Vocab 5 Flashcards
The overall process of managing risk within an organization at all levels, according to the organization’s risk appetite, tolerance, and strategy.
risk management
Involves the application of controls that lower the overall level of risk by reducing the vulnerability, the likelihood that a threat exploits it, or the impact to the asset if the risk is realized.
risk mitigation
The assignment of a particular aspect of risk to a responsible (and accountable) individual, usually a risk practitioner or manager who has the ability to affect risk response through their ownership of assets, controls, or status in the organization.
risk ownership
A collection of detailed data on identified IT risks; typically applied to a specific system or groups of systems.
risk profile
The master product or document that reflects the different risk scenarios and factors for the organization; it could be broken down by asset or system and reflects the different risk factors including threats, vulnerabilities, assets, likelihood, and impact to assets.
risk register
Lists the risk responses that have been chosen and charts their progress and associated timeline, with an appropriate action owner.
risk response action plan
An identified risk event possibility, which consists of a threat actor, threat, vulnerability, and asset.
risk scenario
Often referred to as risk transference; the use of a third party to offset part of the risk. It can involve outsourcing some activities to a third party (or insuring against the loss) to reduce the financial impact of a risk event; accountability for the risk remains with the organization.
risk sharing
The organization’s level of acceptable variation from the risk appetite.
risk tolerance
Seeks to establish a causal relationship between the root cause (or causes) and the problem as it manifested, so that the cause, rather than the symptom, is corrected.
root-cause analysis (RCA)
U.S. law passed in 2002 establishing requirements for public companies in the United States, as well as auditors and accounting firms, to improve the accuracy and reliability of corporate disclosures with regard to securities laws. The law is enforced by the U.S. Securities and Exchange Commission (SEC) and provides governance for the integrity and accuracy of data produced by an organization. For security professionals, this has the effect of imposing specific integrity and protection controls on information systems and processes.
Sarbanes–Oxley Act of 2002 (SOX)
The process of determining the potential impact to the organization, with regard to confidentiality, integrity, and availability, of a loss of information or of an information system. Security categorization uses the qualitative impact levels low, moderate, and high; the system category is the high-water mark across the information types it processes. FIPS 199 and NIST SP 800-60 define the process for the security categorization of information and information systems.
security categorization
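The FIPS 199 categorization process, as an added worked example (not part of the original flashcard set): each information type is categorized per objective, NOT APPLICABLE (written "NA" here) is permitted only for the confidentiality of an information type, the system takes the high-water mark per objective and is never below LOW, and the overall system level is the high-water mark across the three objectives, which FIPS 200 / SP 800-53 use to select a control baseline. The two information types are constructed sample inputs, not taken from any real system.

```python
"""FIPS 199 security categorization with the high-water-mark rule (added example)."""
from typing import Dict, List

# Ordinal ranking of impact levels. "NA" (NOT APPLICABLE) ranks below LOW.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_information_type(name: str, c: str, i: str, a: str) -> Dict[str, str]:
    """Validate one information type's category.

    FIPS 199 allows NOT APPLICABLE only for confidentiality (e.g. content that
    is already public); integrity and availability always have a level.
    """
    for objective, level in zip(OBJECTIVES, (c, i, a)):
        if level not in LEVELS:
            raise ValueError(f"{name}: unknown impact level {level!r} for {objective}")
        if level == "NA" and objective != "confidentiality":
            raise ValueError(f"{name}: NA is only permitted for confidentiality")
    return {"name": name, "confidentiality": c, "integrity": i, "availability": a}


def categorize_system(info_types: List[Dict[str, str]]) -> Dict[str, str]:
    """Derive the system category from the information types it processes.

    Each objective takes the highest level among the information types
    (high-water mark). NA is not allowed at system level, so an objective
    whose types are all NA is raised to LOW (the low-water mark FIPS 199
    sets for protecting the system's own processing functions).
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    system: Dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = max(LEVELS[t[objective]] for t in info_types)
        system[objective] = "LOW" if highest == LEVELS["NA"] else _name(highest)
    # Overall system impact level: high-water mark across the three objectives.
    system["overall"] = _name(max(LEVELS[system[o]] for o in OBJECTIVES))
    return system


def _name(rank: int) -> str:
    return next(k for k, v in LEVELS.items() if v == rank)


def sc_notation(category: Dict[str, str]) -> str:
    """Render a category in the FIPS 199 SC = {...} notation."""
    return "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % tuple(
        category[o] for o in OBJECTIVES
    )


if __name__ == "__main__":
    # Constructed sample: a public web server that also handles customer records.
    types = [
        categorize_information_type("public web content", "NA", "MODERATE", "MODERATE"),
        categorize_information_type("customer records", "MODERATE", "MODERATE", "LOW"),
    ]
    system = categorize_system(types)
    print(sc_notation(system), "overall:", system["overall"])
```

Running the sample yields a MODERATE system on every objective: the public content alone would have left confidentiality at NA, but the customer records raise it, and a system carrying only public content would still be categorized LOW for confidentiality rather than NA.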
Refers to the technologies and products that integrate security information management (SIM, the long-term collection and storage of logs) and security event management (SEM, real-time monitoring) into a centralized interface, providing real-time event correlation and analysis across sources.
security information and event management (SIEM)
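What "event correlation" means in practice, as an added example that is not part of the original flashcard set: a single stateful rule that reads authentication events from several hosts, keeps a sliding window of failures per source address, and raises an alert only when a success follows a burst of failures from the same source. The log lines, the simplified syslog format, the threshold and the window are all constructed assumptions for illustration, not the format or rule set of any particular SIEM product.

```python
"""Minimal SIEM-style correlation rule over constructed log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Constructed sample events in a simplified syslog-like format (not real logs).
# Source 203.0.113.7 fails five times in ten seconds, then succeeds as root;
# source 198.51.100.2 fails once and then logs in normally.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 sshd Failed password for invalid user admin from 203.0.113.7
2024-03-01T10:00:03 sshd Failed password for root from 203.0.113.7
2024-03-01T10:00:05 sshd Failed password for root from 203.0.113.7
2024-03-01T10:00:07 sshd Failed password for root from 203.0.113.7
2024-03-01T10:00:09 sshd Failed password for root from 203.0.113.7
2024-03-01T10:00:11 sshd Accepted password for root from 203.0.113.7
2024-03-01T10:05:00 sshd Failed password for alice from 198.51.100.2
2024-03-01T10:05:30 sshd Accepted password for alice from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd (?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(line: str) -> Optional[Dict[str, object]]:
    """Normalize one raw line into an event dict; None for lines the rule ignores."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def correlate(lines: str, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> List[Dict[str, object]]:
    """Alert when >= `threshold` failures from one source inside `window`
    are followed by a successful login from that same source.

    Failures are kept per source in a deque so that old ones age out of the
    sliding window; a success that meets the threshold emits one alert and
    resets the state for that source.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    for raw in lines.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        q = failures[ev["src"]]
        # Drop failures that fell out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({
                "rule": "brute-force-then-success",
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(q),
                "at": ev["ts"].isoformat(),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the sample, only the first source trips the rule; the single failure from 198.51.100.2 never reaches the threshold, which is the point of correlating across events rather than alerting on each failed login.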
A contractual agreement between an organization and a third-party provider that specifies the level of service to be delivered, including the security, data availability, and other protections afforded the organization's data held by the third party, and the remedies if those levels are not met.
service-level agreement (SLA)
A third-party cloud-based service that delivers software to an organization on a subscription basis; this lets the organization use licensed software at a lower cost than buying, installing, and maintaining it itself, while the provider operates the underlying platform and infrastructure.
Software as a Service (SaaS)