Principles of Information Security Chapter 4

competitive advantage

what sets the organization apart from others and provides it with a distinctive edge for meeting customer needs in the marketplace

competitive disadvantage

the need for an organization to avoid falling behind the competition because it lacks the ability to design and create safe environments in which its business processes and procedures can function

risk management

identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all components in the organization's information system

risk identification

examining and documenting the security posture of an organization's information technology and the risks it faces

risk control

applying controls to reduce the risks to an organization's data and information systems

field change order (FCO)

an authorization issued by an organization for the repair, modification, or update of a piece of equipment

data classification scheme

a scheme, used throughout an organization, that categorizes information by its sensitivity so that the confidentiality and integrity of each category can be protected to the degree it requires

security clearance

a single authorization level assigned to each data user that indicates the level of classification he or she is authorized to view

need-to-know

a standard that must be met in addition to, and that can override, a data user's current security clearance: holding a clearance at or above an item's classification is not sufficient if the user has no need to know that particular item

clean desk policy

a policy that requires that employees secure all information in appropriate storage containers at the end of each day

dumpster diving

the practice of searching trash and recycling bins to retrieve information that could embarrass a company or compromise information security

threat assessment

the process of examining an organization's threats to assess its potential to endanger the organization

risk assessment

evaluating the risk for each vulnerability after identifying an organization's information assets and threats

likelihood

(in terms of an organization's information assets) the probability that a specific vulnerability will be the object of a successful attack

residual risks

the risk that remains to an information asset even after the existing controls have been applied

access controls

used to determine if and how to admit a user into a trusted area of the organization

mandatory access controls (MACs)

a form of access control structured and coordinated with a data classification scheme, in which a central authority decides who may access what; users and owners have only limited control over access to information resources

lattice-based access controls

a particular access control in which users are assigned a matrix of authorizations for particular areas of access

access control list (ACL)

the column of attributes associated with a particular object within a lattice-based access control

capabilities table

(within a lattice-based access control) the row of attributes associated with a particular subject, listing every object that subject may access and how

non-discretionary controls

controls managed by a central authority in an organization

role-based controls

a type of non-discretionary control that is based on an individual's role

task-based controls

a type of non-discretionary control that is based on a set of specified tasks assigned to an individual

discretionary controls

controls implemented at the discretion or option of the data user
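The access-control entries above describe a single structure from several angles: a lattice-based control is a subject-by-object matrix, an ACL is one column of it, a capabilities table is one row, and a mandatory control layers a clearance-versus-classification check (with need-to-know) on top of whatever the matrix grants. The following is an added example, not code from the textbook; the subjects, objects, levels, compartments and rights are constructed sample data and the function names are my own.

```python
# Added example: a lattice-based access control as a subject/object matrix,
# with the mandatory (clearance vs. classification, plus need-to-know) check
# layered on top. All names and data here are constructed samples.

# Classification/clearance levels in dominance order (constructed lattice).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Constructed access matrix: each row is a subject, each column an object,
# each cell the set of rights the subject holds on that object.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "hr_policy.pdf": {"read"}},
    "bob":   {"hr_policy.pdf": {"read"}, "web_logs": {"read", "delete"}},
    "carol": {"payroll.db": {"read"}},
}

# Constructed labels: classification level and compartments per object,
# clearance level and need-to-know compartments per subject.
OBJECT_LABELS = {
    "payroll.db":    ("confidential", {"finance", "hr"}),
    "hr_policy.pdf": ("internal", set()),
    "web_logs":      ("internal", {"ops"}),
}
SUBJECT_LABELS = {
    "alice": ("secret", {"finance", "hr"}),
    "bob":   ("confidential", {"ops"}),
    "carol": ("confidential", {"finance"}),  # cleared high enough, but no "hr" need-to-know
}


def capabilities_table(subject):
    """Row of the matrix: every object this subject can touch and how."""
    return {obj: set(rights) for obj, rights in MATRIX.get(subject, {}).items()}


def access_control_list(obj):
    """Column of the matrix: every subject with rights on this object."""
    return {subj: set(row[obj]) for subj, row in MATRIX.items() if obj in row}


def mac_permits(clearance, need_to_know, classification, compartments):
    """Mandatory check: the clearance must dominate the classification AND the
    subject must hold every compartment of the object. The second condition is
    the need-to-know standard that overrides clearance level alone."""
    return LEVELS[clearance] >= LEVELS[classification] and compartments <= need_to_know


def authorized(subject, obj, right):
    """Final decision: the matrix must contain the right AND the mandatory
    policy must allow the pairing. Unknown subjects or objects are denied."""
    if subject not in SUBJECT_LABELS or obj not in OBJECT_LABELS:
        return False
    discretionary = right in capabilities_table(subject).get(obj, set())
    clearance, ntk = SUBJECT_LABELS[subject]
    classification, comps = OBJECT_LABELS[obj]
    return discretionary and mac_permits(clearance, ntk, classification, comps)


if __name__ == "__main__":
    # Walk every granted cell of the matrix and show which survive the MAC check.
    for subj in MATRIX:
        for obj in OBJECT_LABELS:
            for right in ("read", "write", "delete"):
                if right in capabilities_table(subj).get(obj, set()):
                    verdict = "ALLOW" if authorized(subj, obj, right) else "DENY"
                    print(f"{subj:6} {right:6} {obj:14} -> {verdict}")
```

Running it shows the point of the need-to-know entry: carol holds a confidential clearance and a matrix grant on payroll.db, yet is denied because she lacks the "hr" compartment, while alice, who dominates the classification and holds both compartments, is allowed.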

defense (also called avoidance)

the preferred risk control strategy; it attempts to prevent exploitation of the vulnerability by countering threats, removing vulnerabilities from assets, limiting access to assets, and adding protective safeguards

transference

a control approach that attempts to shift risk to other assets, processes, or organizations by rethinking how services are offered, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers

mitigation

a control approach that attempts to reduce the impact of an exploited vulnerability through planning and preparation

cost avoidance

the process of avoiding the financial impact of an incident by implementing a control before the incident occurs

cost benefit analysis/economic feasibility

the process of examining the cost of protecting an asset against the benefit of that protection, based on the asset's worth

single loss expectancy (SLE)

the calculated value of the most likely loss from a single occurrence of an attack; SLE = asset value x exposure factor

exposure factor (EF)

the expected percentage of an asset's value that would be lost in a single occurrence of a particular attack

annualized rate of occurrence (ARO)

how often a specific type of attack is expected to occur

annualized loss expectancy (ALE)

the calculation of the overall loss potential per risk per year; ALE = SLE x ARO
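The SLE, EF, ARO and ALE entries above, together with the cost-benefit analysis entry, form one chain of arithmetic, and the cost-benefit decision is the standard test CBA = ALE(prior) - ALE(post) - ACS, where ACS is the annual cost of the safeguard. The following is an added worked example, not from the textbook; the web-server scenario, its dollar figures and the function names are constructed for illustration.

```python
# Added example: quantitative risk-assessment arithmetic (SLE, ALE) and the
# cost-benefit test CBA = ALE(prior) - ALE(post) - ACS.
# The scenario and all dollar figures below are constructed samples.

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (EF as a fraction, 0.0 to 1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO; ARO may be fractional (0.1 means once per ten years)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def cost_benefit(ale_prior, ale_post, annual_cost_of_safeguard):
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the control pays for itself."""
    return ale_prior - ale_post - annual_cost_of_safeguard


def evaluate_control(asset_value, ef_before, aro_before, ef_after, aro_after, acs):
    """Run the whole chain for one proposed control and return the figures a
    reviewer wants: ALE before, ALE after, CBA, and whether the control is justified."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_after), aro_after)
    cba = cost_benefit(ale_before, ale_after, acs)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "cba": cba,
        "justified": cba > 0,
    }


# Constructed scenario: a public web server valued at $100,000. Before the control,
# a defacement is expected once every two years (ARO 0.5) and destroys 25% of the
# asset's value. After adding a WAF and a patch cadence costing $5,000 per year,
# the attack is expected once in five years (ARO 0.2) and costs 10% of value.
WEB_SERVER = dict(asset_value=100_000, ef_before=0.25, aro_before=0.5,
                  ef_after=0.10, aro_after=0.2, acs=5_000)

if __name__ == "__main__":
    result = evaluate_control(**WEB_SERVER)
    for name, value in result.items():
        print(f"{name:12}: {value}")
```

The same function run with a $20,000 per year safeguard against the same scenario returns a negative CBA, which is the quantitative form of the feasibility question: the control may work technically and still not be worth buying.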

quantitative assessment

assessment using actual values or estimates

qualitative assessment

evaluation process based on characteristics that do not use numerical measures

benchmarking

the process of seeking out and studying the practices used in other organizations that produce results the organization would like to duplicate

performance gap

the difference between an organization's measured security performance and that of the organizations it benchmarks against; it shows the areas in which the organization should work to improve its security posture and defenses

standard of due care

the level of security that a prudent organization of the same type and capacity would maintain; by adopting it, an organization can show it has done what any such organization would do in similar circumstances

due diligence

the demonstration that an organization is diligent in ensuring that the implemented standards of due care continue to provide the required level of protection

best business practices/best practices/recommended practices

security efforts that seek to provide a superior level of performance in the protection of information

baseline

a value or profile of a performance metric against which later changes in that metric can be usefully compared

organizational feasibility

a feasibility analysis that examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness and overall operation of an organization

operational feasibility (or behavioral feasibility)

analysis that examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders; it measures how users and managers are likely to behave toward the proposed control

technical feasibility

analysis that examines whether or not the organization has or can acquire the technology necessary to implement and support the proposed control

political feasibility

analysis that determines what can and cannot occur based on the consensus and relationships among the communities of interest

risk appetite

defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility