IS Governance & Risk Mgmt Flashcards
Annual Rate of Occurrence (ARO)
The number of times per year that an incident is likely to occur.
Asset
Any person, facility, material, information, or activity that has a positive value to an owner.
Attack
Attempt to gain unauthorized access to an information system’s services, resources, or information, or the attempt to compromise an information system’s integrity, availability, or confidentiality.
Business Continuity Plan (BCP)
A documented and tested plan for keeping critical business functions running, or restoring them quickly, during and after a disruptive event.
COBIT
Control Objectives for Information and Related Technology.
Control
Any protective action, device, procedure, technique, or other measure that reduces exposures.
Countermeasures
The deployment of a set of security services to protect against a security threat.
Due care
The duty of managers and their organizations to provide for information security, so that the type of control, the cost of control, and the way it is deployed are appropriate for the system being managed.
Due diligence
The enforcement of due care policy and provisions to ensure that the due care steps taken to protect assets are working effectively.
Exposure Factor (EF)
The proportion of an asset's value (usually expressed as a percentage) that would be lost if a given threat were realized once.
Information Security Management Systems (ISMS)
The International Organization for Standardization (ISO) defines an ISMS as that part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains, and improves information security.
Likelihood
The qualitative or quantitative probability that a potential hazard will occur or a potential threat will be realized. Some safety standards define six levels of likelihood (lowest to highest): incredible, improbable, remote, occasional, probable, and frequent.
Risk
(1) The probability that a particular security threat will exploit a particular vulnerability resulting in loss or harm to an asset or precluding the organization from reaching a goal or objective.
(2) A combination of the probability of an event and its consequences.
Risk Management
Coordinated activities to direct and control an organization with regard to risk; the discipline of identifying and measuring the security risks associated with an information system, and controlling and reducing those risks to an acceptable level. The goal of risk management is to invest organizational resources to mitigate security risks in a cost-effective manner while enabling timely and effective mission accomplishment. Risk management is an important aspect of information assurance and defense-in-depth.
Safeguard
Protection included to counteract a known or expected condition.
Threat
Any entity or event with the potential to adversely impact an information system through unauthorized access, destruction, disclosure, modification of data, or denial of service.
Threat-source
Either (a) an intent and method targeted at the intentional exploitation of a vulnerability, or (b) a situation and method that may accidentally trigger a vulnerability. Synonymous with threat agent.
Total risk
The potential for the occurrence of an adverse event if no mitigating action is taken (i.e., the potential for any applicable threat to exploit a system vulnerability). See also acceptable risk, residual risk, minimum level of protection.
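Worked example (added here, not part of the original flashcard set): the Annual Rate of Occurrence, Exposure Factor, Risk Management, and Total risk entries above are the pieces of the standard quantitative risk-analysis chain, which the cards do not spell out: SLE = AV x EF, ALE = SLE x ARO (the total risk when no control is applied), and a control is worth buying when ALE before it, minus the residual ALE after it, minus its annual cost, is positive. The script below carries that chain through for one constructed scenario; the asset value, exposure factors, rates, control names and costs are made up for illustration and are not figures from the page.

```python
"""Quantitative risk analysis with the glossary's terms (added example).

Formulas are the standard SLE / ALE / safeguard-value chain; all numbers
below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Exposure:
    """One threat against one asset, before or after a control is applied."""
    asset_value: float  # AV: value of the asset to its owner, in currency units
    ef: float           # Exposure Factor: fraction of AV lost per occurrence (0..1)
    aro: float          # Annual Rate of Occurrence: expected occurrences per year

    def __post_init__(self) -> None:
        # Reject estimates that cannot be right rather than computing garbage.
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"EF must be between 0 and 1, got {self.ef}")
        if self.aro < 0.0 or self.asset_value < 0.0:
            raise ValueError("ARO and asset value must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence of the threat."""
        return self.asset_value * self.ef

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the EF / ARO it is estimated to leave behind."""
    name: str
    annual_cost: float  # purchase amortized per year plus operating cost
    new_ef: float       # exposure factor once the control is in place
    new_aro: float      # occurrence rate once the control is in place


def residual(exposure: Exposure, safeguard: Safeguard) -> Exposure:
    """Residual risk: the same asset with the control's reduced EF and ARO."""
    return Exposure(exposure.asset_value, safeguard.new_ef, safeguard.new_aro)


def safeguard_value(exposure: Exposure, safeguard: Safeguard) -> float:
    """ALE reduction minus annual cost; positive means the control pays for itself."""
    return exposure.ale() - residual(exposure, safeguard).ale() - safeguard.annual_cost


def pick_safeguard(exposure: Exposure, candidates: Iterable[Safeguard]) -> Optional[Safeguard]:
    """Return the control with the highest positive net value, or None when no
    candidate pays off and accepting the total risk is the cheaper choice."""
    best = max(candidates, key=lambda s: safeguard_value(exposure, s), default=None)
    if best is None or safeguard_value(exposure, best) <= 0.0:
        return None
    return best


# Constructed scenario (hypothetical figures): a customer database worth 2,000,000,
# threatened by ransomware that would destroy 40% of its value about once in five years.
RANSOMWARE = Exposure(asset_value=2_000_000.0, ef=0.40, aro=0.20)

# Constructed candidate controls with assumed costs and assumed post-control estimates.
CONTROLS = [
    Safeguard("Offline backups with tested restore", annual_cost=30_000.0, new_ef=0.10, new_aro=0.20),
    Safeguard("EDR plus phishing training", annual_cost=60_000.0, new_ef=0.40, new_aro=0.05),
    Safeguard("Gold-plated cyber insurance rider", annual_cost=200_000.0, new_ef=0.0, new_aro=0.20),
]


if __name__ == "__main__":
    print(f"Total risk: SLE={RANSOMWARE.sle():,.0f}  ALE={RANSOMWARE.ale():,.0f}")
    for ctrl in CONTROLS:
        print(f"{ctrl.name:38} residual ALE={residual(RANSOMWARE, ctrl).ale():>9,.0f}"
              f"  value={safeguard_value(RANSOMWARE, ctrl):>9,.0f}")
    choice = pick_safeguard(RANSOMWARE, CONTROLS)
    print("Cost-effective choice:", choice.name if choice else "accept the risk")
```

The decision rule is the one the Risk Management card implies: the control that gives the largest positive margin between avoided loss and its own cost wins, and a control whose cost exceeds the ALE it removes (the insurance rider here) is rejected even though it drives the residual loss to zero. The EF and ARO inputs are the weak point of any such analysis; the validation in Exposure only catches impossible values, not optimistic ones.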
Vulnerability
A weakness in a system that can be exploited to violate the system’s intended behavior relative to safety, security, reliability, availability, integrity, etc.