NISTIR 7298 Revision 1, Glossary of Key Information Security Terms
Risk Management – The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.
SOURCE: SP 800-53; SP 800-53A; SP 800-37
Risk Management – The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes:
1) the conduct of a risk assessment;
2) the implementation of a risk mitigation strategy; and
3) employment of techniques and procedures for the continuous monitoring of the security state of the information system.
SOURCE: FIPS 200
Risk Management – The process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations.
SOURCE: SP 800-82; SP 800-34
Risk Management – The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system, and includes: (1) the conduct of a risk assessment; (2) the implementation of a risk mitigation strategy; (3) employment of techniques and procedures for the continuous monitoring of the security state of the information system; and (4) documenting the overall risk management program.
SOURCE: CNSSI-4009
Risk Management Framework – A structured approach used to oversee and manage risk for an enterprise.
SOURCE: CNSSI-4009