competitive advantage
what sets the organization apart from others and provides it with a distinctive edge for meeting customer needs in the marketplace
competitive disadvantage
the need for an organization to avoid falling behind the competition due to a lack of the ability to design and create safe environments in which business processes and procedures can function
risk management
identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all components in the organization's information system
risk identification
examining and documenting the security posture of an organization's information technology and the risks it faces
risk control
applying controls to reduce the risks to an organization's data and information systems
field change order (FCO)
an authorization issued by an organization for the repair, modification, or update of a piece of equipment
data classification scheme
an information scheme used throughout an organization that helps secure confidentiality and integrity of information that is typically used by corporations
security clearance
a single authorization level assigned to each data user that indicates the level of classification he or she is authorized to view
need-to-know
a standard that must be met to override a data user's current security clearance
clean desk policy
a policy that requires that employees secure all information in appropriate storage containers at the end of each day
dumpster diving
the practice of searching trash and recycling bins to retrieve information that could embarrass a company or compromise information security
threat assessment
the process of examining an organization's threats to assess their potential to endanger the organization
risk assessment
evaluating the risk for each vulnerability after identifying an organization's information assets and threats
likelihood
(in terms of an organization's information assets) the probability that a specific vulnerability will be the object of a successful attack
residual risks
the risk that remains to the information asset after the existing control has been applied
access controls
used to determine if and how to admit a user into a trusted area of the organization
mandatory access controls (MACs)
a particular access control structured and coordinated with a data classification scheme; it gives users and owners limited control over access to information resources
lattice-based access controls
a particular access control in which users are assigned a matrix of authorizations for particular areas of access
access control list (ACL)
the column of attributes associated with a particular object within a lattice-based access control
capabilities table
(within an access control list) the row of attributes associated with a particular subject
non-discretionary controls
controls managed by a central authority in an organization
role-based controls
a type of non-discretionary control that is based on an individual's role
task-based controls
a type of non-discretionary control that is based on a set of specified tasks assigned to an individual
discretionary controls
controls implemented at the discretion or option of the data user
avoidance
the preferred risk control strategy; it attempts to prevent exploitation of the vulnerability by countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards
transference
control approach that attempts to shift risk to other assets, processes, or other organizations by rethinking how services are offered, outsourcing to other organizations, purchasing insurance or implementing service contracts with providers
mitigation
control approach that attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation
cost avoidance
the process of avoiding the financial impact of an incident by implementing controls
cost benefit analysis/economic feasibility
process of examining the cost to protect an asset and the benefit of the protection based on the asset's worth
single loss expectancy (SLE)
the calculation of the value associated with the most likely loss from an attack
exposure factor (EF)
the expected percentage of loss that would occur from a particular attack
annualized rate of occurrence (ARO)
how often a specific type of attack is expected to occur
annualized loss expectancy (ALE)
the determination/calculation of the overall lost potential per risk
quantitative assessment
assessment using actual values or estimates
qualitative assessment
evaluation process based on characteristics that do not use numerical measures
benchmarking
process of seeking out and studying the practices used in other organizations that produce results an individual would like to duplicate in their organization
performance gap
provides insight into the areas an organization should work on to improve its security posture and defenses
standard of due care
proof that an organization maintains a certain level of security (which it has adopted) that is acceptable among organizations of the same capacity
due diligence
demonstration that an organization is diligent in ensuring that the implemented standards of due care continue to provide the required level of protection
best business practices/best practices/recommended practices
security efforts that seek to provide a superior level of performance in the protection of information
base-lining
value or profile of a performance metric against which changes in the performance metric can be usefully compared
organizational feasibility
a feasibility analysis that examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness and overall operation of an organization
operational feasibility (or behavioral feasibility)
analysis that examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders; it measures the behavior of users
technical feasibility
analysis that examines whether or not the organization has or can acquire the technology necessary to implement and support the proposed control
political feasibility
analysis that determines what can and cannot occur based on the consensus and relationships among the communities of interest
risk appetite
defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility