Term

Definition
A framework that helps develop and evaluate features that support information security objectives at various levels of assurance

Term

Definition
Anticipating such risks, the firm designs measures to mitigate them; these measures represent control, in essence sustaining the likelihood that the firm will achieve one or more of its objectives

Term

Definition
A system designed to ensure that the behaviors and decisions of people are consistent with the entity's objectives. A coordinated set of related control measures comprises a control system.

Term

Definition
The cryptographic procedure used to convert plaintext into ciphertext to prevent anyone except the owner(s) or intended recipient(s) from reading the data.

Term

Definition
System features and attributes that help achieve desired results

Term

Definition
The level at which a security or control measure is implemented within a hierarchy of levels in a system

Term

Definition
An information asset is any tangible or intangible resource deployed to generate and use information

Term

Definition
Because the term here refers to security of information assets, it is commonly denoted as information security

Term

Definition
A set of control measures targeted to achieve control objectives

Term

Definition
A policy is a high-level document independent of all functions, roles, powers, and personalities within the firm

Term

Definition
The rules of behavior, including behavior of people, systems, and processes. A set of rules for the exchange of information between computing devices.

Term

Definition
A duplicate or overlapping resource is employed to achieve a desired control objective

Term

Definition
In any solution, the variety of responses included must be adequate to mitigate every possible out-of-control situation

Term

Definition
Risk is the reduction in likelihood that the firm achieves one or more of its objectives

Term

Definition
Risk avoidance is a deliberate attempt to keep the target system away from a specific risk

Term

Definition
Risk exposure represents all kinds of possibilities of harm to an entity without regard to its likelihood

Term

Definition
A systematic approach to manage risks to a target system

Term

Definition
Risk reduction refers to proactive measures taken to prevent a loss from occurring or to limit losses from the consequences of a risk

Term

Definition
Risk retention is a behavior that suggests that a risk is "kept" by the risk managers

Term

Definition
Risk sharing is a special case of risk transfer where entities facing identical exposure join to manage their collective risk

Term

Definition
Risk transfer is an approach used to transfer target system risk to some other entity

Term

Definition
Security measures refers to specific types of controls designed to protect information assets

Term

Definition
A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide

Term

Definition
A widely accepted protocol that becomes the industry norm

Term
Target of evaluation (TOE)

Definition
A process, resource, or system subject to a systematic evaluation for assurance of security

Term

Definition
An information asset desired to be protected from all types of risks

Term

Definition
Relying on a person or thing

Term

Definition
System usability has the goal of making the system inviting, easy to use, and least obstructive to the end user