SECURITY-MANAGEMENT PRACTICES | The CISSP Cram Sheet

Three goals of risk management are to identify risks, quantify the impact of potential threats, and find an economic balance between the impact of the risk and the cost of the countermeasure.
A threat is a natural or man-made event that could have a negative impact on the organization. A vulnerability is a flaw, loophole, oversight, or error that makes the organization susceptible to attack or damage.
There are two approaches to dealing with risk:

Quantitative analysis Assigns real numbers or dollar amounts to the costs of countermeasures and the amount of damage that can occur. Pure quantitative risk analysis is not possible.

Qualitative analysis Looks at different scenarios of risk possibilities and ranks the seriousness of the threats and the sensitivity of the assets.
Formulas used for quantitative analysis include

EF (exposure factor) = Percentage of an asset loss caused by an identified threat

SLE (single loss expectancy) = Asset value Exposure factor

ALE (annualized loss expectancy) = Single loss expectancy Annualized rate of occurrence
Risk is dealt with in the following ways (these can be combined):

Risk reduction Implements a countermeasure to alter or reduce the risk

Risk transference Purchases insurance to transfer a portion or all of the potential cost of a loss to a third party

Risk acceptance Deals with risk by accepting the potential cost and loss

Risk rejection Pretends risk doesn't exist and ignores the risk
Security policies can be regulatory, advisory, or informative.
Security must flow from the top of the organization.
Types of security documents include

Policies General statements produced by senior management

Standards Tactical documents that are more specific than policies

Guidelines Point to a statement in a policy or procedure by which to determine a course of action

Procedures The lowest level in the policy that provide step-by-step instructions to achieve a certain task