Risk and Asset identification
Terms in this set (7)
risk register
A document in which the results of risk analysis and risk response planning are recorded, one entry per identified risk.
fields in a risk register
- unique ID
- business impact
- mitigation steps and priorities
- residual risk
- risk owner
risk assessment process
1 - identify assets: physical assets, intellectual property, personnel, and intangible assets (data, reputation)
2 - conduct a threat assessment to identify the threats to each asset and estimate the resulting risks
3 - conduct an impact analysis to estimate the cost to the business if each threat occurs
4 - design mitigation strategies and record the chosen responses, priorities, and residual risk in the register
threat assessment
Helps an organization identify and categorize the threats to its assets.
(Improves the security posture of a system or application by ranking threats, so resources aren't squandered on low-priority threats.)
impact analysis
A list of the potential costs, both direct and indirect, tangible or intangible, that would be incurred if a threat occurs.
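The four steps above and the register fields, worked through as one small example. This is an added illustration, not part of the flashcard set: the 1-5 likelihood and impact scales, the risk appetite of 8, and the three sample entries are constructed assumptions.

```python
"""Worked example of the risk-assessment steps as a small risk register.
Added example, not from the original flashcard set: the 1-5 scales, the
risk appetite and the sample entries are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    """One row of the register, using the fields listed in the set."""
    risk_id: str        # unique ID
    asset: str          # step 1: the exposed asset (physical, IP, personnel, intangible)
    threat: str         # step 2: threat identified during the threat assessment
    likelihood: int     # step 2: 1 (rare) .. 5 (almost certain)   [assumed scale]
    impact: int         # step 3: 1 (negligible) .. 5 (severe)     [assumed scale]
    owner: str          # risk owner accountable for the response
    # step 4: mitigation steps as (description, likelihood drop, impact drop)
    mitigations: list = field(default_factory=list)

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            v = getattr(self, name)
            if not 1 <= v <= 5:
                raise ValueError(f"{name} must be 1..5, got {v}")

    def inherent_score(self) -> int:
        """Business impact before any mitigation (likelihood x impact)."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Residual risk: what remains after the planned mitigations."""
        lik, imp = self.likelihood, self.impact
        for _desc, d_lik, d_imp in self.mitigations:
            lik = max(1, lik - d_lik)
            imp = max(1, imp - d_imp)
        return lik * imp


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("R-001", "customer database (intangible/data)", "ransomware delivered by phishing",
         likelihood=4, impact=5, owner="CISO",
         mitigations=[("MFA and phishing-resistant authentication", 2, 0),
                      ("tested offline backups", 0, 2)]),
    Risk("R-002", "primary data centre (physical)", "extended power outage",
         likelihood=2, impact=4, owner="Facilities manager",
         mitigations=[("UPS plus generator with fuel contract", 0, 3)]),
    Risk("R-003", "product source code (intellectual property)", "insider exfiltration",
         likelihood=3, impact=4, owner="VP Engineering",
         mitigations=[]),   # no response planned yet
]


def prioritize(register):
    """Mitigation priority: highest inherent score first, so effort is not
    squandered on low-priority threats."""
    return [r.risk_id for r in sorted(register, key=lambda r: r.inherent_score(), reverse=True)]


def needs_more_treatment(register, appetite: int):
    """IDs whose residual risk still exceeds the organisation's risk appetite."""
    return [r.risk_id for r in register if r.residual_score() > appetite]


if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.risk_id} {r.owner:20} inherent={r.inherent_score():2} residual={r.residual_score():2}")
    print("priority:", prioritize(SAMPLE_REGISTER))
    print("above appetite (8):", needs_more_treatment(SAMPLE_REGISTER, appetite=8))
```

Running it ranks R-001 (ransomware, score 20) ahead of R-003 and R-002 for mitigation, and shows that after the planned controls only R-003, which has no response recorded, still sits above the assumed appetite: the residual-risk field is what tells the owner whether the register entry is closed or needs further treatment.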
Privacy Impact Assessment
"An analysis of how information is handled:
(i) to ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy;
(ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and
(iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks."

A PIA should disclose what PII is being collected, why it is being collected, the intended uses of the PII, with whom the PII will be shared, what opportunities individuals have to opt out of its collection or use, how the PII will be secured, whether a system of records is being created under the Privacy Act, and an analysis of the information life cycle.

In practice a PIA is a checklist or tool used to ensure that a system collecting personal information is evaluated for privacy risks, designed with life-cycle principles in mind, and built so that effective and required privacy protection measures are used. It should be completed before the privacy project, product, or service is implemented and should continue throughout its deployment.

A PIA should be used to assess new systems, significant changes to existing systems, operational policies and procedures, and the intended use of the information. PIAs should also be used before, during, and after mergers and acquisitions. An effective PIA evaluates the sufficiency of privacy practices and policies against existing legal, regulatory, and industry standards, and maintains consistency between policy and operational practice.
privacy threshold assessment (PTA)
A) more commonly called a privacy threshold "analysis" rather than an "assessment"
B) a compliance tool used in conjunction with the PIA; it is completed first to determine whether a system handles PII and therefore whether a full PIA is required
C) identifies systems that hold PII