NISTIR 7298 Revision 1, Glossary of Key Information Security Terms
NISTIR 7298 Revision 1, Glossary of Key Information Security Terms NISTIR 7298 Revision 1, Glossary of Key Information Security Terms
NIST IR 7298 Revision 1, Glossary of Key Information Security Terms Risk-Adaptable Access Control – (RAdAC) A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and consider the adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. SOURCE: SP 800-53 A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (1) the adverse impacts that would arise if the circumstance or event occurs; and (2) the likelihood of occurrence. Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. SOURCE: CNSSI-4009 A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Adverse impacts to the Nation include, for example, compromises to information systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.] SOURCE: SP 800-37; SP 800-53A The probability that one or more adverse events will occur. SOURCE: SP 800-61 A form of access control that uses an authorization policy that takes into account operational need, risk, and heuristics. SOURCE: CNSSI-4009 Pg 158
NIST IR 7298 Revision 1, Glossary of Key Information Security Terms Risk Analysis – The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment. SOURCE: SP 800-27 Risk Assessment – Risk Executive – (or Risk Executive Function) Examination of information to identify the risk to an information system. See risk assessment. SOURCE: CNSSI-4009 The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, arising through the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. SOURCE: SP 800-53; SP 800-53A; SP 800-37 The process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF). SOURCE: CNSSI-4009 An individual or group within an organization that helps to ensure that: (i) security risk-related considerations for individual information systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) managing risk from individual information systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success. SOURCE: CNSSI-4009; SP 800-53A; SP 800-37 Pg 159
- Page 108 and 109: NIST IR 7298 Revision 1, Glossary o
- Page 110 and 111: NIST IR 7298 Revision 1, Glossary o
- Page 112 and 113: NIST IR 7298 Revision 1, Glossary o
- Page 114 and 115: NIST IR 7298 Revision 1, Glossary o
- Page 116 and 117: NIST IR 7298 Revision 1, Glossary o
- Page 118 and 119: NIST IR 7298 Revision 1, Glossary o
- Page 120 and 121: NIST IR 7298 Revision 1, Glossary o
- Page 122 and 123: NIST IR 7298 Revision 1, Glossary o
- Page 124 and 125: NIST IR 7298 Revision 1, Glossary o
- Page 126 and 127: NIST IR 7298 Revision 1, Glossary o
- Page 128 and 129: NIST IR 7298 Revision 1, Glossary o
- Page 130 and 131: NIST IR 7298 Revision 1, Glossary o
- Page 132 and 133: NIST IR 7298 Revision 1, Glossary o
- Page 134 and 135: NIST IR 7298 Revision 1, Glossary o
- Page 136 and 137: NIST IR 7298 Revision 1, Glossary o
- Page 138 and 139: NIST IR 7298 Revision 1, Glossary o
- Page 140 and 141: NIST IR 7298 Revision 1, Glossary o
- Page 142 and 143: NIST IR 7298 Revision 1, Glossary o
- Page 144 and 145: NIST IR 7298 Revision 1, Glossary o
- Page 146 and 147: NIST IR 7298 Revision 1, Glossary o
- Page 148 and 149: NIST IR 7298 Revision 1, Glossary o
- Page 150 and 151: NIST IR 7298 Revision 1, Glossary o
- Page 152 and 153: NIST IR 7298 Revision 1, Glossary o
- Page 154 and 155: NIST IR 7298 Revision 1, Glossary o
- Page 156 and 157: NIST IR 7298 Revision 1, Glossary o
- Page 160 and 161: NIST IR 7298 Revision 1, Glossary o
- Page 162 and 163: NIST IR 7298 Revision 1, Glossary o
- Page 164 and 165: NIST IR 7298 Revision 1, Glossary o
- Page 166 and 167: NIST IR 7298 Revision 1, Glossary o
- Page 168 and 169: NIST IR 7298 Revision 1, Glossary o
- Page 170 and 171: NIST IR 7298 Revision 1, Glossary o
- Page 172 and 173: NIST IR 7298 Revision 1, Glossary o
- Page 174 and 175: NIST IR 7298 Revision 1, Glossary o
- Page 176 and 177: NIST IR 7298 Revision 1, Glossary o
- Page 178 and 179: NIST IR 7298 Revision 1, Glossary o
- Page 180 and 181: NIST IR 7298 Revision 1, Glossary o
- Page 182 and 183: NIST IR 7298 Revision 1, Glossary o
- Page 184 and 185: NIST IR 7298 Revision 1, Glossary o
- Page 186 and 187: NIST IR 7298 Revision 1, Glossary o
- Page 188 and 189: NIST IR 7298 Revision 1, Glossary o
- Page 190 and 191: NIST IR 7298 Revision 1, Glossary o
- Page 192 and 193: NIST IR 7298 Revision 1, Glossary o
- Page 194 and 195: NIST IR 7298 Revision 1, Glossary o
- Page 196 and 197: NIST IR 7298 Revision 1, Glossary o
- Page 198 and 199: NIST IR 7298 Revision 1, Glossary o
- Page 200 and 201: NIST IR 7298 Revision 1, Glossary o
- Page 202 and 203: NIST IR 7298 Revision 1, Glossary o
- Page 204 and 205: NIST IR 7298 Revision 1, Glossary o
- Page 206 and 207: NIST IR 7298 Revision 1, Glossary o
NIST IR <strong>7298</strong> <strong>Revision</strong> 1, <strong>Glossary</strong> <strong>of</strong> <strong>Key</strong> <strong>Information</strong> <strong>Security</strong> <strong>Terms</strong><br />
Risk Analysis – The process <strong>of</strong> identifying the risks to system security and<br />
determining the likelihood <strong>of</strong> occurrence, the resulting impact, and<br />
the additional safeguards that mitigate this impact. Part <strong>of</strong> risk<br />
management and synonymous with risk assessment.<br />
SOURCE: SP 800-27<br />
Risk Assessment –<br />
Risk Executive –<br />
(or Risk Executive Function)<br />
Examination <strong>of</strong> information to identify the risk to an information<br />
system. See risk assessment.<br />
SOURCE: CNSSI-4009<br />
The process <strong>of</strong> identifying risks to organizational operations<br />
(including mission, functions, image, or reputation), organizational<br />
assets, individuals, other organizations, and the Nation, arising<br />
through the operation <strong>of</strong> an information system.<br />
Part <strong>of</strong> risk management, incorporates threat and vulnerability<br />
analyses and considers mitigations provided by security controls<br />
planned or in place. Synonymous with risk analysis.<br />
SOURCE: SP 800-53; SP 800-53A; SP 800-37<br />
The process <strong>of</strong> identifying, prioritizing, and estimating risks. This<br />
includes determining the extent to which adverse circumstances or<br />
events could impact an enterprise. Uses the results <strong>of</strong> threat and<br />
vulnerability assessments to identify risk to organizational operations<br />
and evaluates those risks in terms <strong>of</strong> likelihood <strong>of</strong> occurrence and<br />
impacts if they occur. The product <strong>of</strong> a risk assessment is a list <strong>of</strong><br />
estimated potential impacts and unmitigated vulnerabilities. Risk<br />
assessment is part <strong>of</strong> risk management and is conducted throughout<br />
the Risk Management Framework (RMF).<br />
SOURCE: CNSSI-4009<br />
An individual or group within an organization that helps to ensure<br />
that: (i) security risk-related considerations for individual information<br />
systems, to include the authorization decisions for those systems, are<br />
viewed from an organization-wide perspective with regard to the<br />
overall strategic goals and objectives <strong>of</strong> the organization in carrying<br />
out its missions and business functions; and (ii) managing risk from<br />
individual information systems is consistent across the organization,<br />
reflects organizational risk tolerance, and is considered along with<br />
other organizational risks affecting mission/business success.<br />
SOURCE: CNSSI-4009; SP 800-53A; SP 800-37<br />
Pg 159