NISTIR 7298 Revision 1, Glossary of Key Information Security Terms


Source: csrc.nist.gov, 23.03.2013

Risk –
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and consider the adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
SOURCE: SP 800-53

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (1) the adverse impacts that would arise if the circumstance or event occurs; and (2) the likelihood of occurrence. Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
SOURCE: CNSSI-4009

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Adverse impacts to the Nation include, for example, compromises to information systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.]
SOURCE: SP 800-37; SP 800-53A

The probability that one or more adverse events will occur.
SOURCE: SP 800-61

Risk-Adaptable Access Control – (RAdAC)
A form of access control that uses an authorization policy that takes into account operational need, risk, and heuristics.
SOURCE: CNSSI-4009

Pg 158
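The two entries above, risk as a function of adverse impact and likelihood, and RAdAC as an authorization policy that weighs operational need, risk, and heuristics, can be combined in a small decision function. The following is an added illustrative example, not text or code from NISTIR 7298 or any other NIST publication: the numeric level scale, the heuristic session signals and their weights, the `max_risk` tolerance, the `need_override` allowance and the step-up rule are all assumptions chosen for the example, and the sample requests are constructed.

```python
from dataclasses import dataclass, field

# Illustrative qualitative scale. NISTIR 7298 defines risk as a function of
# impact and likelihood but prescribes no numeric scale; these values are an
# assumption made for this example.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class AccessRequest:
    subject: str
    resource: str
    impact: str             # adverse impact if the resource is compromised
    likelihood: str         # baseline likelihood of misuse for this subject/resource pair
    operational_need: str   # how urgently the mission needs this access
    signals: dict = field(default_factory=dict)  # heuristic signals observed in the session


def adjusted_likelihood(likelihood: str, signals: dict) -> int:
    """Raise the baseline likelihood by one step per risk-increasing heuristic.

    The heuristics (unenrolled device, off-hours access, repeated failed logins)
    and their weights are assumptions for this example, not NIST guidance.
    """
    level = LEVELS[likelihood]
    if signals.get("new_device"):
        level += 1
    if signals.get("outside_business_hours"):
        level += 1
    if signals.get("failed_logins_last_hour", 0) >= 3:
        level += 1
    return min(level, LEVELS["high"])


def risk_score(impact: str, likelihood: str, signals: dict) -> int:
    """Risk as the product of impact and the heuristically adjusted likelihood."""
    return LEVELS[impact] * adjusted_likelihood(likelihood, signals)


def radac_decide(req: AccessRequest, max_risk: int = 4, need_override: int = 2) -> tuple:
    """Risk-adaptable decision.

    Permit when risk is within tolerance (max_risk). A high operational need may
    accept a bounded amount of extra risk (need_override), but only with step-up
    authentication. Everything else is denied. Both thresholds are assumed
    policy parameters standing in for the organization's risk tolerance.
    """
    risk = risk_score(req.impact, req.likelihood, req.signals)
    if risk <= max_risk:
        return ("permit", risk)
    if req.operational_need == "high" and risk <= max_risk + need_override:
        return ("permit-with-step-up", risk)
    return ("deny", risk)


if __name__ == "__main__":
    # Constructed sample requests for demonstration.
    requests = [
        AccessRequest("alice", "cafeteria-menu", "low", "low", "low"),
        AccessRequest("bob", "payroll-db", "high", "low", "high",
                      {"outside_business_hours": True}),
        AccessRequest("bob", "payroll-db", "high", "low", "low",
                      {"outside_business_hours": True}),
        AccessRequest("mallory", "payroll-db", "high", "moderate", "high",
                      {"new_device": True, "failed_logins_last_hour": 5}),
    ]
    for r in requests:
        decision, score = radac_decide(r)
        print(f"{r.subject:8} {r.resource:15} risk={score} -> {decision}")
```

The same off-hours request to the payroll database is permitted with step-up authentication when the operational need is high and denied when it is low, which is the distinguishing property of a risk-adaptable policy compared with a static rule; the heuristics only ever raise the likelihood estimate, so a noisy signal can cause a false denial but never a silent grant.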

Risk Analysis –
The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment.
SOURCE: SP 800-27

Examination of information to identify the risk to an information system. See risk assessment.
SOURCE: CNSSI-4009

Risk Assessment –
The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, arising through the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
SOURCE: SP 800-53; SP 800-53A; SP 800-37

The process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF).
SOURCE: CNSSI-4009

Risk Executive – (or Risk Executive Function)
An individual or group within an organization that helps to ensure that: (i) security risk-related considerations for individual information systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) managing risk from individual information systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.
SOURCE: CNSSI-4009; SP 800-53A; SP 800-37

Pg 159

