Environment for the Analysis of Risk

Glossary

Accountability:
Assurance that it can be always determined who did what and when.

Accountability: A quality that allows all the actions carried out to an information technology system to be associated unequivocally with an individual or entity. [CESID:1997]

Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity. [13335-1:2004]

Accountability: Process of tracing information system activities to a responsible source. [CNSS:2003]

Accreditation:
The action of allowing an information system or network to process sensitive data, determining both the degree to which the design and the implementation of the system meet the pre-set security and technical requirements. [CESID:1997]

Accreditation: Formal declaration by the responsible management approving the operation of an automated system in a particular security mode using a particular set of safeguards. Accreditation is the official authorization by management for the operation of the system, and acceptance by that management of the associated residual risks. Accreditation is based on the certification process as well as other management considerations. [15443-1:2005]

Accumulated risk:
The calculated risk taking into consideration the value of an asset and the value of the assets that depend on it. This value is combined with the degradation caused by a threat and its estimated frequency.

Accumulated value:
Considers the value of the asset itself and that of the assets that depend on it.

Inherited goods: Those inherited from the grandparents. [DRAE]

Asset:
Resources of the information system or related with it that are necessary for the organisation to operate correctly and to reach the objectives proposed by its management.

Asset: Resources of the information system or related with it that are necessary for the organisation to operate correctly and to reach the objectives proposed by its management. [Magerit:1997]

Goods: In terms of values, an element with a positive value making it estimable. [DRAE]

Asset: Anything that has value to the organisation. [13335-1:2004]

Asset: A component or part of the total system. Assets may be of four types: physical, application software, data, or end user services. [CRAMM:2003]

Asset: Something of value to the enterprise. [Octave:2003]

Asset: Any information resource with value that is worth protecting or preserving. [TDIR:2003]

Assets: Information or resources to be protected by the countermeasures of a Target of Evaluation. [CC:1999]

Attack:
Any deliberate action designed to break through the security mechanisms in an information system. [CESID:1997]

Authenticity:
Assurance of identity or origin.

Authentication: The property of giving and recognising the authenticity of the assets in the domain (of information type) and/or the identity of those involved and/or the authorisation by those issuing it, as well as the checking of these three matters. [Magerit:1997]

Authenticity: Having an undisputed identity or origin. [OPSEC]

Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. [800-53:2004]

Authenticity: The property that ensures that the identity of a subject or resource is the one claimed. Authenticity applies to entities such as users, processes, systems, and information. [13335-1:2004]

Availability:
Assurance that the authorised users have access when they require it to the information and its associated assets.

Availability: Property that prevents the unauthorised denial of access to assets in the domain. [Magerit:1997]

Availability: The assurance that data transmissions, computer processing systems, and/or communications are not denied to those who are authorized to use them (JCS 1997). [OPSEC]

Availability: Ensuring timely and reliable access to and use of information. [800-53:2004]

Availability: The extent to which, or frequency with which, an asset must be present or ready for use. [Octave:2003]

Availability: Timely, reliable access to data and information services for authorized users. [CNSS:2003] [TDIR:2003] [CIAO:2000]

Availability: The property of being accessible and usable upon demand by an authorized entity. [7498-2:1989]

Certification:
Confirmation of the result of an evaluation and that the evaluation criteria used were applied correctly.

Confidentiality:
Assurance that the information is accessible only to those authorised to have access.

Confidentiality: A property that prevents the unauthorised disclosure of assets in the domain. [Magerit:1997]

Confidentiality: An assurance that information is not disclosed to unauthorized entities or processes (DOD JP 1994; JCS 1997). [OPSEC]

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [800-53:2004]

Confidentiality: The requirement of keeping proprietary, sensitive, or personal information private and inaccessible to anyone that is not authorized to see it. [Octave:2003]

Confidentiality: Assurance that information is not disclosed to unauthorized persons, processes, or devices. [CNSS:2003] [TDIR:2003]

Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes. [7498-2:1989]

Control:
See safeguard.

Controls selection document:
A formal document for a group of safeguards that shows whether they apply to the information system being studied or whether they are not applicable.

Countermeasure:
See safeguard.

Deficiencies report:
Report: Absence or weakness of safeguards that appear suitable for reducing the risk to the system.

Deflected risk:
The calculated risk taking into consideration the value of an asset. This value is combined with the degradation caused by a threat and its estimated frequency, both measured on the assets on which it depends.

Degradation:
The loss of the value of an asset as a result of the appearance of a threat.

Dimension:
(Of security) An aspect, different to other possible aspects, that allows the value of an asset to be measured in the sense of the damage that would be caused by its loss of value.

Frequency:
The rate at which a threat occurs.

Impact:
The effect that the appearance of a threat has on an asset.

Impact: The effect that the appearance of a threat has on an asset. [Magerit:1997]

Impact: The result of an information security incident. [13335-1:2004]

Impact: The effect of a threat on an organisation's mission and business objectives. [Octave:2003]

Impact: The effect on the organisation of a breach in security. [CRAMM:2003]

Impact analysis:
Study of the consequences to the organisation of a stoppage of duration X.

Incident:
Event with negative consequences for the information system security.

Information security event: An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant. [17799:2005]

Information security incident: Any unexpected or unwanted event that might cause a compromise of business activities or information security. [13335-1:2004]

Incident: A successful or unsuccessful action attempting to circumvent technical controls, organizational policy, or law. This is often called an attack. [TDIR:2003]

Information system:
Computers and electronic communications networks as well as the electronic data stored, processed, retrieved or transmitted by them for their operation, use, protection and maintenance.

Information system: A group of physical and logical elements, communications elements, data and personnel that allow the storage, transmission and processing of information. [Magerit:1997]

Information system: Any system or product designed to store, process or transmit information. [CESID:1997]

Information System: Set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information. [CNSS:2003]

Information System: Any procedure or process, with or without IT support, that provides a way of acquiring, storing, processing or disseminating information. Information systems include applications and their supporting infrastructure. [CRAMM:2003]

Integrity:
Guarantee of the exactness and completeness of the information and the methods for processing it.

Integrity: Property that prevents the unauthorised modification or destruction of assets in the domain. [Magerit:1997]

Information integrity: The state that exists when information is unchanged from its source and has not been accidentally or intentionally modified, altered, or destroyed (NSC EO 1995; JCS 1997). [OPSEC]

Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [800-53:2004]

Integrity: the property of safeguarding the accuracy and completeness of assets. [13335-1:2004]

Integrity: the authenticity, accuracy, and completeness of an asset. [Octave:2003]

Data integrity: A condition existing when data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed. [CNSS:2003] [TDIR:2003] [CIAO:2000]

Data integrity: The data quality that exists as long as accidental or malicious destruction, alteration, or loss of data does not occur. [CRAMM:2003]

Integrity: Condition existing when an information system operates without unauthorized modification, alteration, impairment, or destruction of any of its components. [CIAO:2000]

Residual impact:
The impact remaining in the system after the implementation of the safeguards described in the information security plan.

Residual risk:
The risk remaining in the system after the implementation of the safeguards described in the information security plan.

Residual risk: Risk remaining after applying safeguards in a simulation scenario or in the real world. [Magerit:1997]

Residual risk: The risk that remains after risk treatment. [13335-1:2004]

Residual risk: Portion of risk remaining after security measures have been applied. [CNSS:2003] [CRAMM:2003]

Residual Risk: The potential for the occurrence of an adverse event after adjusting for the impact of all in-place safeguards. [TDIR:2003]

Risk:
Estimate of the degree of exposure to a threat appearing to one or more assets, causing damages or prejudices to the organisation.

Risk: The possibility of a specific impact occurring on an asset, a domain or the entire organisation. [Magerit:1997]

Risk: The probability that a vulnerability in the information system will be used by the threats to that system in order to penetrate it. [CESID:1997]

Risk: combination of the probability of an event and its consequence. [17799:2005] [Guide 73:2002]

Risk: A measure of the potential degree to which protected information is subject to loss through adversary exploitation. [OPSEC]

Risk: the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation. [13335-1:2004]

Risk: Possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability. [CNSS:2003]

Risk: A combination of the likelihood that a threat will occur, the likelihood that a threat occurrence will result in an adverse impact, and the severity of the resulting adverse impact. Reducing either the threat or the vulnerability reduces the risk. [TDIR:2003]

Total risk: The potential for the occurrence of an adverse event if no mitigating action is taken (i.e., the potential for any applicable threat to exploit a system vulnerability). [TDIR:2003]

Risk: A measure of the exposure to which a system or potential system may be subjected. [CRAMM:2003]

Risk analysis:
The systematic process for estimating the size of the risks to which an organisation is exposed.

Risk analysis: Identification of threats to the components belonging or relating to the information system (known as assets) to determine the system's vulnerability to these threats and to estimate the impact or degree of damage that insufficient security may have for the organisation, obtaining a certain knowledge of the risk being run. [Magerit:1997]

Risk analysis: Systematic use of information to identify sources and to estimate the risk. [17799:2005] [Guide 73:2002]

Risk assessment: Process of evaluating the risks of information loss based on an analysis of threats to, and vulnerabilities of, a system, operation or activity. [OPSEC]

Risk analysis: The systematic process of estimating the magnitude of risks. [13335-1:2004]

Risk Analysis: Examination of information to identify the risk to an information system. [CNSS:2003]

Risk Assessment: Process of analyzing threats to and vulnerabilities of an information system, and the potential impact resulting from the loss of information or capabilities of a system. This analysis is used as a basis for identifying appropriate and cost-effective security countermeasures. [CNSS:2003]

Risk Analysis: An analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of occurrence. [TDIR:2003]

Risk Assessment: A study of vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures. The process of evaluating threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations. [TDIR:2003]

Risk management:
Selection and implementation of safeguards to know, prevent, reduce or control the identified risks.

Risk management: Selection and implementation of the security measures or safeguards that are suitable to know, prevent, reduce or control the identified risks and to reduce their potential or possible damage to the minimum. Risk management is based on the results of analysing the risks. [Magerit:1997]

Risk management: A security philosophy which considers actual threats, inherent vulnerabilities, and the availability and costs of countermeasures as the underlying basis for making security decisions (JSCR 1994). [OPSEC]

Risk management: Process of identifying and applying countermeasures commensurate with the value of the assets protected based on a risk assessment. [CNSS:2003]

Risk management: The identification, assessment, and mitigation of probabilistic security events (risks) in information systems to a level commensurate with the value of the assets protected. [CIAO:2000]

Risk map:
Report: List of the threats to which the assets are exposed.

Threat Analysis: The examination of all actions and events that might adversely affect a system or operation. [TDIR:2003]

Threat Assessment: An evaluation of the nature, likelihood, and consequence of acts or events that could place sensitive information and assets at risk. [TDIR:2003]

Risk position:
Report: Characterisation of assets by their residual risk; that is, what could happen, taking into consideration the safeguards deployed.

Safeguard:
Procedure or technological mechanism that reduces the risk.

Control: Means of managing risks, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management or legal nature. [17799:2005]

Countermeasure: Anything which effectively negates or mitigates an adversary's ability to exploit vulnerabilities. [OPSEC]

Safeguard: Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. [800-53:2004]

Safeguard: a practice, procedure or mechanism that treats risk. [13335-1:2004]

Countermeasure: Action, device, procedure, technique, or other measure that reduces the vulnerability of an information system. [CNSS:2003]

Security safeguard: Protective measures and controls prescribed to meet the security requirements specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. [CNSS:2003]

Countermeasure: Any action, device, procedure, technique, or other measure that mitigates risk by reducing the vulnerability of, threat to, or impact on a system. [TDIR:2003]

Safeguards evaluation:
Report: Evaluation of the effectiveness of the existing safeguards in relation to the risks they face.

Security:
The capability of networks or information systems to resist accidents or illegal or malicious actions that compromise the availability, authenticity, integrity and confidentiality of the data stored or transmitted and of the services that these networks or systems make available with a specific level of competence.

Information system security: Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats. [CNSS:2003]

Security audit:
Independent study and examination of the history and activities of an information system in order to check the suitability of the system's controls, to ensure their compliance with the security structure and operational procedures, to detect breaches in security, and to recommend changes in procedures, controls and security structures.

Security plan:
Group of security programmes that put risk management decisions into practice.

Security programme:
Grouping of tasks defined to face the risk to the system. The grouping is made by convenience either because the tasks by themselves lack effectiveness or because the tasks have a common objective or because the tasks involve a single unit of action.

Security project:
Security programme whose scope is such that it requires a specific plan.

Threat:
Events that may cause an incident in the organisation, producing material damage or immaterial losses in its assets.

Threat: Events that may cause an incident in the organisation, producing material damage or immaterial losses in its assets. [Magerit:1997]

Threat: Condition in the information system's environment which may cause a security violation, given the opportunity. [CESID:1997]

Threat: A potential cause of an incident which may result in harm to a system or organisation. [17799:2005][13335-1:2004]

Threat: Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. [800-53:2004]

Threat: Any circumstance or event with the potential to adversely impact an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service. [CNSS:2003]

Threat: An activity, deliberate or unintentional, with the potential for causing harm to an automated information system or activity. [TDIR:2003]

Threat: Any circumstance or event that could harm a critical asset through unauthorized access, compromise of data integrity, denial or disruption of service, or physical destruction or impairment. [CIAO:2000]

A threat is an indication of a potential undesirable event. [NSTISSI:1998]

Threat: A potential violation of security. [7498-2:1989]

Value:
Of an asset. An estimate of the cost of the appearance of a threat.

Value: Quality of some realities, considered goods, which makes them estimable. [DRAE]

Value model:
Report: A description of the value of the assets to the organisation as well as the dependencies between the assets.

Vulnerability:
Estimate of the effective exposure of assets to a threat. It is determined by two measurements: frequency of occurrence and the degradation caused.

Vulnerability: The vulnerability of an asset is the potential or possibility of the appearance of a threat to it. [Magerit:1997]

Vulnerability: Weakness in the security of an information system. [CESID:1997]

Vulnerability: A weakness of an asset or group of assets that can be exploited by one or more threats. [17799:2005][13335-1:2004]

Vulnerability: The susceptibility of information to exploitation by an adversary. [OPSEC]

Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited. [CNSS:2003]

Vulnerability: A weakness or lack of controls that would allow or facilitate a threat actuation against a specific asset or target. [CRAMM:2003]
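As an added worked example (not from the glossary or the EAR tool), the accumulated value, accumulated risk, deflected risk and residual risk entries above carried through in Python over a constructed three-asset dependency chain. The 0-10 value scale, degradation as a fraction of value lost per occurrence, frequency as occurrences per year, the safeguard modelled as cuts to frequency and degradation, and the summing of deflected risk across threats are all assumptions of this example.

```python
# Added example (not from the glossary): accumulated vs deflected risk over a
# constructed asset dependency graph. Scales are assumptions: value 0-10,
# degradation = share of value lost per occurrence, frequency = per year.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float              # own value in one security dimension
    depends_on: tuple = ()    # assets this one rests on (direct dependencies)

@dataclass
class Threat:
    name: str
    target: str               # asset the threat acts on directly
    degradation: float        # fraction of the target's value lost per occurrence
    frequency: float          # expected occurrences per year

def supports(assets, name):
    """Transitive closure of the assets that `name` rests on."""
    seen, stack = set(), list(assets[name].depends_on)
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(assets[n].depends_on)
    return seen

def dependents(assets, name):
    """All assets that rest, directly or indirectly, on `name`."""
    return {a for a in assets if name in supports(assets, a)}

def accumulated_value(assets, name):
    """Own value plus the value of everything that depends on the asset."""
    return assets[name].value + sum(assets[d].value for d in dependents(assets, name))

def accumulated_risk(assets, threat, freq_cut=0.0, deg_cut=0.0):
    """Risk on the asset the threat hits, weighted by its accumulated value.
    freq_cut / deg_cut model a safeguard that removes that share of the
    threat's frequency or degradation: with both at 0 this is the total
    (potential) risk, otherwise the residual risk."""
    deg = threat.degradation * (1 - deg_cut)
    freq = threat.frequency * (1 - freq_cut)
    return accumulated_value(assets, threat.target) * deg * freq

def deflected_risk(assets, name, threats):
    """Risk deflected onto `name` from threats on the assets it rests on
    (itself included): own value times each threat's degradation and
    frequency. Summing over threats is this example's own assumption."""
    chain = supports(assets, name) | {name}
    return sum(assets[name].value * t.degradation * t.frequency
               for t in threats if t.target in chain)

# Constructed sample: a service rests on a database server in a server room.
ASSETS = {a.name: a for a in [
    Asset("server_room", 1.0),
    Asset("db_server", 3.0, ("server_room",)),
    Asset("customer_service", 8.0, ("db_server",)),
]}
THREATS = [
    Threat("fire", "server_room", degradation=1.0, frequency=0.1),
    Threat("disk_failure", "db_server", degradation=0.5, frequency=0.5),
]
```

The fire on the server room carries the whole chain's value (1 + 3 + 8) into its accumulated risk, while the service's deflected risk counts only its own value against every threat below it; passing `freq_cut` and `deg_cut` to `accumulated_risk` gives the residual risk after a safeguard.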

ISO/IEC Guide 73:2002

The International Standard ISO/IEC 17799:2005 structures the same concepts according to ISO Guide 73 [2002]:
Risk management:
coordinated activities to direct and control an organization with regard to risk.
Risk assessment:
overall process of risk analysis and risk evaluation.
Risk analysis:
systematic use of information to identify sources and to estimate risk.
Source identification:
process to find, list and characterize sources.
Risk estimation:
process used to assign values to the probability and consequences of a risk.
Risk evaluation:
process of comparing the estimated risk against given risk criteria to determine the significance of the risk.
Risk treatment:
process of selection and implementation of measures to modify risk.

The following table summarises the correspondence between Guide 73 and Magerit:

Guide 73:2002        Magerit v2
Risk management      Risk analysis and management
Risk assessment
Risk analysis        Risk analysis
Risk treatment       Risk management