
Glossary

Accept

a decision made during risk analysis to take no action to address a risk and to accept the consequences should the risk occur.



Access path

ways in which information or services can be accessed via an organization's network.



Action list

a list of actions that people in an organization can take in the near term without the need for specialized training, policy changes, etc. It is essentially a list of near-term action items.



Actor

a property of a threat that defines who or what may violate the security requirements (confidentiality, integrity, availability) of an asset.



Analysis team

an interdisciplinary team, comprising representatives of both the mission-related and information technology areas of the organization, which conducts the evaluation and analyzes the information. An analysis team generally consists of about three to five people, depending on the size of the overall organization and the scope of the evaluation.



Annualized loss expectancy (ALE)

the typical monetary loss that can be expected from a risk over a year. Annualized loss expectancy is the potential loss from a single occurrence (impact value) multiplied by the projected number of occurrences of the risk in a given year (frequency, or annualized probability of occurrence).



Area of concern

a situation or scenario in which someone is concerned about a threat to important assets. Typically, areas of concern have a source and an outcome—a causal action that has an effect on the organization.



Asset

something of value to the enterprise. Information technology assets are the combination of logical and physical assets and are grouped into the specific classes (information, systems, software, hardware, people).



Attributes

the distinctive qualities, or characteristics, of an information security risk evaluation.



Availability

the extent to which, or frequency with which, an asset must be present or ready for use.



Catalog of practices

a collection of good strategic and operational security practices that an organization can use to manage its security.



Catalog of vulnerabilities

a collection of vulnerabilities based on platform and application, used to evaluate an organization's computing infrastructure for technology vulnerabilities.



Champion

someone internal to an organization with an interest in conducting an information security risk evaluation. A champion generally does not have the authority to allocate resources to conduct the evaluation but must persuade someone in the organization who does have the authority to sponsor the activity.



Checklist

a manual vulnerability evaluation tool that covers the same kinds of items as an automated tool but relies on a person to perform each check. Checklists require a consistent review of the items being checked and must be routinely updated.



Classical concept of probability

the likelihood that an event will occur when all possibilities are known to be equally likely to occur. This concept of probability is the oldest historically and was originally developed in connection with games of chance.



Computer prioritization listing

a listing of the computer inventory owned by an organization. This listing typically depicts a prioritized ordering of systems or networking components based on their importance to the organization (e.g., mission-critical systems, high/medium/low-priority systems, administrative systems, support systems).



Confidentiality

the requirement of keeping proprietary, sensitive, or personal information private and inaccessible to anyone who is not authorized to see it.



Configuration vulnerability

a weakness resulting from an error in the configuration and administration of a system or component.



Critical assets

an organization's most important assets. The organization will suffer a large adverse impact if something happens to critical assets.



Desktop workstation

a host on an organization's network that staff members use to conduct business.



Design vulnerability

a weakness inherent in the design or specification of hardware or software whereby even a perfect implementation will result in a vulnerability.



Destruction

the irrevocable elimination of an asset.



Disclosure

the viewing of confidential or proprietary information by someone who should not see the information.



Evaluation criteria

a set of qualitative measures against which a risk is evaluated. Evaluation criteria define high, medium, and low impacts for an organization.



Expected value

the potential loss that could occur (impact value) multiplied by the projected frequency of occurrence of a risk (probability). Expected value is also known as expected loss or risk exposure.



Extreme event

an event that has a low probability of occurrence but a potentially catastrophic impact on the organization.
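The following is an added illustration of the annualized loss expectancy, expected value, and extreme event entries; it is not from the OCTAVE text. The risk register, the dollar figures, and the "catastrophic loss" threshold are constructed for the example. It computes ALE for each risk, ranks the register by ALE, and separately flags extreme events, because a rare but catastrophic risk can rank low on ALE alone.

```python
"""Annualized loss expectancy (ALE) over a constructed risk register.

Added example, not part of the OCTAVE glossary. Every risk name, loss
figure and rate below is invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss: float   # impact value: loss from one occurrence, in currency units
    annual_rate: float   # projected occurrences per year (frequency)

    @property
    def ale(self) -> float:
        # ALE = loss per occurrence x expected occurrences per year
        return self.single_loss * self.annual_rate


# Constructed register: the numbers are illustrative only.
REGISTER = [
    Risk("laptop theft", single_loss=2_500.0, annual_rate=3.0),
    Risk("phishing-led account takeover", single_loss=40_000.0, annual_rate=0.5),
    Risk("data centre fire", single_loss=5_000_000.0, annual_rate=0.002),
    Risk("misconfigured backup exposure", single_loss=150_000.0, annual_rate=0.1),
]


def rank_by_ale(risks):
    """Highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def ale_table(risks):
    """(name, ALE rounded to cents) in ranked order."""
    return [(r.name, round(r.ale, 2)) for r in rank_by_ale(risks)]


def extreme_events(risks, catastrophic_loss, max_rate=0.01):
    """Risks an ALE ranking can hide: rare (rate <= max_rate) but catastrophic.

    `catastrophic_loss` is an organization-specific threshold (an assumption
    here): a single loss that threatens the mission regardless of frequency.
    """
    return [r for r in risks
            if r.annual_rate <= max_rate and r.single_loss >= catastrophic_loss]


if __name__ == "__main__":
    for name, ale in ale_table(REGISTER):
        print(f"{name:32s} ALE = {ale:>12,.2f}")
    for r in extreme_events(REGISTER, catastrophic_loss=1_000_000.0):
        print(f"extreme event (modest ALE, catastrophic impact): {r.name}")
```

In this register the fire has the same order of ALE as an everyday laptop theft, so an evaluation that ranked purely by ALE would treat them alike; the separate extreme-event check is what surfaces it.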



Frequency interpretation of probability

the likelihood that an event (or a given outcome) will occur, based on the proportion of the time that similar events have occurred over a long period of time.



Generic threat profile

a catalog containing a range of all potential threats under consideration. The generic threat profile is a starting point for creating a unique threat profile for each critical asset.



Hardware asset

information technology physical devices (workstations, servers, etc.). Normally, hardware assets are valued solely by the replacement cost of the physical devices.



Home computer

a home personal computer that a staff member uses to access information remotely via an organization's networks.



Hybrid scanner

a vulnerability evaluation tool that targets a range of services, applications, and operating system functions. Hybrid scanners may address Web servers (CGI, Java), database applications, registry information (e.g., Windows NT/2000), and weak password storage and authentication services. These are also known as specialty or targeted scanners.



Impact

the effect of a threat on an organization's mission and business objectives.



Impact value

a qualitative measure of a risk's impact on the organization (high, medium, or low).



Implementation vulnerability

a weakness resulting from an error made in the software or hardware implementation of a satisfactory design.



Information asset

documented (paper or electronic) data or intellectual property used to meet the mission of an organization.



Integrity

the authenticity, accuracy, and completeness of an asset.



Interruption

the limiting of an asset's availability; interruption refers mainly to services.



Key classes of components

types of devices that are important in processing, storing, or transmitting critical information. They represent assets related to critical assets.



Laptop

a portable personal computer used to access information remotely via an organization's networks.



Law of large numbers

the rule that as the number of times a situation is repeated becomes larger, the proportion of successes tends toward the actual probability of success.
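The following is an added illustration of the classical and frequency interpretations of probability and of the law of large numbers; it is not from the OCTAVE text. The fair die, the event (rolling a 6), the trial counts, and the fixed random seed are choices made for the example: in practice the simulated rolls would be replaced by an organization's own incident history.

```python
"""Classical vs. frequency interpretation of probability, and the law of
large numbers, on a simulated fair die.

Added example, not part of the OCTAVE glossary. The die, the target face
and the sample sizes are constructed for illustration.
"""
from fractions import Fraction
import random


def classical_probability(favourable: int, total: int) -> Fraction:
    """Classical concept: all `total` outcomes are equally likely, so the
    probability is the share of outcomes that count as favourable."""
    if total <= 0 or not 0 <= favourable <= total:
        raise ValueError("need total > 0 and 0 <= favourable <= total")
    return Fraction(favourable, total)


def frequency_estimate(trials: int, faces: int = 6, target: int = 6,
                       seed: int = 1) -> float:
    """Frequency interpretation: the proportion of `trials` rolls that show
    `target`. The seed only makes the simulation reproducible."""
    if trials <= 0:
        raise ValueError("need at least one trial")
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials) if rng.randint(1, faces) == target)
    return hits / trials


def convergence(trial_counts, faces: int = 6, target: int = 6, seed: int = 1):
    """Absolute error of the frequency estimate against the classical value
    for each sample size. The law of large numbers says the error tends to
    zero as the number of trials grows."""
    p = float(classical_probability(1, faces))
    return {n: abs(frequency_estimate(n, faces, target, seed) - p)
            for n in trial_counts}


if __name__ == "__main__":
    print("classical P(6) =", classical_probability(1, 6))
    for n, err in convergence([10, 100, 1_000, 10_000, 100_000]).items():
        print(f"{n:>7d} trials: |estimate - 1/6| = {err:.4f}")
```

With only ten rolls the estimate can only take values k/10, so it can never land within 0.03 of 1/6; with a hundred thousand rolls the error is typically around a thousandth. Subjective probability has no counterpart here: it is the estimate an analyst supplies when neither equally likely outcomes nor a long run of observations is available.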



Loss

the limiting of an asset's availability; the asset still exists but is temporarily unavailable.



Mitigate

addressing a risk by implementing actions designed to counter the underlying threat.



Mitigation approach

the way in which an organization intends to address a risk. An organization can either mitigate or accept a risk.



Modification

an unauthorized changing of an asset.



Motive

a property of a threat that defines whether the intentions of a human actor are deliberate or accidental. Motive is also sometimes referred to as the objective of a threat actor.



Networking component

a device important to an organization's networks. Routers, switches, and modems are all examples of this class of component.



Network infrastructure scanner

a vulnerability evaluation tool that focuses on the components of the network infrastructure, such as routers and intelligent switches, DNS (domain name system) servers, firewall systems, and intrusion detection systems.



Network mapping tools

software used to search a network by identifying the physical connectivity of systems and networking components. The software also displays detailed information about the interconnectivity of networks and devices (routers, switches, bridges, hosts).



Network topology diagrams

electronic or paper documents used to display the logical or physical mapping of a network. These documents identify the connectivity of systems and networking components. They usually contain less detail than that provided by network mapping tools.



Operating system scanner

a vulnerability evaluation tool that targets specific operating systems such as Windows NT/2000, Sun Solaris, Red Hat Linux, or Apple Mac OS.



Operational practice

a security practice that focuses on technology-related issues, including how people use, interact with, and protect technology.



Organizational vulnerability

a weakness in organizational policy or practice that can result in the occurrence of unauthorized actions. Organizational vulnerabilities are indications of missing or inadequate security practices.



Outcome

a property of a threat that defines the immediate result (disclosure, modification, destruction, loss, interruption) of violating the security requirements of an asset.



Outputs

the outcomes that an analysis team must achieve during an information security risk evaluation.



People asset

the people in an organization who possess unique skills, knowledge, and experience that are difficult to replace.



Principles

the fundamental concepts driving the nature of an information security risk evaluation.



Probability

the likelihood that an event will occur.



Protection strategy

the policy an organization develops to enable, initiate, implement, and maintain its internal security. It tends to incorporate long-term, organizationwide initiatives.



Protection strategy practice

an action that helps initiate, implement, and maintain security within an organization. A protection strategy practice is also called a security practice.



Risk

the possibility of suffering harm or loss; the potential for realizing unwanted negative consequences of an event. Risk refers to a situation in which either a person could do something undesirable or a natural occurrence could cause an undesirable outcome, resulting in a negative impact or consequence.



Risk evaluation

a process that generates an organizationwide view of information security risks. It provides a baseline that can be used to focus mitigation and improvement activities.



Risk management

the ongoing process of identifying risks and implementing plans to address them.



Risk measure

a qualitative value used to estimate some aspect of risk. There are two risk measures: impact value and probability.



Risk mitigation plan

a plan intended to reduce the risks to a critical asset. Risk mitigation plans tend to incorporate actions, or countermeasures, designed to counter the threats to the assets.



Risk profile

a definition of the range of risks that can affect an asset. Risk profiles contain categories grouped according to threat source (human actors using network access, human actors using physical access, system problems, other problems).



Script

an automated vulnerability evaluation tool that usually performs a single check. If a large number of items are being evaluated, a corresponding number of scripts will be required. Scripts require a consistent review of the items being checked and must be routinely updated.



Security component

a device that has security as its primary function (e.g., a firewall).



Security practice

actions that help initiate, implement, and maintain security within an organization. A security practice is also called a protection strategy practice.



Security requirements

requirements outlining the qualities of information assets that are important to an organization. Typical security requirements are confidentiality, integrity, and availability.



Self-direction

a policy whereby people manage and direct information security risk evaluations for their own organization. These people are responsible for directing risk evaluation activities and for making decisions about the organization's security efforts.



Server

a host within the information technology infrastructure that provides information technology services to an organization.



Software assets

software applications and services (operating systems, database applications, networking software, office applications, custom applications, etc.) that process, store, or transmit information.



Storage device

a device on which information is stored, often for backup purposes.



Strategic practice

a security practice that focuses on organizational issues at the policy level, including business-related issues and issues that require organizationwide plans and participation.



Subjective probability

the likelihood that an event (or a given outcome) will occur, based on indirect or collateral information, educated guesses, intuition, or other subjective factors.



System

a logical grouping of components designed to perform a defined function(s) or meet a defined objective(s).



System of interest

the system that is most closely linked to a critical asset.



Systems assets

information systems that process and store information. Systems are a combination of information, software, and hardware assets. Any host, client, or server can be considered a system.



Technology vulnerability

a weakness in systems that can lead directly to unauthorized action. Technology vulnerabilities are present in and apply to network services, architecture, operating systems, and applications. Types of technology vulnerabilities include design, implementation, and configuration vulnerabilities.



Threat

an indication of a potential undesirable event; the existence of a situation in which either a person could do something undesirable (e.g., initiating a denial-of-service attack against an organization's email server) or a natural occurrence could cause an undesirable outcome (a fire damaging an organization's information technology hardware). Threats have defined properties (asset, actor, motive, access, outcome).



Threat profile

a definition of the range of threats that can affect an asset. Threat profiles contain categories grouped according to threat source (human actors using network access, human actors using physical access, system problems, other problems).



Vulnerability

a weakness in an information system, system security practices and procedures, administrative controls, internal controls, implementation, or physical layout that could be exploited by a threat to gain unauthorized access to information or to disrupt processing. There are two basic types of vulnerabilities: organizational and technology.



Vulnerability evaluation approach

the method of evaluating each infrastructure component; this includes deciding who will perform the evaluation and selecting the appropriate tool(s).



Vulnerability summary

a summary of the technology vulnerabilities for each component that is evaluated. A vulnerability summary lists the types of technology vulnerabilities found, when they need to be addressed, their potential effect on the critical assets, and how they can be dealt with.



Wireless component

a device, such as a cell phone or wireless access point, that staff members may use to access information (for example, email).


