Chapter 1: Security Principles Flashcards
Vulnerability
Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.
Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event.
Threat
Any circumstance or event with the potential to adversely impact organisational operations (including mission, functions, image or reputation), organisational assets, individuals, other organisations or the nation through an information system via unauthorised access, destruction, disclosure, modification of information and/or denial of service.
Threat Vector
The means by which a threat actor carries out their objectives.
Risk Likelihood
The probability that a risk will occur.
Risk Impact
Risk impact is the potential consequence or damage that a problem can cause if it occurs. It can be measured in terms of financial loss, operational disruption, customer dissatisfaction, reputation damage, legal liability, or any other relevant metric.
Risk Identification
Risk identification (RI) is a set of activities that detect, describe and catalog all potential risks to assets and processes that could negatively impact business outcomes in terms of performance, quality, damage, loss or reputation.
Risk Acceptance
Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.
Risk Avoidance
Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.
Risk Transference
Paying an external party to accept the financial impact of a given risk.
Security Controls
Measures that mitigate the impact or reduce the likelihood of a threat occurring.
NIST 800-53
The NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organisations is a set of recommended security and privacy controls for federal information systems and organisations to help meet the Federal Information Security Management Act (FISMA) requirements.
PCI-DSS
The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.
Cost/Benefit Analysis
A cost-benefit analysis is a systematic process that businesses use to analyse which decisions to make and which to forgo.
Risk Appetite
Risk appetite is the level of risk that an organisation is willing to accept while pursuing its objectives, and before any action is determined to be necessary in order to reduce the risk.