SSCP - Risk Identification, Monitoring, and Analysis  Flashcards

ISC2 Systems Security Certified Practitioner (SSCP) Flashcards

Front: Define corrective control
Back: A control used to restore a system or data to its original state after a security incident

Front: Define detective control
Back: A control designed to identify and alert to a security event after it has occurred

Front: Define preventive control
Back: A control that is implemented to stop a security incident from occurring

Front: Define risk appetite
Back: The amount and type of risk an organization is willing to accept to achieve its objectives

Front: Define risk tolerance
Back: The acceptable level of deviation from the organization's risk appetite

Front: Define threat
Back: Any potential event or circumstance that can cause harm to an asset, system, or organization

Front: Define vulnerability
Back: A weakness in a system, design, procedure, or control that can be exploited by a threat

Front: Explain Annualized Loss Expectancy (ALE)
Back: ALE is the predicted yearly financial loss due to a specific risk, calculated as SLE times annualized rate of occurrence

Front: Explain Single Loss Expectancy (SLE)
Back: SLE is the monetary value of a single loss event, calculated as asset value times exposure factor

Front: What are three types of controls used to mitigate risks
Back: Preventive, detective, corrective

Front: What does 'impact' refer to in risk analysis
Back: The potential damage or consequences resulting from a threat exploiting a vulnerability

Front: What does 'likelihood' refer to in risk analysis
Back: The probability of a threat materializing

Front: What does the acronym CIA stand for in security
Back: Confidentiality, Integrity, and Availability

Front: What is a residual risk
Back: The remaining risk after applying security controls or mitigating measures

Front: What is a risk assessment
Back: A systematic process to identify, evaluate, and prioritize risks to an organization's assets

Front: What is a risk matrix
Back: A tool used to assess and prioritize risks by mapping their likelihood and impact

Front: What is a risk register
Back: A document that identifies and tracks risks, their impact, likelihood, and mitigation strategies

Front: What is a security incident
Back: An event that threatens the confidentiality, integrity, or availability of information or systems

Front: What is a zero-day vulnerability
Back: A vulnerability that is unknown to the vendor and has no available patch or fix

Front: What is an attack vector
Back: The route or method used by a threat actor to exploit a vulnerability

Front: What is qualitative risk analysis
Back: An analysis method that uses subjective judgment to prioritize risks based on their impact and likelihood

Front: What is quantitative risk analysis
Back: An analysis method that assigns numerical values to risks and their potential impact

Front: What is risk identification
Back: The process of determining potential threats and vulnerabilities to an organization's assets

Front: What is risk monitoring
Back: The ongoing process of assessing existing risks, monitoring residual risks, and identifying new risks

Front: What is the primary goal of risk management
Back: To reduce the impact and likelihood of risks affecting an organization's objectives

Front: What is the purpose of a Business Impact Analysis (BIA)
Back: To identify critical business processes and the impact of their disruption

Front: What is threat modeling
Back: A process to identify, understand, and address security threats to a system or process

Front: Why are Key Risk Indicators (KRIs) important
Back: They help monitor changing risk conditions and alert management to potential issues

Front: Why is continuous monitoring important in risk management
Back: To ensure that risk controls remain effective and that any new risks are identified quickly
This deck includes concepts related to risk management, threat identification, and implementing monitoring tools and techniques to analyze security risks.