CISM Terms

ISACA CISM


File details

Flashcards 43
Language English
Category Technical
Level Other
Created / Updated 14.11.2013 / 16.08.2019
Web link
https://card2brain.ch/box/cism_terms
RTO

The RTO (Recovery Time Objective) defines the amount of time allowed for the recovery of a business function or resource after a disaster occurs.

RPO

RPO (Recovery Point Objective) is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.

MTO

MTO (Maximum Tolerable Outage) defines the maximum time that an enterprise can support processing in alternate (or emergency) mode.

SDO

SDO (Service Delivery Objective) is directly related to the business needs; it is the level of services to be reached during the alternate process mode until the normal situation is restored.

What is intrinsic risk

The same as inherent risk

What is inherent risk

Risk that is present in the normal course of conducting business

What is residual risk

The risk that remains after having applied mitigation measures

What is operational risk

Risks that occur due to operating a business, i.e. all IT-related risks

What is systemic risk

Risks that affect a whole system, e.g. the banking sector

What is aggregated risk

When multiple minor vulnerabilities aggregate and lead to a significant impact.

What is the fundamental goal of risk management?

Reduce risks to an acceptable level

What is a control risk

The risk that a control will not work as expected.

Cascading risk

A risk likely in closely integrated/coupled systems as one failure can lead to a chain reaction.

Risk mitigation

The management of risk through the use of countermeasures and controls.

Risk avoidance

The process for systematically avoiding risk, e.g. by omitting processes or projects.

Risk transfer

The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service.

AIW

AIW (Acceptable Interruption Window) defines the maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objectives.

Exposure

The potential loss to an area due to the occurrence of an adverse event.

ALE

ALE (Annual Loss Expectancy) = SLE (Single Loss Expectancy) * ARO (Annualized Rate of Occurrence), where SLE = AV (Asset Value) * EF (Exposure Factor).

Enumerate the four risk treatment options

Terminate, Transfer, Mitigate, Accept.

Enumerate the steps of the NIST risk assessment methodology

1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation

What are the six basic outcomes of effective security governance?

1. Strategic alignment
2. Risk management
3. Value delivery
4. Resource management
5. Performance management
6. Integration

What is governance?

A set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring objectives are achieved, risk is managed appropriately and resources are used responsibly.

What topics should be covered by a security strategy?

Define long-term objectives, include business linkage and define the desired state.

What BCM testing types exist?

Checklist review
Structured walkthrough
Simulation test
Parallel test
Full interruption test

Describe a checklist review

This is a preliminary step to a real test. Recovery checklists are distributed to all members of a recovery team to review and to ensure the list is current.

Describe a structured walkthrough

Team members physically implement the plans on paper and review each step to assess its effectiveness and identify enhancements, constraints and deficiencies.

Describe a simulation test

The recovery team role-plays a prepared disaster scenario without activating processes at the recovery site.

Describe a parallel test

The recovery site is brought to a state of operational readiness, but operations at the primary site continue normally.

Describe a full interruption test

Operations are shut down at the primary site and shifted to the recovery site in accordance with the recovery plan. This is the most rigorous form of testing but is expensive and potentially disruptive.

How to progressively increase the difficulty of recovery test…

Start with a table-top walkthrough, continue with a table-top walkthrough with mock disaster scenarios, test infrastructure and recovery of critical applications with and without involvement of end users, test full restoration with some personnel unfamiliar with the systems, test the communication plan, and do surprise tests.

What should a business case contain?

1) all the factors that materially affect the project's success or failure
2) benefits, cost and risks
3) financial aspects like TCO
4) describing the exact scope
5) describing the added value (value proposition)
6) deliverables / outcome
7) project metrics

ROI

Return on investment is either calculated as a specific financial measurement or used as a collective term. Collective term = gain of investment - cost of investment; financial measurement = usually expressed as a % over three years.

ROSI

Return on security investment = gain from implemented security - cost of implementing security

EVA

Equity Value Analysis: works well when a company's assets are mainly intellectual property, goodwill or marketing allure.

NPV

Net Present Value

TCO

Total Cost of Ownership: refers to the deployment and operational cost, usually for a 3-year period. It helps to differentiate solutions while separating deployment cost (i.e. HW, setup, customizing) and operational cost (continuous license fees, operations, etc.).

IRR

Internal Rate of Return

What are the CMM maturity levels?

Level 1: initial -> undocumented, ad-hoc
Level 2: repeatable -> documented so that repetition can be achieved
Level 3: defined -> process is defined
Level 4: managed -> using process metrics, management can measure and control
Level 5: optimizing -> includes process optimization and improvement

What types of alternate (or recovery) sites exist?

1) Cold sites: have only a basic environment (cabling, air conditioning, etc.) ready; the site is ready to receive equipment and may require weeks to become operational
2) Warm sites: have complete infrastructure but only partly configured in terms of IT; may have some less powerful computer equipment ready
3) Hot sites: fully configured and ready to operate within several hours; require only staff, programs and data
4) Duplicate sites: dedicated recovery site similar to the primary site so it can take over quickly; can be a standby hot site or a reciprocal agreement
5) Mirror sites: if continuous uptime and availability is required, this type may be the best
6) Mobile sites: like cold sites but mobile and can be rented