and other physical security systems.
What is Physical Penetration Testing?
In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.
What is the Annualized Rate of Occurrence (ARO)?
An agreement that sets the service requirements and expectations between a consumer and a provider.
What is a Service-Level Agreement (SLA)?
The process of identifying risks, analyzing them, developing a response strategy for them, and mitigating their future impact.
What is Risk Assessment?
In risk mitigation, the practice of ceasing activity that presents risk.
What is Risk Avoidance?
A holistic approach that combines different types of penetration testing methodologies and techniques to evaluate an organization’s security operations.
What is Integrated Penetration Testing?
Metric for a device or component that predicts the expected time between failures.
What is Mean Time Between Failures (MTBF)?
Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.
What is a Memorandum of Understanding (MOU)?
A periodic summary of relevant information about a project’s current risks. It provides a summarized overview of known risks, realized risks, and their impact on the organization.
What is Risk Reporting?
In risk mitigation, the response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.
What is Risk Transference (or Sharing)?
Penetration testing techniques that interact with target systems directly.
What is Active Reconnaissance?
Metric representing average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.
What is Mean Time to Repair (MTTR)?
Legal document forming the basis for two parties to cooperate without a formal contract (a cooperative agreement). MOAs are often used by public bodies.
What is a Memorandum of Agreement (MOA)?
The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.
What is Enterprise Risk Management (ERM)?
A category of risk management that uses alternate mitigating controls to control an accepted risk factor.
What is a Risk Exception?
Penetration testing techniques that do not interact with target systems directly.
What is Passive Reconnaissance?
The maximum time allowed to restore a system after a failure event.
What is Recovery Time Objective (RTO)?
An agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.
What is a Nondisclosure Agreement (NDA)?
A document highlighting the results of risk assessments in an easily comprehensible format (such as a “traffic light” grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.
What is a Risk Register?
A category of risk management that accepts an unmitigated risk factor.
What is a Risk Exemption?
A definition of how a pen test will be executed and what constraints will be in place. This provides the pen tester with guidelines to consult as they conduct their tests so that they don’t have to constantly ask management for permission to do something.
What are the Rules of Engagement (RoE)?
The longest period that an organization can tolerate lost data being unrecoverable.
What is Recovery Point Objective (RPO)?
Agreement by two companies to work together closely, such as the partner agreements that large IT companies set up with resellers and solution providers.
What is a Business Partnership Agreement (BPA)?
The method by which emerging risks are identified and analyzed so that changes can be adopted to proactively avoid issues from occurring.
What are Key Risk Indicators (KRIs)?
Risk that remains even after controls are put into place.
What is Residual Risk?
The longest period that a process can be inoperable without causing irrevocable business failure.
What is Maximum Tolerable Downtime (MTD)?
A legal principal that a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system.
What is Due Diligence?
A graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders.
What is a Heat Map Risk Matrix?
Risk that an event will pose if no controls are put in place to mitigate it.
What is Inherent Risk?
In disaster recovery, time additional to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event.
What is Work Recovery Time (WRT)?
In vendor management, structured means of obtaining consistent information, enabling more effective risk analysis and comparison.
What is a Questionnaire?
Systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.
What is a Business Impact Analysis (BIA)?
Determines the thresholds that separate different levels of risk.
What is Risk Tolerance?
In quantitative risk analysis, the chance of an event that is expressed as a percentage.
What is Probability?
When an individual or organization has investments or obligations that could compromise their ability to act objectively, impartially, or in the best interest of another party.
What is a Conflict of Interest?