Auditor
Provides an independent view of the design, effectiveness, and implementation of controls.
Categorization
The process of determining the impact of the loss of confidentiality, integrity, or availability of the information to an organization.
Classification System
A system designed to ensure information is marked in such a way that only those with an appropriate level of clearance can have access to the information.
Corrective Action Plan
A plan that takes the output of the risk assessment and identifies the tasks that must be accomplished to mitigate the identified risks.
Corrective Controls
Controls that limit the damage from a security incident and restore the affected system to normal operation after the incident has occurred (for example, restoring from backup or patching the exploited weakness).
Detective Controls
Controls that identify and record security events or incidents after they occur, so that they can be investigated and corrected (for example, audit logging and monitoring, intrusion detection, or periodic access reviews).
Gap Analysis
An assessment that establishes the current security posture of your organization, compares it with the targeted security posture, and sets realistic expectations for closing the difference.
Impact
The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
Preventative Controls
Controls that deter or stop an incident before it occurs, or reduce its impact on the system if it does (for example, access control, encryption, or input validation).
Risk
The possibility of loss, typically expressed as a function of the likelihood that a threat source exploits a vulnerability and the impact that results.
Risk Assessment
The process of identifying, estimating, and prioritizing information security risks.
Risk Management
The discipline of identifying, assessing, and reducing risk to an acceptable level and preventing loss to a business, through measures such as security controls, safety measures, and insurance.
Risk Mitigation
The practice of eliminating, or significantly decreasing, the level of risk presented, typically by applying controls.
Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) Assurance Program
Utilizes a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by health care organizations.
Threat
Any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information.
Threat Source
Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
Vulnerability
An inherent weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat source.
Vulnerability Assessments
Assessment focused on the technology aspects of an organization, such as the network or applications, to identify weaknesses that a threat source could exploit.
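The Categorization, Impact, Risk Assessment and Corrective Action Plan entries above describe a procedure that is easier to see as code. The following is an added example, not part of the original glossary or of any HITRUST material. It applies the high-water-mark rule from FIPS 199 (the overall category is the highest impact level assigned to loss of confidentiality, integrity or availability), scores each risk as likelihood multiplied by impact, and turns the risks above an acceptance threshold into corrective-action tasks. The three-level impact scale matches FIPS 199; the likelihood scale, the scoring formula, the threshold and the sample risk register are illustrative assumptions.

```python
from dataclasses import dataclass

# Ordinal scales. The impact levels mirror FIPS 199 LOW/MODERATE/HIGH; the
# likelihood scale is an illustrative assumption for this example.
IMPACT = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
LIKELIHOOD = {"RARE": 1, "POSSIBLE": 2, "LIKELY": 3}


def categorize(confidentiality: str, integrity: str, availability: str) -> str:
    """Categorization: the security category of an information type is the
    highest (high-water mark) of the impact levels assigned to loss of
    confidentiality, integrity and availability."""
    levels = (confidentiality, integrity, availability)
    for lvl in levels:
        if lvl not in IMPACT:
            raise ValueError(f"unknown impact level: {lvl}")
    return max(levels, key=IMPACT.__getitem__)


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: a threat source paired with the
    vulnerability it could exploit, plus the estimated likelihood and impact."""
    threat_source: str
    vulnerability: str
    likelihood: str  # key of LIKELIHOOD
    impact: str      # key of IMPACT

    def score(self) -> int:
        # Assumed scoring formula: likelihood x impact on the ordinal scales.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def prioritize(risks):
    """Risk assessment: estimate each risk and order the register from the
    highest score to the lowest; ties are broken by impact, since a
    high-impact event is usually treated first."""
    return sorted(risks, key=lambda r: (r.score(), IMPACT[r.impact]), reverse=True)


def corrective_action_plan(risks, threshold=4):
    """Corrective action plan: every risk whose score meets or exceeds the
    acceptance threshold (assumed value 4) becomes a mitigation task."""
    return [
        f"Mitigate {r.vulnerability} (source: {r.threat_source}, score {r.score()})"
        for r in prioritize(risks)
        if r.score() >= threshold
    ]


# Constructed sample register; not taken from any real assessment.
SAMPLE_RISKS = [
    Risk("external attacker", "unpatched VPN appliance", "LIKELY", "HIGH"),
    Risk("careless insider", "PHI exported to unencrypted USB", "POSSIBLE", "HIGH"),
    Risk("power failure", "no UPS on imaging server", "RARE", "MODERATE"),
    Risk("external attacker", "verbose error pages on public site", "LIKELY", "LOW"),
]

if __name__ == "__main__":
    print("Category of a PHI system:", categorize("HIGH", "MODERATE", "MODERATE"))
    for r in prioritize(SAMPLE_RISKS):
        print(r.score(), r.threat_source, r.vulnerability)
    for task in corrective_action_plan(SAMPLE_RISKS):
        print(task)
```

Running the script ranks the unpatched VPN appliance (score 9) and the unencrypted PHI export (score 6) ahead of the two low-scoring items, and only those two reach the corrective action plan; the power-failure risk, despite its MODERATE impact, falls below the threshold because it is rare.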