SSCP - Risk Identification, Monitoring, and Analysis Flashcards
ISC2 Systems Security Certified Practitioner (SSCP) Flashcards

| Front | Back |
| --- | --- |
| Define corrective control | A control used to restore a system or data to its original state after a security incident |
| Define detective control | A control designed to identify and alert to a security event after it has occurred |
| Define preventive control | A control that is implemented to stop a security incident from occurring |
| Define risk appetite | The amount and type of risk an organization is willing to accept to achieve its objectives |
| Define risk tolerance | The acceptable level of deviation from the organization's risk appetite |
| Define threat | Any potential event or circumstance that can cause harm to an asset, system, or organization |
| Define vulnerability | A weakness in a system, design, procedure, or control that can be exploited by a threat |
| Explain Annualized Loss Expectancy (ALE) | ALE is the predicted yearly financial loss due to a specific risk, calculated as SLE times annualized rate of occurrence |
| Explain Single Loss Expectancy (SLE) | SLE is the monetary value of a single loss event, calculated as asset value times exposure factor |
| What are three types of controls used to mitigate risks | Preventive, detective, corrective |
| What does 'impact' refer to in risk analysis | The potential damage or consequences resulting from a threat exploiting a vulnerability |
| What does 'likelihood' refer to in risk analysis | The probability of a threat materializing |
| What does the acronym CIA stand for in security | Confidentiality, Integrity, and Availability |
| What is a residual risk | The remaining risk after applying security controls or mitigating measures |
| What is a risk assessment | A systematic process to identify, evaluate, and prioritize risks to an organization's assets |
| What is a risk matrix | A tool used to assess and prioritize risks by mapping their likelihood and impact |
| What is a risk register | A document that identifies and tracks risks, their impact, likelihood, and mitigation strategies |
| What is a security incident | An event that threatens the confidentiality, integrity, or availability of information or systems |
| What is a zero-day vulnerability | A vulnerability that is unknown to the vendor and has no available patch or fix |
| What is an attack vector | The route or method used by a threat actor to exploit a vulnerability |
| What is qualitative risk analysis | An analysis method that uses subjective judgment to prioritize risks based on their impact and likelihood |
| What is quantitative risk analysis | An analysis method that assigns numerical values to risks and their potential impact |
| What is risk identification | The process of determining potential threats and vulnerabilities to an organization's assets |
| What is risk monitoring | The ongoing process of assessing existing risks, monitoring residual risks, and identifying new risks |
| What is the primary goal of risk management | To reduce the impact and likelihood of risks affecting an organization's objectives |
| What is the purpose of a Business Impact Analysis (BIA) | To identify critical business processes and the impact of their disruption |
| What is threat modeling | A process to identify, understand, and address security threats to a system or process |
| Why are Key Risk Indicators (KRIs) important | They help monitor changing risk conditions and alert management to potential issues |
| Why is continuous monitoring important in risk management | To ensure that risk controls remain effective and that any new risks are identified quickly |
About the Flashcards
Flashcards for the ISC2 Systems Security Certified Practitioner (SSCP) exam reinforce essential terminology and processes used in enterprise risk management. Review how to identify threats, recognize vulnerabilities, and determine likelihood and impact so you can accurately describe risk identification, assessment, and mitigation concepts tested on the exam.
Cards cover qualitative and quantitative analysis techniques, preventive, detective, and corrective controls, as well as key metrics like SLE, ALE, KRIs, and risk appetite. You will also practice using a risk register, risk matrix, and Business Impact Analysis while reinforcing security fundamentals such as the CIA triad, attack vectors, and threat modeling.
Topics covered in this flashcard deck:
- Risk identification & assessment
- Threats, vulnerabilities, impacts
- Qualitative vs quantitative analysis
- Security controls & monitoring
- Risk metrics & documentation